[c-nsp] NAT issue - two isp connections, need to nat 2nd isp for two dest addresses only
Reuben Farrelly
reuben-cisco-nsp at reub.net
Fri Apr 19 04:57:50 EDT 2013
Yes it certainly should work, however I found that it doesn't always
work properly, specifically for SIP traffic (TCP and UDP traffic worked
fine). The SIP ALG is broken and you'll find traffic will exit one
interface but the SIP ALG will sometimes rewrite the SIP header to have
the other interface's outside IP.
It looked like an elegant solution to a simple problem; the config I had
was something like this:
route-map internet-nat-access permit 10
 match interface FastEthernet0/1
!
route-map tunnel-nat-access permit 10
 match interface Tunnel0
!
ip nat inside source route-map internet-nat-access interface FastEthernet0/1 overload
ip nat inside source route-map tunnel-nat-access interface Tunnel0 overload
I was controlling which interface the traffic went out with static
routes. Disabling the SIP ALG didn't resolve the problem either.
I had a TAC case open for over 15 months in which I had a 100%
reproducible test case across multiple platforms and multiple versions
of IOS, and eventually after much "persistence" and 3 or so TAC
engineers later, TAC agreed that yes, it was indeed a bug.
It was raised as CSCue13042 in January (SR 619832003).
Unfortunately, and to my extreme frustration, it changed status without
warning to "Terminated (Unreproducible)" just last week.
So - YMMV. The config suggested "mostly" works. Which is more than I
can say for TAC in this instance.
Reuben
On 19/04/2013 5:03 PM, CCIE Ninja wrote:
> I guess this would work, if you match on outgoing interface?
>
> route-map SP_A_NAT
> match interface $MY_OUTGOING_INTERFACE
>
> ip nat inside source 155.1.5.5 155.1.13.7 route-map SP_A_NAT
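
Added example, not part of the original post or thread: a check for the symptom described above, where a SIP message leaves one interface but carries the other interface's outside IP. The addresses, the `audit` and `make_invite` names and the sample INVITE are constructed, and it assumes outbound requests from a user agent directly behind the router, captured per egress interface.

```python
import re

# Assumed outside address of each NAT egress interface: constructed,
# documentation-range values; only the interface names come from the post.
OUTSIDE_IP = {"FastEthernet0/1": "192.0.2.10", "Tunnel0": "198.51.100.20"}

# First IPv4 address in the Via/Contact headers and the SDP o=/c= lines,
# which should carry the NATed address on a request that originates inside.
ADDR_FIELD = re.compile(
    r"^(Via|Contact|o|c)\s*[:=].*?\b(\d{1,3}(?:\.\d{1,3}){3})\b", re.I | re.M)


def audit(egress_if, message):
    """Return (field, address, reason) per address that is not egress_if's outside IP."""
    findings = []
    for m in ADDR_FIELD.finditer(message):
        field, addr = m.group(1), m.group(2)
        if addr == OUTSIDE_IP[egress_if]:
            continue
        owner = next((i for i, ip in OUTSIDE_IP.items() if ip == addr), None)
        reason = (f"outside IP of {owner}" if owner
                  else "not an outside IP of this router")
        findings.append((field, addr, reason))
    return findings


def make_invite(via, contact, sdp):
    """Build a constructed outbound INVITE carrying the given addresses."""
    return "\r\n".join([
        "INVITE sip:bob@example.net SIP/2.0",
        f"Via: SIP/2.0/UDP {via}:5060;branch=z9hG4bK776asdhds",
        "From: <sip:alice@example.org>;tag=1928301774",
        "To: <sip:bob@example.net>",
        "Call-ID: a84b4c76e66710",
        "CSeq: 1 INVITE",
        f"Contact: <sip:alice@{contact}:5060>",
        "Content-Type: application/sdp",
        "",
        "v=0",
        f"o=alice 2890844526 2890844526 IN IP4 {sdp}",
        f"c=IN IP4 {sdp}",
        "m=audio 49170 RTP/AVP 0",
    ])


if __name__ == "__main__":
    # Constructed case: left Tunnel0, Via/Contact carry the other interface's IP.
    bad = make_invite("192.0.2.10", "192.0.2.10", "198.51.100.20")
    for finding in audit("Tunnel0", bad):
        print(finding)
```

Run against messages captured on each outside interface, an empty result means the rewritten addresses agree with the egress path.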