Home / server / Questions / 153846
Accepted
WuckaChucka
Asked: 2010-06-23 16:37:24 +0800 CST

Cisco IOS: NAT overload for two WAN interfaces

  • 772

I have a feeling the answer is policy-routing, but I'd like someone to clarify that.

Basically I'm not having any luck getting NAT to work with two WAN interfaces.

I have two WAN interfaces: fe0/1 (static, 200.200.200.2/30, gw 200.200.200.1/30) and fe0/0/0 (Dialer1).

I've setup permanent static routes for various IPs to route out through fe0/1. I believe this is working ok -- I can traceroute from the IOS shell and it's going out fe0/1. I also have NAT working for Dialer1; machines on the LAN can get out without issue. However, machines on the LAN cannot get out on fe0/1 (ping static.routed.ip.address doesn't work).

Here's what I have in my config that's relevant:

access-list 1 permit 192.168.0.0 0.0.0.255

ip nat inside source list 1 interface Dialer1 overload

I've tried adding a pool and associating it with access-list 1; I also created another access-list 15 with the same LAN ip network address, but they all just seem to "replace" the NAT scheme so that my static routes work for fe0/1 (tested from LAN with ping static.routed.ip.address), but stop working for Dialer1 (fe0/0/0).

Policy-routing the only way to go here?

EDIT

I should clarify that yes, I do need to NAT overload out both interfaces: I chose to setup static routes over policy routes because I don't really care what the source IP/mask is, but the destination: any LAN packet that matches the destination address of my static routes needs to go out the fe0/1 WAN interface.

Like I said, this works from the router at all times and does work from the LAN if I run: ip nat inside source list 1 interface FastEthernet0/1 overload but that kills outbound NAT for the Dialer1 (default route) and thus all other outbound traffic.

wide-area-network cisco ios

2 Answers

  1. Best Answer

    I think the answer lies with route-map as quoted here from the following Cisco support Website: https://supportforums.cisco.com/docs/DOC-3987

    Dynamic NAT configuration with the route-map option can be used to implement destination-based NAT scenarios where the same local or global address needs to be translated to more than one global or local address. This type of configuration creates an extended translation entry in the NAT table. It is useful specifically when a network is multi-homed to different provider or partner networks, and the same inside local address has to be translated to different inside global addresses available in multiple configured pools.

    EDIT: Tested with route-map, works.

    • 1

  2. Hard to say without seeing more of the config, but if you are only routing based on the destination IP address and don't want to route based on the source address I don't believe you need route maps but that is what I have used in the past.

    I think the problem from what you provided is maybe that your nat access lists specify only the source address so it doesn't know which pool to apply it to. Instead you want the traffic to match specific pools based on both the destination and source addresses. So for example maybe something like:

    access-list nat-dest-1 permit 192.168.0.0 0.0.0.255 12.12.12.0 0.0.0.255
access-list nat-dest-2 permit 192.168.0.0 0.0.0.255 13.13.13.0 0.0.0.255

    I think you might find this cisco document helpful, it includes both route-map and traditional acl approaches.

    • 0