[c-nsp] Multiple NAT & Rerouting Web Traffic
Ray Davis
ray-lists at carpe.net
Mon Aug 30 16:25:31 EDT 2010
Hi y'all,
Got a customer router (2801, IOS 12.4(15)T10) with two upstream interfaces. Both need to do NAT (private IPs inside). One is the default route, the other should be used for web traffic. After trying various configs, I got rerouting web traffic out the 2nd interface working, but it's not NATed properly (going out with the default interface IP). I can also get multiple NAT working, but not with the reroute web traffic route-map (only with static routes).
Has anyone done this? Is it even possible with IOS or am I missing something here? It seems like the "which interface am I NATing" part occurs before the "which interface do I need to send this packet through" part.
Below are the "relevant" parts of this config first, then the whole config (in case something else is mucking me up). There is also some VPN & VoIP Appliance priority stuff. Any clues would be much appreciated!
TIA,
Ray
----------------------------------------------------------------------
interface FastEthernet0/0
 description Internal LAN
 ip address 192.168.8.254 255.255.255.0
 ip nat inside
 ip policy route-map RerouteWebTraffic
!
interface FastEthernet0/1
 description Upstream SDSL (123.123.123.104 /29)
 ip address 123.123.123.108 255.255.255.248
 ip nbar protocol-discovery
 ip nat outside
 crypto map CustVPNs
 service-policy output StarfacePolicy
!
interface Dialer3
 description Upstream VDSL (dynamic ip)
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 123.123.123.105
ip route 10.0.0.1 255.255.255.255 Dialer3
!
ip nat inside source route-map sdsl interface FastEthernet0/1 overload
ip nat inside source route-map vdsl interface Dialer3 overload
!
access-list 110 remark ***** ACL route-map RerouteWebTraffic *****
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443
!
route-map sdsl permit 10
 match ip address NAT_Exempt
!
route-map sdsl permit 20
 match interface FastEthernet0/1
!
route-map vdsl permit 10
 match interface Dialer3
!
route-map RerouteWebTraffic permit 10
 match ip address 110
 set ip default next-hop 10.0.0.1
----------------------------------------------------------------------
I also tried this instead of the next-hop route-map above, but no-workie:
route-map RerouteWebTraffic permit 10
 match ip address 110
 set interface Dialer3
===== Whole Config ===================================================
!
! Last configuration change at 18:19:40 CEDT Fri Aug 20 2010 by ray
! NVRAM config last updated at 18:05:03 CEDT Fri Aug 20 2010 by ray
!
version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname cust-wi-r0
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 blablabla
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login xauth_list local
aaa authentication ppp default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone CET 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 2:00
dot11 syslog
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.8.0 192.168.8.9
ip dhcp excluded-address 192.168.8.200 192.168.8.254
!
ip dhcp pool cust-wi-internal
 network 192.168.8.0 255.255.255.0
 default-router 192.168.8.254
 dns-server 192.168.8.1
!
ip dhcp pool ORACLE
 host 192.168.8.25 255.255.255.0
 hardware-address 0019.991b.fb4a
 client-name ORACLE
!
ip dhcp pool DSS
 host 192.168.8.66 255.255.255.0
 hardware-address 0016.7674.6195
 client-name DSS
!
ip dhcp pool LEXMARK
 host 192.168.8.99 255.255.255.0
 hardware-address 00c0.026a.03bd
 client-name LEXMARK
!
ip dhcp pool NPI29E03B
 host 192.168.8.22 255.255.255.0
 hardware-address 001f.2929.e03b
 client-name NPI29E03B
!
ip dhcp pool HP_LaserJet_Flur
 host 192.168.8.16 255.255.255.0
 hardware-address 001f.2928.79da
 client-name HP_LaserJet_Flur
!
!
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 900
ip inspect one-minute high 1100
ip inspect one-minute low 900
ip inspect name Internal_FE00 tcp
ip inspect name Internal_FE00 udp
ip inspect name Internal_FE00 cuseeme
ip inspect name Internal_FE00 ftp
ip inspect name Internal_FE00 h323
ip inspect name Internal_FE00 rcmd
ip inspect name Internal_FE00 realaudio
ip inspect name Internal_FE00 streamworks
ip inspect name Internal_FE00 vdolive
ip inspect name Internal_FE00 tftp
ip inspect name Internal_FE00 ntp
ip inspect name Internal_FE00 sip
ip inspect name Internal_FE00 sip-tls
ip inspect name External_FE01 smtp
ip inspect name External_FE01 tcp
ip inspect name External_FE01 udp
no ip bootp server
ip domain name blablabla.net
ip name-server 101.102.103.138
ip name-server 103.102.101.153
!
multilink bundle-name authenticated
vpdn enable
!
!
!
crypto pki trustpoint TP-self-signed-545859614
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-545859614
 revocation-check none
 rsakeypair TP-self-signed-545859614
!
!
crypto pki certificate chain TP-self-signed-545859614
 certificate self-signed 01
  30820253 308201BC 6E65642D 43657274 (...junk...)
  quit
!
!
username foo password 7 blablabla
archive
 log config
  hidekeys
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key blablabla address 1.2.3.4 no-xauth
crypto isakmp key blablabla address 5.6.7.8 no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map CustVPNs 10 ipsec-isakmp
 description VPN RemoteOffice1 (1.2.3.4)
 set peer 1.2.3.4
 set transform-set ESP-3DES-SHA
 match address VPN_RemoteOffice1
crypto map CustVPNs 20 ipsec-isakmp
 description VPN RemoteOffice2 (5.6.7.8)
 set peer 5.6.7.8
 set transform-set ESP-3DES-SHA
 match address VPN_RemoteOffice2
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any StarfaceTraffic
 match access-group name Starface
!
!
policy-map StarfacePolicy
 class StarfaceTraffic
  priority percent 70
 class class-default
  fair-queue
!
!
!
!
interface FastEthernet0/0
 description Internal LAN
 ip address 192.168.8.254 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip inspect Internal_FE00 in
 ip nat inside
 ip virtual-reassembly
 ip policy route-map RerouteWebTraffic
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description Upstream SDSL (123.123.123.104 /29)
 bandwidth 5836
 ip address 123.123.123.108 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip nbar protocol-discovery
 ip inspect External_FE01 in
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 crypto map CustVPNs
 service-policy output StarfacePolicy
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
 switchport access vlan 3
!
interface FastEthernet0/3/3
 switchport access vlan 2
!
interface Vlan1
 no ip address
!
interface Vlan2
 no ip address
 no ip proxy-arp
 ip tcp adjust-mss 1452
 no ip mroute-cache
 pppoe enable group global
 pppoe-client dial-pool-number 2
!
interface Vlan3
 no ip address
 no ip proxy-arp
 ip tcp adjust-mss 1452
 no ip mroute-cache
 pppoe enable group global
 pppoe-client dial-pool-number 3
!
interface Dialer2
 description Pay no attention the man behind the curtain! (currently unused)
 mtu 1456
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 2
 dialer idle-timeout 30
 dialer hold-queue 100
 dialer-group 2
 no keepalive
 no cdp enable
 ppp authentication pap callin
 ppp chap refuse
 ppp pap sent-username kakamole-static password 7 blablabla
!
interface Dialer3
 description Upstream VDSL (dynamic ip)
 mtu 1456
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 3
 dialer hold-queue 100
 dialer-group 3
 no keepalive
 no cdp enable
 ppp authentication pap callin
 ppp chap refuse
 ppp pap sent-username foobarmumble password 7 blablabla
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 123.123.123.105
ip route 10.0.0.1 255.255.255.255 Dialer3
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map sdsl interface FastEthernet0/1 overload
ip nat inside source route-map vdsl interface Dialer3 overload
ip nat inside source static tcp 192.168.8.1 443 123.123.123.108 443 extendable
ip nat inside source static tcp 192.168.8.1 1723 123.123.123.108 1723 extendable
ip nat inside source static tcp 192.168.8.1 3389 123.123.123.108 3389 extendable
ip nat inside source static udp 192.168.8.1 3389 123.123.123.108 3389 extendable
ip nat inside source static tcp 192.168.8.200 5222 123.123.123.108 5222 extendable
!
ip access-list extended NAT_Exempt
 deny ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
 deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
 permit ip 192.168.8.0 0.0.0.255 any
ip access-list extended Starface
 permit ip any host 192.168.68.200
 permit ip host 192.168.68.200 any
ip access-list extended VPN_RemoteOffice2
 permit ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
ip access-list extended VPN_RemoteOffice1
 permit ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
!
access-list 23 permit 192.168.8.0 0.0.0.255
access-list 23 permit 212.96.136.32 0.0.0.31
access-list 101 remark ***** ACL on Inbound Interface *****
access-list 101 remark *** allow ssh/telnet to this router (but see acl 170)
access-list 101 permit tcp any host 123.123.123.108 eq 22
access-list 101 permit tcp any host 123.123.123.108 eq telnet
access-list 101 remark *** allow icmp
access-list 101 permit icmp any any
access-list 101 remark *** allow to 192.168.68.1
access-list 101 permit tcp any host 123.123.123.108 eq 143
access-list 101 permit tcp any host 123.123.123.108 eq 1723
access-list 101 permit gre any host 123.123.123.108
access-list 101 remark *** allow to 192.168.68.200
access-list 101 permit tcp any host 123.123.123.108 eq 5222
access-list 101 deny ip any any
access-list 110 remark ***** ACL route-map RerouteWebTraffic *****
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443
access-list 170 remark ***** allowed telnet access
access-list 170 permit ip 192.168.6.0 0.0.0.255 any
access-list 170 deny ip any any log
dialer-list 2 protocol ip permit
dialer-list 3 protocol ip permit
no cdp run
!
!
route-map sdsl permit 10
 match ip address NAT_Exempt
!
route-map sdsl permit 20
 match interface FastEthernet0/1
!
route-map vdsl permit 10
 match interface Dialer3
!
route-map RerouteWebTraffic permit 10
 match ip address 110
 set ip default next-hop 10.0.0.1
!
route-map nonat permit 10
 match ip address NAT_Exempt
!
!
!
control-plane
!
line con 0
 exec-timeout 0 0
 password 7 blablabla
 transport output all
 escape-character 27
line aux 0
 exec-timeout 0 0
 password 7 blablabla
 transport output all
 escape-character 27
line vty 0 4
 access-class 170 in
 exec-timeout 60 0
 privilege level 15
 password 7 blablabla
 transport input telnet ssh
 transport output all
 escape-character 27
line vty 5 15
 access-class 170 in
 privilege level 15
 password 7 blablabla
 transport input telnet ssh
 transport output all
 escape-character 27
!
scheduler allocate 20000 1000
end
----------------------------------------------------------------------
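Added here as a worked example (not part of Ray's post and not Cisco tooling): a small Python check that parses the "relevant parts" of the posted config and follows the policy route-map's set next-hop through the static routes to an egress interface, then reports whether that interface is ip nat outside and whether one of the ip nat inside source route-map statements bound to it has a matching match interface clause. It only audits the static wiring between PBR, routing and the NAT route-maps; it does not model the order in which IOS applies PBR and NAT, which is the actual question. On this config it reports the wiring as consistent (Dialer3, nat outside, covered by route-map vdsl), which is the same picture Ray sees. Assumptions: the sample config embedded below is a constructed, trimmed copy of the posted lines with one-space IOS indentation, and the resolver handles only the route types that appear in it (connected, static to interface, static to next-hop, default).

```python
import re
from collections import defaultdict

# Constructed sample: trimmed copy of the posted "relevant parts", IOS-indented.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.8.254 255.255.255.0
 ip nat inside
 ip policy route-map RerouteWebTraffic
!
interface FastEthernet0/1
 ip address 123.123.123.108 255.255.255.248
 ip nat outside
!
interface Dialer3
 ip address negotiated
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 123.123.123.105
ip route 10.0.0.1 255.255.255.255 Dialer3
ip nat inside source route-map sdsl interface FastEthernet0/1 overload
ip nat inside source route-map vdsl interface Dialer3 overload
route-map sdsl permit 10
 match ip address NAT_Exempt
!
route-map sdsl permit 20
 match interface FastEthernet0/1
!
route-map vdsl permit 10
 match interface Dialer3
!
route-map RerouteWebTraffic permit 10
 match ip address 110
 set ip default next-hop 10.0.0.1
"""


def parse_config(text):
    """Minimal IOS parser (assumes one-space sub-commands and '!' as block end)."""
    cfg = {"interfaces": {}, "route_maps": defaultdict(list), "routes": [], "nat": []}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                current.append(raw.strip())
            continue
        parts = raw.split()
        current = None
        if parts[0] == "interface":
            current = cfg["interfaces"].setdefault(parts[1], [])
        elif parts[0] == "route-map":
            current = []                                  # one list per clause
            cfg["route_maps"][parts[1]].append(current)
        elif raw.startswith("ip route "):
            cfg["routes"].append(parts[2:])               # prefix, mask, via
        elif raw.startswith("ip nat inside source route-map "):
            cfg["nat"].append({"route_map": parts[5], "interface": parts[7]})
    return cfg


def _ip(s):
    a, b, c, d = (int(x) for x in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def _in_subnet(ip, net, mask):
    return _ip(ip) & _ip(mask) == _ip(net) & _ip(mask)


def resolve_interface(cfg, dest, depth=0):
    """Longest-prefix match over connected + static routes; follows next-hop IPs."""
    if depth > 4:
        return None
    candidates = []
    for name, body in cfg["interfaces"].items():
        for cmd in body:
            m = re.match(r"ip address (\S+) (\S+)$", cmd)   # 'negotiated' won't match
            if m and _in_subnet(dest, m.group(1), m.group(2)):
                candidates.append((_ip(m.group(2)), name))
    for prefix, mask, via, *_ in cfg["routes"]:
        if _in_subnet(dest, prefix, mask):
            candidates.append((_ip(mask), via))
    if not candidates:
        return None
    _, via = max(candidates)                               # longest mask wins
    if via in cfg["interfaces"]:
        return via
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", via):
        return resolve_interface(cfg, via, depth + 1)      # recursive next-hop
    return None


def audit_pbr_nat(cfg):
    """For every policy-routed 'ip nat inside' interface, follow each set clause
    to its egress interface and report the NAT configuration found there."""
    findings = []
    for name, body in cfg["interfaces"].items():
        if "ip nat inside" not in body:
            continue
        for cmd in body:
            if not cmd.startswith("ip policy route-map "):
                continue
            pmap = cmd.split()[-1]
            for clause in cfg["route_maps"].get(pmap, []):
                for setcmd in clause:
                    m = re.match(r"set ip (?:default )?next-hop (\S+)", setcmd)
                    if m:
                        egress = resolve_interface(cfg, m.group(1))
                    elif setcmd.startswith("set interface "):
                        egress = setcmd.split()[2]
                    else:
                        continue
                    outside = egress in cfg["interfaces"] and "ip nat outside" in cfg["interfaces"][egress]
                    nat_maps = [n["route_map"] for n in cfg["nat"] if n["interface"] == egress]
                    matching = [rm for rm in nat_maps
                                if any(f"match interface {egress}" in cl for cl in cfg["route_maps"][rm])]
                    findings.append({"inside": name, "policy_map": pmap, "set": setcmd,
                                     "egress": egress, "nat_outside": outside,
                                     "nat_route_maps": nat_maps, "match_interface": matching})
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("default-route egress:", resolve_interface(cfg, "198.51.100.7"))
    for finding in audit_pbr_nat(cfg):
        print(finding)
```

Run as-is it prints the default egress (FastEthernet0/1) and one finding for RerouteWebTraffic: egress Dialer3, nat_outside True, NAT route-map vdsl with a matching match interface. A finding with nat_outside False or an empty match_interface list is the misconfiguration the check is meant to catch; a finding with everything True, as here, means the wiring is fine and the behaviour has to be explained by the platform, not the config.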