[c-nsp] Static NAT and route-maps
Matt Stevens
matt at elevate.org
Mon Nov 1 15:33:27 EST 2004
I have a customer with two ISP connections going into a 2600. Using NAT
and route-maps I can specify which pool gets used, based on which
outbound interface things are sent through.
My problem is with hosts given a static translation. If I give an inside
host two statics, one out of each provider's address space, I can only
access the host with the static from the current primary (default
routed) provider.
Whenever I access the host via the non-primary static the return traffic
is sent out the wrong interface. Since the source address isn't correct,
the upstreams drop the traffic.
I've tried matching the traffic with route-maps on the outbound
interfaces so that I always send traffic out the proper interface based
on source address, but it doesn't seem to work.
Ideas? Config is below...
--
matt
interface Ethernet1/0
ip address 206.176.235.234 255.255.255.248
ip nat outside
ip policy route-map right-interface
!
interface Ethernet1/1
ip address 192.168.254.1 255.255.255.0
ip nat inside
!
interface Ethernet1/2
ip address 64.7.66.245 255.255.255.248
ip nat outside
ip policy route-map right-interface
!
ip nat inside source route-map vista interface Ethernet1/0 overload
ip nat inside source route-map webpercep interface Ethernet1/2 overload
!
ip nat inside source static tcp 192.168.254.150 80 64.7.81.130 80 extendable
ip nat inside source static tcp 192.168.254.150 80 206.176.235.235 80 extendable
!
ip route 0.0.0.0 0.0.0.0 206.176.235.233 10
ip route 0.0.0.0 0.0.0.0 64.7.66.241 80
!
access-list 3 permit 64.7.66.241
access-list 4 permit 206.176.235.233
access-list 5 deny 192.168.254.150
access-list 5 deny 192.168.254.1
access-list 5 deny 192.168.254.112
access-list 5 deny 192.168.254.105
access-list 5 permit 192.168.254.0 0.0.0.255
access-list 6 permit 64.7.66.240 0.0.0.7
access-list 6 permit 64.7.81.128 0.0.0.31
access-list 7 permit 206.176.235.232 0.0.0.7
!
route-map right-interface permit 10
match ip address 6
set ip next-hop 64.7.66.241
!
route-map right-interface permit 20
match ip address 7
set ip next-hop 206.176.235.233
!
route-map webpercep permit 10
match ip address 5
match ip next-hop 3
!
route-map vista permit 10
match ip address 5
match ip next-hop 4
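
The failure described in the post, traced as an added Python example (not part of the original message or the poster's configuration). Addresses, distances and access-list ranges are taken from the posted config; the function names are hypothetical. The model assumes the documented IOS order for inside-to-outside traffic (policy routing and routing happen before NAT) and that each upstream accepts only sources from its own prefixes.

```python
import ipaddress

# Addresses come from the posted config; the packet path is a simplified model.
DEFAULT_ROUTES = [("206.176.235.233", 10, "Ethernet1/0"),   # (next hop, distance, egress)
                  ("64.7.66.241", 80, "Ethernet1/2")]
STATICS = {("64.7.81.130", 80): ("192.168.254.150", 80),    # global -> local
           ("206.176.235.235", 80): ("192.168.254.150", 80)}
# route-map right-interface: source prefixes (access-lists 6 and 7) -> next hop
RIGHT_INTERFACE = [(["64.7.66.240/29", "64.7.81.128/27"], "64.7.66.241"),
                   (["206.176.235.232/29"], "206.176.235.233")]
POLICY_ON = {"Ethernet1/0", "Ethernet1/2"}   # interfaces with "ip policy route-map"
EGRESS = {hop: ifname for hop, _, ifname in DEFAULT_ROUTES}

def in_any(ip, prefixes):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(p) for p in prefixes)

def policy_next_hop(src_ip, arrival_if, policy_on):
    """Policy routing sees packets received on an interface, before NAT."""
    if arrival_if not in policy_on:
        return None
    for prefixes, hop in RIGHT_INTERFACE:
        if in_any(src_ip, prefixes):
            return hop
    return None

def reply(global_ip, global_port, arrival_if="Ethernet1/1", policy_on=POLICY_ON):
    """Trace the server's reply for a connection that came in on one static."""
    local_ip, _ = STATICS[(global_ip, global_port)]
    # 1. Routing decision on the pre-NAT source (policy route, else best default).
    hop = policy_next_hop(local_ip, arrival_if, policy_on)
    if hop is None:
        hop = min(DEFAULT_ROUTES, key=lambda r: r[1])[0]
    egress = EGRESS[hop]
    # 2. NAT then rewrites the source to the global address of the existing translation.
    # 3. Assumption: each upstream accepts only sources from its own prefixes.
    own = next(p for p, h in RIGHT_INTERFACE if h == hop)
    return {"egress": egress, "next_hop": hop, "source": global_ip,
            "accepted_upstream": in_any(global_ip, own)}

if __name__ == "__main__":
    for addr in ("206.176.235.235", "64.7.81.130"):
        print(addr, reply(addr, 80))
    # Applying the same policy on the inside interface still sees 192.168.254.150
    print(reply("64.7.81.130", 80, policy_on=POLICY_ON | {"Ethernet1/1"}))
```
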