[c-nsp] route-map & nat predicament

Christopher J. Wargaski wargo1 at gmail.com
Sun Jun 19 14:00:40 EDT 2011


Chris--

   It appears that the PIX has a global NAT statement to translate all
dynamic traffic to the x.x.x.5 IP, which is the IP on the outside interface.

   I suggest that you leave the x.x.x.5 IP for management of the PIX and
translate all non-VPN outbound traffic to something else, say x.x.x.6. Edit
your route map ACL appropriately so you do not let any traffic from x.x.x.5
go out the ISP-2 path.

cjw


On Sun, Jun 19, 2011 at 11:00 AM, <cisco-nsp-request at puck.nether.net> wrote:

>
> Message: 2
> Date: Sun, 19 Jun 2011 13:05:11 +0200
> From: "Chris Knipe" <savage at savage.za.org>
> To: <cisco-nsp at puck.nether.net>
> Subject: [c-nsp] route-map & nat predicament
> Message-ID: <00ed01cc2e70$c496be10$4dc43a30$@savage.za.org>
> Content-Type: text/plain;       charset="us-ascii"
>
> Hi All,
>
>
>
> A bit of a tough one that I cannot seem to find a solution for.   Diagram:
>
>                    /----- ISP1
> PIX --- Cisco 8345
>                    \----- ISP2
>
> Our PIX is configured with x.x.x.5, whilst the LAN side of the 3847 has
> x.x.x.1.  We have static IPs from ISP1 and ISP2, with a BGP session to ISP2
> but not from ISP1 (by choice, due to bandwidth constraints).  Our default
> route goes out via ISP2.
>
>
>
> What's happening now, is that legacy clients are configured to connect to
> our Cisco PIX (IPSec VPNs) to an IP address assigned from ISP1.  I take care
> of this by natting the traffic, and it is working successfully.
>
> ip nat inside source static x.x.x.5 a.a.a.126
>
> route-map PolicyRoutes, permit, sequence 10
>  Match clauses:
>    ip address (access-lists): toISP1
>  Set clauses:
>    ip next-hop b.b.b.b.233
>  Policy routing matches: 8344989 packets, 528857596 bytes
>
> Extended IP access list toISP1
>    10 permit ip a.a.c.68 0.0.0.3 any (24011 matches)
>    20 permit ip a.a.b.96 0.0.0.7 any (571600 matches)
>    30 permit ip a.a.a.64 0.0.0.63 any (5980125 matches)
>    35 permit udp host x.x.x.5 any (2119303 matches)
>    40 deny ip any any (19629171 matches)
>
>
>
> The problem now, is that when a user connects directly to the PIX via
> x.x.x.5 instead of a.a.a.126 the return traffic is matched by the route-map,
> and sent via ISP1, instead of ISP2.  Removing the route-map or amending the
> access-lists, customers connecting to a.a.a.126 via ISP1 have their return
> traffic sent via ISP2.
>
> Is there any way that I can send connections from any to a.a.a.126 via ISP1,
> and connections from any to x.x.x.5 via ISP2, whilst still keeping the NAT
> in place to nat all traffic to a.a.a.126?
>
> Hope this makes sense.
>
>
>
> --
> Chris.
>
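Added illustration, not part of either message above: a small Python model of how the router evaluates the toISP1 access-list and the PolicyRoutes route-map from Chris Knipe's post. Constructed documentation and private addresses stand in for the masked x.x.x.*, a.a.*.* and b.b.b.* values (the 198.51.100.6 "second PIX address" is a hypothetical x.x.x.6 in the spirit of the reply), and every ACL entry's destination is taken as 'any', as shown in the post.

```python
# Added example, not from either poster: models IOS wildcard-mask ACL matching
# and the route-map next-hop decision discussed in the thread. All addresses
# are constructed stand-ins for the masked values in the post.
import ipaddress

PIX_OUTSIDE = "198.51.100.5"     # stands in for x.x.x.5 (constructed)
ISP1_NEXT_HOP = "203.0.113.233"  # stands in for b.b.b.233 (constructed)
DEFAULT_VIA = "routing-table"    # no PBR match: default route, i.e. ISP2

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

# Access-list toISP1 as posted: (seq, action, proto, src base, src wildcard).
# Every entry's destination is 'any', so destination is not modelled.
TOISP1 = [
    (10, "permit", "ip",  "172.16.3.68", "0.0.0.3"),          # a.a.c.68/30
    (20, "permit", "ip",  "172.16.2.96", "0.0.0.7"),          # a.a.b.96/29
    (30, "permit", "ip",  "192.0.2.64",  "0.0.0.63"),         # a.a.a.64/26
    (35, "permit", "udp", PIX_OUTSIDE,   "0.0.0.0"),          # host x.x.x.5
    (40, "deny",   "ip",  "0.0.0.0",     "255.255.255.255"),  # any
]

def acl_lookup(acl, proto, src):
    """First matching entry as (seq, action); 'ip' entries match any protocol."""
    for seq, action, aproto, base, wc in acl:
        if aproto in ("ip", proto) and wildcard_match(src, base, wc):
            return seq, action
    return None

def policy_route(acl, proto, src):
    """route-map PolicyRoutes seq 10: an ACL permit sets next-hop ISP1;
    a deny (or no match) falls through to the normal routing table."""
    hit = acl_lookup(acl, proto, src)
    return ISP1_NEXT_HOP if hit and hit[1] == "permit" else DEFAULT_VIA

if __name__ == "__main__":
    # Return traffic from the PIX to any IPSec peer is UDP (IKE/NAT-T) sourced
    # from x.x.x.5 on the inside, whether the peer dialled a.a.a.126 or x.x.x.5,
    # so seq 35 sends both out ISP1: the router cannot tell them apart by source.
    print(policy_route(TOISP1, "udp", PIX_OUTSIDE))     # 203.0.113.233
    # A second, distinct inside address (hypothetical x.x.x.6) never hits
    # seq 35 and keeps the default route, which is what the reply relies on.
    print(policy_route(TOISP1, "udp", "198.51.100.6"))  # routing-table
```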

