Dual NAT Overload

iproute · September 2007

Howdy all. I have a fairly simple problem with likely a simple answer. I've noticed that the 2611XM I'm working with won't readily accept a double NAT overload configuration. In short, I have two NAT outside links on which I'd like to do NAT overload (PAT). However, IOS seems to want to clear the previous NAT overload statement prior to accepting the second one. Is this a limitation or am I simply taking the wrong approach?

Basically I want to do the following: Two NAT outside links which I'd like to direct some traffic over one with the remainder of the traffic traversing the other.

Thanks in advance.

dtlokee · September 2007

Are you using the same access-list to determine what is allowed to be translated? This would confuse the router and it won't allow it. You may want to look into identity nat which uses a route map to control the nat process.

iproute · September 2007

dtlokee wrote:

Are you using the same access-list to determine what is allowed to be translated? This would confuse the router and it won't allow it. You may want to look into identity nat which uses a route map to control the nat process.

Yes, I am attempting to use the same ACL. I'll take a look at the alternatives. Thanks for the feedback

tech-airman · September 2007

iproute wrote:

Howdy all. I have a fairly simple problem with likely a simple answer. I've noticed that the 2611XM I'm working with won't readily accept a double NAT overload configuration. In short, I have two NAT outside links on which I'd like to do NAT overload (PAT). However, IOS seems to want to clear the previous NAT overload statement prior to accepting the second one. Is this a limitation or am I simply taking the wrong approach?

Basically I want to do the following: Two NAT outside links which I'd like to direct some traffic over one with the remainder of the traffic traversing the other.

Thanks in advance.

iproute,

What is the purpose of the two inside global IP addresses?

iproute · September 2007

tech-airman wrote:

iproute wrote:

Howdy all. I have a fairly simple problem with likely a simple answer. I've noticed that the 2611XM I'm working with won't readily accept a double NAT overload configuration. In short, I have two NAT outside links on which I'd like to do NAT overload (PAT). However, IOS seems to want to clear the previous NAT overload statement prior to accepting the second one. Is this a limitation or am I simply taking the wrong approach?

Basically I want to do the following: Two NAT outside links which I'd like to direct some traffic over one with the remainder of the traffic traversing the other.

Thanks in advance.

iproute,

What is the purpose of the two inside global IP addresses?

Long story short, one IP address is dynamic and one is static (the provider of the dynamic wasn't able to provide us with a static for that connection). We use various services that only allow traffic from IP addresses that we specify. Since the dynamic address (which is the main Internet connection) changes from time to time, we need to route traffic for these services over the much slower link that is associated with a static IP address.

iproute · September 2007

As for configs, this is basically it:

Interface Configs
FA0/0 - ip nat inside
FA0/1 - ip nat outside (Dynamic IP Link)
S0/0 - ip nat outside (Static IP Link)

NAT Configs
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source list 2 interface Serial0/0 overload

ACLs
1: permit 10.10.0.0, wildcard bits 0.0.255.255
2: permit 10.10.0.0, wildcard bits 0.0.255.255

Static Route for Testing
4.2.2.2 [1/0] via 8.8.8.8

Results
I can get out (ping) 4.2.2.2 via the router but the workstation hangs.

A sh ip nat tra | inc workstation_ip shows that the router is trying to do NAT, but it's showing the inside global address of the dynamic IP link instead of the static. I'm going to take a stab as to why and say that it may be because the two ACLs for the two NAT statements use the same block of inside local IP addresses, this could be causing some confusion.

iproute · September 2007

dtlokee wrote:

You may want to look into identity nat which uses a route map to control the nat process.

I'm mildly familiar with route maps but have not heard of "identity nat" until you mentioned it. I'm trying to find some documentation via Google to assist, but not having much luck.

dtlokee · September 2007

Are both of the Internet connections to the same ISP? You may have some issues providing static routes based on the two connections you have. Since your FastEthernet connection is dynamic, how are you creating a default route to the provider?

here is an example of using route map with nat

ip nat inside source route-map FastEthernet interface FastEthernet0/1
!
ip nat inside source route-map Serial interafce serial0/0
!
access-list 1 permit 10.10.0.0 0.0.255.255
!
route-map FastEthernet permit 10
 match interface FastEthernet0/1
 match ip address 1
!
route-map ISP2_MAP permit 10
 Match interface Serial0/0 
 Match ip address 1
!

