
NAT and Loadsharing help!


vince62s

Technical User
Nov 8, 2003
109
FR
Here is my config:

1 Cisco 2621
Two ISPs : ISP1 and ISP 2
I have a public Range with ISP1
I want load balancing with ISP2
BUT I need to be reached on my public range (LAN Servers) through ISP1 at least.

Building configuration...

Current configuration:
!
version 12.0
service nagle
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
!
clock timezone France 1
clock summer-time France recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
no ip source-route
ip cef
no ip finger
ip tcp path-mtu-discovery
no ip domain-lookup
ip domain-name XXX
ip name-server XXX
!
isdn voice-call-failure 0
!
!
controller E1 1/0
framing NO-CRC4
channel-group 0 timeslots 1-31
!
!
interface Loopback0
no ip address
no ip directed-broadcast
shutdown
!
interface Ethernet0/0
description LAN
ip address publicadd1 255.255.255.224
no ip redirects
ip directed-broadcast
ip accounting output-packets
ip nat inside
ip load-sharing per-packet
full-duplex
random-detect
standby priority 90 preempt
!
interface Ethernet0/1
description ISP2
ip address staticIP2 255.255.255.0
ip directed-broadcast
ip accounting output-packets
ip nat outside
full-duplex
!
interface Serial1/0:0
description ISP1
ip address staticIP1 255.255.255.252
no ip directed-broadcast
random-detect
!
ip nat inside source list 1 interface Ethernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 staticIP1GW
no ip http server
!
access-list 1 permit publicaddrange 0.0.0.255
!
end




QUESTION:
if I add
ip route 0.0.0.0 0.0.0.0 staticIP2GW

to have load sharing everything is messed up.
I lose some outgoing traffic
People from outside can't access my servers on publicrange.


ideas ???





 
Just want to clarify something:

1) For traffic passing via ISP1, do you need to use NAT?
2) Did you receive the "publicrange" IP from ISP1?
3) How many public IP addresses did the ISP2 provide to you?
4) Is it possible to manually load-balance the traffic such that server traffic will use ISP1 and user traffic will use ISP2?

It's very likely that you'll need policy-based routing in your case.
 


1) no I do not use NAT with ISP1
2) Yes I received publicrange from ISP1
3) only one used on the router, that's why I intended to do dummy natting between that IP and publicrange
4) I guess so through policy-based

It's driving me nuts.
 
I copied this from my previous post:

!
route-map DSL permit 10
match ip address 101
set ip next-hop a.b.c.d
route-map DSL permit 20
match ip address 102
set ip next-hop e.f.g.h
!
interface FastEthernet0/1
ip policy route-map DSL
!
! 101 and 102 are in the extended ACL number range, so the named form must be
! "ip access-list extended"; a standard list only accepts 1-99 (and 1300-1999).
ip access-list extended 101
 permit ip host 192.168.1.100 any
 permit ip host 192.168.1.101 any
 permit ip host 192.168.1.102 any
!
ip access-list extended 102
 permit ip host 192.168.1.200 any
 permit ip host 192.168.1.201 any
 permit ip host 192.168.1.202 any
!

In this case for all traffic from the source IP addresses 192.168.1.100-102, it will use the next-hop a.b.c.d. And for source 192.168.1.200-202, it will use e.f.g.h.

And in your case, you may need to modify your ACL for NAT so that only those who use ISP2 will be NATed. Say for example those hosts in the above ACL 102 will use ISP2, then your NAT statement will become:

ip nat inside source list 102 interface Ethernet0/1 overload

Hope this helps.
 

I am trying to do it step by step.

I removed all NAT entries so far.

Can you confirm that I need two routes 0.0.0.0 0.0.0.0

plus what if I want real loadbalancing for outgoing traffic.

let's say internal users browse the internet through 192.168.1.200

can I put 192.168.1.200 in both ACL 101 and 102 ?

thanks
 
still need help !!!!!

here is what I tried

ip subnet-zero
no ip source-route
ip cef
no ip finger
ip tcp path-mtu-discovery
no ip domain-lookup
isdn voice-call-failure 0
!
!
controller E1 1/0
framing NO-CRC4
channel-group 0 timeslots 1-31
!
!
interface Loopback0
no ip address
no ip directed-broadcast
shutdown
!
interface Ethernet0/0
description LAN
ip address publicadd1 255.255.255.224
no ip redirects
ip directed-broadcast
ip accounting output-packets
ip route-cache policy
ip policy route-map VINCENT
full-duplex
random-detect
standby priority 90 preempt
!
interface Ethernet0/1
description ISP2
ip address staticIP2 255.255.255.0
ip directed-broadcast
ip accounting output-packets
full-duplex
!
interface Serial1/0:0
description ISP1
ip address staticIP1 255.255.255.252
no ip directed-broadcast
random-detect
!
ip classless
ip route 0.0.0.0 0.0.0.0 staticIP1GW
ip route 0.0.0.0 0.0.0.0 staticIP2GW
no ip http server
!
access-list 101 permit ip any any
access-list 102 permit ip host publicadd2 any
route-map VINCENT permit 10
match ip address 101
set ip next-hop staticIP1
!
route-map VINCENT permit 20
match ip address 102
set ip next-hop staticIP2


in this order everything goes through staticIP1 and thus ISP1
If I invert permit 10 and permit 20, it does not work for publicadd2

from outside, if I ping publicadd2, as it has been given by ISP1, packets flow through ISP1 and staticIP1 to reach publicadd2 but going out I guess it tries to go through staticIP2 but does not get back to the outside source.

How do I fix that ?

thanks


 
You need NAT for traffic passing through ISP2. You missed the NAT statement.

Also you don't need to have 2 default routes as your route maps already do all the things unless you have the 3rd default route.

!
int e0/0
ip nat inside
!
int e0/1
ip nat outside
!
ip nat inside source list 102 interface Ethernet0/1 overload
!

Btw what do you mean by "real loadbalancing"?

 
access-list 101 permit ip any any
access-list 102 permit ip host publicadd2 any
route-map VINCENT permit 10
match ip address 101
set ip next-hop staticIP1
!
route-map VINCENT permit 20
match ip address 102
set ip next-hop staticIP2

This is not working...since everything will be using "permit 10". Route-maps are processed from top to bottom. So under this example, if there's a match in "permit 10", then staticIP1 will be set as the next hop. If there's no match, then it will go to "permit 20" and see if there's any match. If it matches, then staticIP2 will be set as the next hop; if not, to my understanding, since there's no "permit 30", the packet will be discarded. If there's a "permit 30" with no match and no set statement, then the packet will be processed using the routing table.

Btw I saw that you have HSRP commands in your LAN interface. So you got 2 routers, right?
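Putting the two posts above together (source-based PBR with a NAT list limited to the ISP2 hosts, and the top-to-bottom route-map order), here is a complete configuration written as an added illustration; it is not either poster's config. It keeps the thread's placeholders (publicadd2, staticIP1GW, staticIP2GW, Ethernet0/0, Ethernet0/1). Two points it assumes: the next hop in a route-map must be the ISP2 gateway address (staticIP2GW), not the router's own interface address, and the last clause is left with no match and no set so that unmatched traffic falls back to the routing table instead of being dropped.

```cisco
! Added example, not the original poster's or responder's configuration.
! Placeholders (publicadd2, staticIP1GW, staticIP2GW) are the thread's own.
!
! ACL 102 selects only the one host whose outbound traffic should use ISP2.
! Everything else in the public range is deliberately left out of it.
access-list 102 permit ip host publicadd2 any
!
! Specific clause first: route-maps are evaluated top to bottom and the
! first matching clause wins, so the "catch-all" clause must come last.
! The next hop is the ISP2 gateway, i.e. the router on the far side of E0/1.
route-map VINCENT permit 10
 match ip address 102
 set ip next-hop staticIP2GW
!
! Final clause with no match and no set: every other packet matches here and
! is forwarded by the normal routing table (the single default route via ISP1)
! rather than being discarded by the route-map.
route-map VINCENT permit 20
!
interface Ethernet0/0
 description LAN
 ip nat inside
 ip policy route-map VINCENT
!
interface Ethernet0/1
 description ISP2
 ip nat outside
!
! Interface Serial1/0:0 (ISP1) carries no NAT: the public range stays untranslated.
!
! Only the ISP2-bound host (list 102) is translated, to staticIP2 on E0/1.
ip nat inside source list 102 interface Ethernet0/1 overload
!
! One default route via ISP1 is enough; the route-map steers the ISP2 host.
ip route 0.0.0.0 0.0.0.0 staticIP1GW
```

Check it with `show route-map VINCENT` (the per-clause policy-match counters show which clause is catching the traffic) and `show ip nat translations` (only publicadd2 should appear as an inside local address). The caveat from later in the thread still applies: because publicadd2 leaves ISP2 translated to staticIP2, the Internet sees it as staticIP2, while the public range itself is only advertised by ISP1, so this is outbound steering for that host, not a second inbound path to it.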
 


GREAT !
the NAT statement fixed it.

now, I have one publicipaddX of publicrange routed to ISP2 through the proper route-map.

however this specific publicipaddX is not seen from outside since the public range is only advertised through ISP1.

no way to fix it without BGP ? (not even with a precedence statement?)

thanks for your help

NB: yes I used to have two routers with HSRP but not anymore. I removed the lines.
 
That publicipaddX was translated to the staticIP2 in the NAT statement so it'll just appear as staticIP2 from the Internet.

And you're right only ISP1 will advertise those public ip addresses, while ISP2 will only advertise staticIP2. You may need to discuss this route advertisement issue with both ISPs and see if they can fulfill your requirements.
 


Last question on loadbalancing:

Outgoing traffic through publicaddX of public range is routed to ISP2 thanks to the route-map which captures these packets.

BUT route-map #2 is "any any"; I did this on purpose so that if route-map 1 is overloaded, traffic would fall under route-map 2.

I don't know if this is clear and if this is really what would happen.

Thanks.

 
Within the same route-map (that is route-map VINCENT in your case), if the first criterion is fulfilled, it won't go further down to 2nd and 3rd criteria.

And what exactly do you mean by route-map being overloaded?
 