[c-nsp] NAT out via loopback

Varaillon Jean Christophe j.varaillon at cosmoline.com
Tue Nov 18 05:49:46 EST 2008


Hi,

This might be far from answering your question, but why are the 3560s not
behind the 2851? Why is the 2851 not directly connected to the ISP? Wouldn't
that be simpler for setting up your NAT?


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Behl
Sent: Tuesday, November 18, 2008 3:43 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] NAT out via loopback

I've got two 3560s, each with a privately addressed point-to-point link
to a 2851 (a trunked gig interface for each), and both connected to an ISP:


ISP---3560----p2p-----
                      2851
ISP---3560----p2p-----

The 3560s are connected to the ISP and have a public /25 routed to them
via p2p links.  They also have a number of private networks that contain
numerous hosts that they act as the gateway for (HSRP).  The 3560s
advertise a default route via ospf which is picked up by the 2851. They
also have a static default pointing to the ISP.

The 2851 has a couple of public /32 addresses on loopbacks which are
advertised via OSPF and picked up by the 3560s (I've split the /25 into
a few different blocks).  One of them acts as a static IPsec/GRE VPN
tunnel endpoint, and I'd like the other to be an external NAT
interface.  The reason for this setup was to be able to maintain the VPN
link during the loss of one of the switches.  To this end everything is
working as expected, at least in terms of the VPN tunnel.

But now the trickier part... I'd like some of the hosts on the private
networks for which the 3560s are doing the routing to be able to get to
the Internet via NAT.  As the 3560s don't do NAT, it has to be the 2851
that does it.  I'm looking for suggestions on the most elegant solution
for doing this.  Basically, one of the loopbacks on the 2851 would be
the outgoing IP address for NAT translations.  Though I've not used VRFs
before, I'm getting inklings they could be used in a scenario such as
this?  The other solution seems to be some sort of policy-based
routing.  I've used policy-based routing in the past to direct traffic
that needs to be NATed from a switch to a router, but it was a little
simpler in that the router's outgoing NAT address was just a normal
sub-interface and not a loopback.

Thanks for any help.
jeff
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
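As an added illustration of the policy-based-routing option Jeff mentions (this is not configuration from either poster, and the thread does not confirm it was what he ended up running), the following IOS fragment for the 2851 follows the pattern Cisco documents as "NAT on a stick": the p2p sub-interfaces toward the 3560s are the NAT inside, a loopback is the NAT outside, and a route-map pushes both directions of the flow through the loopback so that outbound packets are translated and replies are untranslated. All addresses, interface numbers and names are hypothetical (203.0.113.0/25 stands in for the routed public /25, 192.168.10.0/24 for one of the private networks behind the 3560s, 10.255.0.x/30 for the p2p links). Because it is not established here whether return traffic addressed to a loopback's own /32 is policy-routed before local delivery, the example gives the NAT loopback a /30 from the split /25 and translates to a pool address in that /30 that is not the interface address itself, which is how the Cisco write-up does it.

```cisco
! Added example, not from the original thread. All addresses are hypothetical.
!
interface Loopback1
 description NAT outside; /30 carved out of the public /25
 ip address 203.0.113.129 255.255.255.252
 ip nat outside
 ! Advertise the /30 rather than a /32 host route so the 3560s route the
 ! pool address (203.0.113.130) back to this router.
 ip ospf network point-to-point
!
interface GigabitEthernet0/0.100
 description p2p to 3560-A
 encapsulation dot1Q 100
 ip address 10.255.0.2 255.255.255.252
 ip nat inside
 ip policy route-map NAT-VIA-LOOPBACK
!
interface GigabitEthernet0/1.200
 description p2p to 3560-B
 encapsulation dot1Q 200
 ip address 10.255.0.6 255.255.255.252
 ip nat inside
 ip policy route-map NAT-VIA-LOOPBACK
!
! Only the hosts that are meant to reach the Internet are translated.
! Anything outside this ACL is never given a public source address.
ip access-list extended NAT-INSIDE-HOSTS
 permit ip 192.168.10.0 0.0.0.255 any
!
! Both directions must be steered into the loopback: outbound packets so
! NAT sees an inside->outside crossing, and replies (addressed to the pool
! address, which the 3560s route back here over the p2p links) so NAT sees
! an outside->inside crossing and restores the private destination.
ip access-list extended NAT-PBR
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip any host 203.0.113.130
!
route-map NAT-VIA-LOOPBACK permit 10
 match ip address NAT-PBR
 set interface Loopback1
!
ip nat pool NAT-LOOPBACK 203.0.113.130 203.0.113.130 prefix-length 30
ip nat inside source list NAT-INSIDE-HOSTS pool NAT-LOOPBACK overload
```

Two things to check on a box before trusting this: `show ip nat translations` should show entries only for 192.168.10.0/24 sources, and `show route-map NAT-VIA-LOOPBACK` should show the policy-routed packet count climbing for both the outbound and the return direction; if only one direction increments, the reply path is bypassing the loopback and the translation will not be reversed. Keeping the NAT ACL deliberately narrow is the security-relevant part: the same router is the IPsec/GRE endpoint, and a `permit ip any any` here would hand every private network behind the 3560s an Internet path it was not meant to have.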
 

__________ Information from ESET Smart Security, version of virus signature
database 3620 (20081118) __________

The message was checked by ESET Smart Security.

http://www.eset.com