Dual WAN on a 2651, NAT inside, opening one port on the secondary WAN

Note: all public IP addresses are fictitious.

The primary, default WAN uses 11.22.33.50. The secondary WAN uses 11.23.44.77. All traffic flows through the primary WAN EXCEPT for traffic going to 11.23.44.76 port 66.

On the surface it seems plausible that packets sent to port 66 of 11.23.44.77:66 actually reach 192.168.44.55:66. But reply packets out of 192.168.44.55 get routed through 11.22.33.49 (the default) instead of 11.23.44.76 (the secondary WAN where the TCP session was started).

I seem to recall a "sticky route" parameter that instructs IOS to stick with the originating gateway for a given TCP session. Any help appreciated. TIA.

The pertinent parts of the config:

ip route 0.0.0.0 0.0.0.0 11.22.33.49
ip nat inside source list 101 interface FastEthernet0/1 overload
ip nat inside source list 102 interface Ethernet1/0 overload
ip nat inside source static tcp 192.168.44.55 66 interface Ethernet1/0 2154
access-list 101 permit ip 192.168.44.0 0.0.0.255 any
access-list 102 permit ip 192.168.44.0 0.0.0.255 any
!
interface FastEthernet0/0
 ip address 192.168.44.1 255.255.255.0
 ip nat inside
 no shutdown
 hold-queue 32 in
 exit
!
interface FastEthernet0/1
 ip address 11.22.33.50 255.255.255.248
 ip nat outside
 no shutdown
 duplex auto
 exit
!
interface Ethernet1/0
 ip address 11.23.44.76 255.255.255.248
 ip nat outside
 no shutdown
 exit

-- Don Kuenz


Not only plausible, it's what will happen.

You are routing this traffic based on where it came from, 192.168.44.55:66, and not where it's going. For this you need Policy Routing.

Understanding Policy Routing
============================

formatting link

Since ACL 101 and 102 are identical, 101 will always match and all your traffic will overload on F0/1 even if you do manage to send some of it via E1/0. So:

!
ip nat inside source route-map F01 interface FastEthernet0/1 overload
ip nat inside source route-map E10 interface Ethernet1/0 overload
!
route-map E10 permit 10
 match interface FastEthernet0/1
 match ip access-list 101
!
route-map E10 permit 10
 match interface Ethernet1/0
 match ip access-list 102
!

-- Martin Gallagher

formatting link
A great link, although it's a bit over my head at present. It looks like Cisco included everything including the kitchen sink on purpose to cover all contingencies. Using extended ping for debugging also seems most promising.

Bless you for saving me all sorts of time by giving me an Xmas present!

You came up with a most elegant solution. Elegance is the signature of a master.

Your route-maps as originally posted contained a couple of typos. Here's the corrected route-maps for posterity:

!
route-map F01 permit 10
 match interface FastEthernet0/1
 match ip address 101
!
route-map E10 permit 10
 match interface Ethernet1/0
 match ip address 102

Thanks again.

-- Don Kuenz
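The route-maps above only fix which NAT pool a packet lands in; the asymmetric return path Don describes (replies from 192.168.44.55:66 leaving via the default gateway 11.22.33.49) still needs the policy routing Martin points to. The following is an added example, not configuration from either poster: the ACL and route-map names and the secondary-WAN next hop are assumptions, since the thread never gives the gateway on the Ethernet1/0 subnet.

```cisco
! Match only the forwarded service's replies: source is the inside host,
! source port 66 (the port the static NAT maps 11.23.44.76:2154 onto).
! Everything else from 192.168.44.0/24 keeps using the default route.
ip access-list extended RETURN-VIA-E10
 permit tcp host 192.168.44.55 eq 66 any
!
! Policy route those replies to the secondary WAN's gateway.
! 11.23.44.73 is a placeholder for the real next hop on the
! 11.23.44.72/29 subnet of Ethernet1/0; substitute the provider's router.
route-map PBR-INSIDE permit 10
 match ip address RETURN-VIA-E10
 set ip next-hop 11.23.44.73
!
! Apply the policy on the INSIDE interface. Policy routing runs before
! inside-to-outside NAT, so the ACL sees the pre-translation address
! 192.168.44.55, not the Ethernet1/0 address.
interface FastEthernet0/0
 ip policy route-map PBR-INSIDE
!
! Verification from the router:
!   show route-map PBR-INSIDE      -> policy matches counter climbs
!   show ip nat translations | include 2154
!   debug ip policy                -> "policy match" / "FIB policy route"
```

Because the route-map matches the inside host and source port only, a packet that does not belong to the forwarded session is never policy routed, and the secondary link cannot be used as a general exit by other hosts on the LAN.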

