Velocity Reviews - Computer Hardware Reviews

NAT to two ISPs on one router

 
 
Vincent C Jones
 
      07-21-2004
Trying to set up a fully redundant ISP connection using low cost DSL. No
problem detecting link down with SAA (ping based routing), but a real
problem getting NAT to behave.

When the active link goes down, the default route switches
automagically, but it is only usable for new connections until a "clear
ip nat trans *" is executed. I know how to reduce the timeout on
translations, but that is not a generic solution because I cannot
guarantee a time gap between attempts greater than typical (let alone
worst case) keepalive intervals.

The problem appears to be that once a translation is assigned, the ip
nat source route statements are ignored. That is, the "ip nat source
route" statements are only checked if there is not already a translation
assigned to the address. As a result, the classic trick of assigning the
NAT based on the outbound interface only works for the initial
assignment and unless the translations are manually cleared, will not
switch the NAT to match the remaining interface.

Short of running a daemon on a local PC, is there any way to
automatically force the NAT translations to be reassigned before they
have timed out?

--
Vincent C Jones, Consultant          Expert advice and a helping hand
Networking Unlimited, Inc.           for those who want to manage and
Tenafly, NJ  Phone: 201 568-7810     control their networking destiny
http://www.networkingunlimited.com
 
 
 
 
 
sriggs
 
      07-22-2004
Pay the extra money and get a small block of IP addresses from one of
the ISPs and NAT to that address

(E-Mail Removed) (Vincent C Jones) wrote in message news:<cdlrkg$7vk$(E-Mail Removed)>...
> Trying to set up a fully redundant ISP connection using low cost DSL. No
> problem detecting link down with SAA (ping based routing), but a real
> problem getting NAT to behave.
>
> When the active link goes down, the default route switches
> automagically, but it is only usable for new connections until a "clear
> ip nat trans *" is executed. I know how to reduce the timeout on
> translations, but that is not a generic solution because I cannot
> guarantee a time gap between attempts greater than typical (let alone
> worst case) keepalive intervals.
>
> The problem appears to be that once a translation is assigned, the ip
> nat source route statements are ignored. That is, the "ip nat source
> route" statements are only checked if there is not already a translation
> assigned to the address. As a result, the classic trick of assigning the
> NAT based on the outbound interface only works for the initial
> assignment and unless the translations are manually cleared, will not
> switch the NAT to match the remaining interface.
>
> Short of running a daemon on a local PC, is there any way to
> automatically force the NAT translations to be reassigned before they
> have timed out?

 
 
 
 
 
Vincent C Jones
 
      07-22-2004
There are a wide range of solutions if I am willing to change
the parameters. Buying a block of fixed IP addresses is one way to
eliminate the need for a second NAT definition, as is adding a NAT
firewall on one (or both) of the DSL lines. Another workaround is
to add a monitoring box onto the local LAN to track the changes and
clear the NAT translation table. A much cheaper work around is to
forget Cisco and use a Symantec 200R, which does the job without
any kludges or static IPs (but I don't want to start a round of
"Here's what's wrong with the Nexland/Symantec boxen" flames,
suffice it to say you get what you pay for).

Meanwhile, the original question remains unanswered, which is
"Can this common SOHO requirement be met with a single Cisco box?"

Vincent C Jones

In article <(E-Mail Removed) >,
sriggs <(E-Mail Removed)> wrote:
>Pay the extra money and get a small block of IP addresses from one of
>the ISPs and NAT to that address
>
>(E-Mail Removed) (Vincent C Jones) wrote in message news:<cdlrkg$7vk$(E-Mail Removed)>...
>> Trying to set up a fully redundant ISP connection using low cost DSL. No
>> problem detecting link down with SAA (ping based routing), but a real
>> problem getting NAT to behave.
>>
>> When the active link goes down, the default route switches
>> automagically, but it is only usable for new connections until a "clear
>> ip nat trans *" is executed. I know how to reduce the timeout on
>> translations, but that is not a generic solution because I cannot
>> guarantee a time gap between attempts greater than typical (let alone
>> worst case) keepalive intervals.
>>
>> The problem appears to be that once a translation is assigned, the ip
>> nat source route statements are ignored. That is, the "ip nat source
>> route" statements are only checked if there is not already a translation
>> assigned to the address. As a result, the classic trick of assigning the
>> NAT based on the outbound interface only works for the initial
>> assignment and unless the translations are manually cleared, will not
>> switch the NAT to match the remaining interface.
>>
>> Short of running a daemon on a local PC, is there any way to
>> automatically force the NAT translations to be reassigned before they
>> have timed out?



--
Vincent C Jones, Consultant          Expert advice and a helping hand
Networking Unlimited, Inc.           for those who want to manage and
Tenafly, NJ  Phone: 201 568-7810     control their networking destiny
http://www.networkingunlimited.com
 
 
Ivan Ostres
 
      07-22-2004
In article <cdogfh$5pp$(E-Mail Removed)>,
(E-Mail Removed) says...
> There are a wide range of solutions if I am willing to change
> the parameters. Buying a block of fixed IP addresses is one way to
> eliminate the need for a second NAT definition, as is adding a NAT
> firewall on one (or both) of the DSL lines. Another workaround is
> to add a monitoring box onto the local LAN to track the changes and
> clear the NAT translation table. A much cheaper work around is to
> forget Cisco and use a Symantec 200R, which does the job without
> any kludges or static IPs (but I don't want to start a round of
> "Here's what's wrong with the Nexland/Symantec boxen" flames,
> suffice it to say you get what you pay for).
>
> Meanwhile, the original question remains unanswered, which is
> "Can this common SOHO requirement be met with a single Cisco box?"
>
> Vincent C Jones
>


AFAIK, the answer is no. I've fixed things like that using one of the
possible solutions that you mentioned above (using a PC that's running a
script that does the job).

An even bigger problem I had was connecting a site-to-site VPN when there are
dynamic addresses on both sites (DSL) using a dynDNS service. I've even
asked at TAC and they said that they can't answer that. So, I've taken
two boxes from Bintec and for now, things look fine.... Seems that Cisco
just sucks for such SOHO jobs.

--
-Ivan.

*** Use Rot13 to see my eMail address ***
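The "PC running a script" workaround that Vincent and Ivan both mention, written out as an added example that is not part of the thread and not anyone's production code. It is a LAN-side watcher that probes each uplink, applies a consecutive-failure threshold in the spirit of an SAA probe, and clears the router's NAT table exactly once per change of active uplink. The probe and the clear action are injected callables so the logic runs offline; the interface names, probe addresses, thresholds and the scripted probe results in `run_scenario` are all constructed. In a real deployment the probe would be an ICMP echo through the uplink and the clear action a session to the router issuing `clear ip nat translation *`.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Uplink:
    name: str            # hypothetical interface name, e.g. "Dialer1"
    probe_target: str    # address pinged via this uplink (constructed)
    up: bool = True
    failures: int = 0    # consecutive failed probes
    successes: int = 0   # consecutive good probes while marked down


class FailoverWatcher:
    """Polls each uplink and clears the router's NAT table once per change of
    active uplink. Probe and clear actions are injected so the logic runs
    offline; in a real deployment they would be an ICMP probe and a session to
    the router issuing 'clear ip nat translation *'."""

    def __init__(self, uplinks: List[Uplink], probe: Callable[[str], bool],
                 clear_nat: Callable[[], None],
                 down_after: int = 3, up_after: int = 2):
        self.uplinks = uplinks          # preference order: first entry is primary
        self.probe = probe
        self.clear_nat = clear_nat
        self.down_after = down_after    # hysteresis, like an SAA failure threshold
        self.up_after = up_after        # and a matching threshold before trusting recovery
        self.active: Optional[str] = self.best_uplink()

    def best_uplink(self) -> Optional[str]:
        for u in self.uplinks:
            if u.up:
                return u.name
        return None

    def step(self) -> bool:
        """Probe every uplink once. Returns True when the active uplink changed
        (the NAT table is cleared before returning), otherwise False."""
        for u in self.uplinks:
            if self.probe(u.probe_target):
                u.failures = 0
                u.successes += 1
                if not u.up and u.successes >= self.up_after:
                    u.up = True
            else:
                u.successes = 0
                u.failures += 1
                if u.up and u.failures >= self.down_after:
                    u.up = False
        best = self.best_uplink()
        if best == self.active:
            return False
        # Existing translations still carry the old uplink's address; flush them
        # so every flow is re-evaluated against the new default route.
        self.active = best
        self.clear_nat()
        return True


def run_scenario():
    """Scripted probe results (constructed): the primary blips once, then fails
    for four polls, then recovers; the backup stays reachable throughout.
    Returns the list of (poll index, new active uplink) and the polls at which
    the NAT table was cleared."""
    script = {
        "198.51.100.1": [True, False, True, False, False, False, False, True, True, True],
        "203.0.113.1": [True] * 10,
    }
    tick = [0]
    cleared_at = []
    watcher = FailoverWatcher(
        [Uplink("Dialer1", "198.51.100.1"), Uplink("Ethernet0", "203.0.113.1")],
        probe=lambda target: script[target][tick[0]],
        clear_nat=lambda: cleared_at.append(tick[0]),
    )
    transitions = []
    for t in range(10):
        tick[0] = t
        if watcher.step():
            transitions.append((t, watcher.active))
    return transitions, cleared_at


if __name__ == "__main__":
    print(run_scenario())
```

The single failed probe at poll 1 is absorbed by the threshold, the third consecutive failure at poll 5 moves traffic to the backup and triggers one clear, and the primary is only trusted again after two consecutive good probes at poll 8, which triggers the second clear; a naive watcher that cleared on every bad probe would churn the translation table during a flapping link.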
 
 
Hansang Bae
 
      07-23-2004
> >(E-Mail Removed) (Vincent C Jones) wrote in message news:<cdlrkg$7vk$(E-Mail Removed)>...
> >> Trying to set up a fully redundant ISP connection using low cost DSL. No
> >> problem detecting link down with SAA (ping based routing), but a real
> >> problem getting NAT to behave.
> >>
> >> When the active link goes down, the default route switches
> >> automagically, but it is only usable for new connections until a "clear
> >> ip nat trans *" is executed. I know how to reduce the timeout on
> >> translations, but that is not a generic solution because I cannot
> >> guarantee a time gap between attempts greater than typical (let alone
> >> worst case) keepalive intervals.
> >>
> >> The problem appears to be that once a translation is assigned, the ip
> >> nat source route statements are ignored. That is, the "ip nat source
> >> route" statements are only checked if there is not already a translation
> >> assigned to the address. As a result, the classic trick of assigning the
> >> NAT based on the outbound interface only works for the initial
> >> assignment and unless the translations are manually cleared, will not
> >> switch the NAT to match the remaining interface.
> >>
> >> Short of running a daemon on a local PC, is there any way to
> >> automatically force the NAT translations to be reassigned before they
> >> have timed out?


One thing that might do the trick (since you're already using SAA, ping
based routing) is to enable HSRP with interface tracking. On dual box
setups, the NAT table is supposed to be somewhat stateful.

I know there won't be another router to pick up the HSRP status, but
perhaps the act of 'failing' over will refresh the NAT tables?


--

hsb

"Somehow I imagined this experience would be more rewarding" Calvin
*************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
********************************************************************
Due to the volume of email that I receive, I may not be able to
reply to emails sent to my account. Please post a followup instead.
********************************************************************
 
 
Jon Lawrence
 
      07-23-2004
Vincent C Jones wrote:
> There are a wide range of solutions if I am willing to change
> the parameters. Buying a block of fixed IP addresses is one way to
> eliminate the need for a second NAT definition, as is adding a NAT
> firewall on one (or both) of the DSL lines. Another workaround is
> to add a monitoring box onto the local LAN to track the changes and
> clear the NAT translation table. A much cheaper work around is to
> forget Cisco and use a Symantec 200R, which does the job without
> any kludges or static IPs (but I don't want to start a round of
> "Here's what's wrong with the Nexland/Symantec boxen" flames,
> suffice it to say you get what you pay for).
>
> Meanwhile, the original question remains unanswered, which is
> "Can this common SOHO requirement be met with a single Cisco box?"
>
> Vincent C Jones
>
> In article <(E-Mail Removed) >,
> sriggs <(E-Mail Removed)> wrote:
>
>>Pay the extra money and get a small block of IP addresses from one of
>>the ISPs and NAT to that address
>>
>>(E-Mail Removed) (Vincent C Jones) wrote in message news:<cdlrkg$7vk$(E-Mail Removed)>...
>>
>>>Trying to set up a fully redundant ISP connection using low cost DSL. No
>>>problem detecting link down with SAA (ping based routing), but a real
>>>problem getting NAT to behave.
>>>
>>>When the active link goes down, the default route switches
>>>automagically, but it is only usable for new connections until a "clear
>>>ip nat trans *" is executed. I know how to reduce the timeout on
>>>translations, but that is not a generic solution because I cannot
>>>guarantee a time gap between attempts greater than typical (let alone
>>>worst case) keepalive intervals.
>>>
>>>The problem appears to be that once a translation is assigned, the ip
>>>nat source route statements are ignored. That is, the "ip nat source
>>>route" statements are only checked if there is not already a translation
>>>assigned to the address. As a result, the classic trick of assigning the
>>>NAT based on the outbound interface only works for the initial
>>>assignment and unless the translations are manually cleared, will not
>>>switch the NAT to match the remaining interface.
>>>
>>>Short of running a daemon on a local PC, is there any way to
>>>automatically force the NAT translations to be reassigned before they
>>>have timed out?

>
>
>

I have a very similar problem. The NAT doesn't drop back to the
redundant connection (which is to a different ISP).
sriggs - how would a block of IP addresses solve anything? We're talking
about redundant connections to separate ISPs; the block of IPs would
only be routable over one of the ISPs.

When I initially tested this in the lab (using a 1721 with 1enet & a
WIC-1T) everything worked perfectly - i.e. if the 1enet was the primary
connection, and that was disconnected, then the NAT correctly worked
across the WIC-1T - with no problems.
Once I tried it in the field using a DSL connection (WIC-1ADSL) as the
primary and the 1enet as the backup, the NAT wouldn't drop back to the
1enet if the Dialer1 interface was down even though the routing did.

Is this something to do with the adsl ?

Surely, if a connection drops there must be a way of clearing the NAT
translations.

TIA
Jon
--
remove goaway for email
 
 
Vincent C Jones
 
      07-24-2004
Jon Lawrence <(E-Mail Removed)> wrote:
>Vincent C Jones wrote:
>> There are a wide range of solutions if I am willing to change
>> the parameters. Buying a block of fixed IP addresses is one way to
>> eliminate the need for a second NAT definition, as is adding a NAT
>> firewall on one (or both) of the DSL lines. Another workaround is
>>

>I have a very similar problem. The NAT doesn't drop back to the
>redundant connection (which is to a different ISP).
>sriggs - how would a block of IP addresses solve anything? We're talking
>about redundant connections to separate ISPs; the block of IPs would
>only be routable over one of the ISPs.


If you have a block of IPs, you use those for the inside addresses
and you configure that ISP's interface as inside rather than as
outside, so there is no opportunity for NAT to get confused (except
for some older IOS releases which would NAT before checking if the
packet was being routed to an outside interface.)

>When I initially tested this in the lab (using a 1721 with 1enet & a
>WIC-1T) everything worked perfectly - i.e. if the 1enet was the primary
>connection, and that was disconnected, then the NAT correctly worked
>across the WIC-1T - with no problems.


A good sign. It implies that the NAT is at least smart enough to cancel
NATs to an interface which is down (which, unfortunately, never happens
on an Ethernet link to DSL or Cable, and can't be depended on even with
a real DSL link).

>Once I tried it in the field using a DSL connection (WIC-1ADSL) as the
>primary and the 1enet as the backup, the NAT wouldn't drop back to the
>1enet if the Dialer1 interface was down even though the routing did.
>
>Is this something to do with the adsl ?
>
>Surely, if a connection drops there must be a way of clearing the NAT
>translations.


This appears to be the case; the problem is that SAA only drops the
static route and the interface is still considered up. This is tricky,
because the interface needs to stay up so SAA can detect when it starts
working again. What is needed is for NAT to track SAA.

>TIA
>Jon


--
Vincent C Jones, Consultant          Expert advice and a helping hand
Networking Unlimited, Inc.           for those who want to manage and
Tenafly, NJ  Phone: 201 568-7810     control their networking destiny
http://www.networkingunlimited.com
 
 
Vincent C Jones
 
      07-24-2004
In article <(E-Mail Removed)>,
Hansang Bae <(E-Mail Removed)> wrote:
>> >(E-Mail Removed) (Vincent C Jones) wrote in message news:<cdlrkg$7vk$(E-Mail Removed)>...
>> >> Trying to set up a fully redundant ISP connection using low cost DSL. No
>> >> problem detecting link down with SAA (ping based routing), but a real
>> >> problem getting NAT to behave.
>> >>
>> >> When the active link goes down, the default route switches
>> >> automagically, but it is only usable for new connections until a "clear
>> >> ip nat trans *" is executed. I know how to reduce the timeout on
>> >> translations, but that is not a generic solution because I cannot
>> >> guarantee a time gap between attempts greater than typical (let alone
>> >> worst case) keepalive intervals.
>> >>
>> >> The problem appears to be that once a translation is assigned, the ip
>> >> nat source route statements are ignored. That is, the "ip nat source
>> >> route" statements are only checked if there is not already a translation
>> >> assigned to the address. As a result, the classic trick of assigning the
>> >> NAT based on the outbound interface only works for the initial
>> >> assignment and unless the translations are manually cleared, will not
>> >> switch the NAT to match the remaining interface.
>> >>
>> >> Short of running a daemon on a local PC, is there any way to
>> >> automatically force the NAT translations to be reassigned before they
>> >> have timed out?

>
>One thing that might do the trick (since you're already using SAA, ping
>based routing) is to enable HSRP with interface tracking. On dual box
>setups, the NAT table is supposed to be somewhat stateful.
>
>I know there won't be another router to pick up the HSRP status, but
>perhaps the act of 'failing' over will refresh the NAT tables?
>
>hsb


I got excited when I first read this, what a great idea. Then I
realized that it wasn't going to work because SAA does not take
down the interface, only the static route(s) using the interface,
so HSRP interface tracking would never see it.

Maybe in 12.4T Cisco will get it right...

--
Vincent C Jones, Consultant          Expert advice and a helping hand
Networking Unlimited, Inc.           for those who want to manage and
Tenafly, NJ  Phone: 201 568-7810     control their networking destiny
http://www.networkingunlimited.com
 
 
Martin Gallagher
 
      07-24-2004
On Wed, 21 Jul 2004 13:44:06 +0000, Vincent C Jones wrote:

> When the active link goes down, the default route switches automagically,
> but it is only usable for new connections until a "clear ip nat trans *"
> is executed. I know how to reduce the timeout on translations, but that is
> not a generic solution because I cannot guarantee a time gap between
> attempts greater than typical (let alone worst case) keepalive intervals.
>
> The problem appears to be that once a translation is assigned, the ip nat
> source route statements are ignored. That is, the "ip nat source route"
> statements are only checked if there is not already a translation assigned
> to the address. As a result, the classic trick of assigning the NAT based
> on the outbound interface only works for the initial assignment and unless
> the translations are manually cleared, will not switch the NAT to match
> the remaining interface.


AIUI NAT will always look in the translation table first and use a matching
translation if it finds it. Route maps and ACLs only get checked if there
is no existing translation and we are deciding whether and what sort to
create.

Are all your translations extended? If so, then the connections using
ISP1 i/f as the IG address will timeout, and the clients inside will
create new connections with different ephemeral ports and ISP2 i/f address as
the IG address. That's assuming we're talking about dynamic translations.

If we're talking static translations for servers, there does appear to
be a problem with the route maps for static translation feature in late
12.3 at least. It ignores the route map, and hosts that should use the
static translation end up using a dynamic pool instead. It's especially
noticeable with active mode ftp and the server on the inside. The ftp-data
connections end up coming from a different address than the one the client
originally connected to.

--
Rgds,
Martin
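A toy model of the lookup order Martin describes and Vincent observed (existing translation wins; the interface-matching route map is only consulted when a new entry is created), added here as an example and not part of the thread or of any Cisco code. The interface names, inside-global addresses, the 300-second timeout and the flows in `failover_scenarios` are constructed. It walks through the stale-translation failure after a route switch, Martin's point that a new connection on a fresh ephemeral port gets the right address, the `clear ip nat translation *` remedy, and the timeout-based remedy.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """The 5-tuple an extended (per-connection) translation is keyed on."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Translation:
    global_addr: str     # inside-global address chosen when the entry was created
    created_on: str      # interface the route map matched at creation time
    last_used: float


class DualIspNat:
    """Toy model of a router with one inside network and two outside interfaces,
    each with its own dynamic NAT address. Not Cisco code; it only reproduces
    the lookup order the thread describes."""

    def __init__(self, global_addr_by_interface: Dict[str, str], timeout: float):
        self.global_addr_by_interface = dict(global_addr_by_interface)
        self.timeout = timeout                    # models 'ip nat translation timeout'
        self.default_egress: Optional[str] = None
        self.table: Dict[Flow, Translation] = {}

    def set_default_route(self, interface: str) -> None:
        """Models the SAA-tracked default route moving; the NAT table is untouched."""
        self.default_egress = interface

    def clear_translations(self) -> None:
        """Models 'clear ip nat translation *'."""
        self.table.clear()

    def translate(self, flow: Flow, now: float) -> Tuple[str, str]:
        """Returns (inside-global address used, interface the packet leaves on).
        A mismatch between the two is the failure mode from the thread: the
        route map is only evaluated when no live entry exists, so a flow created
        before the failover keeps its old address although it now leaves via
        the other ISP."""
        egress = self.default_egress
        entry = self.table.get(flow)
        if entry is not None and now - entry.last_used < self.timeout:
            entry.last_used = now                 # existing entry wins; no route-map check
            return entry.global_addr, egress
        # No usable entry: evaluate the route map's 'match interface' against the
        # current routing decision and create a new translation.
        entry = Translation(self.global_addr_by_interface[egress], egress, now)
        self.table[flow] = entry
        return entry.global_addr, egress

    def is_consistent(self, global_addr: str, egress: str) -> bool:
        """True when the source address belongs to the ISP the packet leaves through."""
        return self.global_addr_by_interface[egress] == global_addr


def failover_scenarios() -> Dict[str, Tuple[str, str]]:
    # Constructed addresses and interface names; the 300 s timeout is illustrative.
    nat = DualIspNat({"Dialer1": "203.0.113.10", "Ethernet0": "198.51.100.10"}, timeout=300)
    nat.set_default_route("Dialer1")
    flow = Flow("tcp", "10.0.0.5", 40000, "192.0.2.80", 443)
    results = {}
    results["before_failover"] = nat.translate(flow, now=0)
    nat.set_default_route("Ethernet0")            # primary lost, SAA swapped the route
    results["stale_flow"] = nat.translate(flow, now=10)      # old address, new interface
    results["new_flow"] = nat.translate(Flow("tcp", "10.0.0.5", 40001, "192.0.2.80", 443), now=10)
    nat.clear_translations()                      # the manual remedy from the thread
    results["after_clear"] = nat.translate(flow, now=20)
    nat.set_default_route("Dialer1")              # primary back; the route flips again
    results["still_stale"] = nat.translate(flow, now=30)
    results["after_timeout"] = nat.translate(flow, now=400)  # entry aged out, re-evaluated
    return results


if __name__ == "__main__":
    for name, (addr, via) in failover_scenarios().items():
        print(f"{name:16} {addr:15} via {via}")
```

The `stale_flow` and `still_stale` results leave with an address that belongs to the other ISP, which is exactly the packet the remaining ISP will discard or route back to the dead link; only flushing the table or letting the entry age out gets the route map re-evaluated.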
 
 
Jon Lawrence
 
      07-25-2004
Vincent C Jones wrote:
> Jon Lawrence <(E-Mail Removed)> wrote:
>>
>>Is this something to do with the adsl ?
>>
>>Surely, if a connection drops there must be a way of clearing the NAT
>>translations.

>
>
> This appears to be the case, the problem is that SAA only drops the
> static route and the interface is still considered up. This is tricky,
> because the interface needs to stay up so SAA can detect when it starts
> working again. What is needed is for NAT to track SAA.
>
>

OK, I opened a ticket with the TAC and it seems that they've come through.
If you're using serial interfaces, then the NAT will change correctly -
apparently with other interfaces (e.g. ethernet or DSL) it won't.
TAC advised I use something called 'PBR with tracking options'; this is
only supported under the 'T' train.
See
http://www.cisco.com/en/US/products/...0801d1e95.html
for more details.

Jon

--
remove goaway for email
 