[c-nsp] PBR with NAT/PAT - strange (non-deterministic) behaviour

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Fri Mar 7 03:02:16 EST 2008


 
> I have a PBR policy-map applied on each router's Fa0/0 interface
> (ingress). The route-map references an ACL that matches traffic I want
> to send in a direction the routing table would not otherwise have it
> go (i.e. S0/1.x instead of S0/0.x). To ensure symmetric routing, I
> want to source NAT (PAT) traffic leaving the interface to that
> interface's IP. All pretty straight-forward.
> 
> Another requirement: if the interface specified by the 'set ip
> next-hop' parameter in the PBR route-map is down (e.g. S0/1.x), I want
> traffic to be routed as normal via S0/0.x (as I understand it should),
> but I want to do the same source NAT/PAT on the other interface -- in
> other words, if the traffic leaves S0/1.x, it should be source NATed
> to S0/1.x's IP and if it leaves S0/0.x, it should leave with S0/0.x's
> IP.
> 
[...]
> Here is the (annotated) config from the first router. The other router
> is configured in exactly the same way, apart from interface IPs,
> subint/DLCIs, and the 'set ip next-hop' value in the App01-PBR
> route-map.
> 

[...]
> ip nat inside source route-map App01-NAT-FOO1 interface Serial0/1.742 overload
> ip nat inside source route-map App01-NAT-FOO2 interface Serial0/0.740 overload
> !
> access-list 125 remark ** match HTTP to server 1 **
> access-list 125 permit tcp any host 192.168.91.67 eq www
> access-list 125 remark ** match HTTP to server 2 **
> access-list 125 permit tcp any host 192.168.91.3 eq www
 

Can you try adding "match interface" to the NAT route-maps? I.e.

route-map App01-NAT-FOO1 permit 10
 match ip address 125
 match interface Serial0/1.742

and

route-map App01-NAT-FOO2 permit 10
 match ip address 125
 match interface Serial0/0.740

A similar config is used in an example at
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080950834.shtml

	oli

