
Sunday, March 23, 2014

Cisco PBR with multiple NAT



In the following lab I will demonstrate how to use PBR (Policy-Based Routing) with 3 different exit points (next-hops) and NAT the source IP according to the exit point taken.

Here is the network topology:

 
R5 is a host on our LAN (network 192.168.0.0/24) while R1 is the gateway for this network.

When R5 tries to reach R7 (192.168.71.1) with ICMP it will exit through R2, when trying to reach R7 on port 80 it will exit through R3, and when using telnet it will exit through R4. The NAT is applied according to the exit point: when going through R2 the source becomes 10.1.12.1, through R3 it becomes 10.1.13.1, and through R4 it becomes 10.1.14.1.

Using this scenario we can load-balance certain traffic types through different upstream providers according to our demands (next-hop verification and redundancy can be added, but I skipped these issues in this post).

R5 (relevant) configuration:

interface FastEthernet0/0
 ip address 192.168.0.5 255.255.255.0
 speed 100
 full-duplex
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1

Note that R2, R3, R4 and R7 are running OSPF between them.

R2 (relevant) configuration:

interface FastEthernet0/0
 ip address 10.1.12.2 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 172.16.0.2 255.255.255.0
 speed 100
 full-duplex
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0

R3 (relevant) configuration:

interface FastEthernet0/0
 ip address 10.1.13.3 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 172.16.0.3 255.255.255.0
 speed 100
 full-duplex
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0

R4 (relevant) configuration:

interface FastEthernet0/0
 ip address 10.1.14.4 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 172.16.0.4 255.255.255.0
 speed 100
 full-duplex
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0

R7 (relevant) configuration:

interface Loopback1
 ip address 192.168.71.1 255.255.255.0
 ip ospf network point-to-point
!
interface Loopback2
 ip address 192.168.72.1 255.255.255.0
 ip ospf network point-to-point
!
interface Loopback3
 ip address 192.168.73.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.0.7 255.255.255.0
 speed 100
 full-duplex
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip http server

And R1 basic configuration:

interface FastEthernet1/0
 ip address 192.168.0.1 255.255.255.0
 duplex full
 speed 100
!
interface FastEthernet1/1
 ip address 10.1.12.1 255.255.255.0
 duplex full
 speed 100
!
interface FastEthernet2/0
 ip address 10.1.13.1 255.255.255.0
 duplex full
 speed 100
!
interface FastEthernet2/1
 ip address 10.1.14.1 255.255.255.0
 duplex full
 speed 100
!
ip route 0.0.0.0 0.0.0.0 10.1.12.2

Now let's start configuring R1. First create the access-lists that match the traffic the PBR should act on; in my example I want to match HTTP and telnet traffic:

ip access-list extended ACL_PBR_HTTP
 permit tcp 192.168.0.0 0.0.0.255 any eq www
 deny   ip any any
!
ip access-list extended ACL_PBR_TELNET
 permit tcp 192.168.0.0 0.0.0.255 any eq telnet
 deny   ip any any
!

Then configure the PBR route-map:

route-map RM_PBR permit 10
 match ip address ACL_PBR_HTTP
 set ip next-hop 10.1.13.3
!
route-map RM_PBR permit 20
 match ip address ACL_PBR_TELNET
 set ip next-hop 10.1.14.4
!
route-map RM_PBR deny 999
!

With this route-map all HTTP traffic is sent to next-hop 10.1.13.3 and all telnet traffic to next-hop 10.1.14.4. All other traffic that the route-map did not catch is forwarded by the normal routing table, in this case to 10.1.12.2 (the default route). Note that the deny entries in the ACLs and the final deny 999 sequence do not drop packets; in a PBR route-map a deny only means "do not policy-route this packet", so it falls back to normal routing.

Configure the PBR under the LAN interface:

interface FastEthernet1/0
 ip address 192.168.0.1 255.255.255.0
 ip virtual-reassembly in
 ip policy route-map RM_PBR
 duplex full
 speed 100
!

Now configure NAT inside on Fa1/0 (LAN interface) and NAT outside on Fa1/1, Fa2/0 and Fa2/1 (WAN interfaces):

interface FastEthernet1/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map RM_PBR
 duplex full
 speed 100
!
interface FastEthernet1/1
 ip address 10.1.12.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
!
interface FastEthernet2/0
 ip address 10.1.13.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
!
interface FastEthernet2/1
 ip address 10.1.14.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
!

Now configure 3 route-maps for NAT, one per WAN interface, so the NAT statements can be distinguished by the egress interface:

route-map RM_NAT_R4 permit 10
 match interface FastEthernet2/1
!
route-map RM_NAT_R2 permit 10
 match interface FastEthernet1/1
!
route-map RM_NAT_R3 permit 10
 match interface FastEthernet2/0
!

These route-maps ensure that every packet leaving through a specific interface is translated to the outside NAT IP address of that interface.

And last, configure the NAT statements:

ip nat inside source route-map RM_NAT_R2 interface FastEthernet1/1 overload
ip nat inside source route-map RM_NAT_R3 interface FastEthernet2/0 overload
ip nat inside source route-map RM_NAT_R4 interface FastEthernet2/1 overload
!

Now let’s check:

R5#ping 192.168.71.1

Result:


R5#telnet 192.168.71.1

Result:



R5#telnet 192.168.71.1 80

Result:



When R5 pings 192.168.71.1 it arrives with source IP 10.1.12.1, when using HTTP it arrives with 10.1.13.1, and when using telnet it arrives with 10.1.14.1.
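To make the decision path explicit, here is an added Python model of R1's policy (an example written for this write-up, not IOS code and not from the original post). It walks a packet through the ACLs, the RM_PBR sequences, the fall-back to the default route, and finally the interface-based NAT route-maps, using the addresses and names from the configuration above; the table layout and helper names are my own assumptions.

```python
import ipaddress

# Constructed model of R1's configuration from this post (hypothetical data layout).
# ACL entries: (action, protocol, source network, destination port)
ACLS = {
    "ACL_PBR_HTTP":   [("permit", "tcp", "192.168.0.0/24", 80)],
    "ACL_PBR_TELNET": [("permit", "tcp", "192.168.0.0/24", 23)],
}
# route-map RM_PBR sequences: (seq, action, match ACL, set ip next-hop)
# The deny 999 sequence has no match clause, so it catches everything left.
RM_PBR = [
    (10,  "permit", "ACL_PBR_HTTP",   "10.1.13.3"),
    (20,  "permit", "ACL_PBR_TELNET", "10.1.14.4"),
    (999, "deny",   None,             None),
]
DEFAULT_ROUTE = "10.1.12.2"   # ip route 0.0.0.0 0.0.0.0 10.1.12.2
# Connected networks on R1: subnet -> (outside interface, its address used for NAT overload)
CONNECTED = {
    "10.1.12.0/24": ("FastEthernet1/1", "10.1.12.1"),
    "10.1.13.0/24": ("FastEthernet2/0", "10.1.13.1"),
    "10.1.14.0/24": ("FastEthernet2/1", "10.1.14.1"),
}
# ip nat inside source route-map <map> interface <outside> overload (match interface)
RM_NAT = {"FastEthernet1/1": "RM_NAT_R2",
          "FastEthernet2/0": "RM_NAT_R3",
          "FastEthernet2/1": "RM_NAT_R4"}


def acl_permits(acl_name, proto, src, dport):
    """True only if an explicit permit entry matches; anything else is a deny."""
    for action, p, net, port in ACLS[acl_name]:
        if p == proto and port == dport and ipaddress.ip_address(src) in ipaddress.ip_network(net):
            return action == "permit"
    return False


def pbr_next_hop(proto, src, dport):
    """Evaluate RM_PBR top-down; a deny sequence means 'route normally', not 'drop'."""
    for _seq, action, acl, next_hop in RM_PBR:
        if acl is None or acl_permits(acl, proto, src, dport):
            return next_hop if action == "permit" else DEFAULT_ROUTE
    return DEFAULT_ROUTE   # implicit deny at the end of a route-map


def forward(proto, src, dport=None):
    """Return the next-hop, egress interface, NAT route-map and translated source."""
    next_hop = pbr_next_hop(proto, src, dport)
    for net, (ifname, nat_ip) in CONNECTED.items():
        if ipaddress.ip_address(next_hop) in ipaddress.ip_network(net):
            return {"next_hop": next_hop, "interface": ifname,
                    "nat_map": RM_NAT[ifname], "nat_src": nat_ip}
    raise LookupError(f"no connected route to next-hop {next_hop}")
```

Running forward("icmp", "192.168.0.5"), forward("tcp", "192.168.0.5", 80) and forward("tcp", "192.168.0.5", 23) reproduces the three checks above, and a source outside 192.168.0.0/24 shows why the ACL source match matters: it never gets policy-routed.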