[c-nsp] PBR + NAT - multihoming efficiently?
Rolf Mendelsohn
rolf-web at cyberops.biz
Mon May 9 04:48:00 EDT 2005
Hi Guys,
I have a Cisco SOHO91, doing multi-homing via NAT on its E0 (4 port switch)
interface to 2 different providers.
Provider 1 is using fiber, whereas provider2 is on a satellite link. Please have a
look through and give me some hints on how to improve this config.
My main problem at the moment is that, because my uplink is a serial and not an
Ethernet interface, NAT doesn't 'realise' the interface is down. All the
route-maps are set-default, so more specific routes should apply.
I.e. redundancy isn't working :>(.
Also, the order in which 'ip nat inside XYZ' statements are processed would be
very useful to know: alphabetical, the order in the config, etc.
I see Cisco has a great page describing the various 'order of operations' NAT
uses In --> Out and Out --> In.
Perhaps I just need an ip local policy; since all NAT traffic is 'originated'
from the router, this would also make it much simpler to choose the source?
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname or1.lda1.ao
!
boot system flash soho91-k9oy6-mz.123-2.XC2.bin
boot system flash
logging buffered 65535 debugging
<snip>
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
no ip source-route
no ip domain lookup
!
!
no ip bootp server
ip cef
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
interface Ethernet0
description WAN link to provider2(PPPoE) + provider1
ip address X.Y.16.107 255.255.255.224
no ip redirects
no ip proxy-arp
ip nat outside
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface Ethernet1
description Internal LAN link
ip address 192.168.0.3 255.255.255.0
ip access-group protect-acdc out
no ip redirects
no ip proxy-arp
ip nat inside
ip tcp adjust-mss 1452
ip policy route-map choose-exit
duplex auto
no cdp enable
!
interface Dialer1
description PPPoE Dialer interface for provider2
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp pap sent-username martin.boese at provider2.ao password 7 06021A25491E594E
!
ip nat translation timeout 3600
<NAT Order of statement operation???>
ip nat inside source route-map nat-multi interface Ethernet0 overload
ip nat inside source route-map nat-provider2 interface Dialer1 overload
?
ip nat inside source static tcp 192.168.0.1 25 A.B.201.9 25 extendable
ip nat inside source static tcp 192.168.0.1 110 A.B.201.9 110 extendable
ip nat inside source static tcp 192.168.0.1 80 A.B.201.9 80 extendable
ip nat inside source static tcp 192.168.0.1 445 A.B.201.9 445 extendable
ip nat inside source static tcp 192.168.0.1 22 A.B.201.9 22 extendable
ip nat inside source static tcp 192.168.0.1 21 A.B.201.9 21 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 X.Y.16.97
ip route 0.0.0.0 0.0.0.0 Dialer1 100
ip route 10.0.0.0 255.255.255.0 Ethernet0
ip route X.Y.16.0 255.255.254.0 X.Y.16.97
ip route X.Y.23.0 255.255.255.0 X.Y.16.97
ip route A.B.192.0 255.255.240.0 Dialer1
ip route 217.21.81.0 255.255.255.0 X.Y.16.97
no ip http server
no ip http secure-server
!
!
ip access-list extended provider2
permit ip any host X.Y.16.97
ip access-list extended prefered-prot
permit tcp any any eq 22
permit tcp any any eq telnet
deny icmp host 192.168.0.1 any
permit icmp any any
permit tcp any any eq whois
permit tcp any any eq domain
permit udp any any eq domain
permit udp any any eq ntp
ip access-list extended protect-acdc
permit tcp any any established
permit icmp any any
permit tcp any host 192.168.0.1 eq smtp
permit tcp any host 192.168.0.1 eq pop3
permit tcp any host 192.168.0.1 eq 22
permit tcp any host 192.168.0.1 eq ftp
permit udp any host 192.168.0.1 eq domain
permit udp any host 192.168.0.1 eq syslog
permit tcp any host 192.168.0.1 eq www
permit tcp any host 192.168.0.1 eq 443
permit udp any host 192.168.0.1 gt 1023
deny ip any host 192.168.0.1
permit ip any any
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 50 permit 192.168.0.75
access-list 50 permit 192.168.0.68
access-list 50 permit 192.168.0.71
access-list 50 permit 192.168.0.88
access-list 60 remark ACL for VTY
access-list 60 permit 192.168.0.0 0.0.255.255
access-list 60 permit X.Y.16.0 0.0.1.255
access-list 60 permit X.Y.23.0 0.0.0.255
access-list 60 permit A.B.201.0 0.0.0.255
access-list 110 remark Internal to provider1
access-list 110 permit ip 192.168.0.0 0.0.255.255 X.Y.16.0 0.0.1.255
access-list 110 permit ip 192.168.0.0 0.0.255.255 X.Y.23.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.255.255 217.21.81.0 0.0.0.255
access-list 150 permit ip host 192.168.0.75 any
access-list 150 permit ip host 192.168.0.68 any
access-list 150 permit ip host 192.168.0.71 any
access-list 150 permit ip host 192.168.0.88 any
no cdp run
route-map nat-provider2 deny 10
description Match provider1 destinations and Dont NAT
match ip address 110
!
route-map nat-provider2 permit 20
description Match ALL and NAT
match ip address 10
!
route-map choose-exit permit 10
description Route Sysadmin IP's to provider1
match ip address 50
set default interface Ethernet0
!
route-map choose-exit permit 20
description Match Prefered Protocols and NAT to provider1
match ip address prefered-prot
set default interface Ethernet0
!
route-map choose-exit permit 30
description Match Everyone and Route to provider2
match ip address 10
set default interface Dialer1
!
route-map nat-multi deny 10
description Match provider2 destinations and don't NAT
match ip address provider2
!
route-map nat-multi permit 20
description Match Sysadmin IP's and NAT to provider1
match ip address 150
!
route-map nat-multi permit 30
description Match Prefered Protocols and NAT to provider1
match ip address prefered-prot
!
route-map nat-multi permit 40
description Match provider1 Destinations and NAT Everyone to provider1
match ip address 110
!
banner login ^C
Authorized access only.
Disconnect IMMEDIATELY if you are not an authorized user!
contact noc at cyberops.biz +244 (912) 221181, (923) 524981 for help
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 30 0
transport preferred none
transport input telnet ssh
transport output none
!
scheduler max-task-time 5000
!
end
cheers
/rolf
--
Rolf Mendelsohn
Internet Technologies Holdings
Angolan Cell: +244-92-3524981
Angolan Office: +244-2-356110
Namibian Office: +264-61-375484
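Added example, not part of Rolf's post and not his running config: one way to get the failover he is asking for, given that neither Ethernet0 nor the always-up Dialer1 will ever change line state to withdraw a static default. The idea is (a) let object tracking with an ICMP probe through each provider decide whether each default route stays in the table, (b) let NAT follow the forwarding decision with "match interface" instead of re-matching the same ACLs in the NAT route-maps, and (c) keep PBR only for the sysadmin/preferred-protocol traffic, with a tracked next hop so it falls back to normal routing when provider1 is dead. Assumptions: the SOHO91's IOS supports the 12.3-era "rtr", "track ... rtr ... reachability", "ip route ... track" and "set ip next-hop verify-availability ... track" commands (if the last one is missing, the tracked static routes alone still fix routed traffic); 198.51.100.1 and 203.0.113.1 are placeholder probe targets (use something stable inside each provider, e.g. their DNS servers); X.Y.16.97 is the provider1 next hop from the original config.

```ios
! --- Added example config (assumptions noted above), not the original config ---
! Probe provider1 via the fiber next hop and provider2 via the satellite dialer.
! Host routes pin each probe to its own exit so the probes do not follow the default.
ip route 198.51.100.1 255.255.255.255 X.Y.16.97
ip route 203.0.113.1 255.255.255.255 Dialer1
!
rtr 1
 type echo protocol ipIcmpEcho 198.51.100.1
 timeout 2000
 frequency 10
rtr schedule 1 life forever start-time now
!
rtr 2
 type echo protocol ipIcmpEcho 203.0.113.1
 timeout 5000
 frequency 10
rtr schedule 2 life forever start-time now
!
track 1 rtr 1 reachability
track 2 rtr 2 reachability
!
! Defaults: satellite (provider2) is the routed default for "everyone", fiber
! (provider1) floats behind it. Each is withdrawn when its probe fails, which is
! what the plain interface-state check can never do for Ethernet0 or Dialer1.
no ip route 0.0.0.0 0.0.0.0 X.Y.16.97
no ip route 0.0.0.0 0.0.0.0 Dialer1 100
ip route 0.0.0.0 0.0.0.0 Dialer1 track 2
ip route 0.0.0.0 0.0.0.0 X.Y.16.97 100 track 1
!
! NAT follows whichever interface the packet actually leaves on, so the NAT
! route-maps no longer need to duplicate (and stay in sync with) the PBR ACLs.
no ip nat inside source route-map nat-multi interface Ethernet0 overload
no ip nat inside source route-map nat-provider2 interface Dialer1 overload
!
route-map nat-via-provider1 permit 10
 match ip address 10
 match interface Ethernet0
!
route-map nat-via-provider2 permit 10
 match ip address 10
 match interface Dialer1
!
ip nat inside source route-map nat-via-provider1 interface Ethernet0 overload
ip nat inside source route-map nat-via-provider2 interface Dialer1 overload
!
! PBR only steers the traffic that should prefer the fiber link. If track 1 is
! down, verify-availability skips the next hop and the packet is routed normally,
! i.e. out the satellite default.
no route-map choose-exit
!
route-map choose-exit permit 10
 description Sysadmin IPs prefer provider1 while its probe is up
 match ip address 50
 set ip next-hop verify-availability X.Y.16.97 10 track 1
!
route-map choose-exit permit 20
 description Preferred protocols prefer provider1 while its probe is up
 match ip address prefered-prot
 set ip next-hop verify-availability X.Y.16.97 10 track 1
!
interface Ethernet1
 ip policy route-map choose-exit
```

Checks: "show track" and "show rtr operational-state" (or "show ip sla ..." on later IOS) show the probe state; "show ip route 0.0.0.0" should lose the corresponding default within one or two probe intervals of pulling a link; "show ip nat translations" then shows new flows bound to the surviving interface address, while existing translations ride out "ip nat translation timeout 3600" unless you clear them. The probe for the satellite path should use a longer timeout than the fiber one so normal satellite latency does not flap the route. The deny clauses in the original nat-multi/nat-provider2 maps are not needed here: traffic to the provider1 networks still follows the more specific X.Y.16.0/23 and X.Y.23.0/24 routes out Ethernet0 and so never matches the Dialer1 route-map.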