Here is the NAT order of operations in a Cisco router: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml#topic1
I just put something together in the lab, not sure if this is what you want to accomplish, but it works like this:

interface FastEthernet0/0   INSIDE INTERFACE
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map PBR
 speed 100
 full-duplex
!
interface FastEthernet0/1   OUTSIDE 1 (your ethernet)
 ip address 172.18.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet1/0   OUTSIDE 2 (your Dialer3)
 ip address 10.10.10.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex

This is just to simulate Internet access on both routers. Behind Fa0/1 is a router with a loopback that has 1.1.1.1/24; the same goes for Fa1/0.

ip route 0.0.0.0 0.0.0.0 172.18.1.2
ip route 0.0.0.0 0.0.0.0 10.10.10.2
!
! standard PAT config. ACL 100 denies ICMP, which means that SNMP will never
! be NATed on Fa0/1. In your case this needs to be an HTTP/HTTPS deny.
!
ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source list 101 interface FastEthernet1/0 overload
!
access-list 100 deny icmp any any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Then we do PBR: basically, when the protocol is ICMP, send it out of the Fa1/0 interface (Dialer3; again, this should be web traffic for you).

access-list 150 permit icmp any any
!
route-map PBR permit 10
 match ip address 150
 set interface FastEthernet1/0

So when I ping 1.1.1.1 from the client, PBR kicks in and sends it to Fa1/0, and it gets NATed:

isp2>
*Mar  1 00:49:17.799: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
*Mar  1 00:49:17.955: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
*Mar  1 00:49:18.095: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
*Mar  1 00:49:18.147: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
*Mar  1 00:49:18.199: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1

And when I try a telnet to 1.1.1.1, PBR will not kick in, and it will just NAT it to Fa0/1.

client#telnet 1.1.1.1
Trying 1.1.1.1 ... Open

User Access Verification

Password:
isp1>

Again, I'm not sure this will suit your environment, but perhaps you can get something from it.

Regards
Roger

On Mon, Aug 30, 2010 at 10:25 PM, Ray Davis <ray-li...@carpe.net> wrote:
> Hi y'all,
>
> Got a customer router (2801, IOS 12.4(15)T10) with two upstream interfaces.
> Both need to do NAT (private IPs inside). One is the default route, the
> other should be used for web traffic. After trying various configs, I got
> rerouting web traffic out the 2nd interface working, but it's not NATed
> properly (going out with the default interface IP). I can also get multiple
> NAT working, but not with the reroute web traffic route-map (only with static
> routes).
>
> Has anyone done this? Is it even possible with IOS or am I missing something
> here? It seems like the "which interface am I NATing" part occurs before the
> "which interface do I need to send this packet through" part.
>
> Below are the "relevant" parts of this config first, then the whole config
> (in case something else is mucking me up). There is also some VPN & VoIP
> Appliance priority stuff. Any clues would be much appreciated!
>
> TIA,
> Ray
>
> ----------------------------------------------------------------------
>
> interface FastEthernet0/0
>  description Internal LAN
>  ip address 192.168.8.254 255.255.255.0
>  ip nat inside
>  ip policy route-map RerouteWebTraffic
>
> interface FastEthernet0/1
>  description Upstream SDSL (123.123.123.104 /29)
>  ip address 123.123.123.108 255.255.255.248
>  ip nbar protocol-discovery
>  ip nat outside
>  crypto map CustVPNs
>  service-policy output StarfacePolicy
>
> interface Dialer3
>  description Upstream VDSL (dynamic ip)
>  ip nat outside
>
> ip route 0.0.0.0 0.0.0.0 123.123.123.105
> ip route 10.0.0.1 255.255.255.255 Dialer3
>
> ip nat inside source route-map sdsl interface FastEthernet0/1 overload
> ip nat inside source route-map vdsl interface Dialer3 overload
>
> access-list 110 remark ***** ACL route-map RerouteWebTraffic *****
> access-list 110 permit tcp any any eq www
> access-list 110 permit tcp any any eq 443
>
> route-map sdsl permit 10
>  match ip address NAT_Exempt
> !
> route-map sdsl permit 20
>  match interface FastEthernet0/1
> !
> route-map vdsl permit 10
>  match interface Dialer3
> !
> route-map RerouteWebTraffic permit 10
>  match ip address 110
>  set ip default next-hop 10.0.0.1
>
> ----------------------------------------------------------------------
>
> I also tried this instead of the next-hop route-map above, but no-workie:
>
> route-map RerouteWebTraffic permit 10
>  match ip address 110
>  set interface Dialer3
>
> ===== Whole Config ===================================================
>
> !
> ! Last configuration change at 18:19:40 CEDT Fri Aug 20 2010 by ray
> ! NVRAM config last updated at 18:05:03 CEDT Fri Aug 20 2010 by ray
> !
> version 12.4
> service nagle
> no service pad
> service tcp-keepalives-in
> service tcp-keepalives-out
> service timestamps debug datetime msec localtime show-timezone
> service timestamps log datetime msec localtime show-timezone
> service password-encryption
> !
> hostname cust-wi-r0
> !
> boot-start-marker
> boot-end-marker
> !
> logging buffered 51200
> logging console critical
> enable secret 5 blablabla
> !
> aaa new-model
> !
> !
> aaa authentication login default local
> aaa authentication login xauth_list local
> aaa authentication ppp default local
> aaa authorization exec default local
> !
> !
> aaa session-id common
> clock timezone CET 1
> clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 2:00
> dot11 syslog
> no ip source-route
> ip cef
> !
> !
> no ip dhcp use vrf connected
> ip dhcp excluded-address 192.168.8.0 192.168.8.9
> ip dhcp excluded-address 192.168.8.200 192.168.8.254
> !
> ip dhcp pool cust-wi-internal
>    network 192.168.8.0 255.255.255.0
>    default-router 192.168.8.254
>    dns-server 192.168.8.1
> !
> ip dhcp pool ORACLE
>    host 192.168.8.25 255.255.255.0
>    hardware-address 0019.991b.fb4a
>    client-name ORACLE
> !
> ip dhcp pool DSS
>    host 192.168.8.66 255.255.255.0
>    hardware-address 0016.7674.6195
>    client-name DSS
> !
> ip dhcp pool LEXMARK
>    host 192.168.8.99 255.255.255.0
>    hardware-address 00c0.026a.03bd
>    client-name LEXMARK
> !
> ip dhcp pool NPI29E03B
>    host 192.168.8.22 255.255.255.0
>    hardware-address 001f.2929.e03b
>    client-name NPI29E03B
> !
> ip dhcp pool HP_LaserJet_Flur
>    host 192.168.8.16 255.255.255.0
>    hardware-address 001f.2928.79da
>    client-name HP_LaserJet_Flur
> !
> !
> ip inspect max-incomplete high 1100
> ip inspect max-incomplete low 900
> ip inspect one-minute high 1100
> ip inspect one-minute low 900
> ip inspect name Internal_FE00 tcp
> ip inspect name Internal_FE00 udp
> ip inspect name Internal_FE00 cuseeme
> ip inspect name Internal_FE00 ftp
> ip inspect name Internal_FE00 h323
> ip inspect name Internal_FE00 rcmd
> ip inspect name Internal_FE00 realaudio
> ip inspect name Internal_FE00 streamworks
> ip inspect name Internal_FE00 vdolive
> ip inspect name Internal_FE00 tftp
> ip inspect name Internal_FE00 ntp
> ip inspect name Internal_FE00 sip
> ip inspect name Internal_FE00 sip-tls
> ip inspect name External_FE01 smtp
> ip inspect name External_FE01 tcp
> ip inspect name External_FE01 udp
> no ip bootp server
> ip domain name blablabla.net
> ip name-server 101.102.103.138
> ip name-server 103.102.101.153
> !
> multilink bundle-name authenticated
> vpdn enable
> !
> !
> !
> crypto pki trustpoint TP-self-signed-545859614
>  enrollment selfsigned
>  subject-name cn=IOS-Self-Signed-Certificate-545859614
>  revocation-check none
>  rsakeypair TP-self-signed-545859614
> !
> !
> crypto pki certificate chain TP-self-signed-545859614
>  certificate self-signed 01
>   30820253 308201BC 6E65642D 43657274 (...junk...)
>   quit
> !
> !
> username foo password 7 blablabla
> archive
>  log config
>   hidekeys
> !
> !
> crypto isakmp policy 10
>  encr 3des
>  authentication pre-share
>  group 2
> crypto isakmp key blablabla address 1.2.3.4 no-xauth
> crypto isakmp key blablabla address 5.6.7.8 no-xauth
> !
> !
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> !
> crypto map CustVPNs 10 ipsec-isakmp
>  description VPN RemoteOffice1 (1.2.3.4)
>  set peer 1.2.3.4
>  set transform-set ESP-3DES-SHA
>  match address VPN_RemoteOffice1
> crypto map CustVPNs 20 ipsec-isakmp
>  description VPN RemoteOffice2 (5.6.7.8)
>  set peer 5.6.7.8
>  set transform-set ESP-3DES-SHA
>  match address VPN_RemoteOffice2
> !
> !
> !
> ip tcp synwait-time 10
> ip ssh time-out 60
> ip ssh authentication-retries 2
> !
> class-map match-any StarfaceTraffic
>  match access-group name Starface
> !
> !
> policy-map StarfacePolicy
>  class StarfaceTraffic
>   priority percent 70
>  class class-default
>   fair-queue
> !
> !
> !
> !
> interface FastEthernet0/0
>  description Internal LAN
>  ip address 192.168.8.254 255.255.255.0
>  no ip redirects
>  no ip proxy-arp
>  ip inspect Internal_FE00 in
>  ip nat inside
>  ip virtual-reassembly
>  ip policy route-map RerouteWebTraffic
>  no ip mroute-cache
>  duplex auto
>  speed auto
>  no cdp enable
> !
> interface FastEthernet0/1
>  description Upstream SDSL (123.123.123.104 /29)
>  bandwidth 5836
>  ip address 123.123.123.108 255.255.255.248
>  no ip redirects
>  no ip proxy-arp
>  ip nbar protocol-discovery
>  ip inspect External_FE01 in
>  ip nat outside
>  ip virtual-reassembly
>  no ip mroute-cache
>  duplex auto
>  speed auto
>  no cdp enable
>  crypto map CustVPNs
>  service-policy output StarfacePolicy
> !
> interface FastEthernet0/3/0
> !
> interface FastEthernet0/3/1
> !
> interface FastEthernet0/3/2
>  switchport access vlan 3
> !
> interface FastEthernet0/3/3
>  switchport access vlan 2
> !
> interface Vlan1
>  no ip address
> !
> interface Vlan2
>  no ip address
>  no ip proxy-arp
>  ip tcp adjust-mss 1452
>  no ip mroute-cache
>  pppoe enable group global
>  pppoe-client dial-pool-number 2
> !
> interface Vlan3
>  no ip address
>  no ip proxy-arp
>  ip tcp adjust-mss 1452
>  no ip mroute-cache
>  pppoe enable group global
>  pppoe-client dial-pool-number 3
> !
> interface Dialer2
>  description Pay no attention the man behind the curtain! (currently unused)
>  mtu 1456
>  ip address negotiated
>  ip nat outside
>  ip virtual-reassembly
>  encapsulation ppp
>  ip tcp adjust-mss 1452
>  dialer pool 2
>  dialer idle-timeout 30
>  dialer hold-queue 100
>  dialer-group 2
>  no keepalive
>  no cdp enable
>  ppp authentication pap callin
>  ppp chap refuse
>  ppp pap sent-username kakamole-static password 7 blablabla
> !
> interface Dialer3
>  description Upstream VDSL (dynamic ip)
>  mtu 1456
>  ip address negotiated
>  ip nat outside
>  ip virtual-reassembly
>  encapsulation ppp
>  ip tcp adjust-mss 1452
>  dialer pool 3
>  dialer hold-queue 100
>  dialer-group 3
>  no keepalive
>  no cdp enable
>  ppp authentication pap callin
>  ppp chap refuse
>  ppp pap sent-username foobarmumble password 7 blablabla
> !
> ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 123.123.123.105
> ip route 10.0.0.1 255.255.255.255 Dialer3
> !
> ip http server
> ip http access-class 23
> ip http authentication local
> ip http secure-server
> ip http timeout-policy idle 60 life 86400 requests 10000
> ip nat inside source route-map sdsl interface FastEthernet0/1 overload
> ip nat inside source route-map vdsl interface Dialer3 overload
> ip nat inside source static tcp 192.168.8.1 443 123.123.123.108 443 extendable
> ip nat inside source static tcp 192.168.8.1 1723 123.123.123.108 1723 extendable
> ip nat inside source static tcp 192.168.8.1 3389 123.123.123.108 3389 extendable
> ip nat inside source static udp 192.168.8.1 3389 123.123.123.108 3389 extendable
> ip nat inside source static tcp 192.168.8.200 5222 123.123.123.108 5222 extendable
> !
> ip access-list extended NAT_Exempt
>  deny   ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
>  deny   ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
>  permit ip 192.168.8.0 0.0.0.255 any
> ip access-list extended Starface
>  permit ip any host 192.168.68.200
>  permit ip host 192.168.68.200 any
> ip access-list extended VPN_RemoteOffice2
>  permit ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
> ip access-list extended VPN_RemoteOffice1
>  permit ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
> !
> access-list 23 permit 192.168.8.0 0.0.0.255
> access-list 23 permit 212.96.136.32 0.0.0.31
> access-list 101 remark ***** ACL on Inbound Interface *****
> access-list 101 remark *** allow ssh/telnet to this router (but see acl 170)
> access-list 101 permit tcp any host 123.123.123.108 eq 22
> access-list 101 permit tcp any host 123.123.123.108 eq telnet
> access-list 101 remark *** allow icmp
> access-list 101 permit icmp any any
> access-list 101 remark *** allow to 192.168.68.1
> access-list 101 permit tcp any host 123.123.123.108 eq 143
> access-list 101 permit tcp any host 123.123.123.108 eq 1723
> access-list 101 permit gre any host 123.123.123.108
> access-list 101 remark *** allow to 192.168.68.200
> access-list 101 permit tcp any host 123.123.123.108 eq 5222
> access-list 101 deny ip any any
> access-list 110 remark ***** ACL route-map RerouteWebTraffic *****
> access-list 110 permit tcp any any eq www
> access-list 110 permit tcp any any eq 443
> access-list 170 remark ***** allowed telnet access
> access-list 170 permit ip 192.168.6.0 0.0.0.255 any
> access-list 170 deny ip any any log
> dialer-list 2 protocol ip permit
> dialer-list 3 protocol ip permit
> no cdp run
> !
> !
> route-map sdsl permit 10
>  match ip address NAT_Exempt
> !
> route-map sdsl permit 20
>  match interface FastEthernet0/1
> !
> route-map vdsl permit 10
>  match interface Dialer3
> !
> route-map RerouteWebTraffic permit 10
>  match ip address 110
>  set ip default next-hop 10.0.0.1
> !
> route-map nonat permit 10
>  match ip address NAT_Exempt
> !
> !
> !
> control-plane
> !
> line con 0
>  exec-timeout 0 0
>  password 7 blablabla
>  transport output all
>  escape-character 27
> line aux 0
>  exec-timeout 0 0
>  password 7 blablabla
>  transport output all
>  escape-character 27
> line vty 0 4
>  access-class 170 in
>  exec-timeout 60 0
>  privilege level 15
>  password 7 blablabla
>  transport input telnet ssh
>  transport output all
>  escape-character 27
> line vty 5 15
>  access-class 170 in
>  privilege level 15
>  password 7 blablabla
>  transport input telnet ssh
>  transport output all
>  escape-character 27
> !
> scheduler allocate 20000 1000
> end
> ----------------------------------------------------------------------
>
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-...@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
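Added illustration for this thread (not code from either poster, and not IOS): a small Python model of the ordering Roger's lab config depends on. PBR on the inside interface picks the egress interface first; only then is the NAT rule bound to that interface consulted, and it translates only if its ACL permits the packet. The interface names, addresses and ACLs are transcribed from Roger's post; the `Packet`/`AclEntry` types, the `forward()` function and the rule that the model takes the first default route that is up (real CEF would load-share per destination) are assumptions of the model. The third case in `main` shows the failure mode Roger's "deny" line implies: if the policy-routed interface goes down, that traffic falls back to the default route, where the deny in ACL 100 means it is not translated at all.

```python
"""Toy model of PBR-then-NAT on an IOS router, based on Roger's lab config.

Illustration only: not IOS, and not code posted by Roger or Ray.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "icmp", "tcp" or "udp"
    dport: int = 0


@dataclass(frozen=True)
class AclEntry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: str              # "any" or "<address> <wildcard>"
    dst: str
    dport: Optional[int] = None   # "eq <port>" when set


def _addr_matches(spec: str, addr: str) -> bool:
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_matches(e.src, pkt.src) and _addr_matches(e.dst, pkt.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action == "permit"
    return False


# Roger's lab config, transcribed from his post.
ACL_100 = [AclEntry("deny", "icmp", "any", "any"),
           AclEntry("permit", "ip", "192.168.1.0 0.0.0.255", "any")]
ACL_101 = [AclEntry("permit", "ip", "192.168.1.0 0.0.0.255", "any")]
ACL_150 = [AclEntry("permit", "icmp", "any", "any")]
PBR_SET_INTERFACE = "FastEthernet1/0"
# (NAT interface, ACL gating that rule, address used for overload)
NAT_RULES = [("FastEthernet0/1", ACL_100, "172.18.1.1"),
             ("FastEthernet1/0", ACL_101, "10.10.10.1")]
# Two default routes. Model assumption: take the first one that is up.
DEFAULT_ROUTES = ["FastEthernet0/1", "FastEthernet1/0"]
ALL_UP = frozenset(DEFAULT_ROUTES)


def egress_interface(pkt: Packet, up: FrozenSet[str]) -> Optional[str]:
    """PBR on the inside interface is evaluated before the routing table.
    'set interface' applies only while that interface is up; otherwise the
    packet falls through to normal routing."""
    if acl_permits(ACL_150, pkt) and PBR_SET_INTERFACE in up:
        return PBR_SET_INTERFACE
    for iface in DEFAULT_ROUTES:
        if iface in up:
            return iface
    return None


def forward(pkt: Packet, up: FrozenSet[str] = ALL_UP) -> Tuple[Optional[str], Optional[str]]:
    """Return (egress interface, source address on the wire).
    NAT runs after the egress decision: the rule bound to that interface
    translates only if its ACL permits the packet."""
    iface = egress_interface(pkt, up)
    if iface is None:
        return (None, None)
    for nat_iface, acl, outside_addr in NAT_RULES:
        if nat_iface == iface and acl_permits(acl, pkt):
            return (iface, outside_addr)
    # No NAT rule matched on this interface: the private source leaks out.
    return (iface, pkt.src)


if __name__ == "__main__":
    ping = Packet("192.168.1.10", "1.1.1.1", "icmp")
    telnet = Packet("192.168.1.10", "1.1.1.1", "tcp", 23)
    print("ping          ->", forward(ping))     # ('FastEthernet1/0', '10.10.10.1')
    print("telnet        ->", forward(telnet))   # ('FastEthernet0/1', '172.18.1.1')
    # Fa1/0 down: ICMP falls back to Fa0/1, where ACL 100 denies NAT.
    print("ping, Fa1/0 down ->", forward(ping, frozenset({"FastEthernet0/1"})))
```

The point of the third case is that in Roger's layout the deny entry in the NAT ACL is a NAT exemption, not a filter: when the secondary link is down, the rerouted traffic still leaves the router, with its private source address, on the primary interface. On a real box, `show ip nat translations` and `debug ip policy` show which rule and which route-map clause a flow actually hit.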