[c-nsp] Dual Homing and NAT via route-maps

Jeremy Parr jeremyparr at gmail.com
Fri Jan 9 11:26:23 EST 2009 

One can multi-home a router via object tracking, this works just fine.
When NAT is added to the mix, things seem to get ugly and broken. The
"ip nat inside" statement isn't applied with an access list as the
argument, but rather a route-map. As soon as the ip nat statement is
in use, the router can no longer be sshed to, or telneted to on either
external interface. Port forwards to internal hosts continue to work.
Below is an example config. If the line "ip nat inside source
route-map BGC interface FastEthernet0 overload" is removed, or the
line "route-map BGC permit 10", I am able to telnet/ssh to the router.
Any ideas? I have tested this on various IOS revisions, currently
running bleeding edge 12.4(11)XW9, but the latest in the T train
behaves the same.

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
!
!
!
!
ip cef
!
!
!
multilink bundle-name authenticated
!
!
archive
 log config
  hidekeys
!
!
!
track 1 rtr 1 reachability
!
!
!
interface FastEthernet0
 ip address 172.16.10.99 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 ip address 1.1.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
!
interface FastEthernet5
 shutdown
!
interface FastEthernet6
 shutdown
!
interface FastEthernet7
 shutdown
!
interface FastEthernet8
 shutdown
!
interface FastEthernet9
 shutdown
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0
36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 no ip address
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
router eigrp 1
 network 192.168.1.0
 auto-summary
!
ip route 0.0.0.0 0.0.0.0 172.16.10.1 track 1
ip route 0.0.0.0 0.0.0.0 1.1.1.1 254
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map BGC interface FastEthernet0 overload
ip nat inside source route-map Backup interface FastEthernet1 overload
!
ip sla 1
 icmp-echo 172.16.10.1
 timeout 1000
 threshold 2
 frequency 3
ip sla schedule 1 life forever start-time now
!
!
!
route-map Backup permit 10
 match interface FastEthernet1
!
route-map BGC permit 10
 match interface FastEthernet0
!
!
!
!
control-plane
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 password beans
 login
!

!
webvpn cef
end

More information about the cisco-nsp mailing list