[c-nsp] Dual Homing and NAT via route-maps

Ramcharan, Vijay A vijay.ramcharan at verizonbusiness.com
Fri Jan 16 15:05:48 EST 2009


I ran into similar issues a long time ago when trying to NAT overload an
interface.
The solution is to create a NAT pool with that single outside interface
IP address and overload on the NAT pool.

I can remember at least two instances in the past which have
successfully enabled me to reach the router via the outside interface
even though it was the outside interface and its IP address was being
used as the PAT address.

Vijay Ramcharan


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rodney Dunn
Sent: Friday, January 09, 2009 12:23
To: Jeremy Parr
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Dual Homing and NAT via route-maps

Get 'debug ip nat detailed' when you try to do the SSH.

I bet it's one of those "denying locally generated packets"
from being NATed on the way back out issues.

Try putting a deny in the route-map instance referencing an
ACL that blocks any packets with a src ip of the outside interface
addresses.

Or explicitly match the ip inside subnet and deny all others.

Rodney



On Fri, Jan 09, 2009 at 11:26:23AM -0500, Jeremy Parr wrote:
> One can multi-home a router via object tracking, this works just fine.
> When NAT is added to the mix, things seem to get ugly and broken. The
> "ip nat inside" statement isn't applied with an access list as the
> argument, but rather a route-map. As soon as the ip nat statement is
> in use, the router can no longer be sshed to, or telneted to on either
> external interface. Port forwards to internal hosts continue to work.
> Below is an example config. If the line "ip nat inside source
> route-map BGC interface FastEthernet0 overload" is removed, or the
> line "route-map BGC permit 10", I am able to telnet/ssh to the router.
> Any ideas? I have tested this on various IOS revisions, currently
> running bleeding edge 12.4(11)XW9, but the latest in the T train
> behaves the same.
> 
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname Router
> !
> boot-start-marker
> boot-end-marker
> !
> !
> no aaa new-model
> !
> !
> !
> !
> !
> !
> ip cef
> !
> !
> !
> multilink bundle-name authenticated
> !
> !
> archive
>  log config
>   hidekeys
> !
> !
> !
> track 1 rtr 1 reachability
> !
> !
> !
> interface FastEthernet0
>  ip address 172.16.10.99 255.255.255.0
>  ip nat outside
>  ip virtual-reassembly
>  duplex auto
>  speed auto
> !
> interface FastEthernet1
>  ip address 1.1.1.2 255.255.255.0
>  ip nat outside
>  ip virtual-reassembly
>  duplex auto
>  speed auto
> !
> interface FastEthernet2
> !
> interface FastEthernet3
>  shutdown
> !
> interface FastEthernet4
> !
> interface FastEthernet5
>  shutdown
> !
> interface FastEthernet6
>  shutdown
> !
> interface FastEthernet7
>  shutdown
> !
> interface FastEthernet8
>  shutdown
> !
> interface FastEthernet9
>  shutdown
> !
> interface Dot11Radio0
>  no ip address
>  shutdown
>  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
>  station-role root
> !
> interface Dot11Radio1
>  no ip address
>  shutdown
>  speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
>  station-role root
> !
> interface Vlan1
>  no ip address
>  ip nat inside
>  ip virtual-reassembly
> !
> interface Async1
>  no ip address
>  encapsulation slip
> !
> router eigrp 1
>  network 192.168.1.0
>  auto-summary
> !
> ip route 0.0.0.0 0.0.0.0 172.16.10.1 track 1
> ip route 0.0.0.0 0.0.0.0 1.1.1.1 254
> !
> !
> no ip http server
> no ip http secure-server
> ip nat inside source route-map BGC interface FastEthernet0 overload
> ip nat inside source route-map Backup interface FastEthernet1 overload
> !
> ip sla 1
>  icmp-echo 172.16.10.1
>  timeout 1000
>  threshold 2
>  frequency 3
> ip sla schedule 1 life forever start-time now
> !
> !
> !
> route-map Backup permit 10
>  match interface FastEthernet1
> !
> route-map BGC permit 10
>  match interface FastEthernet0
> !
> !
> !
> !
> control-plane
> !
> !
> line con 0
> line 1
>  modem InOut
>  stopbits 1
>  speed 115200
>  flowcontrol hardware
> line aux 0
> line vty 0 4
>  password beans
>  login
> !
> 
> !
> webvpn cef
> end
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
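The two workarounds discussed in this thread, written out as an added example (this is not configuration posted by Jeremy, Rodney or Vijay). The outside addresses 172.16.10.99 and 1.1.1.2 are taken from the posted config; the inside subnet 192.168.1.0/24 is an assumption inferred from the EIGRP `network` statement, since the posted config gives Vlan1 no address. The ACL and pool names are placeholders. Apply only one of the three variants.

```cisco
! Traffic sourced from the router's own outside addresses (from the posted
! config). Replies the router itself generates to an inbound SSH/Telnet
! session carry these source addresses and must not be translated.
ip access-list extended ROUTER-SELF
 permit ip host 172.16.10.99 any
 permit ip host 1.1.1.2 any
!
! ASSUMED inside range: 192.168.1.0/24 is inferred from "network 192.168.1.0"
! under router eigrp 1; substitute the real inside subnet.
ip access-list extended INSIDE-NETS
 permit ip 192.168.1.0 0.0.0.255 any
!
! Variant A (Rodney's first suggestion): a deny clause ahead of the existing
! permit. In a NAT route-map a deny sequence means "do not translate", not
! "drop": a packet matching ROUTER-SELF stops at sequence 5 and leaves the
! router untranslated; everything else falls through to sequence 10.
route-map BGC deny 5
 match ip address ROUTER-SELF
route-map BGC permit 10
 match interface FastEthernet0
!
route-map Backup deny 5
 match ip address ROUTER-SELF
route-map Backup permit 10
 match interface FastEthernet1
!
! Variant B (Rodney's second suggestion): match only the inside subnet, so
! anything not sourced from it (the router's own addresses included) is never
! a translation candidate. Two match statements in one sequence are ANDed.
! Do not combine with Variant A: re-entering "route-map BGC permit 10" adds
! to the existing sequence rather than replacing it.
route-map BGC permit 10
 match ip address INSIDE-NETS
 match interface FastEthernet0
route-map Backup permit 10
 match ip address INSIDE-NETS
 match interface FastEthernet1
!
! Variant C (Vijay's approach): overload onto a one-address pool that holds
! the outside interface's own IP instead of overloading the interface itself.
ip nat pool FA0-POOL 172.16.10.99 172.16.10.99 netmask 255.255.255.0
ip nat pool FA1-POOL 1.1.1.2 1.1.1.2 netmask 255.255.255.0
no ip nat inside source route-map BGC interface FastEthernet0 overload
no ip nat inside source route-map Backup interface FastEthernet1 overload
ip nat inside source route-map BGC pool FA0-POOL overload
ip nat inside source route-map Backup pool FA1-POOL overload
```

To confirm which variant actually fixes the symptom, follow Rodney's advice and run `debug ip nat detailed` while opening an SSH session to either outside address: with the original config the router's reply packets should show up as translation candidates, and after the change they should not. `show ip nat translations` should then contain entries only for hosts in the inside subnet, never for the router's own outside addresses.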

