Thanks for your test config! The main thing I see different here is that you have two default routes. In my case, the default needs to be the sdsl interface and only http/https should go out the vdsl interface.
I get the routing to work, but NAT doesn't work going out the vdsl interface. (Also see my next email in this thread.)

Cheers,
Ray

On 31 Aug 2010, at 15:59, Roger Wiklund wrote:

> Here is the NAT order of operations in a Cisco router:
>
> http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml#topic1
>
> I just put something together in the lab, not sure if this is what you
> want to accomplish, but it works like this:
>
> interface FastEthernet0/0
> INSIDE INTERFACE
>  ip address 192.168.1.1 255.255.255.0
>  ip nat inside
>  ip virtual-reassembly
>  ip policy route-map PBR
>  speed 100
>  full-duplex
> !
> interface FastEthernet0/1
> OUTSIDE 1 (your ethernet)
>  ip address 172.18.1.1 255.255.255.0
>  ip nat outside
>  ip virtual-reassembly
>  speed 100
>  full-duplex
> !
> interface FastEthernet1/0
> OUTSIDE 2 (your Dialer3)
>  ip address 10.10.10.1 255.255.255.0
>  ip nat outside
>  ip virtual-reassembly
>  speed 100
>  full-duplex
>
> This is just to simulate Internet access on both routers. Behind Fa0/1
> is a router with a loopback that has 1.1.1.1/24, the same goes for
> Fa1/0.
>
> ip route 0.0.0.0 0.0.0.0 172.18.1.2
> ip route 0.0.0.0 0.0.0.0 10.10.10.2
> !
> standard PAT config. ACL 100 denies ICMP. Which means that SNMP will
> never be NATed on Fa0/1. In your case this needs to be HTTP/HTTPS
> deny.
>
> ip nat inside source list 100 interface FastEthernet0/1 overload
> ip nat inside source list 101 interface FastEthernet1/0 overload
> !
> access-list 100 deny icmp any any
> access-list 100 permit ip 192.168.1.0 0.0.0.255 any
>
> access-list 101 permit ip 192.168.1.0 0.0.0.255 any
>
> Then we do PBR, basically when the protocol is ICMP. Send it out of
> the Fa1/0 interface (Dialer3, again this should be web traffic for
> you)
> access-list 150 permit icmp any any
> !
> !
> route-map PBR permit 10
>  match ip address 150
>  set interface FastEthernet1/0
>
> So when I ping 1.1.1.1 from the client, PBR kicks in and sends it to
> Fa1/0, and it gets NATed
> isp2>
> *Mar 1 00:49:17.799: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
> *Mar 1 00:49:17.955: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
> *Mar 1 00:49:18.095: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
> *Mar 1 00:49:18.147: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
> *Mar 1 00:49:18.199: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
>
> And when I try a telnet to 1.1.1.1 PBR will not kick in, and it will
> just NAT it to Fa0/1.
>
> client#telnet 1.1.1.1
> Trying 1.1.1.1 ... Open
>
>
> User Access Verification
>
> Password:
> isp1>
>
> Again, I'm not sure this will suit your environment, but perhaps you
> can get something from it ..
>
> Regards
> Roger
>
>
>
> On Mon, Aug 30, 2010 at 10:25 PM, Ray Davis <ray-li...@carpe.net> wrote:
>> Hi y'all,
>>
>> Got a customer router (2801, IOS 12.4(15)T10) with two upstream interfaces.
>> Both need to do NAT (private IPs inside). One is the default route, the
>> other should be used for web traffic. After trying various configs, I got
>> rerouting web traffic out the 2nd interface working, but it's not NATed
>> properly (going out with the default interface IP). I can also get multiple
>> NAT working, but not with the reroute web traffic route-map (only with
>> static routes).
>>
>> Has anyone done this? Is it even possible with IOS or am I missing
>> something here? It seems like the "which interface am I NATing" part occurs
>> before the "which interface do I need to send this packet through" part.
>>
>> Below are the "relevant" parts of this config first, then the whole config
>> (in case something else is mucking me up). There is also some VPN & VoIP
>> Appliance priority stuff. Any clues would be much appreciated!
>>
>> TIA,
>> Ray
>>
>> ----------------------------------------------------------------------
>>
>> interface FastEthernet0/0
>>  description Internal LAN
>>  ip address 192.168.8.254 255.255.255.0
>>  ip nat inside
>>  ip policy route-map RerouteWebTraffic
>>
>> interface FastEthernet0/1
>>  description Upstream SDSL (123.123.123.104 /29)
>>  ip address 123.123.123.108 255.255.255.248
>>  ip nbar protocol-discovery
>>  ip nat outside
>>  crypto map CustVPNs
>>  service-policy output StarfacePolicy
>>
>> interface Dialer3
>>  description Upstream VDSL (dynamic ip)
>>  ip nat outside
>>
>> ip route 0.0.0.0 0.0.0.0 123.123.123.105
>> ip route 10.0.0.1 255.255.255.255 Dialer3
>>
>> ip nat inside source route-map sdsl interface FastEthernet0/1 overload
>> ip nat inside source route-map vdsl interface Dialer3 overload
>>
>> access-list 110 remark ***** ACL route-map RerouteWebTraffic *****
>> access-list 110 permit tcp any any eq www
>> access-list 110 permit tcp any any eq 443
>>
>> route-map sdsl permit 10
>>  match ip address NAT_Exempt
>> !
>> route-map sdsl permit 20
>>  match interface FastEthernet0/1
>> !
>> route-map vdsl permit 10
>>  match interface Dialer3
>> !
>> route-map RerouteWebTraffic permit 10
>>  match ip address 110
>>  set ip default next-hop 10.0.0.1
>>
>> ----------------------------------------------------------------------
>>
>> I also tried this instead of the next-hop route-map above, but no-workie:
>>
>> route-map RerouteWebTraffic permit 10
>>  match ip address 110
>>  set interface Dialer3
>>
>> ===== Whole Config ===================================================
>>
>> !
>> ! Last configuration change at 18:19:40 CEDT Fri Aug 20 2010 by ray
>> ! NVRAM config last updated at 18:05:03 CEDT Fri Aug 20 2010 by ray
>> !
>> version 12.4
>> service nagle
>> no service pad
>> service tcp-keepalives-in
>> service tcp-keepalives-out
>> service timestamps debug datetime msec localtime show-timezone
>> service timestamps log datetime msec localtime show-timezone
>> service password-encryption
>> !
>> hostname cust-wi-r0
>> !
>> boot-start-marker
>> boot-end-marker
>> !
>> logging buffered 51200
>> logging console critical
>> enable secret 5 blablabla
>> !
>> aaa new-model
>> !
>> !
>> aaa authentication login default local
>> aaa authentication login xauth_list local
>> aaa authentication ppp default local
>> aaa authorization exec default local
>> !
>> !
>> aaa session-id common
>> clock timezone CET 1
>> clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 2:00
>> dot11 syslog
>> no ip source-route
>> ip cef
>> !
>> !
>> no ip dhcp use vrf connected
>> ip dhcp excluded-address 192.168.8.0 192.168.8.9
>> ip dhcp excluded-address 192.168.8.200 192.168.8.254
>> !
>> ip dhcp pool cust-wi-internal
>>  network 192.168.8.0 255.255.255.0
>>  default-router 192.168.8.254
>>  dns-server 192.168.8.1
>> !
>> ip dhcp pool ORACLE
>>  host 192.168.8.25 255.255.255.0
>>  hardware-address 0019.991b.fb4a
>>  client-name ORACLE
>> !
>> ip dhcp pool DSS
>>  host 192.168.8.66 255.255.255.0
>>  hardware-address 0016.7674.6195
>>  client-name DSS
>> !
>> ip dhcp pool LEXMARK
>>  host 192.168.8.99 255.255.255.0
>>  hardware-address 00c0.026a.03bd
>>  client-name LEXMARK
>> !
>> ip dhcp pool NPI29E03B
>>  host 192.168.8.22 255.255.255.0
>>  hardware-address 001f.2929.e03b
>>  client-name NPI29E03B
>> !
>> ip dhcp pool HP_LaserJet_Flur
>>  host 192.168.8.16 255.255.255.0
>>  hardware-address 001f.2928.79da
>>  client-name HP_LaserJet_Flur
>> !
>> !
>> ip inspect max-incomplete high 1100
>> ip inspect max-incomplete low 900
>> ip inspect one-minute high 1100
>> ip inspect one-minute low 900
>> ip inspect name Internal_FE00 tcp
>> ip inspect name Internal_FE00 udp
>> ip inspect name Internal_FE00 cuseeme
>> ip inspect name Internal_FE00 ftp
>> ip inspect name Internal_FE00 h323
>> ip inspect name Internal_FE00 rcmd
>> ip inspect name Internal_FE00 realaudio
>> ip inspect name Internal_FE00 streamworks
>> ip inspect name Internal_FE00 vdolive
>> ip inspect name Internal_FE00 tftp
>> ip inspect name Internal_FE00 ntp
>> ip inspect name Internal_FE00 sip
>> ip inspect name Internal_FE00 sip-tls
>> ip inspect name External_FE01 smtp
>> ip inspect name External_FE01 tcp
>> ip inspect name External_FE01 udp
>> no ip bootp server
>> ip domain name blablabla.net
>> ip name-server 101.102.103.138
>> ip name-server 103.102.101.153
>> !
>> multilink bundle-name authenticated
>> vpdn enable
>> !
>> !
>> !
>> crypto pki trustpoint TP-self-signed-545859614
>>  enrollment selfsigned
>>  subject-name cn=IOS-Self-Signed-Certificate-545859614
>>  revocation-check none
>>  rsakeypair TP-self-signed-545859614
>> !
>> !
>> crypto pki certificate chain TP-self-signed-545859614
>>  certificate self-signed 01
>>   30820253 308201BC 6E65642D 43657274 (...junk...)
>>   quit
>> !
>> !
>> username foo password 7 blablabla
>> archive
>>  log config
>>   hidekeys
>> !
>> !
>> crypto isakmp policy 10
>>  encr 3des
>>  authentication pre-share
>>  group 2
>> crypto isakmp key blablabla address 1.2.3.4 no-xauth
>> crypto isakmp key blablabla address 5.6.7.8 no-xauth
>> !
>> !
>> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
>> !
>> crypto map CustVPNs 10 ipsec-isakmp
>>  description VPN RemoteOffice1 (1.2.3.4)
>>  set peer 1.2.3.4
>>  set transform-set ESP-3DES-SHA
>>  match address VPN_RemoteOffice1
>> crypto map CustVPNs 20 ipsec-isakmp
>>  description VPN RemoteOffice2 (5.6.7.8)
>>  set peer 5.6.7.8
>>  set transform-set ESP-3DES-SHA
>>  match address VPN_RemoteOffice2
>> !
>> !
>> !
>> ip tcp synwait-time 10
>> ip ssh time-out 60
>> ip ssh authentication-retries 2
>> !
>> class-map match-any StarfaceTraffic
>>  match access-group name Starface
>> !
>> !
>> policy-map StarfacePolicy
>>  class StarfaceTraffic
>>   priority percent 70
>>  class class-default
>>   fair-queue
>> !
>> !
>> !
>> !
>> interface FastEthernet0/0
>>  description Internal LAN
>>  ip address 192.168.8.254 255.255.255.0
>>  no ip redirects
>>  no ip proxy-arp
>>  ip inspect Internal_FE00 in
>>  ip nat inside
>>  ip virtual-reassembly
>>  ip policy route-map RerouteWebTraffic
>>  no ip mroute-cache
>>  duplex auto
>>  speed auto
>>  no cdp enable
>> !
>> interface FastEthernet0/1
>>  description Upstream SDSL (123.123.123.104 /29)
>>  bandwidth 5836
>>  ip address 123.123.123.108 255.255.255.248
>>  no ip redirects
>>  no ip proxy-arp
>>  ip nbar protocol-discovery
>>  ip inspect External_FE01 in
>>  ip nat outside
>>  ip virtual-reassembly
>>  no ip mroute-cache
>>  duplex auto
>>  speed auto
>>  no cdp enable
>>  crypto map CustVPNs
>>  service-policy output StarfacePolicy
>> !
>> interface FastEthernet0/3/0
>> !
>> interface FastEthernet0/3/1
>> !
>> interface FastEthernet0/3/2
>>  switchport access vlan 3
>> !
>> interface FastEthernet0/3/3
>>  switchport access vlan 2
>> !
>> interface Vlan1
>>  no ip address
>> !
>> interface Vlan2
>>  no ip address
>>  no ip proxy-arp
>>  ip tcp adjust-mss 1452
>>  no ip mroute-cache
>>  pppoe enable group global
>>  pppoe-client dial-pool-number 2
>> !
>> interface Vlan3
>>  no ip address
>>  no ip proxy-arp
>>  ip tcp adjust-mss 1452
>>  no ip mroute-cache
>>  pppoe enable group global
>>  pppoe-client dial-pool-number 3
>> !
>> interface Dialer2
>>  description Pay no attention the man behind the curtain! (currently unused)
>>  mtu 1456
>>  ip address negotiated
>>  ip nat outside
>>  ip virtual-reassembly
>>  encapsulation ppp
>>  ip tcp adjust-mss 1452
>>  dialer pool 2
>>  dialer idle-timeout 30
>>  dialer hold-queue 100
>>  dialer-group 2
>>  no keepalive
>>  no cdp enable
>>  ppp authentication pap callin
>>  ppp chap refuse
>>  ppp pap sent-username kakamole-static password 7 blablabla
>> !
>> interface Dialer3
>>  description Upstream VDSL (dynamic ip)
>>  mtu 1456
>>  ip address negotiated
>>  ip nat outside
>>  ip virtual-reassembly
>>  encapsulation ppp
>>  ip tcp adjust-mss 1452
>>  dialer pool 3
>>  dialer hold-queue 100
>>  dialer-group 3
>>  no keepalive
>>  no cdp enable
>>  ppp authentication pap callin
>>  ppp chap refuse
>>  ppp pap sent-username foobarmumble password 7 blablabla
>> !
>> ip forward-protocol nd
>> ip route 0.0.0.0 0.0.0.0 123.123.123.105
>> ip route 10.0.0.1 255.255.255.255 Dialer3
>> !
>> ip http server
>> ip http access-class 23
>> ip http authentication local
>> ip http secure-server
>> ip http timeout-policy idle 60 life 86400 requests 10000
>> ip nat inside source route-map sdsl interface FastEthernet0/1 overload
>> ip nat inside source route-map vdsl interface Dialer3 overload
>> ip nat inside source static tcp 192.168.8.1 443 123.123.123.108 443 extendable
>> ip nat inside source static tcp 192.168.8.1 1723 123.123.123.108 1723 extendable
>> ip nat inside source static tcp 192.168.8.1 3389 123.123.123.108 3389 extendable
>> ip nat inside source static udp 192.168.8.1 3389 123.123.123.108 3389 extendable
>> ip nat inside source static tcp 192.168.8.200 5222 123.123.123.108 5222 extendable
>> !
>> ip access-list extended NAT_Exempt
>>  deny ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
>>  deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
>>  permit ip 192.168.8.0 0.0.0.255 any
>> ip access-list extended Starface
>>  permit ip any host 192.168.68.200
>>  permit ip host 192.168.68.200 any
>> ip access-list extended VPN_RemoteOffice2
>>  permit ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
>> ip access-list extended VPN_RemoteOffice1
>>  permit ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
>> !
>> access-list 23 permit 192.168.8.0 0.0.0.255
>> access-list 23 permit 212.96.136.32 0.0.0.31
>> access-list 101 remark ***** ACL on Inbound Interface *****
>> access-list 101 remark *** allow ssh/telnet to this router (but see acl 170)
>> access-list 101 permit tcp any host 123.123.123.108 eq 22
>> access-list 101 permit tcp any host 123.123.123.108 eq telnet
>> access-list 101 remark *** allow icmp
>> access-list 101 permit icmp any any
>> access-list 101 remark *** allow to 192.168.68.1
>> access-list 101 permit tcp any host 123.123.123.108 eq 143
>> access-list 101 permit tcp any host 123.123.123.108 eq 1723
>> access-list 101 permit gre any host 123.123.123.108
>> access-list 101 remark *** allow to 192.168.68.200
>> access-list 101 permit tcp any host 123.123.123.108 eq 5222
>> access-list 101 deny ip any any
>> access-list 110 remark ***** ACL route-map RerouteWebTraffic *****
>> access-list 110 permit tcp any any eq www
>> access-list 110 permit tcp any any eq 443
>> access-list 170 remark ***** allowed telnet access
>> access-list 170 permit ip 192.168.6.0 0.0.0.255 any
>> access-list 170 deny ip any any log
>> dialer-list 2 protocol ip permit
>> dialer-list 3 protocol ip permit
>> no cdp run
>> !
>> !
>> route-map sdsl permit 10
>>  match ip address NAT_Exempt
>> !
>> route-map sdsl permit 20
>>  match interface FastEthernet0/1
>> !
>> route-map vdsl permit 10
>>  match interface Dialer3
>> !
>> route-map RerouteWebTraffic permit 10
>>  match ip address 110
>>  set ip default next-hop 10.0.0.1
>> !
>> route-map nonat permit 10
>>  match ip address NAT_Exempt
>> !
>> !
>> !
>> control-plane
>> !
>> line con 0
>>  exec-timeout 0 0
>>  password 7 blablabla
>>  transport output all
>>  escape-character 27
>> line aux 0
>>  exec-timeout 0 0
>>  password 7 blablabla
>>  transport output all
>>  escape-character 27
>> line vty 0 4
>>  access-class 170 in
>>  exec-timeout 60 0
>>  privilege level 15
>>  password 7 blablabla
>>  transport input telnet ssh
>>  transport output all
>>  escape-character 27
>> line vty 5 15
>>  access-class 170 in
>>  privilege level 15
>>  password 7 blablabla
>>  transport input telnet ssh
>>  transport output all
>>  escape-character 27
>> !
>> scheduler allocate 20000 1000
>> end
>> ----------------------------------------------------------------------
>>
>>
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
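The following is an added example, not code from the thread or from Cisco: a small Python model of the PBR-then-NAT split Roger's lab config implements, using the ACL, route-map and interface addresses from his message. It assumes a simplified order of operations (PBR picks the egress interface, then the `ip nat inside source list ...` rules are tried in config order and the first ACL that permits the packet supplies the translated address, whether or not that rule's interface is the one the packet leaves on) and assumes that of Roger's two default routes the one via Fa0/1 is taken. The inside host 192.168.1.10, the telnet/ping packets and the one-rule variant `SINGLE_NAT_RULE` are constructed for the demonstration. It shows why the `deny` for the policy-routed traffic in the first NAT ACL matters: without it the packet leaves the second interface carrying the first interface's address, which is the symptom Ray describes.

```python
"""Constructed model of PBR plus ordered NAT rules (not IOS internals).

Order modelled: PBR route-map -> default route; then the first NAT rule
whose ACL permits the packet supplies the translated source address.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ACL lines as they appear in Roger's lab config
LAB_ACLS = """
access-list 100 deny icmp any any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 permit icmp any any
"""
# Outside interfaces and their addresses from the lab config
IFACE_IP = {"FastEthernet0/1": "172.18.1.1", "FastEthernet1/0": "10.10.10.1"}
# 'ip nat inside source list <acl> interface <if> overload', config order
LAB_NAT_RULES = [(100, "FastEthernet0/1"), (101, "FastEthernet1/0")]
# Constructed variant: a single NAT rule with PBR still in place
SINGLE_NAT_RULE = [(101, "FastEthernet0/1")]
# route-map PBR permit 10 / match ip address 150 / set interface Fa1/0
PBR = (150, "FastEthernet1/0")
# Assumption: of the two default routes, the one via 172.18.1.2 is used
DEFAULT_EGRESS = "FastEthernet0/1"


@dataclass
class Packet:
    proto: str            # "icmp" or "tcp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class AclEntry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol
    src: str              # "any" or "<addr> <wildcard>"
    dst: str
    dport: Optional[int] = None


def _take_spec(tokens):
    """Consume one address spec: 'any' or an address plus wildcard mask."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acls(text):
    """Parse numbered 'access-list N permit|deny ...' lines, keyed by N."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        num, action, proto = int(t[1]), t[2], t[3]
        src, rest = _take_spec(t[4:])
        dst, rest = _take_spec(rest)
        dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        acls.setdefault(num, []).append(AclEntry(action, proto, src, dst, dport))
    return acls


def wildcard_match(addr, spec):
    """Cisco wildcard semantics: a 1 bit in the mask means 'do not care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a ^ n) & (0xFFFFFFFF ^ w) == 0


def acl_permits(entries, pkt):
    """First matching entry decides; an ACL ends with an implicit deny."""
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if wildcard_match(pkt.src, e.src) and wildcard_match(pkt.dst, e.dst):
            return e.action == "permit"
    return False


def egress_interface(pkt, acls):
    """PBR first; whatever its ACL does not permit follows the default route."""
    acl_num, iface = PBR
    return iface if acl_permits(acls.get(acl_num, []), pkt) else DEFAULT_EGRESS


def select_nat(pkt, acls, nat_rules):
    """First NAT rule whose ACL permits the packet supplies the address."""
    for acl_num, iface in nat_rules:
        if acl_permits(acls.get(acl_num, []), pkt):
            return iface, IFACE_IP[iface]
    return None


def forward(pkt, acls, nat_rules):
    """Egress interface, translated source, and whether the two agree."""
    egress = egress_interface(pkt, acls)
    nat = select_nat(pkt, acls, nat_rules)
    return {"egress": egress,
            "src": nat[1] if nat else pkt.src,
            "consistent": nat is not None and nat[0] == egress}


if __name__ == "__main__":
    acls = parse_acls(LAB_ACLS)
    ping = Packet("icmp", "192.168.1.10", "1.1.1.1")
    telnet = Packet("tcp", "192.168.1.10", "1.1.1.1", 23)
    for rules in (LAB_NAT_RULES, SINGLE_NAT_RULE):
        for p in (ping, telnet):
            print(p.proto, rules, forward(p, acls, rules))
```

With Roger's two rules the ping leaves Fa1/0 as 10.10.10.1 and the telnet leaves Fa0/1 as 172.18.1.1, matching the echo replies and the isp1 login in his output. With the single rule the policy-routed ping still leaves Fa1/0 but carries 172.18.1.1; the `consistent` flag is the check worth keeping in a lab or a review script, since a packet leaving an interface with another interface's (or an untranslated private) source address is the mismatch to look for.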