[c-nsp] Static NAT and route-maps

Matt Stevens matt at elevate.org
Mon Nov 1 15:33:27 EST 2004


I have a customer with two ISP connections going into a 2600. Using NAT 
and route-maps I can specify which pool gets used, based on which 
outbound interface things are sent through.

My problem is with hosts given a static translation. If I give an inside 
host two statics, one out of each provider's address space, I can only 
access the host with the static from the current primary (default 
routed) provider.

Whenever I access the host via the non-primary static the return traffic 
is sent out the wrong interface. Since the source address isn't correct, 
the upstreams drop the traffic.

I've tried matching the traffic with route-maps on the outbound 
interfaces so that I always send traffic out the proper interface based 
on source address, but it doesn't seem to work.

Ideas? Config is below...
--
matt


interface Ethernet1/0
  ip address 206.176.235.234 255.255.255.248
  ip nat outside
  ip policy route-map right-interface
!
interface Ethernet1/1
  ip address 192.168.254.1 255.255.255.0
  ip nat inside
!
interface Ethernet1/2
  ip address 64.7.66.245 255.255.255.248
  ip nat outside
  ip policy route-map right-interface
!
ip nat inside source route-map vista interface Ethernet1/0 overload
ip nat inside source route-map webpercep interface Ethernet1/2 overload
!
ip nat inside source static tcp 192.168.254.150 80 64.7.81.130 80 extendable
ip nat inside source static tcp 192.168.254.150 80 206.176.235.235 80 extendable
!
ip route 0.0.0.0 0.0.0.0 206.176.235.233 10
ip route 0.0.0.0 0.0.0.0 64.7.66.241 80
!
access-list 3 permit 64.7.66.241
access-list 4 permit 206.176.235.233
access-list 5 deny   192.168.254.150
access-list 5 deny   192.168.254.1
access-list 5 deny   192.168.254.112
access-list 5 deny   192.168.254.105
access-list 5 permit 192.168.254.0 0.0.0.255
access-list 6 permit 64.7.66.240 0.0.0.7
access-list 6 permit 64.7.81.128 0.0.0.31
access-list 7 permit 206.176.235.232 0.0.0.7
!
route-map right-interface permit 10
  match ip address 6
  set ip next-hop 64.7.66.241
!
route-map right-interface permit 20
  match ip address 7
  set ip next-hop 206.176.235.233
!
route-map webpercep permit 10
  match ip address 5
  match ip next-hop 3
!
route-map vista permit 10
  match ip address 5
  match ip next-hop 4
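
An added example, not part of the original post: a simplified Python model of the forwarding decision the configuration above makes for the web server's return traffic. It assumes policy routing is evaluated on the interface where a packet arrives and before inside-to-outside NAT rewrites the source address; the function names are hypothetical and the tables are transcribed from the posted config.

```python
import ipaddress

# Transcribed from the posted configuration (simplified model, not router code).
ACLS = {
    6: [("permit", "64.7.66.240", "0.0.0.7"), ("permit", "64.7.81.128", "0.0.0.31")],
    7: [("permit", "206.176.235.232", "0.0.0.7")],
}
ROUTE_MAP = [(6, "64.7.66.241"), (7, "206.176.235.233")]  # right-interface: (ACL, next hop)
POLICY_INTERFACES = {"Ethernet1/0", "Ethernet1/2"}        # interfaces with "ip policy"
DEFAULT_ROUTES = [("206.176.235.233", 10), ("64.7.66.241", 80)]  # (next hop, distance)


def acl_permits(acl, src):
    """Standard ACL: source address only, wildcard 1-bits ignored, implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    for action, addr, wildcard in ACLS[acl]:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (s & care) == (int(ipaddress.IPv4Address(addr)) & care):
            return action == "permit"
    return False


def next_hop(in_interface, src):
    """Return (next hop, reason) for a packet arriving on in_interface from src."""
    # Assumption: the route-map is consulted only on the arrival interface.
    if in_interface in POLICY_INTERFACES:
        for acl, hop in ROUTE_MAP:
            if acl_permits(acl, src):
                return hop, f"policy route-map, ACL {acl}"
    # Otherwise the default route with the lowest administrative distance wins.
    hop, _ = min(DEFAULT_ROUTES, key=lambda r: r[1])
    return hop, "default route"


if __name__ == "__main__":
    # Reply from the web server: arrives on the inside interface with its
    # private source address, which is what policy routing would see pre-NAT.
    print(next_hop("Ethernet1/1", "192.168.254.150"))
    # The private source is not in ACL 6 or 7, so the route-map could not
    # match it even if it were applied on the inside interface.
    print(acl_permits(6, "192.168.254.150"), acl_permits(7, "192.168.254.150"))
    # ACL 6 does cover the post-NAT address of the secondary static.
    print(acl_permits(6, "64.7.81.130"))
```

In this model the server's reply always follows the distance-10 default route, which matches the symptom described in the post: the static from the non-primary provider leaves through the primary provider's interface.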


