RE: conditional NAT

From: Geert Nijs (geert.nijs@simac.be)
Date: Fri Jan 07 2005 - 11:03:28 GMT-3


Hi,

Good news: what you need is conditional policy based routing :-)
So, load up the latest IOS release, and unleash the power of IOS!:

Using SAA, track an IP address on the other side of each ISP connection
(other side of the point-to-point connection is great)

! Y.Y.Y.Y = default router on the other side of ISP1
rtr 1
 type echo protocol ipIcmpEcho Y.Y.Y.Y
rtr schedule 1 start-time now life forever

track 123 rtr 1 reachability

! X.X.X.X = default router on the other side of ISP2
rtr 2
 type echo protocol ipIcmpEcho X.X.X.X
rtr schedule 2 start-time now life forever

track 321 rtr 2 reachability

Then take your policy-based routing config and change to:

! Next hops are tried in order of sequence number (lowest first);
! a next hop is used only while its track object is up.
route-map salidaeth permit 10
 match ip address 101
 set ip next-hop verify-availability X.X.X.X 10 track 321
 set ip next-hop verify-availability Y.Y.Y.Y 20 track 123
!
route-map salidaeth permit 20
 match ip address 102
 set ip next-hop verify-availability Y.Y.Y.Y 10 track 123
 set ip next-hop verify-availability X.X.X.X 20 track 321

Maybe you need to experiment a bit with the IP addresses you track, but
you should be able to get it working with this. No need for a special
NAT config.

Regards,
Geert
CCIE #13729
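
The failover behaviour of the tracked route-map above, together with the per-interface NAT from the quoted message below, as a simplified model. This is an added example, not code from the thread: the addresses, the Dialer1/Dialer2 interface names and the ACL subnets are constructed, and the second clause is numbered on the assumption that Y.Y.Y.Y is meant to be preferred for ACL 102.

```python
# Simplified model of tracked policy routing plus NAT-by-egress-interface.
# Added example; every address and interface name below is constructed.
import ipaddress

X, Y = "192.0.2.1", "198.51.100.1"        # stand-ins for X.X.X.X (ISP2) and Y.Y.Y.Y (ISP1)
EGRESS = {X: "Dialer2", Y: "Dialer1"}     # assumed outside interface behind each next hop
NAT_ADDR = {"Dialer1": "198.51.100.2",    # assumed public address negotiated per interface
            "Dialer2": "192.0.2.2"}

# Assumed contents of ACL 101 and ACL 102 (the two groups of inside subnets).
ACLS = {101: ipaddress.ip_network("10.1.1.0/24"),
        102: ipaddress.ip_network("10.1.2.0/24")}

# route-map salidaeth: (acl, [(sequence, next_hop, track_object), ...])
ROUTE_MAP = [
    (101, [(10, X, 321), (20, Y, 123)]),
    (102, [(10, Y, 123), (20, X, 321)]),
]

def pick_next_hop(src, track_up):
    """First matching clause wins; inside it, the lowest sequence number
    whose track object is up supplies the next hop."""
    addr = ipaddress.ip_address(src)
    for acl, hops in ROUTE_MAP:
        if addr in ACLS[acl]:
            for _seq, hop, track in sorted(hops):
                if track_up.get(track, False):
                    return hop
            return None    # no verified next hop: left to the normal routing table
    return None            # not policy-routed at all

def forward(src, track_up):
    """Return (egress interface, NAT source address), or None when the
    packet is not policy-routed. The NAT address follows the egress
    interface, as with 'match interface' in the NAT route-maps."""
    hop = pick_next_hop(src, track_up)
    if hop is None:
        return None
    iface = EGRESS[hop]
    return iface, NAT_ADDR[iface]

if __name__ == "__main__":
    for state in ({123: True, 321: True}, {123: True, 321: False}):
        print(state, forward("10.1.1.5", state), forward("10.1.2.5", state))
```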

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
fferrer10@vodafone.es
Sent: Friday 7 January 2005 12:06
To: Matt Mullen; ccielab@groupstudy.com
Subject: Re: conditional NAT

Matt:

Firstly, thank you very much for the info.

The sample you provided is good if you aren't using DIALER interfaces to
control the Internet access (ADSL in my case, as I said in my
previous mail).

Our provider uses some kind of PPP over ATM on these ADSL lines, and the
typical config on the ADSL router is like this one:

interface ATM0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1

interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp chap hostname PA281XI1
 ppp chap password 7 032B032A2C5C157E7A

As you can guess, the problem I have is that a DIALER interface is
always UP/UP (spoofing), no matter whether the access line (ADSL) is up or
down. Then, if one of the 2 ADSL lines I have to go out fails, I can't access
the Internet via the other one.

I have tried to configure this ADSL with a virtual-template interface
instead of the dialer interface, but I can't get the remote end
to give me the public IP address to work with this config...

Has anyone seen a problem like this and knows a solution?

Regards

----- Original Message -----
From: Matt Mullen <mullenm@gmail.com>
Date: Tuesday, January 4, 2005 10:17 pm
Subject: Re: conditional NAT

> Hi,
>
> Here is a configuration that will allow traffic to be port address
> translated to the public IP address on the interface which the traffic
> is leaving. The key is the 'match interface' command on the
> route-map which causes the traffic to be translated based on the
> interface that it is passing through. If one interface goes down,
> traffic will always leave the other one that is up and will be
> translated to the public IP of that interface.
>
> interface Serial0
>  description ISP-A
>  ip address 88.88.88.88 255.255.255.252
>  ip nat outside
>
> interface Serial1
>  description ISP-B
>  ip address 99.99.99.99 255.255.255.252
>  ip nat outside
>
> interface Ethernet0
>  description Inside
>  ip address 10.1.1.1 255.255.255.0
>  ip nat inside
>
> ip nat inside source route-map ISP-A interface Serial0 overload
> ip nat inside source route-map ISP-B interface Serial1 overload
>
> route-map ISP-A permit 10
>  match interface Serial0
>  match ip address 100
>
> route-map ISP-B permit 10
>  match interface Serial1
>  match ip address 100
>
> access-list 100 permit ip 10.1.1.0 0.0.0.255 any
>
>
> HTH,
> Matt
>
>
>
>
> On Tue, 04 Jan 2005 19:44:59 +0100, fferrer10@vodafone.es
> <fferrer10@vodafone.es> wrote:
> > Hi group:
> >
> > Does anyone know a way to configure some form of "conditional natting"?
> > That is, I have 1 router with 2 ADSL interfaces to connect to the
> > Internet, and I want to load balance the traffic using both
> > interfaces... then I thought: well, maybe using policy based routing I
> > could redirect a group of internal subnets to one interface and the
> > other group to the other, configuring a route-map like this one:
> >
> > route-map salidaeth permit 10
> > match ip address 101
> > set default interface atm0/0 atm0/1
> > !
> > route-map salidaeth permit 20
> > description toINTERNET
> > match ip address 102
> > set default interface atm0/1 atm0/0
> >
> > Where 101 and 102 are ACLs matching the subnets I mentioned...
> >
> > However, this router must also do the natting, and I only have the 2
> > public IP addresses of the ADSL interfaces to use, and I must ensure
> > that if one ADSL interface goes down, all the traffic uses the other
> > ADSL interface to go to the Internet. Also, I can't use BGP on this
> > router.
> >
> > Then, I'm wondering if there is any way to NAT the subnets matching
> > ACL 101 to the IP of atm0/0 if atm0/0 is up, and to NAT them to the IP
> > of atm0/1 if it is down (and similarly with the other group of
> > subnets).
> >
> > Regards
> >
> >
>



This archive was generated by hypermail 2.1.4 : Wed Feb 02 2005 - 22:10:19 GMT-3