    Dual ISPs (Part 2)

    I had originally intended to cover the dual inbound NAT and OER in the same part. I have changed this because I wanted to spend a little more time on the NAT part.

    I have read a lot on EE and other places that this is not an easy task. I would like to prove otherwise. The most important part of this is assigning a secondary IP address on the server that you want to set up the NAT translation to. Before anyone gets bent out of shape about multiple IP addresses on the servers, these are going to be on the same subnet (preferably in order as well), so the common issues with Exchange and DCs with multiple IPs will not arise. We have been using this configuration in production for quite a while with good results. Sites with static IP addresses fare better for obvious reasons. Let's now refer to this drawing:

    [Drawing: Dual NAT]

    For this example we will be making a static NAT for RDP connections (TCP 3389), working from the configuration used in Part 1.

    As a refresher, here is the starting configuration:

    Current configuration : 3595 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    enable password shawn
    !
    no aaa new-model
    memory-size iomem 5
    ip cef
    !
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    ip sla monitor 1
     type echo protocol ipIcmpEcho 4.2.2.2
     timeout 500
     frequency 3
    ip sla monitor schedule 1 life forever start-time now
    !
    username shawn privilege 15 password 0 shawn
    !
    track 1 rtr 1 reachability
    !
    interface FastEthernet0/0
     description $FW_INSIDE$
     ip address 192.168.99.1 255.255.255.0
     ip access-group 100 in
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     description $FW_OUTSIDE$
     ip address 1.1.1.1 255.255.255.0
     ip access-group 101 in
     ip verify unicast reverse-path
     ip nat outside
     ip inspect SDM_LOW out
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface FastEthernet1/0
     description ISP 2$ETH-WAN$
     ip address 2.2.2.1 255.255.255.0
     ip access-group 102 in
     ip verify unicast reverse-path
     ip nat outside
     ip inspect SDM_LOW out
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 1.1.1.254 track 1
    ip route 0.0.0.0 0.0.0.0 2.2.2.254 10
    ip route 192.168.32.0 255.255.255.0 192.168.99.254
    !
    !
    ip http server
    ip http authentication local
    no ip http secure-server
    ip nat inside source route-map ISP1 interface FastEthernet0/1 overload
    !
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.99.0 0.0.0.255
    access-list 100 remark au00525a
    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny   ip 1.1.1.0 0.0.0.255 any
    access-list 100 deny   ip host 255.255.255.255 any
    access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by SDM firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 deny   ip 192.168.99.0 0.0.0.255 any
    access-list 101 permit icmp any host 1.1.1.1 echo-reply
    access-list 101 permit icmp any host 1.1.1.1 time-exceeded
    access-list 101 permit icmp any host 1.1.1.1 unreachable
    access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny   ip host 255.255.255.255 any
    access-list 101 deny   ip host 0.0.0.0 any
    access-list 101 deny   ip any any log
    access-list 102 permit icmp any host 2.2.2.1 echo-reply
    access-list 102 permit icmp any host 2.2.2.1 time-exceeded
    access-list 102 permit icmp any host 2.2.2.1 unreachable
    access-list 102 deny   ip any any log
    !
    route-map ISP2 permit 10
     match ip address 1
     match interface FastEthernet1/0
    !
    route-map ISP1 permit 10
     match ip address 1
     match interface FastEthernet0/1
    !
    control-plane
    !
    line con 0
    line aux 0
    line vty 0 4
     login local
    !
    end

    Now to get started:

    1. The first thing we need to do is create access-lists that identify the traffic from each server (we will be using them in the route-map shortly).

       ip access-list extended ISP1
        remark This access list is used to identify traffic that should go to ISP 1
        permit ip host 192.168.99.2 any
       ip access-list extended ISP2
        remark This access list is used to identify traffic that should go to ISP 2
        permit ip host 192.168.99.3 any

    2. Now for the route-map. I normally name it director, simply because that is what it does: direct traffic. We are going to apply it to FastEthernet0/0 (our inside interface).

       route-map director permit 9
        match ip address ISP1
        set ip next-hop 1.1.1.254
       route-map director permit 10
        match ip address ISP2
        set ip next-hop 2.2.2.254

       interface FastEthernet0/0
        ip policy route-map director

    3. The NAT statements are built to match the route-map: 192.168.99.2 is translated on FastEthernet0/1 (ISP 1) and 192.168.99.3 on FastEthernet1/0 (ISP 2).

       ip nat inside source static tcp 192.168.99.2 3389 interface FastEthernet0/1 3389
       ip nat inside source static tcp 192.168.99.3 3389 interface FastEthernet1/0 3389

    4. Finally, the access-list entries that let the RDP traffic in on each outside interface. These permits have to sit above the deny ip any any log line of each list; IOS appends new entries to the end of a numbered access-list, so a permit added after the deny is never evaluated (remove the deny, add the permit, then put the deny back).

       access-list 101 permit tcp any host 1.1.1.1 eq 3389
       access-list 102 permit tcp any host 2.2.2.1 eq 3389

    5. That's it! The servers respond from the IP address they received the request on, so when the reply reaches the router the director route-map forwards it to the matching next hop, ignoring the routing table. The director route-map can be adjusted if there are point-to-point WAN or VPN connections that need access to the servers, since as written it would send those replies to the ISP next hop as well. Another thing to note is that all requests originating from the server are made using its first IP address. This will come into play when we get to Part 3, OER. Anyway, here is the config.

    Building configuration...

    Current configuration : 3985 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    enable password shawn
    !
    no aaa new-model
    memory-size iomem 5
    ip cef
    !
    !
    !
    !
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    ip sla monitor 1
     type echo protocol ipIcmpEcho 4.2.2.2
     timeout 500
     frequency 3
    ip sla monitor schedule 1 life forever start-time now
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    username shawn privilege 15 password 0 shawn
    !
    !
    !
    track 1 rtr 1 reachability
    !
    !
    !
    !
    !
    interface FastEthernet0/0
     description $FW_INSIDE$
     ip address 192.168.99.1 255.255.255.0
     ip access-group 100 in
     ip nat inside
     ip virtual-reassembly
     ip policy route-map director
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     description $FW_OUTSIDE$
     ip address 1.1.1.1 255.255.255.0
     ip access-group 101 in
     ip verify unicast reverse-path
     ip nat outside
     ip inspect SDM_LOW out
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface FastEthernet1/0
     description ISP 2$ETH-WAN$
     ip address 2.2.2.1 255.255.255.0
     ip access-group 102 in
     ip verify unicast reverse-path
     ip nat outside
     ip inspect SDM_LOW out
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 1.1.1.254 track 1
    ip route 0.0.0.0 0.0.0.0 2.2.2.254 10
    ip route 192.168.32.0 255.255.255.0 192.168.99.254
    !
    !
    ip http server
    ip http authentication local
    no ip http secure-server
    ip nat inside source static tcp 192.168.99.2 3389 interface FastEthernet0/1 3389
    ip nat inside source static tcp 192.168.99.3 3389 interface FastEthernet1/0 3389
    ip nat inside source route-map ISP1 interface FastEthernet0/1 overload
    !
    ip access-list extended ISP1
     remark This access list is used to identify traffic that should go to ISP 1
     permit ip host 192.168.99.2 any
    ip access-list extended ISP2
     remark This access list is used to identify traffic that should go to ISP 2
     permit ip host 192.168.99.3 any
    !
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.99.0 0.0.0.255
    access-list 100 remark au00525a
    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny   ip 1.1.1.0 0.0.0.255 any
    access-list 100 deny   ip host 255.255.255.255 any
    access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by SDM firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 deny   ip 192.168.99.0 0.0.0.255 any
    access-list 101 permit icmp any host 1.1.1.1 echo-reply
    access-list 101 permit icmp any host 1.1.1.1 time-exceeded
    access-list 101 permit icmp any host 1.1.1.1 unreachable
    access-list 101 permit tcp any host 1.1.1.1 eq 3389
    access-list 102 permit icmp any host 2.2.2.1 echo-reply
    access-list 102 permit icmp any host 2.2.2.1 time-exceeded
    access-list 102 permit icmp any host 2.2.2.1 unreachable
    access-list 102 permit tcp any host 2.2.2.1 eq 3389
    access-list 102 deny   ip any any log
    !
    route-map director permit 9
     match ip address ISP1
     set ip next-hop 1.1.1.254
    !
    route-map director permit 10
     match ip address ISP2
     set ip next-hop 2.2.2.254
    !
    route-map ISP2 permit 10
     match ip address 1
     match interface FastEthernet1/0
    !
    route-map ISP1 permit 10
     match ip address 1
     match interface FastEthernet0/1
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     login local
    !
    !
    end
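    As an added example (not code from the original post, and not a Cisco tool), here is a small standard-library Python script that reads the pieces of the recipe above out of a saved configuration and checks the two things that make it work: that each static NAT host is policy-routed back to a next hop on the same interface the NAT lives on, and that the inbound access-list on that interface actually reaches its permit for TCP 3389 instead of leaving it behind a deny ip any any. The config text is constructed from the post's own lines, including the ACL 102 ordering that a copy-and-paste of step 4 onto a list already ending in deny ip any any log would produce.

```python
"""Consistency checks for the dual-ISP inbound NAT recipe above. Added example, not
code from the original post: it parses only the IOS lines the recipe uses and reports
a NAT host whose replies are not policy-routed out its own outside interface, and an
inbound ACL that never reaches its permit for the NAT'ed port."""
import ipaddress
import re

# Constructed from the post's final configuration, trimmed to the relevant lines.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 ip access-group 101 in
interface FastEthernet1/0
 ip address 2.2.2.1 255.255.255.0
 ip access-group 102 in
ip nat inside source static tcp 192.168.99.2 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 192.168.99.3 3389 interface FastEthernet1/0 3389
ip access-list extended ISP1
 permit ip host 192.168.99.2 any
ip access-list extended ISP2
 permit ip host 192.168.99.3 any
access-list 101 deny   ip 192.168.99.0 0.0.0.255 any
access-list 101 permit tcp any host 1.1.1.1 eq 3389
access-list 102 deny   ip any any log
access-list 102 permit tcp any host 2.2.2.1 eq 3389
route-map director permit 9
 match ip address ISP1
 set ip next-hop 1.1.1.254
route-map director permit 10
 match ip address ISP2
 set ip next-hop 2.2.2.254
"""
# The same text with the ACL 102 permit moved ahead of the deny, as the recipe intends.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "access-list 102 deny   ip any any log\naccess-list 102 permit tcp any host 2.2.2.1 eq 3389\n",
    "access-list 102 permit tcp any host 2.2.2.1 eq 3389\naccess-list 102 deny   ip any any log\n")


def parse(config):
    """Pull interfaces, ACLs, director clauses and static NATs out of the config text."""
    ifaces, named, numbered, director, nats = {}, {}, {}, [], []
    ctx = None  # (kind, key) of the indented block we are inside
    for line in config.splitlines():
        f = line.split()
        if not line.startswith(" "):  # top-level statement: opens a block or stands alone
            ctx = None
            if m := re.match(r"interface (\S+)$", line):
                ctx, ifaces[m[1]] = ("iface", m[1]), {}
            elif m := re.match(r"ip access-list extended (\S+)$", line):
                ctx, named[m[1]] = ("acl", m[1]), []
            elif re.match(r"route-map director permit \d+$", line):
                ctx = ("rm", None)
                director.append({})
            elif m := re.match(r"ip nat inside source static tcp (\S+) \d+ interface (\S+) (\d+)$", line):
                nats.append({"host": m[1], "iface": m[2], "port": int(m[3])})
            elif m := re.match(r"access-list (\d+) (permit|deny)\s+(.*)$", line):
                numbered.setdefault(m[1], []).append((m[2], m[3].split()))
        elif ctx and ctx[0] == "iface":
            if f[:2] == ["ip", "address"]:
                ifaces[ctx[1]].update(ip=f[2], net=ipaddress.ip_interface(f"{f[2]}/{f[3]}").network)
            elif f[:2] == ["ip", "access-group"]:
                ifaces[ctx[1]]["acl"] = f[2]
        elif ctx and ctx[0] == "acl" and f[:3] == ["permit", "ip", "host"]:
            named[ctx[1]].append(f[3])
        elif ctx and ctx[0] == "rm" and f[0] in ("match", "set"):
            director[-1][f[0]] = f[3]  # "match" -> ACL name, "set" -> next-hop address
    return ifaces, named, numbered, director, nats


def check(config):
    """Return a list of findings; an empty list means the recipe is consistent."""
    ifaces, named, numbered, director, nats = parse(config)
    findings = []
    for nat in nats:
        outside = ifaces[nat["iface"]]
        # 1. Replies must be policy-routed to the ISP owning the outside interface, not the routing table.
        clauses = [d for d in director if nat["host"] in named.get(d.get("match"), [])]
        if not clauses:
            findings.append(f"{nat['host']}: no director clause matches it")
        elif ipaddress.ip_address(clauses[0]["set"]) not in outside["net"]:
            findings.append(f"{nat['host']}: next-hop {clauses[0]['set']} is not on {nat['iface']}")
        # 2. The inbound ACL must reach a permit for the port; entries after 'deny ip any any' are dead.
        acl, matched, deny_all_seen = outside.get("acl"), False, False
        for action, ace in numbered.get(acl, []):
            if action == "deny" and ace[:3] == ["ip", "any", "any"]:
                deny_all_seen = True
            elif (action == "permit" and ace[:2] == ["tcp", "any"]
                  and ace[2:4] == ["host", outside["ip"]] and ace[4:6] == ["eq", str(nat["port"])]):
                matched = True
                if deny_all_seen:
                    findings.append(f"ACL {acl}: permit tcp any host {outside['ip']} eq {nat['port']} "
                                    "sits after 'deny ip any any' and is never reached")
                break
        if not matched:
            findings.append(f"ACL {acl}: nothing permits tcp/{nat['port']} to {outside['ip']}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("reordered", FIXED_CONFIG)):
        print(f"{label}: {check(cfg) or 'no findings'}")
```

    Run as-is, the script reports one finding for the posted text (the ACL 102 permit sitting behind the deny) and none for the reordered copy. Pointing it at a real show running-config is a cheap way to catch the same two mistakes before the second ISP's RDP mapping silently goes unanswered.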

    Categories: Cisco
    Posted by shawn on Friday, November 23, 2007 5:49 PM
    Comments

    Rocco

    Friday, January 18, 2008 5:51 PM

    Hi Shawn,

    This post might have made my day, since this is something I have been looking for for the past couple of months: how to do load balancing (load sharing) with two default routes and then do inbound NAT on both outside interfaces. I will test it during the weekend.

    But is there no option to have inbound NAT without assigning a second IP to internal servers?

    I know Draytek Vigor routers can work in this configuration without a problem.

    shawn

    Friday, January 18, 2008 7:46 PM

    It is possible to do it using static NAT with route-maps. It was outside the scope of this example.
