Answer the question
In order to leave comments, you need to log in
G
G
gustaf2015-11-29 20:25:25
gustaf, 2015-11-29 20:25:25
Cisco router: how does NAT change when using IP SLA?
I can not figure it out, if you can, tell me please.
There is such a configuration:
Two external interfaces to two different providers
interface GigabitEthernet0/0
description MAIN_ISP
ip address 10.10.10.54 255.255.255.240 secondary
ip address 10.10.10.51 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed autointerface GigabitEthernet0/1
description BACKUP_ISP
ip address 20.20.20.198 255.255.255.240 secondary
ip address 40.40.40.82 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed autoone internal interface to the internal network.
interface GigabitEthernet0/2
description link_between_2911_and_ASA
ip address 192.168.255.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
ip policy route-map Load-Balance
duplex auto
speed autoTwo NAT entries
ip nat inside source static 192.168.6.54 10.10.10.54 route-map static-nat-isp-main
ip nat inside source static 192.168.6.54 20.20.20.198 route-map static-nat-isp-backupPBR
route-map static-nat-isp-backup permit 10
match interface GigabitEthernet0/1
route-map static-nat-isp-main permit 10
match interface GigabitEthernet0/0routes
ip route 0.0.0.0 0.0.0.0 10.10.10.49 5 track 1
ip route 0.0.0.0 0.0.0.0 40.40.40.81 10 track 2
ip route 192.168.6.0 255.255.255.0 192.168.255.2channel availability monitoring
ip sla 1
icmp-echo 10.10.10.49 source-interface GigabitEthernet0/0
threshold 1000
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 40.40.40.81 source-interface GigabitEthernet0/1
threshold 1000
frequency 5
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
delay down 5 up 5
!
track 2 ip sla 2 reachability
delay down 5 up 5When both providers are available, machine address 192.168.6.54 is translated to the Internet at 10.10.10.54
When the main_isp provider is not available, machine address 192.168.6.54 is translated to the Internet at 20.20.20.198
Question.
I can't figure out which rule is used for translation in the first case, and which one in the second case.
When the first provider ceases to be available, the default gateway changes from 10.10.10.49 to 40.40.40.81 - this is understandable.
Where and when does NAT change?
3 answer(s)
@gustaf
The choice of the first or second route affects the choice of the outgoing interface for sending the packet out (different next-hops are available through different interfaces).
This, in turn, affects the choice of NAT rule. One route-map works for one interface (route-map static-nat-isp-main - Gi0/0), the other - for another (backup - Gi0/1).
Do you need additional info?
@pezzak
Also, if the main gateway is unavailable, the established tcp sessions will hang, because 192.168.6.54 will be broadcast according to the built nata table. In this case, you need to clear the table via EEM:
@gustaf
then when two gateways are available, the address will be 20.20.20.198, and when the first gateway is not available, then the machine does not have access to the Internet at all.
Special thanks for clearing the table!
A
Alexander, 2015-12-03 @gustaf
Numbers 5 and 10 for routes are called Administrative Distance, a more or less adequate Russian counterpart - "the degree of trust in the source of routing information."
ip route 0.0.0.0 0.0.0.0 10.10.10.49 5 track 1
ip route 0.0.0.0 0.0.0.0 40.40.40.81 10 track 2The choice of the first or second route affects the choice of the outgoing interface for sending the packet out (different next-hops are available through different interfaces).
This, in turn, affects the choice of NAT rule. One route-map works for one interface (route-map static-nat-isp-main - Gi0/0), the other - for another (backup - Gi0/1).
Do you need additional info?
P
pezzak, 2015-12-01 @pezzak
In the first case, when both gateways are available, the router sends packets to the world that came from the host 192.168.6.54 with the Inside Global address 10.10.10.54, in the second case, Inside Global 20.20.20.198, i.e. depending on the routing table (more precisely, the FIB table), you have it enabled for both addresses:
ip nat inside source static 192.168.6.54 10.10.10.54 route-map static-nat-isp-main
ip nat inside source static 192.168.6.54 20.20.20.198 route-map static-nat-isp-backupAlso, if the main gateway is unavailable, the established tcp sessions will hang, because 192.168.6.54 will be broadcast according to the built nata table. In this case, you need to clear the table via EEM:
event manager applet ISP_1_UP
event track 1 state up
action 001 cli command "enable"
action 002 cli command "clear ip nat trans *"
action 003 syslog msg "ISP 1 is UP"
event manager applet ISP_1_DOWN
event track 1 state down
action 001 cli command "enable"
action 002 cli command "clear ip nat trans *"
action 003 syslog msg "ISP 1 is DOWN"G
gustaf, 2015-12-01 @gustaf
Thanks for the answer!
I understand one hundred NAT is enabled for both addresses.
The question is why when two or two gateways are available, then 10.10.10.54, and when the first gateway is not available, then - 20.20.20.198.
Where is the rule or where is the priority?
If I swap entries like this:
ip nat inside source static 192.168.6.54 10.10.10.54 route-map static-nat-isp-backup
ip nat inside source static 192.168.6.54 20.20.20.198 route-map static-nat-isp-mainthen when two gateways are available, the address will be 20.20.20.198, and when the first gateway is not available, then the machine does not have access to the Internet at all.
Special thanks for clearing the table!
Similar questions
A
S
Sergey Prokhorov2019-06-19 08:08:28
Why did the trunk stop working after changing cisco to dlink?
4Reply
H
HunterXXI2017-01-26 12:53:39
Cisco. port security. Is there a mode when ports are not blocked?
0Reply
D
C
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question