Technology Used

 

  • Cisco 1841 Integrated Services Router
  • Cisco WIC-4ESW, a 4-port 10/100BaseTx Ethernet switch interface card
  • Cisco IOS 12.4 software

 

Network Diagram

[Network diagram: redundant_isps]



Router Configuration

 
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco1841
!
logging buffered 8192 debugging
!
resource policy
!
clock timezone PST -8
clock summer-time PDT recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip domain name foo.com
!

!--- This is the connection to the Wireless ISP. We mark this interface as external
!--- so NAT will translate using our external NAT address space pool.

interface FastEthernet0/0
 description wireless-isp Wireless Interface
 ip address 172.16.0.194 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 no cdp enable
!

!--- This is the connection to the T1 ISP. Once again we mark this interface as external.

interface FastEthernet0/1
 description att Communications Interface
 ip address 172.16.1.130 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed 100
 no cdp enable
 no mop enabled
!

!--- Since this router only has 2 native Ethernet ports, and we need more than that,
!--- it was necessary to add this switch module.  In order to get the traffic into the
!--- switch, we need to configure a Vlan (see below).  The default Vlan for all
!--- ports is Vlan 1.

interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!

!--- This is where we configure the Vlan.  For the purposes of this example
!--- we are going to treat the Vlan interface just like an Ethernet Interface.
!--- We give it an IP address and tell NAT that it is an inside interface.  This means that traffic
!--- coming into this interface from an "outside" interface will need to be translated from
!--- public address space to private address space.

interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip classless
!

!--- Since we have 2 active connections we need to have 2 default routes.  The wireless
!--- connection is much faster than the T1, so the wireless connection has a lower routing
!--- metric (0).  The lower the cost (metric) the higher the priority that route has when the
!--- router is making routing decisions.  In addition, if the 172.16.0.192 circuit should fail,
!--- the router will automatically take the 172.16.1.129 route because the other route
!--- would be deleted from the routing table until the circuit came back up.

ip route 0.0.0.0 0.0.0.0 172.16.0.193
ip route 0.0.0.0 0.0.0.0 172.16.1.129 10
!
!

!--- These are some NAT timings.  Since we don't have much address space here, we need to
!--- keep the table small and the timings short.  This client has about 45 employees and since
!--- we only have 8 addresses for each network, we need to be mindful of NAT table size and
!--- IP addresses.

ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat translation dns-timeout 300

ip nat pool wireless-isp-pool 172.16.0.199 172.16.0.206 prefix-length 28
ip nat pool att-pool 172.16.1.136 172.16.1.142 prefix-length 28

!--- The NAT pool we use for public/private address space mapping is determined
!--- by which network the traffic is going to take.

ip nat inside source route-map wireless-isp-nap-map pool wireless-isp-pool overload
ip nat inside source route-map att-nap-map pool att-pool overload

!--- This is where the fun begins and this section of the configuration is where everything
!--- comes together.  Normally there would be no need for the route-map here.  But because
!--- we have a requirement to run in active-active with the two ISPs we need to use route-maps
!--- to control the NAT process.  These route-maps look to see which interface the traffic is
!--- entering the router from, then they look to see which host the traffic is destined for.  If the
!--- incoming traffic is destined for one of our servers, then we need to force a NAT translation
!--- such that when the traffic needs to leave the router it will take the proper route.

ip nat inside source static 10.10.10.21 172.16.1.131 route-map exchange-att extendable
ip nat inside source static 10.10.10.22 172.16.1.132 route-map webserver-att extendable
ip nat inside source static 10.10.10.23 172.16.1.134 route-map commserver-att extendable
ip nat inside source static 10.10.10.21 172.16.0.195 route-map exchange-wireless-isp extendable
ip nat inside source static 10.10.10.22 172.16.0.196 route-map webserver-wireless-isp extendable
ip nat inside source static 10.10.10.23 172.16.0.197 route-map commserver-wireless-isp extendable
!
ip access-list extended nat-list
 permit ip 10.10.10.0 0.0.0.255 any

!--- The next three ACLs are for the route-maps.  They define what interesting traffic is.
!--- Here are the inside addresses of our servers: Exchange, Web and Communications.

ip access-list extended exchange-acl
 permit ip host 10.10.10.21 any
!
ip access-list extended commserver-acl
 permit ip host 10.10.10.23 any
!
ip access-list extended webserver-acl
 permit ip host 10.10.10.22 any
!

!--- The next six route maps determine the server-to-network matching for NAT addresses.

route-map webserver-wireless-isp permit 10
 match ip address webserver-acl
 match interface FastEthernet0/0
!
route-map commserver-att permit 10
 match ip address commserver-acl
 match interface FastEthernet0/1
!
route-map commserver-wireless-isp permit 10
 match ip address commserver-acl
 match interface FastEthernet0/0
!
route-map webserver-att permit 10
 match ip address webserver-acl
 match interface FastEthernet0/1
!
route-map exchange-wireless-isp permit 10
 match ip address exchange-acl
 match interface FastEthernet0/0
!
route-map exchange-att permit 10
 match ip address exchange-acl
 match interface FastEthernet0/1
!

!--- These are the default NAT route-maps.  These are used for all traffic that is not covered
!--- by the above server route-maps.

route-map att-nap-map permit 10
 match ip address nat-list
 match interface FastEthernet0/1
!
route-map wireless-isp-nap-map permit 10
 match ip address nat-list
 match interface FastEthernet0/0
!
!
line con 0
line aux 0
line vty 0 4
!
end




Troubleshooting


It is possible to verify that everything is working correctly by looking at the NAT translation table.  Use the following commands:

 
show ip interface brief
show ip nat translations
show ip nat statistics
debug ip nat [list] [detailed]
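
The server route-maps above only work if each static NAT address belongs to the subnet of the ISP interface its route-map matches and stays clear of the overload pools. The Python check below is an added example, not part of the original article or any Cisco tool; the audit function and the SAMPLE excerpt are constructed here from the configuration lines shown above (Exchange and web server entries only).

```python
import ipaddress
import re

# Constructed excerpt of the configuration above: interfaces, NAT pools,
# static NAT entries and the "match interface" line of each route-map.
SAMPLE = """\
interface FastEthernet0/0
 ip address 172.16.0.194 255.255.255.240
interface FastEthernet0/1
 ip address 172.16.1.130 255.255.255.240
ip nat pool wireless-isp-pool 172.16.0.199 172.16.0.206 prefix-length 28
ip nat pool att-pool 172.16.1.136 172.16.1.142 prefix-length 28
ip nat inside source static 10.10.10.21 172.16.1.131 route-map exchange-att extendable
ip nat inside source static 10.10.10.22 172.16.1.132 route-map webserver-att extendable
ip nat inside source static 10.10.10.21 172.16.0.195 route-map exchange-wireless-isp extendable
ip nat inside source static 10.10.10.22 172.16.0.196 route-map webserver-wireless-isp extendable
route-map exchange-att permit 10
 match interface FastEthernet0/1
route-map webserver-att permit 10
 match interface FastEthernet0/1
route-map exchange-wireless-isp permit 10
 match interface FastEthernet0/0
route-map webserver-wireless-isp permit 10
 match interface FastEthernet0/0
"""

def audit(config):
    """Return findings; an empty list means every static NAT mapping is consistent."""
    subnets, rmap_if, pools, findings, name = {}, {}, [], [], None
    for line in config.splitlines():
        if m := re.match(r"(?:interface|route-map) (\S+)", line):
            name = m[1]  # section we are currently inside
        elif m := re.match(r" ip address (\S+) (\S+)", line):
            subnets[name] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r" match interface (\S+)", line):
            rmap_if[name] = m[1]
        elif m := re.match(r"ip nat pool (\S+) (\S+) (\S+)", line):
            pools.append((m[1], ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])))
    statics = re.findall(r"^ip nat inside source static (\S+) (\S+) route-map (\S+)", config, re.M)
    for inside, outside, rmap in statics:
        addr, iface = ipaddress.ip_address(outside), subnets.get(rmap_if.get(rmap))
        if iface is None:
            findings.append(f"{rmap}: route-map matches no addressed interface")
        elif addr not in iface.network:
            findings.append(f"{inside} -> {addr}: outside {iface.network} ({rmap})")
        findings += [f"{inside} -> {addr}: inside pool {p}" for p, lo, hi in pools if lo <= addr <= hi]
    return findings
```

Running audit on a saved copy of the running configuration before a change window catches a server address bound to the wrong ISP's route-map, which otherwise shows up only as one-way traffic in the translation table.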

Copyright © 2011 ENKI LLC