[c-nsp] Static NAT and route-maps

Brian Feeny signal at shreve.net
Mon Nov 1 22:03:07 EST 2004


Allow me to make some suggestions:

First, make sure you local-policy-route the IP you wish to manage the router with; otherwise you may not be able to reach the router when you need to:

! access-list 103 (not shown here) matches the management traffic
ip local policy route-map local
!
route-map local permit 10
  match ip address 103
  set interface Serial0


PBR is done on the "inside" interface. You are putting it on the outside interface. You want to put it on the INSIDE interface and match against the IP address BEFORE it gets translated by NAT.

Definitely make sure CEF is turned on.


Brian


On Nov 1, 2004, at 2:33 PM, Matt Stevens wrote:

> I have a customer with two ISP connections going into a 2600. Using 
> NAT and route-maps I can specify which pool gets used, based on which 
> outbound interface things are sent through.
>
> My problem is with hosts given a static translation. If I give an 
> inside host two statics, one out of each providers address space, I 
> can only access the host with the static from the current primary 
> (default routed) provider.
>
> Whenever I access the host via the non-primary static the return 
> traffic is sent out the wrong interface. Since the source address 
> isn't correct, the upstreams drop the traffic.
>
> I've tried matching the traffic with route-maps on the outbound 
> interfaces so that I always send traffic out the proper interface 
> based on source address, but it doesn't seem to work.
>
> Ideas? Config is below...
> --
> matt
>
>
> interface Ethernet1/0
>  ip address 206.176.235.234 255.255.255.248
>  ip nat outside
>  ip policy route-map right-interface
> !
> interface Ethernet1/1
>  ip address 192.168.254.1 255.255.255.0
>  ip nat inside
> !
> interface Ethernet1/2
>  ip address 64.7.66.245 255.255.255.248
>  ip nat outside
>  ip policy route-map right-interface
> !
> ip nat inside source route-map vista interface Ethernet1/0 overload
> ip nat inside source route-map webpercep interface Ethernet1/2 overload
> !
> ip nat inside source static tcp 192.168.254.150 80 64.7.81.130 80 
> extendable
> ip nat inside source static tcp 192.168.254.150 80 206.176.235.235 80 
> extendable
> !
> ip route 0.0.0.0 0.0.0.0 206.176.235.233 10
> ip route 0.0.0.0 0.0.0.0 64.7.66.241 80
> !
> access-list 3 permit 64.7.66.241
> access-list 4 permit 206.176.235.233
> access-list 5 deny   192.168.254.150
> access-list 5 deny   192.168.254.1
> access-list 5 deny   192.168.254.112
> access-list 5 deny   192.168.254.105
> access-list 5 permit 192.168.254.0 0.0.0.255
> access-list 6 permit 64.7.66.240 0.0.0.7
> access-list 6 permit 64.7.81.128 0.0.0.31
> access-list 7 permit 206.176.235.232 0.0.0.7
> !
> route-map right-interface permit 10
>  match ip address 6
>  set ip next-hop 64.7.66.241
> !
> route-map right-interface permit 20
>  match ip address 7
>  set ip next-hop 206.176.235.233
> !
> route-map webpercep permit 10
>  match ip address 5
>  match ip next-hop 3
> !
> route-map vista permit 10
>  match ip address 5
>  match ip next-hop 4
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
---------------------------------------------
Brian Feeny, CCIE #8036, CISSP
Network Engineer
ShreveNet Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
Url : https://puck.nether.net/pipermail/cisco-nsp/attachments/20041101/d9398e3f/PGP.bin
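The following is an added example for this archive page, not code from either poster. It is a toy model of the IOS order of operations the thread turns on: in the inside-to-outside direction, `ip policy route-map` on the ingress interface is evaluated on the untranslated packet, then ordinary routing picks the egress, then NAT rewrites the source. A policy attached to an outside interface is only consulted for packets entering from that ISP, so the inside host's replies never see it. The interfaces, next hops, ACL ranges and static translations are Matt's; the remote client 198.51.100.10 (TEST-NET-2) and the BCP38-style source filters at each upstream are constructed assumptions.

```python
"""
Toy model of the IOS order of operations for inside -> outside traffic:
PBR on the ingress interface (pre-NAT), then routing, then NAT.

Added example for this archive page, not code from either poster.
Interfaces, next hops, ACL ranges and translations are Matt's; the remote
client 198.51.100.10 and the upstream source filters are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE, ISP_A, ISP_B = "Ethernet1/1", "Ethernet1/0", "Ethernet1/2"
NEXT_HOP = {ISP_A: "206.176.235.233", ISP_B: "64.7.66.241"}
EGRESS_FOR_NEXT_HOP = {hop: ifc for ifc, hop in NEXT_HOP.items()}
DEFAULT_EGRESS = ISP_A  # the AD 10 default via 206.176.235.233 beats the AD 80 one

INSIDE_LOCAL = "192.168.254.150"
REMOTE = "198.51.100.10"  # constructed (TEST-NET-2): an Internet client

# Constructed assumption: what each upstream accepts as a source address
UPSTREAM_ACCEPTS = {
    ISP_A: [ip_network("206.176.235.232/29")],
    ISP_B: [ip_network("64.7.66.240/29"), ip_network("64.7.81.128/27")],
}


@dataclass
class Packet:
    src: str
    dst: str
    ingress: str


def acl_matches(acl, addr):
    """Standard (1-99) ACL semantics: match on the source address only."""
    return any(ip_address(addr) in net for net in acl)


def policy_route(policy, pkt):
    """Egress chosen by 'ip policy route-map' on pkt.ingress, or None if no clause matches."""
    for acl, next_hop in policy.get(pkt.ingress, []):
        if acl_matches(acl, pkt.src):
            return EGRESS_FOR_NEXT_HOP[next_hop]
    return None


def reply_path(policy, global_used):
    """
    Follow the inside host's reply to REMOTE for a connection that arrived
    on the static translation `global_used`.
    Returns (egress interface, source address on the wire, accepted by that upstream?).
    """
    pkt = Packet(src=INSIDE_LOCAL, dst=REMOTE, ingress=INSIDE)
    # 1. PBR on the ingress (inside) interface sees the untranslated packet
    egress = policy_route(policy, pkt)
    # 2. Otherwise plain routing: the AD 10 default wins
    if egress is None:
        egress = DEFAULT_EGRESS
    # 3. NAT inside -> outside: the extendable entry created by the inbound
    #    connection maps this flow back to the global it arrived on
    wire_src = global_used
    return egress, wire_src, acl_matches(UPSTREAM_ACCEPTS[egress], wire_src)


# access-list 6 / 7 and route-map right-interface as Matt applied them: on the
# two OUTSIDE interfaces, so only packets entering from an ISP are evaluated
RIGHT_INTERFACE = [
    ([ip_network("64.7.66.240/29"), ip_network("64.7.81.128/27")], "64.7.66.241"),
    ([ip_network("206.176.235.232/29")], "206.176.235.233"),
]
MATT_POLICY = {ISP_A: RIGHT_INTERFACE, ISP_B: RIGHT_INTERFACE}

# Brian's placement: on the INSIDE interface, matching the pre-NAT address.
# The host has a single inside address, so this pins all of its replies to ISP B.
BRIAN_POLICY = {INSIDE: [([ip_network("192.168.254.150/32")], "64.7.66.241")]}

# Inside interface, but matching the post-NAT global: never matches, because
# at PBR time the source is still 192.168.254.150
POST_NAT_MATCH = {INSIDE: [([ip_network("64.7.81.128/27")], "64.7.66.241")]}


if __name__ == "__main__":
    for name, pol in [("matt", MATT_POLICY), ("brian", BRIAN_POLICY),
                      ("post-nat", POST_NAT_MATCH)]:
        for g in ("206.176.235.235", "64.7.81.130"):
            print(name, g, "->", reply_path(pol, g))
```

With Matt's placement the reply to a connection that came in on 64.7.81.130 takes the AD 10 default out Ethernet1/0 carrying an ISP B source, which is exactly the drop he describes, while the same reply for the 206.176.235.235 static works. Moving the policy to the inside interface and matching 192.168.254.150 sends the reply out Ethernet1/2 with the right source; matching the post-NAT range on the inside interface never fires. The model also shows the limit of a source-address match: one inside address can only be pinned to one provider, so the 206.176.235.235 static is then the one whose replies leave the wrong way.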
