[c-nsp] Multiple NAT & Rerouting Web Traffic

Roger Wiklund roger.wiklund at gmail.com
Tue Aug 31 09:59:31 EDT 2010


Here is the NAT order of operations in a Cisco router:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml#topic1

I just put something together in the lab, not sure if this is what you
want to accomplish, but it works like this:

interface FastEthernet0/0
 description INSIDE INTERFACE
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map PBR
 speed 100
 full-duplex
!
interface FastEthernet0/1
 description OUTSIDE 1 (your ethernet)
 ip address 172.18.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet1/0
 description OUTSIDE 2 (your Dialer3)
 ip address 10.10.10.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex

This is just to simulate Internet access on both routers. Behind Fa0/1
is a router with a loopback that has 1.1.1.1/24, the same goes for
Fa1/0.

ip route 0.0.0.0 0.0.0.0 172.18.1.2
ip route 0.0.0.0 0.0.0.0 10.10.10.2
!
Standard PAT config. ACL 100 denies ICMP, which means that ICMP will
never be NATed on Fa0/1. In your case this needs to be an HTTP/HTTPS
deny.

ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source list 101 interface FastEthernet1/0 overload
!
access-list 100 deny   icmp any any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Then we do PBR: basically, when the protocol is ICMP, send it out of
the Fa1/0 interface (Dialer3; again, this should be web traffic for
you).

access-list 150 permit icmp any any
!
!
route-map PBR permit 10
 match ip address 150
 set interface FastEthernet1/0

So when I ping 1.1.1.1 from the client, PBR kicks in and sends it to
Fa1/0, and it gets NATed:

isp2>
*Mar  1 00:49:17.799: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
*Mar  1 00:49:17.955: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
*Mar  1 00:49:18.095: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
*Mar  1 00:49:18.147: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
*Mar  1 00:49:18.199: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1

And when I try a telnet to 1.1.1.1, PBR will not kick in, and it will
just NAT it to Fa0/1.

client#telnet 1.1.1.1
Trying 1.1.1.1 ... Open


User Access Verification

Password:
isp1>

Again, I'm not sure this will suit your environment, but perhaps you
can get something from it.

Regards
Roger
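The lab above exercises the inside-to-outside order of operations that the Cisco note linked at the top describes: policy routing on the inside interface is applied first, then the routing table, and only then inside-source NAT. The Python model below is an added example, not part of the post; it transcribes Roger's lab tables (ACLs, the PBR route-map, the two default routes, the two `ip nat inside source` statements) and walks a ping and a telnet through those three steps. Two things in it are assumptions about IOS rather than facts from the page: that `ip nat inside source` statements are tried in configuration order with the first permitting one winning, and that equal default routes are taken in configuration order (the lab's telnet went out Fa0/1). The `consistent` flag flags the case Ray's quoted question is about, a packet translated to the address of one outside interface while leaving through the other; the `translated` flag flags the other failure mode, a packet no NAT statement permits, which leaves with its private source address. The packet dicts and the `with_match_interface` helper (which pins each statement to its interface the way a route-map `match interface` clause does) are constructed for the example.

```python
"""Model of the IOS inside-to-outside order of operations exercised by the
lab config: policy routing, then the routing table, then inside-source NAT.
Constructed example; the NAT-selection order (statements tried in
configuration order, first match wins) is an assumption, not something the
post states."""
from ipaddress import ip_address, ip_network

# Extended ACL entries as (action, protocol, source prefix); 'ip' matches any
# protocol. Only the source is checked, which is all the lab ACLs need.
ACL_100 = [("deny", "icmp", "0.0.0.0/0"), ("permit", "ip", "192.168.1.0/24")]
ACL_101 = [("permit", "ip", "192.168.1.0/24")]
ACL_150 = [("permit", "icmp", "0.0.0.0/0")]            # matched by route-map PBR

FA0_1, FA1_0 = "FastEthernet0/1", "FastEthernet1/0"
IF_ADDR = {FA0_1: "172.18.1.1", FA1_0: "10.10.10.1"}    # 'interface ... overload' addresses

LAB = {
    "pbr": [(ACL_150, FA1_0)],                          # route-map PBR permit 10
    "routes": [("0.0.0.0/0", FA0_1), ("0.0.0.0/0", FA1_0)],
    # ip nat inside source list <acl> interface <if> overload, in config order.
    # match_if models a route-map 'match interface' clause; None = plain ACL form.
    "nat": [
        {"acl": ACL_100, "match_if": None, "interface": FA0_1},
        {"acl": ACL_101, "match_if": None, "interface": FA1_0},
    ],
}

def acl_permits(acl, pkt):
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for action, proto, src in acl:
        if proto in ("ip", pkt["proto"]) and ip_address(pkt["src"]) in ip_network(src):
            return action == "permit"
    return False

def choose_egress(cfg, pkt, use_pbr=True):
    """Step 1: PBR on the inside interface. Step 2: longest-prefix route;
    equal routes are taken in configuration order (assumption)."""
    if use_pbr:
        for acl, egress in cfg["pbr"]:
            if acl_permits(acl, pkt):
                return egress
    best = None
    for prefix, egress in cfg["routes"]:
        net = ip_network(prefix)
        if ip_address(pkt["dst"]) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None

def choose_nat(cfg, pkt, egress):
    """Step 3: first NAT statement whose ACL permits the packet and whose
    'match interface' (if any) equals the egress interface (assumption)."""
    for rule in cfg["nat"]:
        if acl_permits(rule["acl"], pkt) and rule["match_if"] in (None, egress):
            return rule
    return None

def forward(cfg, pkt, use_pbr=True):
    """Where the packet leaves, with which source, plus two sanity flags."""
    egress = choose_egress(cfg, pkt, use_pbr)
    rule = choose_nat(cfg, pkt, egress)
    src = IF_ADDR[rule["interface"]] if rule else pkt["src"]
    return {
        "egress": egress,
        "src": src,
        "translated": rule is not None,                 # False: private source leaks out
        "consistent": rule is None or rule["interface"] == egress,  # False: wrong global IP
    }

def with_match_interface(cfg):
    """Same config with every NAT statement pinned to its outside interface,
    as a route-map with 'match interface' would do."""
    return {**cfg, "nat": [dict(r, match_if=r["interface"]) for r in cfg["nat"]]}

# Constructed packets from the lab client towards the 1.1.1.1 loopback.
PING = {"proto": "icmp", "src": "192.168.1.10", "dst": "1.1.1.1"}
TELNET = {"proto": "tcp", "src": "192.168.1.10", "dst": "1.1.1.1", "dport": 23}

if __name__ == "__main__":
    for label, result in [
        ("ping, PBR on            ", forward(LAB, PING)),
        ("telnet, PBR on          ", forward(LAB, TELNET)),
        ("ping, PBR off           ", forward(LAB, PING, use_pbr=False)),
        ("ping, PBR off, match-if ", forward(with_match_interface(LAB), PING, use_pbr=False)),
    ]:
        print(label, result)
```

Run it directly to print the four scenarios. The first two reproduce the lab: the ping is policy-routed to Fa1/0 and gets 10.10.10.1, the telnet follows the first default route to Fa0/1 and gets 172.18.1.1, because ACL 100 and ACL 101 are mutually exclusive for ICMP. With PBR switched off the ping is routed to Fa0/1 but, under the model's first-match assumption, still picks up Fa1/0's address (`consistent` is False), and once the statements are pinned to their interfaces it is not translated at all and leaves with its 192.168.1.10 source (`translated` is False). Either outcome is worth a check before a dual-upstream NAT config goes live.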



On Mon, Aug 30, 2010 at 10:25 PM, Ray Davis <ray-lists at carpe.net> wrote:
> Hi y'all,
>
> Got a customer router (2801, IOS 12.4(15)T10) with two upstream interfaces.  Both need to do NAT (private IPs inside).  One is the default route, the other should be used for web traffic.  After trying various configs, I got rerouting web traffic out the 2nd interface working, but it's not NATed properly (going out with the default interface IP).  I can also get multiple NAT working, but not with the reroute web traffic route-map (only with static routes).
>
> Has anyone done this?  Is it even possible with IOS or am I missing something here?  It seems like the "which interface am I NATing" part occurs before the "which interface do I need to send this packet through" part.
>
> Below are the "relevant" parts of this config first, then the whole config (in case something else is mucking me up).  There is also some VPN & VoIP Appliance priority stuff.  Any clues would be much appreciated!
>
> TIA,
> Ray
>
> ----------------------------------------------------------------------
>
> interface FastEthernet0/0
> description Internal LAN
> ip address 192.168.8.254 255.255.255.0
> ip nat inside
> ip policy route-map RerouteWebTraffic
>
> interface FastEthernet0/1
> description Upstream SDSL (123.123.123.104 /29)
> ip address 123.123.123.108 255.255.255.248
> ip nbar protocol-discovery
> ip nat outside
> crypto map CustVPNs
> service-policy output StarfacePolicy
>
> interface Dialer3
> description Upstream VDSL (dynamic ip)
> ip nat outside
>
> ip route 0.0.0.0 0.0.0.0 123.123.123.105
> ip route 10.0.0.1 255.255.255.255 Dialer3
>
> ip nat inside source route-map sdsl interface FastEthernet0/1 overload
> ip nat inside source route-map vdsl interface Dialer3 overload
>
> access-list 110 remark ***** ACL route-map RerouteWebTraffic *****
> access-list 110 permit tcp any any eq www
> access-list 110 permit tcp any any eq 443
>
> route-map sdsl permit 10
> match ip address NAT_Exempt
> !
> route-map sdsl permit 20
> match interface FastEthernet0/1
> !
> route-map vdsl permit 10
> match interface Dialer3
> !
> route-map RerouteWebTraffic permit 10
> match ip address 110
> set ip default next-hop 10.0.0.1
>
> ----------------------------------------------------------------------
>
> I also tried this instead of the next-hop route-map above, but no-workie:
>
> route-map RerouteWebTraffic permit 10
> match ip address 110
> set interface Dialer3
>
> ===== Whole Config ===================================================
>
> !
> ! Last configuration change at 18:19:40 CEDT Fri Aug 20 2010 by ray
> ! NVRAM config last updated at 18:05:03 CEDT Fri Aug 20 2010 by ray
> !
> version 12.4
> service nagle
> no service pad
> service tcp-keepalives-in
> service tcp-keepalives-out
> service timestamps debug datetime msec localtime show-timezone
> service timestamps log datetime msec localtime show-timezone
> service password-encryption
> !
> hostname cust-wi-r0
> !
> boot-start-marker
> boot-end-marker
> !
> logging buffered 51200
> logging console critical
> enable secret 5 blablabla
> !
> aaa new-model
> !
> !
> aaa authentication login default local
> aaa authentication login xauth_list local
> aaa authentication ppp default local
> aaa authorization exec default local
> !
> !
> aaa session-id common
> clock timezone CET 1
> clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 2:00
> dot11 syslog
> no ip source-route
> ip cef
> !
> !
> no ip dhcp use vrf connected
> ip dhcp excluded-address 192.168.8.0 192.168.8.9
> ip dhcp excluded-address 192.168.8.200 192.168.8.254
> !
> ip dhcp pool cust-wi-internal
> network 192.168.8.0 255.255.255.0
> default-router 192.168.8.254
> dns-server 192.168.8.1
> !
> ip dhcp pool ORACLE
> host 192.168.8.25 255.255.255.0
> hardware-address 0019.991b.fb4a
> client-name ORACLE
> !
> ip dhcp pool DSS
> host 192.168.8.66 255.255.255.0
> hardware-address 0016.7674.6195
> client-name DSS
> !
> ip dhcp pool LEXMARK
> host 192.168.8.99 255.255.255.0
> hardware-address 00c0.026a.03bd
> client-name LEXMARK
> !
> ip dhcp pool NPI29E03B
> host 192.168.8.22 255.255.255.0
> hardware-address 001f.2929.e03b
> client-name NPI29E03B
> !
> ip dhcp pool HP_LaserJet_Flur
> host 192.168.8.16 255.255.255.0
> hardware-address 001f.2928.79da
> client-name HP_LaserJet_Flur
> !
> !
> ip inspect max-incomplete high 1100
> ip inspect max-incomplete low 900
> ip inspect one-minute high 1100
> ip inspect one-minute low 900
> ip inspect name Internal_FE00 tcp
> ip inspect name Internal_FE00 udp
> ip inspect name Internal_FE00 cuseeme
> ip inspect name Internal_FE00 ftp
> ip inspect name Internal_FE00 h323
> ip inspect name Internal_FE00 rcmd
> ip inspect name Internal_FE00 realaudio
> ip inspect name Internal_FE00 streamworks
> ip inspect name Internal_FE00 vdolive
> ip inspect name Internal_FE00 tftp
> ip inspect name Internal_FE00 ntp
> ip inspect name Internal_FE00 sip
> ip inspect name Internal_FE00 sip-tls
> ip inspect name External_FE01 smtp
> ip inspect name External_FE01 tcp
> ip inspect name External_FE01 udp
> no ip bootp server
> ip domain name blablabla.net
> ip name-server 101.102.103.138
> ip name-server 103.102.101.153
> !
> multilink bundle-name authenticated
> vpdn enable
> !
> !
> !
> crypto pki trustpoint TP-self-signed-545859614
> enrollment selfsigned
> subject-name cn=IOS-Self-Signed-Certificate-545859614
> revocation-check none
> rsakeypair TP-self-signed-545859614
> !
> !
> crypto pki certificate chain TP-self-signed-545859614
> certificate self-signed 01
> 30820253 308201BC 6E65642D 43657274 (...junk...)
>     quit
> !
> !
> username foo password 7 blablabla
> archive
> log config
> hidekeys
> !
> !
> crypto isakmp policy 10
> encr 3des
> authentication pre-share
> group 2
> crypto isakmp key blablabla address 1.2.3.4 no-xauth
> crypto isakmp key blablabla address 5.6.7.8 no-xauth
> !
> !
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> !
> crypto map CustVPNs 10 ipsec-isakmp
> description VPN RemoteOffice1 (1.2.3.4)
> set peer 1.2.3.4
> set transform-set ESP-3DES-SHA
> match address VPN_RemoteOffice1
> crypto map CustVPNs 20 ipsec-isakmp
> description VPN RemoteOffice2 (5.6.7.8)
> set peer 5.6.7.8
> set transform-set ESP-3DES-SHA
> match address VPN_RemoteOffice2
> !
> !
> !
> ip tcp synwait-time 10
> ip ssh time-out 60
> ip ssh authentication-retries 2
> !
> class-map match-any StarfaceTraffic
> match access-group name Starface
> !
> !
> policy-map StarfacePolicy
> class StarfaceTraffic
> priority percent 70
> class class-default
> fair-queue
> !
> !
> !
> !
> interface FastEthernet0/0
> description Internal LAN
> ip address 192.168.8.254 255.255.255.0
> no ip redirects
> no ip proxy-arp
> ip inspect Internal_FE00 in
> ip nat inside
> ip virtual-reassembly
> ip policy route-map RerouteWebTraffic
> no ip mroute-cache
> duplex auto
> speed auto
> no cdp enable
> !
> interface FastEthernet0/1
> description Upstream SDSL (123.123.123.104 /29)
> bandwidth 5836
> ip address 123.123.123.108 255.255.255.248
> no ip redirects
> no ip proxy-arp
> ip nbar protocol-discovery
> ip inspect External_FE01 in
> ip nat outside
> ip virtual-reassembly
> no ip mroute-cache
> duplex auto
> speed auto
> no cdp enable
> crypto map CustVPNs
> service-policy output StarfacePolicy
> !
> interface FastEthernet0/3/0
> !
> interface FastEthernet0/3/1
> !
> interface FastEthernet0/3/2
> switchport access vlan 3
> !
> interface FastEthernet0/3/3
> switchport access vlan 2
> !
> interface Vlan1
> no ip address
> !
> interface Vlan2
> no ip address
> no ip proxy-arp
> ip tcp adjust-mss 1452
> no ip mroute-cache
> pppoe enable group global
> pppoe-client dial-pool-number 2
> !
> interface Vlan3
> no ip address
> no ip proxy-arp
> ip tcp adjust-mss 1452
> no ip mroute-cache
> pppoe enable group global
> pppoe-client dial-pool-number 3
> !
> interface Dialer2
> description Pay no attention the man behind the curtain! (currently unused)
> mtu 1456
> ip address negotiated
> ip nat outside
> ip virtual-reassembly
> encapsulation ppp
> ip tcp adjust-mss 1452
> dialer pool 2
> dialer idle-timeout 30
> dialer hold-queue 100
> dialer-group 2
> no keepalive
> no cdp enable
> ppp authentication pap callin
> ppp chap refuse
> ppp pap sent-username kakamole-static password 7 blablabla
> !
> interface Dialer3
> description Upstream VDSL (dynamic ip)
> mtu 1456
> ip address negotiated
> ip nat outside
> ip virtual-reassembly
> encapsulation ppp
> ip tcp adjust-mss 1452
> dialer pool 3
> dialer hold-queue 100
> dialer-group 3
> no keepalive
> no cdp enable
> ppp authentication pap callin
> ppp chap refuse
> ppp pap sent-username foobarmumble password 7 blablabla
> !
> ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 123.123.123.105
> ip route 10.0.0.1 255.255.255.255 Dialer3
> !
> ip http server
> ip http access-class 23
> ip http authentication local
> ip http secure-server
> ip http timeout-policy idle 60 life 86400 requests 10000
> ip nat inside source route-map sdsl interface FastEthernet0/1 overload
> ip nat inside source route-map vdsl interface Dialer3 overload
> ip nat inside source static tcp 192.168.8.1 443 123.123.123.108 443 extendable
> ip nat inside source static tcp 192.168.8.1 1723 123.123.123.108 1723 extendable
> ip nat inside source static tcp 192.168.8.1 3389 123.123.123.108 3389 extendable
> ip nat inside source static udp 192.168.8.1 3389 123.123.123.108 3389 extendable
> ip nat inside source static tcp 192.168.8.200 5222 123.123.123.108 5222 extendable
> !
> ip access-list extended NAT_Exempt
> deny   ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
> deny   ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
> permit ip 192.168.8.0 0.0.0.255 any
> ip access-list extended Starface
> permit ip any host 192.168.68.200
> permit ip host 192.168.68.200 any
> ip access-list extended VPN_RemoteOffice2
> permit ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
> ip access-list extended VPN_RemoteOffice1
> permit ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
> !
> access-list 23 permit 192.168.8.0 0.0.0.255
> access-list 23 permit 212.96.136.32 0.0.0.31
> access-list 101 remark ***** ACL on Inbound Interface *****
> access-list 101 remark *** allow ssh/telnet to this router (but see acl 170)
> access-list 101 permit tcp any host 123.123.123.108 eq 22
> access-list 101 permit tcp any host 123.123.123.108 eq telnet
> access-list 101 remark *** allow icmp
> access-list 101 permit icmp any any
> access-list 101 remark *** allow to 192.168.68.1
> access-list 101 permit tcp any host 123.123.123.108 eq 143
> access-list 101 permit tcp any host 123.123.123.108 eq 1723
> access-list 101 permit gre any host 123.123.123.108
> access-list 101 remark *** allow to 192.168.68.200
> access-list 101 permit tcp any host 123.123.123.108 eq 5222
> access-list 101 deny   ip any any
> access-list 110 remark ***** ACL route-map RerouteWebTraffic *****
> access-list 110 permit tcp any any eq www
> access-list 110 permit tcp any any eq 443
> access-list 170 remark ***** allowed telnet access
> access-list 170 permit ip 192.168.6.0 0.0.0.255 any
> access-list 170 deny   ip any any log
> dialer-list 2 protocol ip permit
> dialer-list 3 protocol ip permit
> no cdp run
> !
> !
> route-map sdsl permit 10
> match ip address NAT_Exempt
> !
> route-map sdsl permit 20
> match interface FastEthernet0/1
> !
> route-map vdsl permit 10
> match interface Dialer3
> !
> route-map RerouteWebTraffic permit 10
> match ip address 110
> set ip default next-hop 10.0.0.1
> !
> route-map nonat permit 10
> match ip address NAT_Exempt
> !
> !
> !
> control-plane
> !
> line con 0
> exec-timeout 0 0
> password 7 blablabla
> transport output all
> escape-character 27
> line aux 0
> exec-timeout 0 0
> password 7 blablabla
> transport output all
> escape-character 27
> line vty 0 4
> access-class 170 in
> exec-timeout 60 0
> privilege level 15
> password 7 blablabla
> transport input telnet ssh
> transport output all
> escape-character 27
> line vty 5 15
> access-class 170 in
> privilege level 15
> password 7 blablabla
> transport input telnet ssh
> transport output all
> escape-character 27
> !
> scheduler allocate 20000 1000
> end
> ----------------------------------------------------------------------
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
