[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 241
  • Last Modified:

Trouble with NAT entries and route maps for multiple ISPs

Below is a very simplified config for my edge router.  We want one internal host to go out Carrier 1 and the other to go our Carrier 2.

The first translation for 172.20.2.4 does not work properly and users cannot access the internal host from the internet.  I can get to it from the 64.1.1.0/27 subnet though.  The translation for 172.20.2.3 DOES work properly.  This has to be an issue with thar route map and that the ourbound traffic is trying to exit from Fa0/2.  Can you please assist?

NOTE:  10.x.x.x and 159.x.x.x are subnets at a busines partner connected via 172.20.15.1
interface FastEthernet0/0
 description B2B Connection
 ip address 172.20.15.2 255.255.255.0
!
interface FastEthernet0/1
 description LAN
 ip address 172.20.0.38 255.255.255.248
 ip nat inside
 ip policy route-map INTERNET_ACCESS
!
interface FastEthernet0/2
 description Carrier #2 6Mb to WWW
 ip address 64.1.1.2 255.255.255.224
 ip access-group 104 in
 ip nat outside
!
interface FastEthernet0/4
 description Carrier #1 3Mb to WWW
 ip address 206.1.1.2 255.255.255.224
 ip access-group 103 in
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 206.1.1.1
!
ip nat pool CARRIER1-POOL 206.1.1.10 206.1.1.12 netmask 255.255.255.224
ip nat pool CARRIER2-POOL 64.1.1.10 64.1.1.12 netmask 255.255.255.224
ip nat inside source route-map CARRIER2-MAP pool CARRIER2-POOL overload
ip nat inside source route-map CARRIER1-MAP pool CARRIER1-POOL overload
!
ip nat inside source static tcp 172.20.2.4 80 64.1.1.7 80 extendable
ip nat inside source static tcp 172.20.2.3 80 206.1.1.7 80 extendable
!
access-list 100 permit ip 172.20.0.0 0.0.255.255 any
access-list 103 permit icmp any any
access-list 103 permit tcp any host 206.0.0.7 eq www
access-list 104 permit icmp any any
access-list 104 permit tcp any host 64.1.1.7 eq www
access-list 110 deny   tcp host 172.20.2.4 any eq www
access-list 110 deny   tcp any host 170.20.2.4 eq www
access-list 110 deny   ip any 10.0.0.0 0.255.255.255
access-list 110 deny   ip any 159.0.0.0 0.0.255.255
access-list 120 permit tcp host 172.20.2.4 any eq www
access-list 120 permit tcp any host 172.20.2.4 eq www
access-list 130 permit ip any 10.0.0.0 0.255.255.255
access-list 130 permit ip any 159.0.0.0 0.0.255.255
!
route-map INTERNET_ACCESS permit 10
 match ip address 110
 set ip next-hop 206.1.1.1
!
route-map INTERNET_ACCESS permit 20
 match ip address 120
 set ip next-hop 64.1.1.1
!
route-map INTERNET_ACCESS permit 30
 match ip address 130
 set ip next-hop 172.20.15.1
!
route-map CARRIER1-MAP permit 10
 match ip address 100
 match interface Fa0/4
!
route-map CARRIER2-MAP permit 10
 match ip address 100
 match interface Fa0/2

Open in new window

0
David Blair
Asked:
David Blair
  • 5
  • 5
  • 3
  • +1
1 Solution
 
jmeggersCommented:
ACL 110 is all denies.  You need at least one permit statement.  In your case, it should just be a host (source) permit any.  The second ACL would be for the other host source address permit any.
0
 
David BlairAuthor Commented:
Thanks for the reply.

ACL 110 identifies traffic heading out via Carrier 1, and I thought permit statements weren't necessary due to the default route for Carrier 1.

Are you suggesting I add a permit statement for 172.20.2.3 to ACL 110?  Please help me understand the reason for that.  Again, 172.20.2.3 is working fine; it's 172.20.2.4 that's giving me the trouble.

Don't the denies just push certain traffic down to the other entries in the route map.

Thanks,
0
 
SouljaCommented:
Yeah, as set in the config posted. ACL 110 is pretty much useless. The only thing you need to state in it a the traffic you want to permit. After that the implicit deny will take care of the other traffic.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
SouljaCommented:
172.20.2.3 works because you permit it in ACL 100, but you explicitly deny 2.4 in acl 110. That is why 2.3 works and 2.4 doesn't
0
 
David BlairAuthor Commented:
That starts to make sense...

But, if I permit 2.4 in ACL 110 won't it set next hop to 206.1.1.1 instead of 64.1.1.1?
0
 
SouljaCommented:
Hold on a sec, so currently. 2.3 is in fact being route mapped by which router map?
0
 
David BlairAuthor Commented:
That traffic is taking the default route our carrier 1
0
 
SouljaCommented:
Oh okay, so it is working because it isn't using any router-maps.

route-map INTERNET_ACCESS permit 10    servers no purpose. I would remove it.

ACL 120 doesn't need this:

access-list 120 permit tcp any host 172.20.2.4 eq www

Otherwise, I don't see why ACL 120 wouldn't catch 2.4 and route it to 64.1.1.1
0
 
rochey2009Commented:
Hi,

Is 206.1.1.7 permitted for www in access-list 103?
0
 
David BlairAuthor Commented:
Sorry, typo there in the config.  YES, it's in there.  Just didn't fix it properly when I was cleaning the config up for EE.
0
 
SouljaCommented:
Good catch rochey! Is that a typo author?
0
 
rochey2009Commented:

I think access-list 120 permit tcp host 172.20.2.4 any eq www is incorrect

and should read

access-list 120 permit tcp host 172.20.2.4 eq www any

since it's return traffic sourced by the web server 172.20.2.4


0
 
David BlairAuthor Commented:
That sure was the problem.  Good eye!
0
 
rochey2009Commented:
You're welcome.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 5
  • 5
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now