RE: Nat expandable via two ISPs, is it possible ?

From: Ming Wu (triowu@cox.net)
Date: Sun Aug 15 2004 - 17:47:20 GMT-3


Alsontra,

Inside->out works great.
The problem is outside->in with only one default gateway on the return
traffic.
1. When the return traffic 10.0.7.21 hits BVI107 with destination
68.4.195.82
2. The packet itself does not have any information that it is initially
sourced and NATed from BVI190.
3. Therefore, it passes access-list, policy routing, and selects based on
the routing table, which is the default gateway 64.81.36.33 on BVI46 for
outbound.
4. Then it hits the NAT inside to outside, which gets translated back to
12.35.191.170 and sent out to interface BVI46, which gets dropped.

So, I think the only way for it to work is to NAT the source to a
known/controlled IP such as 12.35.191.169 in addition to the destination
NAT. Then the return traffic can be controlled via policy routing.

Any comment or hint is appreciated.

Ming

-----Original Message-----
From: alsontra@hotmail.com [mailto:alsontra@hotmail.com]
Sent: Saturday, August 14, 2004 9:53 PM
To: Ming Wu; ccielab@groupstudy.com
Subject: Re: Nat expandable via two ISPs, is it possible ?

Ming,

If you have Routing TCP/IP volume II, check out pages 370-381. CASE STUDY:
ISP Multihoming with NAT. What you are trying to do is explained in detail.
In short, it is possible. I've configured it several times.

HTH
Alsontra

----- Original Message -----
From: "Ming Wu" <triowu@cox.net>
To: <ccielab@groupstudy.com>
Sent: Saturday, August 14, 2004 6:04 PM
Subject: Nat expandable via two ISPs, is it possible ?

> Goal is to have the same inside server 10.0.7.21 accessible by outside via
> two independent ISP IP addresses (64.81.36.40 & 12.35.191.170). Is it
> possible via Policy routing, NAT, and Route-map? If not, any suggestion?
> Thanks...
>
> interface BVI46 (ISP2)
> ip address 64.81.36.34 255.255.255.224
> ip nat outside
> ip policy route-map RMap2ISP1
> interface BVI190 (ISP1)
> ip address 12.35.191.162 255.255.255.224
> ip nat outside
> interface BVI107
> ip address 10.0.7.1 255.255.255.0
> ip nat inside
>
> ip nat inside source static 10.0.7.21 64.81.36.40 extendable
> ip nat inside source static 10.0.7.21 12.35.191.170 extendable
>
> ip route 0.0.0.0 0.0.0.0 64.81.36.33
>
> route-map RMap2ISP1 permit 10
> match ip address ToISP1
> set ip next-hop 12.35.191.161
>
> ip access-list extended ToISP1
> deny ip any 10.0.0.0 0.255.255.255
> deny ip any 192.168.0.0 0.0.255.255
> permit ip 12.35.191.160 0.0.0.31 any
>
> NAT: o: icmp (68.4.195.82, 512) -> (12.35.191.170, 512) [12145]
> NAT: s=68.4.195.82, d=12.35.191.170->10.0.7.21 [12145]
> IP: s=68.4.195.82 (BVI190), d=10.0.7.21 (BVI107), g=10.0.7.21, len 60,
> forward
> NAT: i: icmp (10.0.7.21, 512) -> (68.4.195.82, 512) [25288]
> NAT: s=10.0.7.21->12.35.191.170, d=68.4.195.82 [25288]
> IP: s=12.35.191.170 (BVI107), d=68.4.195.82 (BVI46), g=64.81.46.33***, len
> 60, forward
>
> *** The gateway should have been 12.35.191.161, but...
>
> Any help (maybe using loopback interface) is appreciated...
>



This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:44 GMT-3
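
Added example (not part of the thread or of any poster's configuration): a small Python model of the return-packet walk in Ming's steps 1-4, assuming the IOS inside-to-outside order in which policy routing and the route lookup run before NAT. The addresses come from the posts; the function names, the idea of applying the route-map on BVI107, and the `acl_by_snat_dst` match are hypothetical and used only for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's router; addresses are the ones in the posts.
DEFAULT_GW = ("BVI46", "64.81.36.33")     # ip route 0.0.0.0 0.0.0.0 64.81.36.33
ISP1_GW = ("BVI190", "12.35.191.161")     # set ip next-hop 12.35.191.161
SERVER, CLIENT = "10.0.7.21", "68.4.195.82"
ISP1_GLOBAL = "12.35.191.170"             # static NAT global on ISP1
SNAT_ADDR = "12.35.191.169"               # controlled source address Ming proposes


def in_net(addr, net):
    return ip_address(addr) in ip_network(net)


def return_path(pbr_on_inside, acl, snat_client):
    """Trace the server's reply arriving on BVI107: policy routing and the
    route lookup run first, NAT inside->outside runs last."""
    # Reply header as it arrives on the inside interface (still untranslated).
    src = SERVER
    dst = SNAT_ADDR if snat_client else CLIENT
    # 1. Policy routing sees the pre-NAT header, and only when the route-map
    #    is applied to the interface the packet arrives on.
    if pbr_on_inside and acl(src, dst):
        egress, gw = ISP1_GW
    else:
        egress, gw = DEFAULT_GW           # 2. otherwise the default route wins
    # 3. NAT rewrites the header after the egress is chosen (existing entry).
    return {"src": ISP1_GLOBAL, "dst": CLIENT, "egress": egress, "gw": gw}


def acl_posted(src, dst):
    """ToISP1 as posted: deny to 10/8 and 192.168/16, permit src 12.35.191.160/27."""
    if in_net(dst, "10.0.0.0/8") or in_net(dst, "192.168.0.0/16"):
        return False
    return in_net(src, "12.35.191.160/27")


def acl_by_snat_dst(src, dst):
    """Hypothetical replacement ACL: match the controlled address as destination."""
    return dst == SNAT_ADDR


as_posted = return_path(False, acl_posted, False)    # route-map on BVI46 only
moved = return_path(True, acl_posted, False)         # same ACL, applied on BVI107
proposed = return_path(True, acl_by_snat_dst, True)  # source NAT plus new match
```

In this model the posted ACL never matches on BVI107 because the reply still carries source 10.0.7.21 at that point, which is why only the source-NAT variant leaves via BVI190.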