Trouble with NAT entries and route maps for multiple ISPs

Posted on 2011-09-30
Last Modified: 2012-05-12
Below is a very simplified config for my edge router.  We want one internal host to go out Carrier 1 and the other to go out Carrier 2.

The first translation for 172.20.2.4 does not work properly and users cannot access the internal host from the internet.  I can get to it from the 64.1.1.0/27 subnet though.  The translation for 172.20.2.3 DOES work properly.  This has to be an issue with that route map and that the outbound traffic is trying to exit from Fa0/2.  Can you please assist?

NOTE:  10.x.x.x and 159.x.x.x are subnets at a business partner connected via 172.20.15.1

interface FastEthernet0/0
 description B2B Connection
 ip address 172.20.15.2 255.255.255.0
!
interface FastEthernet0/1
 description LAN
 ip address 172.20.0.38 255.255.255.248
 ip nat inside
 ip policy route-map INTERNET_ACCESS
!
interface FastEthernet0/2
 description Carrier #2 6Mb to WWW
 ip address 64.1.1.2 255.255.255.224
 ip access-group 104 in
 ip nat outside
!
interface FastEthernet0/4
 description Carrier #1 3Mb to WWW
 ip address 206.1.1.2 255.255.255.224
 ip access-group 103 in
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 206.1.1.1
!
ip nat pool CARRIER1-POOL 206.1.1.10 206.1.1.12 netmask 255.255.255.224
ip nat pool CARRIER2-POOL 64.1.1.10 64.1.1.12 netmask 255.255.255.224
ip nat inside source route-map CARRIER2-MAP pool CARRIER2-POOL overload
ip nat inside source route-map CARRIER1-MAP pool CARRIER1-POOL overload
!
ip nat inside source static tcp 172.20.2.4 80 64.1.1.7 80 extendable
ip nat inside source static tcp 172.20.2.3 80 206.1.1.7 80 extendable
!
access-list 100 permit ip 172.20.0.0 0.0.255.255 any
access-list 103 permit icmp any any
access-list 103 permit tcp any host 206.0.0.7 eq www
access-list 104 permit icmp any any
access-list 104 permit tcp any host 64.1.1.7 eq www
access-list 110 deny   tcp host 172.20.2.4 any eq www
access-list 110 deny   tcp any host 170.20.2.4 eq www
access-list 110 deny   ip any 10.0.0.0 0.255.255.255
access-list 110 deny   ip any 159.0.0.0 0.0.255.255
access-list 120 permit tcp host 172.20.2.4 any eq www
access-list 120 permit tcp any host 172.20.2.4 eq www
access-list 130 permit ip any 10.0.0.0 0.255.255.255
access-list 130 permit ip any 159.0.0.0 0.0.255.255
!
route-map INTERNET_ACCESS permit 10
 match ip address 110
 set ip next-hop 206.1.1.1
!
route-map INTERNET_ACCESS permit 20
 match ip address 120
 set ip next-hop 64.1.1.1
!
route-map INTERNET_ACCESS permit 30
 match ip address 130
 set ip next-hop 172.20.15.1
!
route-map CARRIER1-MAP permit 10
 match ip address 100
 match interface Fa0/4
!
route-map CARRIER2-MAP permit 10
 match ip address 100
 match interface Fa0/2

Question by: David Blair
14 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 36892903
ACL 110 is all denies.  You need at least one permit statement.  In your case, it should just be a host (source) permit any.  The second ACL would be for the other host source address permit any.
0
 
LVL 1

Author Comment

by:David Blair
ID: 36892976
Thanks for the reply.

ACL 110 identifies traffic heading out via Carrier 1, and I thought permit statements weren't necessary due to the default route for Carrier 1.

Are you suggesting I add a permit statement for 172.20.2.3 to ACL 110?  Please help me understand the reason for that.  Again, 172.20.2.3 is working fine; it's 172.20.2.4 that's giving me the trouble.

Don't the denies just push certain traffic down to the other entries in the route map?

Thanks,
0
 
LVL 26

Expert Comment

by:Soulja
ID: 36893226
Yeah, as set in the config posted, ACL 110 is pretty much useless.  The only thing you need to state in it is the traffic you want to permit.  After that the implicit deny will take care of the other traffic.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 36893254
172.20.2.3 works because you permit it in ACL 100, but you explicitly deny 2.4 in acl 110. That is why 2.3 works and 2.4 doesn't
0
 
LVL 1

Author Comment

by:David Blair
ID: 36893327
That starts to make sense...

But, if I permit 2.4 in ACL 110 won't it set next hop to 206.1.1.1 instead of 64.1.1.1?
0
 
LVL 26

Expert Comment

by:Soulja
ID: 36893443
Hold on a sec, so currently, 2.3 is in fact being route-mapped by which route map?
0
 
LVL 1

Author Comment

by:David Blair
ID: 36893466
That traffic is taking the default route out Carrier 1.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 36893813
Oh okay, so it is working because it isn't using any route-maps.

route-map INTERNET_ACCESS permit 10    serves no purpose.  I would remove it.

ACL 120 doesn't need this:

access-list 120 permit tcp any host 172.20.2.4 eq www

Otherwise, I don't see why ACL 120 wouldn't catch 2.4 and route it to 64.1.1.1
0
 
LVL 17

Expert Comment

by:rochey2009
ID: 36893833
Hi,

Is 206.1.1.7 permitted for www in access-list 103?
0
 
LVL 1

Author Comment

by:David Blair
ID: 36893850
Sorry, typo there in the config.  YES, it's in there.  Just didn't fix it properly when I was cleaning the config up for EE.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 36893859
Good catch rochey! Is that a typo author?
0
 
LVL 17

Accepted Solution

by: rochey2009 (earned 2000 total points)
ID: 36894094

I think access-list 120 permit tcp host 172.20.2.4 any eq www is incorrect

and should read

access-list 120 permit tcp host 172.20.2.4 eq www any

since it's return traffic sourced by the web server 172.20.2.4


0
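The two findings in this thread (ACL 110 can never match because it has no permit entry, and the original ACL 120 line matches the server's outbound browsing rather than its replies) can be checked without a router. The Python below is an added example, not part of the original post or of any Cisco software: it models the subset of IOS extended-ACL and policy route-map semantics the thread relies on, loads the route-map and ACLs exactly as posted, and evaluates a few constructed packets against the original and the corrected configuration. The Internet client addresses and ephemeral ports are made up (TEST-NET ranges) for illustration.

```python
"""Added example, not from the original post: a small model of how IOS
evaluates 'ip policy route-map ... match ip address <acl>'.  Only the ACL
syntax the thread uses is supported: 'any', 'host', wildcard masks, an
optional 'eq <port>' bound to the address it follows, and the implicit deny
at the end of every ACL.  A 'permit' sequence is taken when its ACL permits
the packet; otherwise the next sequence is tried, and with no match at all
the packet follows the normal routing table (here, the default route)."""
import ipaddress

NAMED_PORTS = {"www": 80}

def _addr_matcher(t, i):
    """Parse one address spec at t[i]; return (predicate, next index)."""
    if t[i] == "any":
        return (lambda ip: True), i + 1
    if t[i] == "host":
        want = int(ipaddress.IPv4Address(t[i + 1]))
        return (lambda ip: int(ip) == want), i + 2
    net = int(ipaddress.IPv4Address(t[i]))
    care = ~int(ipaddress.IPv4Address(t[i + 1])) & 0xFFFFFFFF  # wildcard 1 bits = don't care
    return (lambda ip: (int(ip) ^ net) & care == 0), i + 2

def _port_matcher(t, i):
    """Optional 'eq <port>' right after an address; absent means any port."""
    if i < len(t) and t[i] == "eq":
        want = NAMED_PORTS.get(t[i + 1]) or int(t[i + 1])
        return (lambda port: port == want), i + 2
    return (lambda port: True), i

def parse_acls(config_text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines, grouped by N."""
    acls = {}
    for line in config_text.strip().splitlines():
        t = line.split()
        src, i = _addr_matcher(t, 4)
        sport, i = _port_matcher(t, i)
        dst, i = _addr_matcher(t, i)
        dport, i = _port_matcher(t, i)
        acls.setdefault(t[1], []).append(
            {"permit": t[2] == "permit", "proto": t[3],
             "src": src, "sport": sport, "dst": dst, "dport": dport})
    return acls

def packet(src, dst, sport, dport, proto="tcp"):
    return {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "sport": sport, "dport": dport, "proto": proto}

def acl_permits(aces, pkt):
    """First matching entry decides; falling off the end is the implicit deny."""
    for a in aces:
        if a["proto"] in ("ip", pkt["proto"]) and a["src"](pkt["src"]) \
                and a["sport"](pkt["sport"]) and a["dst"](pkt["dst"]) \
                and a["dport"](pkt["dport"]):
            return a["permit"]
    return False

def policy_route(route_map, acls, pkt):
    """route_map: ordered (acl_number, next_hop) pairs; None = use the routing table."""
    for acl_number, next_hop in route_map:
        if acl_permits(acls.get(acl_number, []), pkt):
            return next_hop
    return None

# The route-map sequences and ACLs exactly as posted in the question.
INTERNET_ACCESS = [("110", "206.1.1.1"), ("120", "64.1.1.1"), ("130", "172.20.15.1")]
ORIGINAL_ACLS = parse_acls("""
access-list 110 deny   tcp host 172.20.2.4 any eq www
access-list 110 deny   tcp any host 170.20.2.4 eq www
access-list 110 deny   ip any 10.0.0.0 0.255.255.255
access-list 110 deny   ip any 159.0.0.0 0.0.255.255
access-list 120 permit tcp host 172.20.2.4 any eq www
access-list 120 permit tcp any host 172.20.2.4 eq www
access-list 130 permit ip any 10.0.0.0 0.255.255.255
access-list 130 permit ip any 159.0.0.0 0.0.255.255
""")
# The thread's fix: sequence 10 / ACL 110 dropped (no permit entry, so it never
# matches) and ACL 120 rewritten to match the server's replies by SOURCE port 80.
FIXED_MAP = [("120", "64.1.1.1"), ("130", "172.20.15.1")]
FIXED_ACLS = parse_acls("""
access-list 120 permit tcp host 172.20.2.4 eq www any
access-list 130 permit ip any 10.0.0.0 0.255.255.255
access-list 130 permit ip any 159.0.0.0 0.0.255.255
""")

# Constructed sample packets (TEST-NET addresses stand in for Internet hosts).
SERVER_REPLY = packet("172.20.2.4", "198.51.100.23", 80, 51234)      # web server answering a client
SERVER_BROWSING = packet("172.20.2.4", "203.0.113.5", 40000, 80)      # same host browsing out
OTHER_HOST_REPLY = packet("172.20.2.3", "198.51.100.23", 80, 51235)  # the Carrier 1 web server
B2B = packet("172.20.2.3", "10.9.8.7", 40001, 443)                    # partner traffic

if __name__ == "__main__":
    for name, pkt in [("server reply", SERVER_REPLY), ("server browsing", SERVER_BROWSING),
                      ("other host reply", OTHER_HOST_REPLY), ("B2B", B2B)]:
        print(f"{name:17} original -> {policy_route(INTERNET_ACCESS, ORIGINAL_ACLS, pkt)!s:12}"
              f" fixed -> {policy_route(FIXED_MAP, FIXED_ACLS, pkt)}")
```

Running it shows the web server's reply (source port 80) matching nothing in the original map and falling to the default route toward 206.1.1.1, i.e. leaving Carrier 1 with a 64.1.1.7 source, while the original ACL 120 line only ever catches the host's own outbound browsing. With the accepted fix the reply goes to 64.1.1.1. Note one consequence of replacing rather than adding the line: the host's own browsing then follows the default route out Carrier 1; if that host should also browse via Carrier 2, keep the original `permit tcp host 172.20.2.4 any eq www` entry alongside the corrected one (my suggestion, not from the thread). On the router itself, `show route-map INTERNET_ACCESS` reports per-sequence policy-routing match counters and `debug ip policy` shows each decision, which is the quickest way to confirm which sequence, if any, a reply is hitting.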
 
LVL 1

Author Closing Comment

by:David Blair
ID: 36911799
That sure was the problem.  Good eye!
0
 
LVL 17

Expert Comment

by:rochey2009
ID: 36911901
You're welcome.
0
