NAT issue with load balancing between two ISPs

Discussion in 'Cisco' started by okrus, Jun 3, 2008.

  1. okrus

    Hello everybody!

    This is my first question, I am brand new in this so please excuse me if I do not write properly or straight to the point.

    I will try my best.

    These are the devices related to my question:
    - cisco2811 (complete access)
    - DSL modem
    - cisco2900 series

    I have access to all except cisco2900.

    I guess the configuration in cisco2950 is ok and quite simple, no special routing or security task, just a point to connect with the provider and through to the internet (at the moment it is working properly).

    DSL modem is pretty simple, just a connection straight to internet like a SOHO (small office home office), with no command line interface or similar.


                                                              [outbound connection]
    Proventia firewall ethernet --------- cisco2811 ------------ ethernet cisco2900 (ISP 1)
    [local network traffic]                   |____ ethernet DSL modem (ISP 2)
                                                              [outbound connection]


    I am trying to make a simple load balancing between two ISPs with NAT.

    I found three possible solutions (for sure more exist).

    The starting state is forwarding all the traffic through ISP1, and everything is ok.
    ip route 0.0.0.0 0.0.0.0 interfaz ISP1
    and basic nat translation
    ip nat inside source static network IP_firewall_to_cisco2811 IP_cisco2811_to_ISP1 /32

    A. Use two static routes in cisco2811
    ip route 0.0.0.0 0.0.0.0 interfaz ISP1
    ip route 0.0.0.0 0.0.0.0 interfaz ISP2

    But it is not working as it is supposed to.
    When I ran a traceroute, the output showed that the cisco2811 tries to route twice between both ISPs, and in the end some pages were not loaded in the browser.
    Maybe I have to add more commands to this solution, apart from the small part of nat inside for these interfaces.

    qosrouter#traceroute
    Protocol [ip]:
    Target IP address: 80.81.96.190
    Source address:
    Numeric display [n]:
    Timeout in seconds [3]:
    Probe count [3]:
    Minimum Time to Live [1]:
    Maximum Time to Live [30]:
    Port Number [33434]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Type escape sequence to abort.
    Tracing the route to 80.81.96.190

    1 *
    IP_ISP1 0 msec *
    2 194.25.5.110 124 msec * 116 msec
    3 *
    217.5.66.34 124 msec *
    4 217.5.66.46 128 msec * 128 msec
    5 *
    212.20.155.38 116 msec *
    6 130.117.0.210 128 msec * 124 msec
    7 *
    130.117.3.77 120 msec *
    8 130.117.1.114 128 msec * 132 msec
    9 *
    130.117.3.101 192 msec *
    10 130.117.0.213 144 msec *
    130.117.2.209 148 msec
    11 *
    130.117.2.133 172 msec *
    12 * * *
    13 *
    149.6.82.206 152 msec *
    14 213.172.34.122 156 msec *
    ...etc


    B. Use route-map to both ISPs
    But it is not working as it is supposed to.
    Should I put default routes even with route-map next-hop ip defined?

    ip nat inside source route-map isp1 interface vlan 12 overload
    ip nat inside source route-map isp2 interface dialer 1 overload

    access-list 110 permit ip host IP_firewall_to_cisco2811 any
    access-list 120 permit ip host IP_firewall_to_cisco2811 any

    route-map isp1 permit 10
    match ip address 110
    set ip next-hop IP_ISP1

    route-map isp2 permit 10
    match ip address 120
    set ip next-hop IP_ISP2

    C. Use OER. As long as I have no simple solution with static routes, I will wait to use this solution; in addition, I am not sure about its compatibility with the route-map configuration.

    Below these lines, you can see the configuration of the cisco2811, with which traffic can access the internet through ISP1 only:

    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    boot-start-marker
    boot system flash c2800nm-advipservicesk9-mz.124-13a.bin
    boot-end-marker
    !
    no aaa new-model
    no ip source-route
    !
    vpdn enable
    ip tcp synwait-time 10
    !
    !
    interface FastEthernet0/0
    description # traffic to ISP 2 DSL modem#
    no ip address
    duplex half
    speed 10
    pppoe enable group global
    pppoe-client dial-pool-number 1
    !
    interface Dialer1
    description # dialer connection to fastethernet 0/0 #
    ip address negotiated
    ip mtu 1452
    encapsulation ppp
    ip nat outside
    no ip mroute-cache
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname usuario@domain_text
    ppp chap password 7 password_text
    ppp pap sent-username usuario@domain_text password 7 password_text
    !
    interface FastEthernet0/1
    description # firewall to cisco2811 traffic #
    bandwidth 100000
    ip address xx.yy.zz.169 255.255.255.248
    ip access-group 100 in
    ip verify unicast reverse-path
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nbar protocol-discovery
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    ip tcp adjust-mss 1412
    duplex half
    speed 10
    no mop enabled
    !
    interface FastEthernet0/0/2
    description # swith port for ISP 1 cisco2900 #
    switchport access vlan 12
    !
    interface Vlan12
    description # traffic to ISP 1 cisco2900 #
    ip address xx.yy.zz.76 255.255.255.248
    ip access-group 101 in
    ip access-group 102 out
    ip verify unicast reverse-path
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nbar protocol-discovery
    ip nat outside
    ip virtual-reassembly
    ip route-cache flow
    ip tcp adjust-mss 1412
    fair-queue 64 16 256
    no mop enabled
    !
    ip route 0.0.0.0 0.0.0.0 ip_next_hop_ISP1
    !
    ip nat inside source static network IP_firewall_to_cisco2811 IP_cisco2811_to_ISP1 /32
    !
    no cdp run
    dialer-list 1 protocol ip permit
    ip classless
    !


    When I try to apply the above commands, I lose communication with the ISPs from the web browser, although traceroute still shows the correct path and information to reach the destination web sites.

    qosrouter#traceroute
    Protocol [ip]:
    Target IP address: 213.4.130.210
    Source address:
    Numeric display [n]:
    Timeout in seconds [3]:
    Probe count [3]:
    Minimum Time to Live [1]:
    Maximum Time to Live [30]:
    Port Number [33434]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Type escape sequence to abort.
    Tracing the route to 213.4.130.210

    1 ISP1 0 msec 0 msec 0 msec
    2 194.25.5.110 276 msec 272 msec 252 msec
    3 217.5.66.34 164 msec 224 msec 284 msec
    4 *
    62.154.16.161 128 msec 128 msec
    5 62.156.138.90 160 msec 240 msec 136 msec
    6 84.16.13.34 144 msec 144 msec 140 msec
    7 213.140.36.73 168 msec 240 msec 164 msec
    8 80.58.75.158 164 msec 164 msec 168 msec
    9 * * *
    10 etc...


    qosrouter#traceroute
    Protocol [ip]:
    Target IP address: 80.81.96.190
    Source address:
    Numeric display [n]:
    Timeout in seconds [3]:
    Probe count [3]:
    Minimum Time to Live [1]:
    Maximum Time to Live [30]:
    Port Number [33434]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Type escape sequence to abort.
    Tracing the route to 80.81.96.190

    1 ISP2 8 msec 40 msec 20 msec
    2 212.18.6.213 12 msec 8 msec 12 msec
    3 62.140.24.9 8 msec 8 msec 12 msec
    4 * * *
    5 4.68.118.80 12 msec
    4.68.118.16 16 msec
    4.68.118.144 16 msec
    6 62.67.33.242 16 msec 20 msec 16 msec
    7 212.23.42.173 [MPLS: Label 3083 Exp 0] 40 msec 44 msec 44 msec
    8 84.233.207.86 [MPLS: Label 616 Exp 0] 44 msec 40 msec 40 msec
    9 84.233.204.209 [MPLS: Label 969 Exp 0] 40 msec 44 msec 44 msec
    10 84.233.204.234 [MPLS: Label 258 Exp 0] 44 msec 40 msec 40 msec
    11 212.23.42.198 44 msec 44 msec 44 msec
    12 84.233.187.18 44 msec 44 msec 40 msec
    13 213.172.34.122 40 msec 44 msec 44 msec
    14 * * *
    15 etc...


    Why can I not surf the internet using both ISPs at the same time, load balancing traffic between both?

    Traceroute commands are ok.

    Thank you all in advance

    kind regards
     
    okrus, Jun 3, 2008
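
An added example, not part of okrus's post: the usual IOS pattern for NAT overload across two uplinks picks the translation with `match interface` in each NAT route-map, because NAT evaluates only the match clauses and the `set ip next-hop` lines in option B do no routing there. It reuses the post's placeholders and interface names (Vlan12, Dialer1) and assumes the existing static NAT entry is removed so it cannot tie every flow to the ISP1 address.

```cisco
! Added example, not from the original post.
! IP_firewall_to_cisco2811, IP_cisco2811_to_ISP1 and ip_next_hop_ISP1
! are the post's own placeholders; substitute real values.
!
! Assumption: the static translation is removed. While it exists,
! packets leaving through Dialer1 would still carry the ISP1 address.
no ip nat inside source static network IP_firewall_to_cisco2811 IP_cisco2811_to_ISP1 /32
!
! Two equal-cost default routes. The routing table, not the NAT
! route-map, decides which uplink a flow uses.
ip route 0.0.0.0 0.0.0.0 ip_next_hop_ISP1
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! One ACL describing the inside source is enough for both route-maps.
access-list 110 permit ip host IP_firewall_to_cisco2811 any
!
! Each route-map matches only traffic that routing has already sent
! to that exit interface, so the source address always belongs to
! the ISP the packet actually leaves through.
route-map isp1 permit 10
 match ip address 110
 match interface Vlan12
!
route-map isp2 permit 10
 match ip address 110
 match interface Dialer1
!
ip nat inside source route-map isp1 interface Vlan12 overload
ip nat inside source route-map isp2 interface Dialer1 overload
```

To check the result, `show ip route 0.0.0.0` should list both default routes and `show ip nat translations` should show each flow's inside global address belonging to the interface that flow exits through.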