Multi-Homing NAT

Agent6376 Member Posts: 201
Good evening TE. I've got a client site that has three internet connections, and I'd like to utilize the different WAN links for external services. Currently, external services only work on the active ISP that holds the default route.

Default Route statements:
ip route *Active Route* 10 track 100
ip route *Backup Route* 20 track 200
ip route *Backup Route* 30

Overload statements:
ip nat inside source route-map Fa4 interface FastEthernet4 overload
ip nat inside source route-map Vlan10 interface Vlan10 overload
ip nat inside source route-map Vlan20 interface Vlan20 overload

Static Nat statement example:
ip nat inside source static tcp 80 w.x.y.z 80 route-map ALLOWTUNNEL_NUVOX extendable
ip nat inside source static tcp 80 w.x.y.x 80 route-map ALLOWTUNNEL_ATT extendable
ip nat inside source static tcp 80 w.x.y.z 80 route-map ALLOWTUNNEL_COX extendable

route-map ALLOWTUNNEL_ATT permit 10
match ip address ALLOWTUNNEL
match interface Vlan10

route-map ALLOWTUNNEL_NUVOX permit 10
match ip address ALLOWTUNNEL
match interface Vlan20

route-map ALLOWTUNNEL_COX permit 10
match ip address ALLOWTUNNEL
match interface FastEthernet4

Allowtunnel ACL:
10 deny ip host
20 deny ip host
30 permit ip host any

Alright, now to the question: It's my understanding that external access will only work on the interface that has the active default route, since even if the route maps were to route traffic back out their original interface, they would still attempt to take the default route for the active ISP and fail. I've tried policy-based routing on each of the interfaces to manually set the next-hop IP of the ISP default gateway, but that failed also. I've got a feeling that I'm over-complicating this scenario, as I've done this in the past on Watchguard gear without any issues.

Any help would be appreciated.


  • deth1k Member Posts: 312

    First of all, you haven't shown us all the config, i.e. the route-maps for your NAT.
    You can do load balancing/policy routing just using your NAT configuration and extended access lists. For example, use link number one for web access only, and so on. This all depends on the requirement; however, all the default routes will have to have the same admin distance, otherwise they won't make it into the routing table / FIB. Although it's nice to load balance the traffic, this setup will cause some suboptimal / asymmetric routing whereby your traffic will be going out of link #1 and coming back in on link #2, which will cause some applications to freeze or time out. Having multiple routers and BGP in this setup would avoid the problem I've just described.
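The reply above describes a per-service split across links using NAT route-maps, extended ACLs and equal-distance default routes. The configuration below is an added example written for this page, not something posted in the thread, showing that shape for two of the three links on IOS. Interface names (FastEthernet4, Vlan10) and track numbers (100, 200) are taken from the poster's config; the inside LAN (192.168.10.0/24 on Vlan1), the ISP next hops (RFC 5737 documentation addresses) and all ACL and route-map names are assumptions.

```text
! Added example, not the poster's config. Inside LAN, ISP next hops and all
! object names are assumed; interfaces and track numbers follow the thread.
!
! Weak setting (what the poster has): backup defaults carry a worse
! administrative distance, so only the active one is installed in the
! RIB/FIB and every flow leaves on that link whatever the NAT route-maps say.
!   ip route 0.0.0.0 0.0.0.0 <ISP-A gateway> 10 track 100
!   ip route 0.0.0.0 0.0.0.0 <ISP-B gateway> 20 track 200
!
! Reachability tracking for each ISP gateway (assumed addresses).
ip sla 1
 icmp-echo 203.0.113.1 source-interface FastEthernet4
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 198.51.100.1 source-interface Vlan10
 frequency 10
ip sla schedule 2 life forever start-time now
track 100 ip sla 1 reachability
track 200 ip sla 2 reachability
!
! Corrected: equal administrative distance (default 1), each still tied to
! its track, so both defaults sit in the routing table while their link is up.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 100
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 200
!
! Extended ACLs classify inside traffic: web on link one, everything else on
! link two.
ip access-list extended WEB_FROM_INSIDE
 permit tcp 192.168.10.0 0.0.0.255 any eq 80
 permit tcp 192.168.10.0 0.0.0.255 any eq 443
ip access-list extended REST_FROM_INSIDE
 deny   tcp 192.168.10.0 0.0.0.255 any eq 80
 deny   tcp 192.168.10.0 0.0.0.255 any eq 443
 permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended INSIDE_NETS
 permit ip 192.168.10.0 0.0.0.255 any
!
! Policy routing on the inside interface pins each class to a preferred ISP
! next hop and falls back to the other only when its track is down.
route-map PBR_INSIDE permit 10
 match ip address WEB_FROM_INSIDE
 set ip next-hop verify-availability 203.0.113.1 10 track 100
 set ip next-hop verify-availability 198.51.100.1 20 track 200
route-map PBR_INSIDE permit 20
 match ip address REST_FROM_INSIDE
 set ip next-hop verify-availability 198.51.100.1 10 track 200
 set ip next-hop verify-availability 203.0.113.1 20 track 100
!
interface Vlan1
 description inside LAN (assumed)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip policy route-map PBR_INSIDE
!
! NAT route-maps key only on the egress interface, so whichever link PBR
! or the routing table picks, the packet is translated to that link's address.
route-map NAT_LINK1 permit 10
 match ip address INSIDE_NETS
 match interface FastEthernet4
route-map NAT_LINK2 permit 10
 match ip address INSIDE_NETS
 match interface Vlan10
!
ip nat inside source route-map NAT_LINK1 interface FastEthernet4 overload
ip nat inside source route-map NAT_LINK2 interface Vlan10 overload
```

Check the result with show ip route (both defaults present), show track, show route-map PBR_INSIDE (policy match counters) and show ip nat translations (web sessions translated to the FastEthernet4 address, the rest to Vlan10). Two caveats: this only pins sessions that start from the inside, since IOS routes an inside-to-outside packet before it translates it, so the reply to an inbound session toward a static-NAT host is routed on its real source address and the inside PBR cannot tell which ISP the request arrived on, which is exactly the failure the opening post describes; and any flow the policy does not pin is load-shared per destination across the equal defaults, so the asymmetric-routing problem from the reply still applies to it.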
  • mikearama Member Posts: 749
    I haven't done what you describe, but a hardware load balancer should also do the trick. We use ACE modules to load balance incoming web traffic... it wouldn't be difficult to create a context in an ACE and add the exit routers as your "rservers", then load balance across the exits.

    In thinking about it, the ACE would be perfect, as it provides a "sticky" solution that keeps a flow going through the same router, so no loops or SYN/ACK issues occur. But as deth said, that would require a router per exit.
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
  • Agent6376 Member Posts: 201
    Thanks for the replies guys. Unfortunately, additional hardware is out of the picture, so from the looks of it, a failover scenario will have to stay in place. It's a shame to pay for links that never get utilized, especially when a Watchguard does it so easily.