[c-nsp] route-map & nat predicament
Christopher J. Wargaski
wargo1 at gmail.com
Sun Jun 19 14:00:40 EDT 2011
Chris--
It appears that the PIX is has a global NAT statement to translate all
dynamic traffic to the x.x.x.5 IP which is the IP on the outside interface.
I suggest that you leave the x.x.x.5 IP for management of the PIX and
translate all non-VPN outbound traffic to something else, say x.x.x.6. Edit
your route map ACL appropriately so you do not let any traffic from x.x.x.5
go out the ISP-2 path.
cjw
On Sun, Jun 19, 2011 at 11:00 AM, <cisco-nsp-request at puck.nether.net> wrote:
>
> Message: 2
> Date: Sun, 19 Jun 2011 13:05:11 +0200
> From: "Chris Knipe" <savage at savage.za.org>
> To: <cisco-nsp at puck.nether.net>
> Subject: [c-nsp] route-map & nat predicament
> Message-ID: <00ed01cc2e70$c496be10$4dc43a30$@savage.za.org>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi All,
>
>
>
> A bit of a tough one that I cannot seem to find a solution for. Diagram:
>
>
>
> ----- ISP1
>
> PIX --- Cisco 8345
>
> ----- ISP2
>
>
>
> Our PIX is configured with x.x.x.5, whilst the LAN side of the 3847 has
> x.x.x.1. We have static IPs from ISP1 and ISP2, with a BGP session to ISP2
> but not from ISP1 (by choice, due to bandwidth constraints). Our default
> route goes out via ISP2.
>
>
>
> What's happening now, is that legacy clients are configured to connect to
> our Cisco PIX (IPSec VPNs) to an IP address assigned from ISP1. I take
> care
> of this by natting the traffic, and it is working successfully.
>
>
>
> ip nat inside source static x.x.x.5 a.a.a.126
>
>
>
> route-map PolicyRoutes, permit, sequence 10
>
> Match clauses:
>
> ip address (access-lists): toISP1
>
> Set clauses:
>
> ip next-hop b.b.b.b.233
>
> Policy routing matches: 8344989 packets, 528857596 bytes
>
>
>
> Extended IP access list toISP1
>
> 10 permit ip a.a.c.68 0.0.0.3 any (24011 matches)
>
> 20 permit ip a.a.b.96 0.0.0.7 any (571600 matches)
>
> 30 permit ip a.a.a.64 0.0.0.63 any (5980125 matches)
>
> 35 permit udp host x.x.x.5 any (2119303 matches)
>
> 40 deny ip any any (19629171 matches)
>
>
>
> The problem now, is that when a user connects directly to the PIX via
> x.x.x.5 instead of a.a.a.126 the return traffic is matched by the
> route-map,
> and sent via ISP1, instead of ISP2. Removing the route-map or amending the
> access-lists, customers connecting to a.a.a.126 via ISP1, has their return
> traffic sent via ISP2.
>
>
>
> Is there any way that I can send connections from any to a.a.a.126 via
> ISP1,
> and connections from any to x.x.x.5 via ISP2, whilst still keeping the NAT
> in place to nat all traffic to a.a.a.126 ?
>
>
>
> Hope this makes sense.
>
>
>
> --
> Chris.
>
>
>
>
>
>
>
> ------------------------------
>
> _______________________________________________
> cisco-nsp mailing list
> cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
>
> End of cisco-nsp Digest, Vol 103, Issue 55
> ******************************************
>
More information about the cisco-nsp
mailing list