Sunday, August 17, 2008

NAT - Redundancy with route-maps

Here is the topology:

R1 has a loopback 100.0.0.1
R4 has a connection R2 via interface f0/0
R4 has a connection R3 via interface f2/0

R5 uses R4 as its default gateway. R1 has no route back to the R5 network, but it does have a route to R4, so R4 is where we NAT.

We want R5 to keep reachability to R1 when either of R4's uplinks is down. Here's how. First, create an ACL to match the R5 network:

ip access-list standard VLAN45
permit 172.12.45.0 0.0.0.255


Next, create two route-maps, each matching the ACL and the interface out of which the packet will be routed:

route-map FE0 permit 10
match ip address VLAN45
match interface FastEthernet0/0

route-map FE2 permit 10
match ip address VLAN45
match interface FastEthernet2/0


Next, create the NAT statements, one per uplink:

ip nat inside source route-map FE0 interface FastEthernet0/0 overload
ip nat inside source route-map FE2 interface FastEthernet2/0 overload


Remember to configure "ip nat inside" on the LAN interface and "ip nat outside" on both uplink interfaces of R4.
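Here is the full R4 configuration assembled from the steps above, as an added example that is not part of the original post. The uplink addresses 172.12.24.4 and 172.12.34.4 come from the translation output shown later; the LAN interface name (FastEthernet1/0) and R4's LAN address (172.12.45.4) are assumptions, since the post only gives the 172.12.45.0/24 network.

```cisco
! Added example: complete R4 configuration built from the steps in the post.
! Interface names and addresses marked "assumed" are not from the original.
!
! LAN interface toward R5 (name and address assumed)
interface FastEthernet1/0
 ip address 172.12.45.4 255.255.255.0
 ip nat inside
!
! Primary uplink toward R2 (address taken from the post's translation table)
interface FastEthernet0/0
 ip address 172.12.24.4 255.255.255.0
 ip nat outside
!
! Backup uplink toward R3 (address taken from the post's translation table)
interface FastEthernet2/0
 ip address 172.12.34.4 255.255.255.0
 ip nat outside
!
! Only the R5 network is eligible for translation
ip access-list standard VLAN45
 permit 172.12.45.0 0.0.0.255
!
! Each route-map matches the ACL AND the egress interface chosen by routing,
! so a rule applies only when its uplink is the one actually forwarding the packet
route-map FE0 permit 10
 match ip address VLAN45
 match interface FastEthernet0/0
!
route-map FE2 permit 10
 match ip address VLAN45
 match interface FastEthernet2/0
!
! One PAT rule per uplink; the inside global address is the uplink's own address
ip nat inside source route-map FE0 interface FastEthernet0/0 overload
ip nat inside source route-map FE2 interface FastEthernet2/0 overload
```

Verify with "show ip nat translations" as the post does: with f0/0 up, new sessions from 172.12.45.0/24 should show an inside global of 172.12.24.4; after shutting f0/0, new sessions should show 172.12.34.4. The ACL is what limits which inside sources can be translated at all, so keep it scoped to the LAN network rather than permitting any.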

Let's try it from R5:

R5#telnet 100.0.0.1
Trying 100.0.0.1 ... Open


User Access Verification

Password:
R1>


Let's check the translations on R4. Notice that the address currently used for NAT is 172.12.24.4, which is R4's interface towards R2. This is the best route in the routing table towards R1.

R4#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 172.12.24.4:64118 172.12.45.5:64118 100.0.0.1:23 100.0.0.1:23
R4#


Now let's shut the interface to R2 on R4:

R4(config)#int f0/0
R4(config-if)#shut
R4(config-if)#^Z
R4#show ip nat translations

R4#


Telnet again from R5:

R5#telnet 100.0.0.1
Trying 100.0.0.1 ... Open


User Access Verification

Password:


Check the translations on R4 again. Now R4's interface towards R3 is being used for both routing and address translation. This is the backup route from R4 towards R1.

R4#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 172.12.34.4:13668 172.12.45.5:13668 100.0.0.1:23 100.0.0.1:23
R4#

The key thing to remember about this configuration is that the route-map is used as the "source" selector in the NAT statement. Instead of matching only an address list or a static IP, we match an address list and the interface out of which the packet will be routed.

Without the "match interface" in the route-map, the router does not perform translation when using the backup interface. I think this is because if you did not have the "match interface", then whatever NAT statement appears first in your running-config would be used. In this case I have the following order of statements:

ip nat inside source route-map FE0 interface FastEthernet0/0 overload
ip nat inside source route-map FE2 interface FastEthernet2/0 overload


If I did not have a "match interface" in my route-maps, then when f0/0 went down, the router would still try to use the first rule for translation! It wouldn't care which interface was used for routing; it would just use the first route-map that matched all conditions, and in this case the only condition would be the source address.

2 comments:

  1. Thanks guys, it's working OK, tested...
  2. Any thoughts as to how I can make this work when the LAN interface is in a VRF? I want to punch out and use a dialer interface for my primary route and a serial for my secondary. The problem is that the default route for the global table is the serial. The NAT works great if I only have the dialer set up as the outside interface; when I build a second NAT statement the traffic always wants to try and use the serial, even though the default route for the VRF is Dialer1 x.x.x.x global. In my case I just used two different ACLs with the same permit statement; route-map seems cleaner, but for now I would think I should get the same result.

    ip route vrf test1 0.0.0.0 0.0.0.0 Dialer1 64.190.0.1 global track 3
    ip route vrf test1 0.0.0.0 0.0.0.0 Serial1/0 10.1.1.1 global 100

    ip nat inside source list 175 interface Serial1/0 vrf test1 overload
    ip nat inside source list 185 interface Dialer1 vrf test1 overload
