Cisco – NAT on outside interface alternatives


I am struggling to configure some Cisco routers with NAT out of multiple outside interfaces. The interfaces are considered as alternatives: use the first one that works.

Question: what's the configuration for "NAT with the outside interface that you're routing out of"?

The equipment is a WAN of telemetry networks, each consisting of a Cisco 867VAE with a number of telemetry devices underneath. These per-site routers are connected to the internet on a variety of ADSL, Fibre+ONT, ethernet methods.

I am configuring them for a "backup route" mechanism, so that if the main link goes down, they can be connected temporarily to some network supporting DHCP. Then they reconnect and central staff, not on site, can figure out what to do. A critical part of the problem is that the site-visiting person doesn't know how (and isn't permitted) to change the Cisco config.

If it's plugged in and working, we want all traffic to go through isp1. If for some reason that's down, and isp2 is working and up, then use that. There is no load sharing, balancing or anything like that.

In the following image, any packet leaving dialer1 should have dialer1's PPP-assigned address; any packet leaving vlan1000 should have vlan1000's DHCP-assigned address.

      isp1       isp2
       |          |
  +----+----------+-----+
  | dialer1    vlan1000 |   outside
--|----------R8---------|--   NAT
  | vlan1               |   inside
  +---+-----------------+
      |
    telemetry units

A sample router is configured with

hostname R8

interface Dialer1
 description for adsl
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp chap hostname ...

interface FastEthernet3
 switchport access vlan 1000
 no ip address

interface Vlan1
 description main local address on default vlan
 ip address 192.168.8.1 255.255.255.0
 ip nat inside

interface Vlan1000
 description auto uplink
 ip address dhcp
 ip nat outside

ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 dhcp 10

All that works fine as described: we use dialer1 if it works, else vlan1000 if that works. The vlan1000 / fe3 config is just because the 867VAE doesn't have L3 ethernet ports.

The question is about NAT:

ip nat inside source list NATLIST interface Vlan1000 overload
ip access-list standard NATLIST
 permit 192.168.8.0 0.0.0.255

What I'm imagining is

ip nat inside source list NATLIST interface dialer1 overload
ip nat inside source list NATLIST interface Vlan1000 overload
ip access-list standard NATLIST
 permit 192.168.8.0 0.0.0.255

But of course you can't have multiple ip nat inside source NATLIST

EDIT: When the second one is added, it replaces the first. Am I missing something?

(Example here using two VLAN interfaces and list 10 per Ron's answer)

gwhqtun1#show run | include nat
 ip nat outside
 ip nat outside
ip nat inside source list 10 interface Vlan1000 overload
gwhqtun1#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
gwhqtun1(config)#ip nat inside source list 10 interface Vlan2000 overload
gwhqtun1(config)#exit
gwhqtun1#show run | include nat
 ip nat outside
 ip nat outside
ip nat inside source list 10 interface Vlan2000 overload

Cisco IOS Software, C860 Software (C860VAE-ADVSECURITYK9-M), Version 15.2(4)M3, RELEASE SOFTWARE (fc2)

Grateful for any suggestions, most especially if I've done something wrong or silly.

Best Answer

In this kind of setup, I always prefer route-map to access-list.

To my best knowledge, you are right that you cannot have multiple of the following lines. The last line (and only one) you apply will stay:

ip nat inside source list NATLIST interface Interface_#1 overload
ip nat inside source list NATLIST interface Interface_#2 overload

or

ip nat inside source route-map routemap_name interface Interface_#1 overload
ip nat inside source route-map routemap_name interface Interface_#2 overload

So the trick is to use different route-map (or access-list) names for different nat statements. Here are examples:

!
route-map ISP1 permit 10
 match ip address NATLIST
 match interface dialer1
!
route-map ISP2 permit 10
 match ip address NATLIST
 match interface vlan1000
!
ip nat inside source route-map ISP1 interface dialer1 overload
ip nat inside source route-map ISP2 interface vlan1000 overload
!

I hope it is helpful and you can make it work!
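As an added example (not code from the question or the answer), here is a small Python lint over IOS config text that catches the overwrite problem from the question (two `ip nat inside source` statements sharing one list or route-map name, of which IOS keeps only the last) and checks that each route-map based NAT statement has a `match interface` for the outside interface it is bound to. The two config strings are constructed from the snippets on this page.

```python
import re
from collections import defaultdict

# Constructed sample 1: the asker's intended config, two NAT rules on one ACL.
BAD_CONFIG = """\
ip nat inside source list NATLIST interface Dialer1 overload
ip nat inside source list NATLIST interface Vlan1000 overload
ip access-list standard NATLIST
 permit 192.168.8.0 0.0.0.255
"""
# Constructed sample 2: the answer's route-map version, one name per statement.
GOOD_CONFIG = """\
route-map ISP1 permit 10
 match ip address NATLIST
 match interface Dialer1
route-map ISP2 permit 10
 match ip address NATLIST
 match interface Vlan1000
ip nat inside source route-map ISP1 interface Dialer1 overload
ip nat inside source route-map ISP2 interface Vlan1000 overload
"""

NAT_RE = re.compile(r"^ip nat inside source (list|route-map) (\S+) interface (\S+) overload", re.I)
RM_RE = re.compile(r"^route-map (\S+) permit \d+", re.I)
MATCH_IF_RE = re.compile(r"^\s+match interface (\S+)", re.I)

def parse_route_maps(config):
    """Return {route-map name: set of lower-cased interfaces it matches on}."""
    maps, current = {}, None
    for line in config.splitlines():
        m = RM_RE.match(line)
        if m:
            current = m.group(1)
            maps.setdefault(current, set())
            continue
        m = MATCH_IF_RE.match(line)
        if m and current:
            maps[current].add(m.group(1).lower())
    return maps

def lint_nat(config):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings, seen = [], defaultdict(list)   # (kind, name) -> outside interfaces
    maps = parse_route_maps(config)
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        kind, name, outside = m.group(1).lower(), m.group(2), m.group(3)
        seen[(kind, name)].append(outside)
        if kind == "route-map":
            ifaces = maps.get(name)
            if ifaces is None:
                findings.append(f"route-map {name} referenced but not defined")
            elif outside.lower() not in ifaces:
                findings.append(f"route-map {name} does not 'match interface {outside}'")
    for (kind, name), outs in seen.items():
        if len(outs) > 1:   # IOS silently replaces the earlier statement
            findings.append(f"{kind} {name} used by {len(outs)} NAT statements "
                            f"({', '.join(outs)}); IOS keeps only the last one")
    return findings
```

Feed it the output of `show run` on a router; the same check also flags a route-map NAT statement whose route-map never matches the interface it is bound to, which would leave that path without translation.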
