[c-nsp] NAT outside-to-inside from a dynamic ip address

Bob Tinkelman bob at tink.com
Thu Apr 5 10:24:31 EDT 2007


I have a customer-site router with two upstream links,
a T1 and a Verizon FIOS port.

This is similar to a configuration I described in a prior
posting.  The primary upstream link is the T1.  There is
a "backup" tunnel configured over the FIOS link.  The
router is configured to policy-route certain traffic out
via the FIOS link natively (not via the tunnel).

In support of the last part, we have "nat inside" on
the customer's LAN interface Fa0/0 and "nat outside" on
the Dialer1 interface associated with the FIOS link:

  interface Fa0/0
    description Customer LAN
    ip address ...
    ip nat inside
  ...
  interface Fa0/1
    description Verizon FIOS
    ...
    pppoe-enable
    ...
  interface Dialer1
    ip address negotiated
    ip nat outside
    ...
    ppp pap sent-username ...

I have a minor annoyance related to some packets that
arrive at the router over the Dialer interface, including
pings or traceroutes to the dynamically assigned ip address.

The responses to these are packets carrying, as a source
address, the Dialer1 dynamically assigned ip address.
These packets are generally routed out the customer's T1
where they are dropped, due to having an invalid source
address.


I've thought about several different approaches and would
appreciate anyone's thoughts:

1.  Possibly NAT (outside-to-inside) could be used to
    translate the source address to an overload of the
    router's ip address on its T1 (marked "nat inside").
    However, I wasn't sure how to deal with the fact
    that the source address was dynamic.

2.  Possibly I could use an "ip local policy" route-map
    to force traffic with the problem source address
    to go out via the Dialer1 interface.  That would
    catch things like ping-replies, wouldn't it?
    (Though, my prior post concerned problems I had
    using "ip local policy" at a similar site...)

3.  Lastly, I considered using VRF to give the Dialer
    its own routing table.  I'm least familiar with
    this approach and, hence, would most appreciate
    feedback here.  Though, if I want to make similar
    changes on similar customer-site routers, I'll
    probably run into version limitation issues.

This particular customer-site router is running 12.3.  We
have similar configurations at other customers with routers
running a range of IOS versions, 12.2 to 12.4.  While we
upgrade customer routers, as we can, so they can support
more recent IOS versions, we're already dealing with
"different configs" for different versions.  But, as much
as we can, we like to minimize the differences...

    
Thanks in advance
--
Bob Tinkelman          <bob at tink.com>
ISPnet, Inc.  http://www.ispnetinc.net
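Editor's added example of the second approach from the post (an "ip local policy" route-map); it is not Bob's configuration and not from his router. Because an IOS access list cannot reference the negotiated Dialer1 address directly, the example keys on an assumed provider pool prefix, 192.0.2.0/24 here as a documentation placeholder, which is exactly the dynamic-address limitation the post raises. The ACL and route-map names are invented.

```cisco
! Added example (not from the original post). The names and the
! 192.0.2.0/24 pool prefix are assumptions; replace the prefix with
! the range the provider actually assigns to Dialer1.
!
! Match router-originated packets whose source is an address out of
! the FIOS pool (ping replies, traceroute responses, and similar).
ip access-list extended FROM-FIOS-POOL
 permit ip 192.0.2.0 0.0.0.255 any
!
! Send such packets out Dialer1 instead of the default route via the T1.
! "set interface" is usable here because Dialer1 is a point-to-point
! PPPoE interface, so no next-hop address is required.
route-map LOCAL-VIA-FIOS permit 10
 match ip address FROM-FIOS-POOL
 set interface Dialer1
!
! Local policy applies only to packets the router itself generates;
! transit traffic from the LAN is not touched by it.
ip local policy route-map LOCAL-VIA-FIOS
```

Check it by pinging the Dialer1 address from outside and watching the match counter in "show route-map LOCAL-VIA-FIOS". The weak spot is the pool prefix: if the provider assigns an address outside the range in the ACL, the route-map stops matching and the replies fall back to leaving via the T1 with the FIOS source address, where the upstream anti-spoofing filter drops them as before.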