iproute · September 2007

dtlokee wrote:
Are both of the Internet connections to the same ISP? You may have some issues providing static routes based on the two connections you have. Since your FastEthernet connection is dynamic, how are you creating a default route to the provider?

here is an example of using route map with nat
ip nat inside source route-map FastEthernet interface FastEthernet0/1
!
ip nat inside source route-map Serial interafce serial0/0
!
access-list 1 permit 10.10.0.0 0.0.255.255
!
route-map FastEthernet permit 10
 match interface FastEthernet0/1
 match ip address 1
!
route-map ISP2_MAP permit 10
 Match interface Serial0/0 
 Match ip address 1
!

Thanks for the response dtlokee. The two Internet connections are from two different ISPs (one being a DSL line and the other being a T1). For the DSL (the default route), we were provided with a device they call a DSL modem (which is actually a DSL bridge, a router, and a switch in one). This device is configured to obtain all of its WAN IP information automatically from the provider. We then set this "DSL Modem" as the default route on the router and perform NAT on the interface.

I'll look into trying your route map with NAT example. Thanks.

rossonieri#1 · September 2007

iproute wrote:

Results
I can get out (ping) 4.2.2.2 via the router but the workstation hangs.

hi iproute,

what exactly does it mean hangs? like RTO or something?

i've used almost the same config as you are at home - but no problem so far.
1 using static ADSL line and the other is cable. default route using cable, doing NAT-overload in both interfaces, and make a telnet connection to remote-sites using the ADSL line with basic ip route.

hmmm... try to pass all connection in the ACL --> permit any - lets see how it works.

HTH.

Cheers.

iproute · September 2007

rossonieri#1 wrote:

what exactly does it mean hangs? like RTO or something?

Sorry for the lack of clarity. The workstation can not access networks which have been routed over the secondary Internet link (T1). I've tested with ping and http. With http, a white page is displayed until it errors out. With ping "request timed out."

iproute · September 2007

rossonieri#1 wrote:

hmmm... try to pass all connection in the ACL --> permit any - lets see how it works.

This configuration results in the same behavior.

(config)#do show access-list 2
Standard IP access list 2
    10 permit any

dtlokee · September 2007

The problem may be that when it translates the addresses it is using the ip address provided by ISP 1 but sending it on the link to ISP 2, which sees this as a spoofed source address (since it's not in their address block) and drops it. That is why I suggested using a route map to determine what IP address to translate to based upon the exit interface.

iproute · September 2007

dtlokee wrote:

The problem may be that when it translates the addresses it is using the ip address provided by ISP 1 but sending it on the link to ISP 2, which sees this as a spoofed source address (since it's not in their address block) and drops it. That is why I suggested using a route map to determine what IP address to translate to based upon the exit interface.

Well dtlokee, I owe you a thanks. I fumbled around a little bit as I stumbled into new waters, causing some very brief Internet disconnectivity, but after all is said and done it seems to work just fine! My NAT translation table shows translations occurring on both links and I can ping/trace my test 4.2.2.2 address. Many thanks to you!

dtlokee · September 2007

I love it when a plan comes together!

rossonieri#1 · September 2007

iproute wrote:
rossonieri#1 wrote:

hmmm... try to pass all connection in the ACL --> permit any - lets see how it works.

This configuration results in the same behavior.
(config)#do show access-list 2
Standard IP access list 2
    10 permit any

hmmm...

in my config i just did an ip route somewhere via this interface - not via this ip,
not a very complicated thing to be done.

just my opinion.

but - i see it has worked for you now - good then.

cheers..

iproute · September 2007

rossonieri#1 wrote:
iproute wrote:
rossonieri#1 wrote:

hmmm... try to pass all connection in the ACL --> permit any - lets see how it works.

This configuration results in the same behavior.
(config)#do show access-list 2
Standard IP access list 2
    10 permit any
hmmm...

in my config i just did an ip route somewhere via this interface - not via this ip,
not a very complicated thing to be done.

just my opinion.

but - i see it has worked for you now - good then.

cheers..

Your right, that may have helped too. The router may have been attempting to route packets to link 1's first hop via link 2. Specifying the interface in the IP route may have helped that. I'd test it but don't want to cause an outage just to validate an idea. Thanks for the feedback.

Dual NAT Overload

Comments