Re: Nat expandable via two ISPs, is it possible ? - it is

From: alsontra@hotmail.com
Date: Sun Aug 15 2004 - 22:57:34 GMT-3


> "The problem is outside->in with only one default gateway on the return
> traffic."

Ming,
        I think you are correct and to get around that issue I would try
using "outgoing" interface in your route-maps and not next_hop IP. I think
next_hop_ip, in this scenario, is always the same. My suggestions follow:

pseudo code -

ip nat inside source route-map RMap2ISP1 (pool or interface)
ip nat inside source route-map RMap2ISP2 (pool or interface)

ip nat inside source static 10.0.7.21 64.81.36.40 extendable
ip nat inside source static 10.0.7.21 12.35.191.170 extendable

route-map RMap2ISP1 permit 10
match ip address (inside address range)
match interface BVI190

route-map RMap2ISP2 permit 10
match ip address (inside address range)
match interface BVI46

As another member mentioned, it is important to remember that you need two
DNS servers external to your organization pointed at the two publicly
accessible address ranges (typically your ISP). It is also important to note
that I have never done this with BVIs!!! ;-) In my previous
configurations, I have used sub-interfaces on serial and Ethernet
interfaces. It works great! If the code fragment above does not help,
perhaps we can take this offline and get more specific.

Routing TCP/IP volume II, check out pages 370-381

HTH
Alsontra

----- Original Message -----
From: "Ming Wu" <triowu@cox.net>
To: <alsontra@hotmail.com>; <ccielab@groupstudy.com>
Sent: Sunday, August 15, 2004 1:47 PM
Subject: RE: Nat expandable via two ISPs, is it possible ?

> Alsontra,
>
> Inside->out works great.
> The problem is outside->in with only one default gateway on the return
> traffic.
> 1. When the return traffic 10.0.7.21 hits BVI107 with destination
> 68.4.195.82
> 2. The packet itself does not have any information that it is initially
> sourced and NATed from BVI190.
> 3. Therefore, it passes access-list, policy routing, and selects based on
> the routing table, which is the default gateway 64.81.36.33 on BVI46 for
> outbound.
> 4. Then it hits the NAT inside to outside, which gets translated back to
> 12.35.191.170 and sent out to interface BVI46, which gets dropped.
>
> So, I think the only way for it to work is to NAT the source to a
> known/controlled IP such as 12.35.191.169 in addition to the destination
> NAT. Then the return traffic can be controlled via policy routing.
>
> Any comment or hint is appreciated.
>
> Ming
>
>
>
> -----Original Message-----
> From: alsontra@hotmail.com [mailto:alsontra@hotmail.com]
> Sent: Saturday, August 14, 2004 9:53 PM
> To: Ming Wu; ccielab@groupstudy.com
> Subject: Re: Nat expandable via two ISPs, is it possible ?
>
>
> Ming,
>
> If you have Routing TCP/IP volume II, check out pages 370-381. CASE STUDY:
> ISP Multihoming with NAT. What you are trying to do is explained in detail.
> In short, it is possible. I've configured it several times.
>
> HTH
> Alsontra
>
> ----- Original Message -----
> From: "Ming Wu" <triowu@cox.net>
> To: <ccielab@groupstudy.com>
> Sent: Saturday, August 14, 2004 6:04 PM
> Subject: Nat expandable via two ISPs, is it possible ?
>
>
> > Goal is to have the same inside server 10.0.7.21 accessible by outside via
> > two independent ISP IP addresses (64.81.36.40 & 12.35.191.170). Is it
> > possible via Policy routing, NAT, and Route-map? If not, any suggestion?
> > Thanks...
> >
> > interface BVI46 (ISP2)
> > ip address 64.81.36.34 255.255.255.224
> > ip nat outside
> > ip policy route-map RMap2ISP1
> > interface BVI190 (ISP1)
> > ip address 12.35.191.162 255.255.255.224
> > ip nat outside
> > interface BVI107
> > ip address 10.0.7.1 255.255.255.0
> > ip nat inside
> >
> > ip nat inside source static 10.0.7.21 64.81.36.40 extendable
> > ip nat inside source static 10.0.7.21 12.35.191.170 extendable
> >
> > ip route 0.0.0.0 0.0.0.0 64.81.36.33
> >
> > route-map RMap2ISP1 permit 10
> > match ip address ToISP1
> > set ip next-hop 12.35.191.161
> >
> > ip access-list extended ToISP1
> > deny ip any 10.0.0.0 0.255.255.255
> > deny ip any 192.168.0.0 0.0.255.255
> > permit ip 12.35.191.160 0.0.0.31 any
> >
> > NAT: o: icmp (68.4.195.82, 512) -> (12.35.191.170, 512) [12145]
> > NAT: s=68.4.195.82, d=12.35.191.170->10.0.7.21 [12145]
> > IP: s=68.4.195.82 (BVI190), d=10.0.7.21 (BVI107), g=10.0.7.21, len 60,
> > forward
> > NAT: i: icmp (10.0.7.21, 512) -> (68.4.195.82, 512) [25288]
> > NAT: s=10.0.7.21->12.35.191.170, d=68.4.195.82 [25288]
> > IP: s=12.35.191.170 (BVI107), d=68.4.195.82 (BVI46), g=64.81.46.33***, len 60, forward
> >
> > *** The gateway should have been 12.35.191.161, but...
> >
> > Any help (may be using loopback interface) is appreciated...
> >
> > _______________________________________________________________________
> > Please help support GroupStudy by purchasing your study materials from:
> > http://shop.groupstudy.com
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
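As an added example (not from any of the posts above), a small Python model of the order of operations that Ming's debug output implies: inside-to-outside traffic is policy-routed before inside-source NAT, so the ACL ToISP1 (12.35.191.160/27) is evaluated against 10.0.7.21 and the reply falls through to the default gateway. The second case models Ming's follow-up idea of also translating the outside source to 12.35.191.169 and policy-routing on that destination. The `pbr_field` switch and the dictionary layout are this model's own, not IOS.

```python
"""Toy model of the IOS packet pipeline described in the thread (added
example, not from the original posts). For inside->outside traffic IOS
runs policy routing before inside-source NAT, so a route-map ACL written
against 12.35.191.160/27 never sees the translated address and the reply
falls through to the default gateway on BVI46."""
import ipaddress
from collections import namedtuple

Decision = namedtuple("Decision", "src dst gateway interface")

INSIDE_SERVER = "10.0.7.21"
DEFAULT_ROUTE = ("64.81.36.33", "BVI46")      # ip route 0.0.0.0 0.0.0.0
ISP1_NEXT_HOP = ("12.35.191.161", "BVI190")   # set ip next-hop in RMap2ISP1
ACL_TOISP1 = ipaddress.ip_network("12.35.191.160/27")

def inbound(outside_src, public_dst, controlled_src=None):
    """Outside->inside: NAT runs first, then routing. Returns the entry the
    router keeps for the session. controlled_src models Ming's follow-up
    idea of also translating the outside source to a known address."""
    return {"inside": INSIDE_SERVER,
            "outside_local": controlled_src or outside_src,
            "outside_global": outside_src,
            "public": public_dst}

def reply(entry, pbr_field):
    """Inside->outside: PBR sees the UNtranslated packet, then NAT applies.
    pbr_field is 'src' (ACL ToISP1 as posted) or 'dst' (model of Ming's idea)."""
    candidate = entry["inside"] if pbr_field == "src" else entry["outside_local"]
    if ipaddress.ip_address(candidate) in ACL_TOISP1:
        gateway, iface = ISP1_NEXT_HOP
    else:
        gateway, iface = DEFAULT_ROUTE
    # NAT inside->outside reuses the entry created by the inbound packet
    return Decision(entry["public"], entry["outside_global"], gateway, iface)

def as_posted():
    """Ming's debug: packet arrives via ISP1, reply is routed toward 64.81.36.33."""
    return reply(inbound("68.4.195.82", "12.35.191.170"), "src")

def with_source_nat():
    """Ming's suggestion: also NAT the outside source to 12.35.191.169 and
    policy-route on that destination; the reply now follows ISP1."""
    return reply(inbound("68.4.195.82", "12.35.191.170", "12.35.191.169"), "dst")

if __name__ == "__main__":
    print(as_posted())        # gateway 64.81.36.33 on BVI46: wrong ISP
    print(with_source_nat())  # gateway 12.35.191.161 on BVI190
```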



This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:44 GMT-3