
Multiple NAT outside interfaces


LingaringBell (IS-IT--Management), Mar 13, 2009
I have a branch office that has a basic consumer ADSL line from Verizon. The modem that Verizon provides (other than just being cheap and useless) will only do NAT for devices on the same subnet as it. To fix this, I had a spare 1811 in the office, and I just plugged the modem into one of the WAN ports on it and let the 1811 do NAT. The other day they called me and said that they have gotten a second DSL line because they want some more bandwidth. The modem that came with this line has the same problem as the first, of course, but I didn't think this would be a problem because the 1811 has two WAN ports. However, I'm not sure how to do NAT on both ports (or even if you can). My config is very simple:

interface FastEthernet0
description DSL_1
ip address x.x.x.x
ip access-group 107 in
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto

ip nat inside source list 7 interface FastEthernet0 overload

access-list 7 permit 192.168.0.0 0.0.255.255


So now I want to do NAT on FastEthernet1 as well. This seems like something that should be easy, but I haven't been able to figure it out. Any help is appreciated. Thanks.
-Bell
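For the question as posted (one 1811, two outside interfaces, one inside address range), here is the configuration an editor would add; it is not from any poster in this thread. IOS lets one `ip nat inside source` statement per outside interface coexist when each is driven by a route-map that matches the egress interface, so a packet leaving FastEthernet1 is always translated to FastEthernet1's address and never leaves one DSL line carrying the other line's source address (which a provider doing anti-spoofing may silently drop). ACL 7 and ACL 107 are the poster's own (107 is not shown in the thread); the interface and next-hop addresses are placeholders from the RFC 5737 documentation ranges, not real ISP addresses.

```cisco
! Added example (editor's, not code from the thread). ACL 7 and ACL 107 are the
! poster's; 192.0.2.x and 198.51.100.x are placeholder ISP addresses (RFC 5737).
interface FastEthernet0
 description DSL_1
 ip address 192.0.2.2 255.255.255.252
 ip access-group 107 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 description DSL_2
 ip address 198.51.100.2 255.255.255.252
 ip access-group 107 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
! Inside subnets eligible for translation (same list as the original post)
access-list 7 permit 192.168.0.0 0.0.255.255
!
! Each route-map matches the inside source AND the interface the packet is
! about to leave through; only then is that interface's address used.
route-map NAT_DSL1 permit 10
 match ip address 7
 match interface FastEthernet0
!
route-map NAT_DSL2 permit 10
 match ip address 7
 match interface FastEthernet1
!
! One overload (PAT) statement per outside interface, selected by route-map
ip nat inside source route-map NAT_DSL1 interface FastEthernet0 overload
ip nat inside source route-map NAT_DSL2 interface FastEthernet1 overload
!
! Two equal-cost defaults: CEF load-shares per source/destination pair, so
! a single flow always stays on one line (no per-packet splitting).
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

To check which line a given inside host is using, `show ip cef exact-route <inside-src> <dst>` shows the CEF choice and `show ip nat translations` shows the outside address it was given; the two must agree, which is exactly what the `match interface` clause guarantees. Route-map NAT creates full (extended) translation entries, so expect one entry per flow rather than per inside host.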
 
Your default route would also need to be modified if you plan on round-robin routing out...

! both ISP addresses live on the loopback; the physical WAN ports borrow them via ip unnumbered
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip address 2.2.2.2 255.255.255.255 secondary
ip nat outside
!
interface FastEthernet0
description DSL_1
ip unnumbered Loopback0
ip access-group 107 in
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
!
interface FastEthernet1
description DSL_2
ip unnumbered Loopback0
ip access-group 107 in
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
ip nat inside source list 7 interface Loopback0 overload

Try that. I have not labbed it yet, but I will try tomorrow. Just a thought...might work.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
burt, haha, don't worry, I remembered the default route change.

Isn't your solution essentially the same as just plugging FastEthernet0 and both modems into a layer 1 switch? Though I don't know how the NAT will work with an interface with two IP addresses. Will the NAT just round-robin between them?


kensy, I had been considering what you suggest, and the IPs don't even have to be sequential. Since the two modems only have a problem doing NAT for devices on a different subnet, I could just have the 1811 NAT to a private IP that is on the same subnet as the modems. Maybe something like:

interface FastEthernet0
description DSL_1
ip address 10.10.10.2 255.255.255.0
ip access-group 107 in
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
!
interface FastEthernet1
description DSL_2
ip address 10.10.10.3 255.255.255.0
ip access-group 107 in
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto

ip nat pool ovrld 10.10.10.4 10.10.10.5 prefix-length 24
ip nat inside source list 7 pool ovrld overload

access-list 7 permit 192.168.0.0 0.0.255.255


Do you guys think that would work?
 
One thing I'd like to point out---any one user is only going to get the bandwidth of one link or another. Are the two lines of the same bandwidth?

"Isn't your solution essentially the same as just plugging FastEthernet0 and both modems into a layer 1 switch?"

You mean layer 2 switch, or a hub? How do you think that it is the same as plugging modem 1 and 2, as well as fa0, but not fa1? What would fa1 be connected to? Plus, communication between everything would not happen unless everything was in the same subnet. If both ISP IP addresses were in the same subnet, this would be a no-brainer...

My example allows comms to occur between everything. Two separate NATs have to occur for one node in the LAN to get out---they can't have the same translation...you'd have to clear xlates. Would NAT round-robin? Not sure...I almost have it labbed up, and can finish tomorrow morning. I will try

ip route 0.0.0.0 0.0.0.0 lo0

But I am interested in seeing what your default route looks like...can you post a complete config?

Also, what would be the purpose of double-natting like your example? In your scenario, something has to translate the privates to a public ip...if you are suggesting putting the private ip addresses on your WAN ports, then the modems would have to NAT.

One more important question---how many internal networks do you have? Since your Verizon modem only nats to one subnet, I was assuming that you have multiple LAN subnets. This makes all the difference in the world.

 
Yes, the two links have the same bandwidth, and I have 5 private subnets. First, I found a flaw in my pool idea above, because you can't give two WAN interfaces IP addresses that are on the same subnet.

How I'm making both lines work currently is by having the modems do NAT and connecting FastEthernet0 and the modems to a hub, then having a round robin gateway like this:

interface FastEthernet0
description Verizon_DSL
ip dhcp client update dns
ip address 10.250.13.3 255.255.255.0
ip access-group 107 in
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto

ip nat inside source list 7 interface FastEthernet0 overload

ip route 0.0.0.0 0.0.0.0 10.250.13.1
ip route 0.0.0.0 0.0.0.0 10.250.13.2

The 1811 NATs all of the private subnets to a single private subnet. Then the modems NAT them to a public IP fine.

While this method works, I would prefer to not use it for a couple of reasons. First, it is basically impossible to graph utilization for each individual line, or to send more load to one line than the other.

Second, I'm not sure if I can set up failover using this method. Is there a way to tell the Cisco to stop sending traffic out a gateway if that gateway goes down without using something like OER?


I'm sorry but you will have to explain to me how your idea for using a loopback interface works because I'm a little confused. By doing:

ip nat inside source list 7 interface loopback0 overload

aren't you changing the private IPs to another set of private IPs exactly like I'm doing now? Maybe I'm just lost. Thanks for all your help!
 
"Second, I'm not sure if I can set up failover using this method. Is there a way to tell the Cisco to stop sending traffic out a gateway if that gateway goes down without using something like OER?"

Yes---floating static routes...this would make your world much easier, but it would not load balance---it's either-or...

ip route 0.0.0.0 0.0.0.0 10.250.13.1
ip route 0.0.0.0 0.0.0.0 10.250.13.2 50

add a higher metric to the less-preferred (backup) link.

"I'm sorry but you will have to explain to me how your idea for using a loopback interface works because I'm a little confused. By doing:

ip nat inside source list 7 interface loopback0 overload

aren't you changing the private IPs to another set of private IPs exactly like I'm doing now? Maybe I'm just lost."

No---the loopback addresses (primary and secondary) are those of the ISP's---I should have mentioned that. The fastethernet interfaces, the physical interfaces themselves, get their ip addresses by using ip-unnumbered config (the addresses of the loopback interface).

Again, will lab hopefully today, with debugs and everything.

Are you deciding between load balancing and redundancy?

Both can actually be accomplished (not to contradict myself, but what I really meant is that 1, you can only either load balance traffic or bond links, but not both, and 2, in your situation, you cannot load balance AND have redundant links), but it involves more equipment---HSRP w/load balancing, VRRP, GLBP are the three ways to accomplish this. But that sounds like it's beyond the scope (WAY beyond) of your dilemma and solution.

But it is important at this point to decide between load balancing and redundancy. Remember, you cannot bond these unless

A.They are from the same provider
B.Both links are in the same subnet
C.Both links at the provider site are in the same router/gateway device

If all three conditions exist, then you're golden! You MLPPP the links and NAT to the multilink interface---BAM!

Now to the lab in a bit...

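The failover question from the hub-and-two-modems post above, and the floating static route answer to it, both leave one gap that a practitioner will hit in production: a static route whose next hop is a modem on a live Ethernet segment is only withdrawn when the router's own interface goes down, so if the DSL behind modem 1 drops while the hub stays up, traffic keeps being sent to 10.250.13.1 and the floating backup never takes over. The fix is to tie each default route to an object tracker that probes a host beyond that modem. The configuration below is added by the editor and is not from any poster; it uses the addresses the poster gave (Fa0 at 10.250.13.3/24, modems at .1 and .2). Syntax is IOS 12.4(20)T or later (older 12.4 images spell the same thing `ip sla monitor`, `type echo protocol ipIcmpEcho` and `track 1 rtr 1 reachability`), and 203.0.113.1 / 203.0.113.2 are placeholders (RFC 5737) for two stable Internet hosts you are permitted to ping, such as the provider's DNS servers.

```cisco
! Added example (editor's, not code from the thread). Scenario as posted:
! Fa0 = 10.250.13.3/24 on a hub with modem 1 at .1 and modem 2 at .2; the
! modems do the NAT to the public addresses.
! 203.0.113.1 / 203.0.113.2 are placeholder probe targets (RFC 5737).
! Syntax: IOS 12.4(20)T+; older images use "ip sla monitor" and "track ... rtr".
!
! Pin each probe target through exactly one modem. These host routes are
! deliberately NOT tracked: if they failed over, modem 1's probe would start
! succeeding through modem 2 and mask the outage.
ip route 203.0.113.1 255.255.255.255 10.250.13.1
ip route 203.0.113.2 255.255.255.255 10.250.13.2
!
! One ICMP probe per line, sourced from the hub-facing interface
ip sla 1
 icmp-echo 203.0.113.1 source-interface FastEthernet0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 203.0.113.2 source-interface FastEthernet0
 frequency 10
ip sla schedule 2 life forever start-time now
!
! Reachability trackers with dampening so a single lost ping does not flap
track 1 ip sla 1 reachability
 delay up 30 down 15
track 2 ip sla 2 reachability
 delay up 30 down 15
!
! Load sharing WITH failover: both defaults are active while their probes
! succeed; a route is withdrawn the moment its tracker goes down.
ip route 0.0.0.0 0.0.0.0 10.250.13.1 track 1
ip route 0.0.0.0 0.0.0.0 10.250.13.2 track 2
!
! Either-or variant (the floating static from the reply above, made tracked):
! the backup's higher administrative distance keeps it out of the table until
! the tracked primary is withdrawn.
! ip route 0.0.0.0 0.0.0.0 10.250.13.1 track 1
! ip route 0.0.0.0 0.0.0.0 10.250.13.2 50 track 2
```

`show track` and `show ip sla statistics` show the current state and probe results, and `show ip route 0.0.0.0` confirms which defaults are installed. Two caveats: pinging the modem's own LAN address (10.250.13.1) would prove nothing about the DSL line, which is why the probe targets sit beyond the modem; and established TCP sessions still break on failover, because the far end suddenly sees the other modem's public address, so this protects new connections, not in-flight ones.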
 
Ah, the loopback makes more sense now. When using the "ip unnumbered" config, how do you make sure that FastEthernet0 gets the IP address associated with the modem it is connected to and vice versa?

I am going to have to go for load balancing over redundancy, since the line was purchased to increase available bandwidth. If I am letting the modems do NAT, can't I MLPPP the links without needing the provider to have both lines connected to the same router? Since it is a regular consumer Verizon DSL, I doubt they will want to do things like tell me about how it is set up at the provider site. I have never done anything with HSRP, VRRP, or GLBP, but after reading about them all briefly now, I think I would need more Cisco routers to accomplish them, correct?
 