[c-nsp] NAT out via loopback

Jeff Behl jbehl at estalea.com
Tue Nov 18 14:02:32 EST 2008


Redundancy.  There is a hot/standby loadbalancer pair in the setup
below, one connected to each switch, which sends traffic to the hosts
connected to the 3560s.  The hosts are dual homed to each 3560, using a
bonded interface with ARP polling.  With this setup I can lose the ISP or
an entire switch and things keep on chugging...the site stays up.  
Losing the router just means the loss of the VPN link and outgoing NAT,
which isn't essential.


I actually managed to get things working last night through a series of
route-maps/policy routing.  It's basically NAT on a stick as described:

http://tinyurl.com/7ixb

jeff
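As an added illustration, not taken from the thread or from the linked Cisco document, this is the shape the "NAT on a stick" arrangement takes on the 2851 described above. Addresses and interface names are placeholders: Loopback1 carries the public NAT /32, Loopback0 stays the VPN endpoint and is kept out of NAT, Gi0/0.10 and Gi0/1.10 are the trunked p2p links to the two 3560s, 10.1.0.0/16 is the hosts' space and 10.200.0.0/16 is the site reached over the VPN.

```cisco
! Added example, not the poster's config. All addresses are placeholders.
! Loopback1 is the only NAT "outside" interface; the VPN loopback is untouched.
interface Loopback1
 ip address 203.0.113.1 255.255.255.255
 ip nat outside
!
! Both p2p links are NAT "inside" and policy-route the traffic that needs
! translating into the loopback, in both directions.
interface GigabitEthernet0/0.10
 ip nat inside
 ip policy route-map NAT-VIA-LOOPBACK
!
interface GigabitEthernet0/1.10
 ip nat inside
 ip policy route-map NAT-VIA-LOOPBACK
!
! Only the listed hosts are translated, and traffic bound for the VPN site
! keeps its private source so it still matches the crypto/GRE path.
ip access-list extended NAT-SOURCES
 deny   ip any 10.200.0.0 0.0.255.255
 permit ip host 10.1.5.10 any
 permit ip host 10.1.5.11 any
!
! Return traffic comes back from the 3560 on an "inside" link, addressed to
! the NAT address, so it must also pass through the "outside" loopback to be
! untranslated.
ip access-list extended NAT-RETURN
 permit ip any host 203.0.113.1
!
route-map NAT-VIA-LOOPBACK permit 10
 match ip address NAT-SOURCES
 set interface Loopback1
!
route-map NAT-VIA-LOOPBACK permit 20
 match ip address NAT-RETURN
 set interface Loopback1
!
! Overload (PAT) every permitted source onto the loopback's public address.
ip nat inside source list NAT-SOURCES interface Loopback1 overload
```

The 3560s still have to steer the selected hosts' traffic to the 2851 instead of following their static default to the ISP, as the original post notes; `set interface` on a loopback is the form used in Cisco's NAT-on-a-stick write-up, so check the behaviour on the IOS release in use.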

Varaillon Jean Christophe wrote:
> Hi,
>
> This might be far from answering your question but why the 3560 are not
> behind the 2851? Why is the 2851 not directly connected to the ISP? Wouldn't
> this be simpler to set-up your NAT?
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Behl
> Sent: Tuesday, November 18, 2008 3:43 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] NAT out via loopback
>
> I've got two 3560s, each with a privately addressed point-to-point link
> to a 2851 (a trunked gig interface for each) and both connected to an ISP:
>
>
> ISP---3560----p2p-----
>                                2851
> ISP---3560----p2p-----
>
> The 3560s are connected to the ISP and have a public /25 routed to them
> via p2p links.  They also have a number of private networks that contain
> numerous hosts that they act as the gateway for (HSRP).  The 3560s
> advertise a default route via ospf which is picked up by the 2851. They
> also have a static default pointing to the ISP.
>
> The 2851 has a couple public /32 addresses on loopbacks which are
> advertised via ospf and picked up by the 3560s (I've split the /25 into
> a few different blocks).   One of them acts as a static IPSEC/GRE VPN
> tunnel endpoint, and I'd like the other to be an external NAT
> interface.  The reason for this setup was to be able to maintain the VPN
> link during the loss of one of the switches.  To this end everything is
> working as expected, at least in terms of the VPN tunnel.
>
> But now the trickier part...I'd like some of the hosts on the private
> networks for which the 3560s are doing the routing to be able to get to
> the internet via NAT.  As the 3560s don't do NAT, it has to be the 2851
> that does it.  I'm looking for suggestions on the most elegant solution
> for doing this??  Basically, one of the loopbacks on the 2851 would be
> the outgoing IP address for NAT translations. Though I've not used VRFs
> before, I'm getting inklings they could be used in a scenario such as
> this?  The other solution seems to be some sort of policy based
> routing.  I've used policy based routing in the past to direct traffic
> that needs to be NATd from a switch to a router but it was a little
> simpler in that the router's outgoing NAT address was just a normal
> sub-interface and not a loopback.
>
> Thanks for any help.
> jeff
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/