[c-nsp] route-map & nat predicament

Chris Knipe savage at savage.za.org
Sun Jun 19 07:05:11 EDT 2011


Hi All,

A bit of a tough one that I cannot seem to find a solution for.   Diagram:

                         ----- ISP1
PIX --- Cisco 8345 -----|
                         ----- ISP2

Our PIX is configured with x.x.x.5, whilst the LAN side of the 3847 has
x.x.x.1.  We have static IPs from ISP1 and ISP2, with a BGP session to ISP2
but not from ISP1 (by choice, due to bandwidth constraints).  Our default
route goes out via ISP2.

What's happening now is that legacy clients are configured to connect to
our Cisco PIX (IPSec VPNs) to an IP address assigned from ISP1.  I take care
of this by natting the traffic, and it is working successfully.

ip nat inside source static x.x.x.5 a.a.a.126

route-map PolicyRoutes, permit, sequence 10
  Match clauses:
    ip address (access-lists): toISP1
  Set clauses:
    ip next-hop b.b.b.b.233
  Policy routing matches: 8344989 packets, 528857596 bytes

Extended IP access list toISP1
    10 permit ip a.a.c.68 0.0.0.3 any (24011 matches)
    20 permit ip a.a.b.96 0.0.0.7 any (571600 matches)
    30 permit ip a.a.a.64 0.0.0.63 any (5980125 matches)
    35 permit udp host x.x.x.5 any (2119303 matches)
    40 deny ip any any (19629171 matches)

The problem now is that when a user connects directly to the PIX via
x.x.x.5 instead of a.a.a.126, the return traffic is matched by the route-map
and sent via ISP1 instead of ISP2.  Removing the route-map or amending the
access-lists means that customers connecting to a.a.a.126 via ISP1 have
their return traffic sent via ISP2.

Is there any way that I can send connections from any to a.a.a.126 via ISP1,
and connections from any to x.x.x.5 via ISP2, whilst still keeping the NAT
in place to nat all traffic to a.a.a.126?

Hope this makes sense.

--
Chris.
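As an added example (not from Chris's post and not Cisco code), here is a small Python model of the route-map and ACL quoted above, evaluated against the reply packets for both client cases. The addresses are constructed stand-ins for the obfuscated ones in the post, and the model assumes the IOS order of operations in which, for inside-to-outside traffic, policy routing runs before inside-source NAT. It shows why the ACL as written cannot tell the two cases apart: on the router's inside interface both replies carry source x.x.x.5, and the only distinguishing fact (which public address the client contacted) is not in the packet. It also checks a detail worth noticing in line 35: that entry is UDP-only, so a non-UDP reply from x.x.x.5 (ESP, IP protocol 50, for instance) is not policy routed and falls through to the default route via ISP2.

```python
"""Model of the PolicyRoutes route-map and toISP1 ACL from the post.

Addresses are constructed stand-ins for the obfuscated ones in the post
(assumption): 192.0.2.5 plays x.x.x.5, 198.51.100.126 plays a.a.a.126,
203.0.113.233 plays the ISP1 next hop, and the three "permit ip" prefixes
are arbitrary documentation-range prefixes.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PIX_INSIDE = "192.0.2.5"            # stands in for x.x.x.5 (inside local on the router)
PIX_ISP1_GLOBAL = "198.51.100.126"  # stands in for a.a.a.126 (static inside global)
ISP1_NEXT_HOP = "203.0.113.233"     # stands in for the route-map's ip next-hop
ISP2_DEFAULT = "default route (ISP2)"
CLIENT = "100.64.7.7"               # an arbitrary remote VPN peer (constructed)


@dataclass(frozen=True)
class AclEntry:
    seq: int
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches every protocol, otherwise an exact protocol name
    src: str         # source base address
    wildcard: str    # IOS wildcard (inverse) mask; 0.0.0.0 means "host"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


# The toISP1 ACL from the post, with stand-in prefixes.
TO_ISP1: List[AclEntry] = [
    AclEntry(10, "permit", "ip", "198.51.100.68", "0.0.0.3"),
    AclEntry(20, "permit", "ip", "198.51.100.96", "0.0.0.7"),
    AclEntry(30, "permit", "ip", "198.51.100.64", "0.0.0.63"),
    AclEntry(35, "permit", "udp", PIX_INSIDE, "0.0.0.0"),
    AclEntry(40, "deny", "ip", "0.0.0.0", "255.255.255.255"),
]


def acl_first_match(acl: List[AclEntry], proto: str, src: str) -> Optional[AclEntry]:
    """First-match evaluation; None stands for the implicit deny at the end."""
    for entry in acl:
        if entry.proto != "ip" and entry.proto != proto:
            continue
        if wildcard_match(src, entry.src, entry.wildcard):
            return entry
    return None


def policy_route(proto: str, src: str) -> str:
    """route-map PolicyRoutes seq 10: a permit hit on toISP1 sets next-hop ISP1;
    anything else falls through to the routing table (default via ISP2)."""
    entry = acl_first_match(TO_ISP1, proto, src)
    if entry is not None and entry.action == "permit":
        return ISP1_NEXT_HOP
    return ISP2_DEFAULT


def return_packet_as_seen_by_pbr(client_dialled: str) -> dict:
    """The reply the router sees arriving on its inside interface.

    Assumption: for inside-to-outside traffic IOS applies policy routing before
    inside-source NAT, so the route-map ACL sees the inside local address
    (x.x.x.5) whichever public address the client used.  The PIX itself only
    ever had x.x.x.5 as its address, so the reply is identical in both cases;
    client_dialled is carried along only for display.
    """
    return {"proto": "udp", "src": PIX_INSIDE, "dst": CLIENT,
            "client_dialled": client_dialled}


def demo() -> dict:
    """Map each address the client dialled to the path its reply takes."""
    results = {}
    for dialled in (PIX_ISP1_GLOBAL, PIX_INSIDE):
        pkt = return_packet_as_seen_by_pbr(dialled)
        results[dialled] = policy_route(pkt["proto"], pkt["src"])
    return results


if __name__ == "__main__":
    for dialled, hop in demo().items():
        print(f"client connected to {dialled:16} -> reply forwarded via {hop}")
    print(f"ESP reply from {PIX_INSIDE} -> {policy_route('esp', PIX_INSIDE)}")
```

Running the block prints the same next hop for both client cases, which is the behaviour the post describes; the ESP line shows the UDP-only scope of entry 35.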