
Port forwarding multi-homed router 2


justin12345 (Technical User), Jul 21, 2008
Hello,

I have a 2811 with 3 DSL lines used for load balancing traffic. I'm using route-maps to overload NAT the internal traffic and just have static routes set to my ISP's gateway.

All that is working fine, except I can't find a way to port forward from the outside. I have a single server on the LAN side (192.168.1.245) that I want to get inbound port 80 traffic from one or all of the WAN interfaces. If I use:

ip nat inside source static tcp 192.168.1.245 80 63.224.1.2 80

(where 63.224.1.2 is the IP of one of the DSL dialers)

it will work if it is the only connected route. As soon as the other 2 DSL lines are up, the port forwarding won't work anymore.

I'm guessing I need some sort of route-map command, but I don't know what it is.

Thanks!
 
Hello
Can you please post a conf.
Regards
 
Thanks Minue.

Here are the relevant parts of the config with the IPs changed:

interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname user0
 ppp chap password 0 password0
 ppp pap sent-username user0 password 0 password0
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 ppp authentication pap chap callin
 ppp chap hostname user1
 ppp chap password 0 password1
 ppp pap sent-username user1 password 0 password1
!
interface Dialer2
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 4
 dialer-group 4
 ppp authentication pap chap callin
 ppp chap hostname user2
 ppp chap password 0 password2
 ppp pap sent-username user2 password 0 password2
!
ip local policy route-map backondialer1
ip classless
ip route 0.0.0.0 0.0.0.0 207.225.84.223
ip route 0.0.0.0 0.0.0.0 207.225.84.220
ip route 0.0.0.0 0.0.0.0 207.225.84.226
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.1.245 9996
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map NATdailer0 interface Dialer0 overload
ip nat inside source route-map NATdailer1 interface Dialer1 overload
ip nat inside source route-map NATdailer2 interface Dialer2 overload
ip nat inside source static tcp 192.168.1.245 80 63.224.1.2 80 extendable
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 170 permit tcp host 63.224.2.1 any
access-list 171 permit tcp host 63.230.2.1 any
access-list 172 permit tcp host 65.102.2.1 any
!
route-map backondialer1 permit 10
 match ip address 170
 set ip next-hop 207.225.84.220
!
route-map backondialer0 permit 10
 match ip address 171
 set ip next-hop 207.225.84.226
!
route-map backondialer2 permit 10
 match ip address 172
 set ip next-hop 207.225.84.223
!
route-map NATdailer0 permit 10
 match ip address 1
 match interface Dialer0
!
route-map NATdailer1 permit 10
 match ip address 1
 match interface Dialer1
!
route-map NATdailer2 permit 10
 match ip address 1
 match interface Dialer2
 
Hello
Is the public IP address used for the static NAT part of a pool of addresses, or is it the IP of one of the WAN interfaces? I would try using "ip nat inside source static tcp 192.168.1.245 80 dialer0 80" to make it the interface. Also try putting the same statement for a third interface. If this doesn't work, we must find a way to send the traffic back out on the interface it came in on.
Regards
 
Hello,

Yes, 63.224.1.2 is the IP address of Dialer1. I tried as you suggested and changed it to:

ip nat inside source static tcp 192.168.1.245 80 interface Dialer1 80

The "extendable" option isn't available if I use the "interface" command instead of the IP address. Also, I can only have one of these statements at a time.

I suspect, as you said, that the traffic is not going out on the correct interface. I think we need a route-map to do this.

Do you know how?

Thanks again!
 
Hello
This is going to be tricky! I will try to think of something. In the meantime, try putting some weights on the 2 other static routes to see if the problem is really the load balancing.
Regards
 
I set a static route to my IP here at home to use Dialer1:

ip route 24.X.X.X 255.255.255.255 Dialer1

and I was able to get to the server that way. So I think this confirms that it's a load-balancing problem, right?

I thought that maybe I needed a route-map to set a static route for the webserver (192.168.1.245) so I tried:

access-list 160 permit ip host 192.168.1.245 any

route-map webserver permit 10
 match ip address 160
 set ip next-hop 207.225.84.220

But that didn't work.

Any ideas?

 
No...none of my route-maps are on an interface.

What would that look like? How do I do it?

Thanks!
 
Awesome, that seems to have done it!

Thank you both for your help.
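For readers landing on this thread later: the thread never posts the working config, but the fix the poster confirmed is applying the route-map to the inside interface. The fragment below is an added example, not the poster's final config; it reuses the access-list and route-map he already tried, and it assumes 207.225.84.220 is the gateway behind Dialer1 (the interface that owns 63.224.1.2).

```cisco
! Added example (assumed, not the thread's posted config).
! Problem: three equal-cost default routes spread the web server's
! replies across all three dialers, but the static NAT binds
! 192.168.1.245:80 to 63.224.1.2, which is Dialer1's address. Replies
! leaving Dialer0 or Dialer2 carry a source address that does not belong
! to that link (or get re-NATted by the overload rule), so the session breaks.
!
! Fix: policy-route the server's traffic on the inside interface so its
! replies always leave via Dialer1's gateway (assumed to be 207.225.84.220).
access-list 160 permit ip host 192.168.1.245 any
!
route-map webserver permit 10
 match ip address 160
 set ip next-hop 207.225.84.220
!
! The route-map only takes effect once it is applied to the interface
! where the server's packets enter the router.
interface FastEthernet0/0
 ip policy route-map webserver
!
! Static port forward for the same dialer's address, unchanged from the thread.
ip nat inside source static tcp 192.168.1.245 80 63.224.1.2 80 extendable
!
! Checks after applying: the match counter on the route-map should climb
! while the server answers, and the translation should show the inside
! global address 63.224.1.2.
!   show route-map webserver
!   show ip nat translations | include 192.168.1.245
```

Because the policy pins all of the server's outbound traffic to Dialer1, the server is reachable only through that line and loses connectivity if it drops; the thread leaves the multi-line variant unanswered.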
 
Don't forget to give brian and minue stars for helping you solve your problem.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
So your only goal with this solution is to load-balance traffic and tie that web server to only one of the three interfaces?? Are you concerned about a link failure??

 
Hello
Can you please post the updated working conf, so as to help others.
Regards
 
Hi unclerico,

Well, the webserver is really just used for some traffic reporting. If the one link went down it wouldn't be that big of a deal as I could just change the config as needed.

However, I am interested in the "proper" or best way of doing it, so that I could access it from any of the 3 DSL lines.

Do you know how to do that?

I'll post the config once it's all sorted out.

Thanks!
 