
I have a feeling the answer is policy-routing, but I'd like someone to clarify that.

Basically I'm not having any luck getting NAT to work with two WAN interfaces.

I have two WAN interfaces: fe0/1 (static, 200.200.200.2/30, gw 200.200.200.1/30) and fe0/0/0 (Dialer1).

I've set up permanent static routes for various IPs to route out through fe0/1. I believe this is working ok -- I can traceroute from the IOS shell and it's going out fe0/1. I also have NAT working for Dialer1; machines on the LAN can get out without issue. However, machines on the LAN cannot get out on fe0/1 (ping static.routed.ip.address doesn't work).

Here's what I have in my config that's relevant:

access-list 1 permit 192.168.0.0 0.0.0.255

ip nat inside source list 1 interface Dialer1 overload

I've tried adding a pool and associating it with access-list 1; I also created another access-list 15 with the same LAN IP network address, but they all just seem to "replace" the NAT scheme so that my static routes work for fe0/1 (tested from the LAN with ping static.routed.ip.address), but stop working for Dialer1 (fe0/0/0).

Is policy-routing the only way to go here?

EDIT

I should clarify that yes, I do need to NAT overload out both interfaces: I chose to set up static routes rather than policy routes because I don't really care what the source IP/mask is, only the destination: any LAN packet that matches the destination address of my static routes needs to go out the fe0/1 WAN interface.

Like I said, this works from the router at all times and does work from the LAN if I run: ip nat inside source list 1 interface FastEthernet0/1 overload -- but that kills outbound NAT for Dialer1 (the default route) and thus all other outbound traffic.

WuckaChucka
  • Did you try using some debug commands as well as some show commands like Kyle Brandt suggests? From my point of view your config is OK. It should only apply NAT on source 192.168.0.0/24 when going out to Dialer1 – radius Jun 23 '10 at 06:02
  • @radius: Ya, when I look at the NAT order of operations for Cisco it states that routing happens before inside-outside NAT translation, so I am less convinced that the destination IP is needed in the ACL like I said... – Kyle Brandt Jun 23 '10 at 11:09
  • @wuckachucka Could you also give us your IOS version? Could you tell us on which interfaces you set up ip nat inside and ip nat outside? @Kyle Brandt Yep, NAT is performed on outside, I have a very similar configuration working for me – radius Jun 23 '10 at 11:28
  • @radius: it feels like there's a NAT configuration missing for the fe0/1 interface (the static WAN interface) -- because I'm not specifying any NAT config for it, how would the router "know" what IP to overload as in the NAT table when a private IP wants to route out through that fe0/1 (200.200.200.2) interface? – WuckaChucka Jun 23 '10 at 12:31
  • i.e. normally you'd add a pool with the WAN IP listed in it and pair it up with an access-list. – WuckaChucka Jun 23 '10 at 12:32
  • @Kyle: IOS 12.4. – WuckaChucka Jun 23 '10 at 12:34
  • You don't need NAT config on fa0/1 as you don't want NAT on this interface, right? You need ip nat inside on the LAN interface and ip nat outside on the Dialer1 interface – radius Jun 23 '10 at 14:25
  • I do need NAT overload on that interface -- I have certain applications on the LAN that need to route out the fe0/1 interface (hence the permanent static routes defined in the router). It's not so much a source match -- I don't care where you're coming from -- but a destination route, which is why I chose static routes over policy routing. – WuckaChucka Jun 23 '10 at 14:36

2 Answers


I think the answer lies with route-map, as quoted here from the following Cisco support website: https://supportforums.cisco.com/docs/DOC-3987

Dynamic NAT configuration with the route-map option can be used to implement destination-based NAT scenarios where the same local or global address needs to be translated to more than one global or local address. This type of configuration creates an extended translation entry in the NAT table. It is useful specifically when a network is multi-homed to different provider or partner networks, and the same inside local address has to be translated to different inside global addresses available in multiple configured pools.

EDIT: Tested with route-map, works.

WuckaChucka
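The route-map approach this answer reports as working, written out as an added example; it is not the asker's or the answerer's actual configuration. It assumes the LAN interface is FastEthernet0/0 and uses 203.0.113.0/24 as a placeholder for the destinations carried by the static routes, neither of which is given on the page.

```cisco
! Added example, not configuration from the question or either answer:
! NAT overload on two WAN interfaces selected by route-map (IOS 12.4).
! Assumed: LAN interface FastEthernet0/0 (not named in the question) and
! 203.0.113.0/24 as a placeholder for the statically routed destinations.
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description static WAN
 ip address 200.200.200.2 255.255.255.252
 ip nat outside
!
interface Dialer1
 description WAN via Dialer1, carries the default route
 ip nat outside
!
! Routing decides first: specific destinations go out fe0/1, all else Dialer1.
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 203.0.113.0 255.255.255.0 200.200.200.1
!
! One source ACL, exactly as in the question; destinations are not needed here.
access-list 1 permit 192.168.0.0 0.0.0.255
!
! Each route-map matches the LAN source plus the egress interface the routing
! table picked, so NAT follows the static routes instead of fighting them.
route-map NAT-WAN-STATIC permit 10
 match ip address 1
 match interface FastEthernet0/1
!
route-map NAT-WAN-DIALER permit 10
 match ip address 1
 match interface Dialer1
!
! Two overload rules can coexist because each is keyed to a different route-map.
! These replace the single "ip nat inside source list 1 ..." line from the question.
ip nat inside source route-map NAT-WAN-STATIC interface FastEthernet0/1 overload
ip nat inside source route-map NAT-WAN-DIALER interface Dialer1 overload
!
! Check from the CLI: "show ip nat translations" should list 200.200.200.2 as the
! inside global address for flows to 203.0.113.0/24 and the Dialer1 address for
! everything else; "show ip nat statistics" lists both dynamic mappings.
```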

Hard to say without seeing more of the config, but if you are only routing based on the destination IP address and don't want to route based on the source address, I don't believe you need route maps, but that is what I have used in the past.

I think the problem, from what you provided, is maybe that your NAT access lists specify only the source address, so it doesn't know which pool to apply. Instead you want the traffic to match specific pools based on both the destination and source addresses. So, for example, maybe something like:

ip access-list extended nat-dest-1
 permit ip 192.168.0.0 0.0.0.255 12.12.12.0 0.0.0.255
ip access-list extended nat-dest-2
 permit ip 192.168.0.0 0.0.0.255 13.13.13.0 0.0.0.255

I think you might find this Cisco document helpful; it includes both route-map and traditional ACL approaches.

Kyle Brandt