Dual ISP NAT - Route Specific Network

Hi,

I have got one LAN behind NAT and two ISP connections. I want to route five prefixes through the First-ISP and the rest of the traffic through the Second-ISP. I tried configuring route-maps but was still unsuccessful. Please view the config below. Help would be appreciated.

interface GigabitEthernet0/0
no ip address
ip flow ingress
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/0.10
description LAN
encapsulation dot1Q 10
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat enable
ip virtual-reassembly in
ip verify unicast reverse-path
no cdp enable
ip policy route-map 1
!
interface GigabitEthernet0/1
description First-ISP
ip address 1.1.1.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat enable
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
no lldp transmit
no lldp receive
no cdp enable
no mop enabled
!
interface GigabitEthernet0/2
description Second-ISP
ip address 9.9.9.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat enable
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
no lldp transmit
no lldp receive
no cdp enable
no mop enabled
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat source list 1 interface GigabitEthernet0/1 overload
ip nat source list 1 interface GigabitEthernet0/2 overload

ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 0.0.0.0 0.0.0.0 9.9.9.1

ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ip access-list extended external
permit ip any any

ip access-list extended internal
permit ip any 1.1.1.0 0.0.0.255
permit ip any 2.2.2.0 0.0.0.255
permit ip any 3.3.3.0 0.0.0.255
permit ip any 4.4.4.0 0.0.0.255
permit ip any 5.5.5.0 0.0.0.255
!
route-map 1 permit 10
match ip address internal
set ip next-hop 1.1.1.1
!
route-map 1 permit 20
match ip address external
set ip next-hop 9.9.9.1
!
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
Mustafa Chapal (CEO) asked:
JustInCase commented:
What you configured is PBR; its purpose is to route traffic according to the source of the traffic. According to your ACL for NAT, all addresses that are the source of traffic are in 192.168.0.0/24.

What you need to do is to create additional routes in the routing table (and you don't want to have 2 equal-cost default routes in the routing table). This is only needed if you do not want to use PBR.
no ip route 0.0.0.0 0.0.0.0 1.1.1.1
! next one is a little bit weird, but it is consistent with above configuration...
ip route 1.1.1.0 255.255.255.0 1.1.1.1
ip route 2.2.2.0 255.255.255.0 1.1.1.1
ip route 3.3.3.0 255.255.255.0 1.1.1.1
ip route 4.4.4.0 255.255.255.0 1.1.1.1
ip route 5.5.5.0 255.255.255.0 1.1.1.1
ip route 0.0.0.0 0.0.0.0 9.9.9.1
!
interface gi0/0.10
no ip policy route-map 1


Needed in any case:
Typically, if you are using 2 different interfaces for outgoing NATted traffic, instead of using a simple ACL in the NAT statement you should configure route-maps that match the source IP address and the outgoing interface.

access-list 100 permit ip 192.168.0.0 0.0.0.255 any
!
route-map NAT1 permit 10
match ip address 100
match interface GigabitEthernet0/1
!
route-map NAT2 permit 10
match ip address 100
match interface GigabitEthernet0/2
!
ip nat source list NAT1 interface GigabitEthernet0/1 overload
ip nat source list NAT2 interface GigabitEthernet0/2 overload


If what you are trying to achieve is PBR, you need to correct your ACLs for NAT (write 2 different ACLs for the source traffic of each interface) and correct the NAT (route-map) statements (also, you still should not have 2 equal-cost default routes present).
Something like:
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
!
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NAT1 permit 10
match ip address 100
match interface GigabitEthernet0/1
!
route-map NAT2 permit 10
match ip address 150
match interface GigabitEthernet0/2
!
ip nat source list NAT1 interface GigabitEthernet0/1 overload
ip nat source list NAT2 interface GigabitEthernet0/2 overload


And the statements in the ACL have the wrong direction for PBR (not any and then address, but address and then any: the first is the source, the second one is the destination). That's why I am not sure what you are trying to achieve (in combination with ACL 1) :) :
ip access-list extended internal
permit ip 1.1.1.0 0.0.0.255 any
permit ip 2.2.2.0 0.0.0.255 any
permit ip 3.3.3.0 0.0.0.255 any
permit ip 4.4.4.0 0.0.0.255 any
permit ip 5.5.5.0 0.0.0.255 any

Mustafa Chapal (CEO, Author) commented:
Hi Predrag,

Basically, my aim was to route specific networks through the First-ISP and the remaining traffic through the Second-ISP, and your first advice helped me fix that issue.

Also, please help me understand how PBR differs and how I can make use of it in this situation.

interface GigabitEthernet0/0
no ip address
ip flow ingress
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/0.10
description LAN
encapsulation dot1Q 10
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat enable
ip virtual-reassembly in
ip verify unicast reverse-path
no cdp enable
!
interface GigabitEthernet0/1
description First-ISP
ip address 1.1.1.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat enable
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
no lldp transmit
no lldp receive
no cdp enable
no mop enabled
!
interface GigabitEthernet0/2
description Second-ISP
ip address 9.9.9.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat enable
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
no lldp transmit
no lldp receive
no cdp enable
no mop enabled
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat source route-map 1 interface GigabitEthernet0/1 overload
ip nat source route-map 2 interface GigabitEthernet0/2 overload

ip route 0.0.0.0 0.0.0.0 9.9.9.1
ip route 1.1.1.0 255.255.255.0 1.1.1.1
ip route 2.2.2.0 255.255.255.0 1.1.1.1
ip route 3.3.3.0 255.255.255.0 1.1.1.1
ip route 4.4.4.0 255.255.255.0 1.1.1.1
ip route 5.5.5.0 255.255.255.0 1.1.1.1

ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ip access-list extended external
permit ip any any

ip access-list extended internal
permit ip 1.1.1.0 0.0.0.255 any
permit ip 2.2.2.0 0.0.0.255 any
permit ip 3.3.3.0 0.0.0.255 any
permit ip 4.4.4.0 0.0.0.255 any
permit ip 5.5.5.0 0.0.0.255 any
!
route-map 1 permit 10
match ip address 1
set interface GigabitEthernet0/1
!
route-map 2 permit 10
match ip address 1
set interface GigabitEthernet0/2
!
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
JustInCase commented:
Normal routing is done by comparing the destination IP address to the routes available in the routing table. The router always uses the most specific route to forward traffic.
PBR is used for redirecting traffic according to some criteria that cannot be used for routing (e.g. packet size, source IP address, etc.). Have in mind that PBR is "more expensive" than normal routing (more resources are needed than for normal routing).

If you want to send traffic to some specific location through a specific interface (ISP), you don't need PBR for that; just configure normal routing for it (create more specific routes for those destinations in the routing table). PBR would be used if, for example, you want to route traffic according to the source IP address.

Now, the ACLs internal and external, as far as I can see, are not needed and should be deleted.
no ip access-list extended external
no ip access-list extended internal

I am glad that problem is resolved.
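To make the two points of this thread concrete (destination-based longest-prefix routing from the last answer, and NAT route-map selection by source ACL plus egress interface from the first answer), here is a small added Python model that is not part of the thread or of any Cisco code. The routing table, ACL 100 and the NAT1/NAT2 route-maps are constructed from the values posted above; the function and variable names are my own.

```python
import ipaddress

# Constructed routing table from the thread: five /24 prefixes via the First-ISP
# next hop (1.1.1.1 on Gi0/1) and a single default route via the Second-ISP.
ROUTES = [
    ("0.0.0.0/0", "9.9.9.1", "GigabitEthernet0/2"),
    ("1.1.1.0/24", "1.1.1.1", "GigabitEthernet0/1"),
    ("2.2.2.0/24", "1.1.1.1", "GigabitEthernet0/1"),
    ("3.3.3.0/24", "1.1.1.1", "GigabitEthernet0/1"),
    ("4.4.4.0/24", "1.1.1.1", "GigabitEthernet0/1"),
    ("5.5.5.0/24", "1.1.1.1", "GigabitEthernet0/1"),
]

# access-list 100 permit ip 192.168.0.0 0.0.0.255 any, stored as (source, destination).
ACL_100 = [("192.168.0.0/24", "0.0.0.0/0")]

# route-map NAT1 / NAT2: each requires ACL 100 AND one specific outgoing interface.
NAT_ROUTE_MAPS = {
    "NAT1": ("GigabitEthernet0/1", ACL_100),
    "NAT2": ("GigabitEthernet0/2", ACL_100),
}


def lookup(dst):
    """Destination-based routing: return (next_hop, interface) of the most
    specific (longest) matching prefix, or None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, intf in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, intf)
    return (best[1], best[2]) if best else None


def acl_permits(acl, src, dst):
    """Extended ACL semantics: first operand is the source, second the destination."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
               for s, d in acl)


def nat_route_map(src, dst):
    """Choose the NAT route-map whose ACL and egress interface both match, which
    is what 'ip nat source route-map NATx interface ... overload' keys on."""
    hop = lookup(dst)
    if hop is None:
        return None
    for name, (intf, acl) in NAT_ROUTE_MAPS.items():
        if intf == hop[1] and acl_permits(acl, src, dst):
            return name
    return None  # not translated: wrong source or no NAT on that interface
```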