[c-nsp] asymmetric multihoming & nat

Pete Lumbis alumbis at gmail.com
Mon Jan 24 14:56:42 EST 2011


Adam,

I realized (with the help of an off-list post) I mis-read your
original post. I thought this was on two different devices, instead of
two connections on the same device.

For a single box the NAT lookups are done when traffic arrives on any
nat inside/outside interface*. If we create a translation for a packet
exiting f0/0 (for example) and the response arrives on f0/1, we will
see the packet arriving on a NAT outside interface, do the NAT lookup
and match the existing translation that was created by the first
outbound packet.

What kind of problems are you seeing? Is traffic slow or not arriving at all?

*based on NAT order of ops when traffic arrives on a NAT interface and
is destined for a NAT interface

-Pete

On Fri, Jan 21, 2011 at 6:05 PM, Pete Lumbis <alumbis at gmail.com> wrote:
> NAT could definitely be causing issues. Generally you could use
> something like Stateful NAT (SNAT) between the two BGP speakers to
> make sure they sync their NAT tables, but this feature has had a
> number of challenges/issues and development and started moving it to
> end of life.
>
>
>
> On Fri, Jan 21, 2011 at 4:09 PM, Adam Greene <maillist at webjogger.net> wrote:
>> Hi guys,
>>
>> I have a multihomed customer who receives full BGP routes from both us and
>> another provider and load balances between the two connections. Things are
>> working fine until the traffic becomes asymmetric (i.e. inbound through one
>> provider, outbound through the other).
>>
>> The block they are announcing to their providers is NATed on their BGP
>> router. In other words, all their internal hosts are on private IP space.
>> The internal interface is designated "ip nat inside" and both WAN interfaces
>> are designated "ip nat outside". The actual NAT configurations do not
>> reference any interfaces, just pools.
>>
>> Could the NAT be prohibiting asymmetric traffic in this case? i.e. if the
>> inbound traffic is NATed coming in on one interface, will the router refuse
>> to NAT the outbound traffic through the other interface?
>>
>> If the NAT is the problem, I suppose they could do the NAT on a loopback
>> interface instead ... but I understand that the traffic will all be
>> process-switched if we do that, and performance will probably suffer.
>>
>> Thanks for your insight,
>> Adam
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
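To make Pete's point about the single-box case concrete, here is a small Python model of a NAT translation table, added as an illustration for this archive page; it is not code from the thread and has nothing to do with IOS internals. The interface names (g0/0 inside, f0/0 and f0/1 outside), the pool address 203.0.113.10, and the hosts are constructed. It shows that the reverse lookup keys on the inside-global address and port only, so a reply arriving on the "other" outside interface still matches the translation created by the outbound packet; the second function models the case Pete first assumed (two separate NAT devices with independent tables), where the same asymmetric reply finds no state and is dropped, which is what SNAT table sync was meant to address.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRouter:
    """Hypothetical model of one box doing 'ip nat inside' / 'ip nat outside'.
    A single translation table is shared by every NAT outside interface."""
    inside_global: str            # public address handed out by the NAT pool
    inside_ifaces: set
    outside_ifaces: set
    # (inside local ip, inside local port) -> inside global port
    table: dict = field(default_factory=dict)
    next_port: int = 1024

    def forward(self, pkt, ingress, egress):
        """Translate a packet that entered on 'ingress' and leaves on 'egress'.
        Returns the translated packet, or None when it must be dropped."""
        if ingress in self.inside_ifaces and egress in self.outside_ifaces:
            # inside -> outside: create (or reuse) the translation
            key = (pkt.src_ip, pkt.src_port)
            if key not in self.table:
                self.table[key] = self.next_port
                self.next_port += 1
            return Packet(self.inside_global, self.table[key],
                          pkt.dst_ip, pkt.dst_port)
        if ingress in self.outside_ifaces and egress in self.inside_ifaces:
            # outside -> inside: lookup matches on address/port only;
            # which outside interface the reply arrived on plays no part
            for (lip, lport), gport in self.table.items():
                if pkt.dst_ip == self.inside_global and pkt.dst_port == gport:
                    return Packet(pkt.src_ip, pkt.src_port, lip, lport)
            return None  # no translation state for this flow: dropped
        return pkt  # not a NAT path, pass unchanged


def single_box_asymmetric():
    """Outbound via f0/0, reply returns via f0/1 on the same router."""
    r = NatRouter(inside_global="203.0.113.10",
                  inside_ifaces={"g0/0"}, outside_ifaces={"f0/0", "f0/1"})
    out = r.forward(Packet("10.1.1.5", 40000, "198.51.100.7", 443),
                    "g0/0", "f0/0")
    reply = Packet("198.51.100.7", 443, out.src_ip, out.src_port)
    return r.forward(reply, "f0/1", "g0/0")   # translated back to 10.1.1.5


def two_box_asymmetric():
    """Outbound through router A, reply arrives at router B; no shared table."""
    a = NatRouter("203.0.113.10", {"g0/0"}, {"f0/0"})
    b = NatRouter("203.0.113.10", {"g0/0"}, {"f0/0"})
    out = a.forward(Packet("10.1.1.5", 40000, "198.51.100.7", 443),
                    "g0/0", "f0/0")
    reply = Packet("198.51.100.7", 443, out.src_ip, out.src_port)
    return b.forward(reply, "f0/0", "g0/0")   # None: B has no state


if __name__ == "__main__":
    print("single box:", single_box_asymmetric())
    print("two boxes: ", two_box_asymmetric())
```

The model deliberately ignores protocol, TCP state and timeouts; the only thing it demonstrates is that the matching key is the translated address/port pair held in one table, which is why the asymmetric path survives on one box and breaks across two.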


