Saturday, February 22, 2020

NAT with two outside interfaces

If you are connected to two ISPs and looking to use NAT, you might have discovered that with the “ip nat inside source” command you can only specify one outgoing interface. Since you have two outgoing interfaces, you’ll need to use a route-map to get this working. I will show you how to do this using the following topology:
[Figure: NAT Two Outside Interfaces topology]
Above we have a ‘host’ router that will be our client on the internal network. NAT is of course our NAT/PAT router and on the right we have two ISPs.

Configuration

Let’s configure the host first:
Host(config)#no ip routing 
Host(config)#ip default-gateway 192.168.12.2
First I will disable ip routing so it becomes an ordinary host device. We’ll configure the NAT router as the default gateway. Now we can configure the NAT router:
NAT(config)#ip route 0.0.0.0 0.0.0.0 192.168.23.3
NAT(config)#ip route 0.0.0.0 0.0.0.0 192.168.24.4
I create two static default routes with the same administrative distance, one pointing to ISP1 and one to ISP2, so the NAT router can load-balance between them.
To make these default routes reliable, I highly recommend configuring IP SLA with object tracking, so that a default route is only used while its ISP is reachable.
Both routes are installed in the routing table:
NAT#show ip route static 
S*   0.0.0.0/0 [1/0] via 192.168.24.4
               [1/0] via 192.168.23.3
With our routing operational, we can continue to configure NAT. First I’ll configure the correct inside and outside interfaces:
NAT(config)#interface fastEthernet 0/0
NAT(config-if)#ip nat inside

NAT(config)#interface fastEthernet 0/1
NAT(config-if)#ip nat outside            

NAT(config)#interface fastEthernet 1/0
NAT(config-if)#ip nat outside
The next step is to configure an access-list that determines which hosts should be translated. I'll make sure the entire 192.168.12.0/24 subnet is translated:
NAT(config)#access-list 1 permit 192.168.12.0 0.0.0.255
Now we can create the NAT rules and route-maps:
NAT(config)#ip nat inside source route-map ISP1 int fa 0/1 overload  
NAT(config)#ip nat inside source route-map ISP2 int fa 1/0 overload 

NAT(config)#route-map ISP1 permit 10
NAT(config-route-map)#match ip address 1
NAT(config-route-map)#match interface fastEthernet 0/1

NAT(config)#route-map ISP2 permit 10
NAT(config-route-map)#match ip address 1
NAT(config-route-map)#match interface fastEthernet 1/0
Each ISP has its own route-map. A packet is only translated by a rule when it matches both the access-list and the outgoing interface named in that route-map, so traffic leaving via FastEthernet 0/1 is translated to the address of FastEthernet 0/1 and traffic leaving via FastEthernet 1/0 to the address of FastEthernet 1/0.
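To make the route-map logic concrete, here is a small Python model of the NAT router's decision. It is an added illustration, not Cisco code and not part of the original post: an egress interface is chosen over the two equal default routes, and a route-map only translates when both its access-list clause and its "match interface" clause hold. The CRC hash standing in for CEF's per-destination load balancing and the translate_single_rule function (the single-interface "list" form ruled out in the introduction) are assumptions of this example.

```python
import ipaddress
import zlib

# Constructed model of the post's NAT router: outside interface -> (own address, ISP next hop)
OUTSIDE = {"FastEthernet0/1": ("192.168.23.2", "192.168.23.3"),   # towards ISP1
           "FastEthernet1/0": ("192.168.24.2", "192.168.24.4")}   # towards ISP2
ACL_1 = ipaddress.ip_network("192.168.12.0/24")   # access-list 1 permit 192.168.12.0 0.0.0.255
# route-map name -> (acl, interface) for its "match ip address" and "match interface" clauses
ROUTE_MAPS = {"ISP1": (ACL_1, "FastEthernet0/1"), "ISP2": (ACL_1, "FastEthernet1/0")}
# ip nat inside source route-map <name> interface <iface> overload
NAT_RULES = [("ISP1", "FastEthernet0/1"), ("ISP2", "FastEthernet1/0")]


def choose_egress(src, dst):
    """Pick one of the two equal default routes per source/destination pair.
    A CRC hash stands in for CEF's per-destination load balancing (assumption)."""
    ifaces = sorted(OUTSIDE)
    return ifaces[zlib.crc32(f"{src}->{dst}".encode()) % len(ifaces)]


def translate(src, dst, port, proto="icmp"):
    """Route-map form from the post: a rule only fires when the packet matches the
    ACL *and* leaves on the interface named in the route-map (AND of match clauses).
    Returns a row shaped like 'show ip nat translations', or None if nothing matched."""
    egress = choose_egress(src, dst)
    for rmap, nat_iface in NAT_RULES:
        acl, wanted_iface = ROUTE_MAPS[rmap]
        if ipaddress.ip_address(src) in acl and egress == wanted_iface:
            inside_global = OUTSIDE[nat_iface][0]
            return {"proto": proto, "inside_global": f"{inside_global}:{port}",
                    "inside_local": f"{src}:{port}", "outside": f"{dst}:{port}",
                    "egress": egress}
    return None


def translate_single_rule(src, dst, port, proto="icmp"):
    """The 'ip nat inside source list 1 interface FastEthernet0/1 overload' form: it can
    name only one interface, so the egress interface is never consulted (assumption)."""
    egress = choose_egress(src, dst)
    if ipaddress.ip_address(src) not in ACL_1:
        return None
    return {"proto": proto, "inside_global": f"{OUTSIDE['FastEthernet0/1'][0]}:{port}",
            "inside_local": f"{src}:{port}", "outside": f"{dst}:{port}", "egress": egress}


def mismatched(row):
    """True when the translated source is not the address of the interface the packet leaves on."""
    return row is not None and not row["inside_global"].startswith(OUTSIDE[row["egress"]][0] + ":")
```

Running translate for a range of destinations always yields an inside global address that belongs to the chosen egress interface, while translate_single_rule stamps ISP1's address on packets that leave towards ISP2.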

Verification

To see if it's working, we'll generate some traffic on the host. I'll enable debugging on the ISPs so we can see in real time what is going on:
ISP1#debug ip packet 
IP packet debugging is on
ISP2#debug ip packet 
IP packet debugging is on
Now let’s send some pings:
Host#ping 2.2.2.2    

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.U.U.
Success rate is 0 percent (0/5)
The IP address I'm pinging doesn't exist, but the packets will still end up at one of the ISPs because of the default routes on the NAT router. We can verify that the packets reached ISP1 and were translated:
ISP1#
IP: s=192.168.23.2 (FastEthernet0/0), d=2.2.2.2, len 100, unroutable
IP: tableid=0, s=192.168.23.3 (local), d=192.168.23.2 (FastEthernet0/0), routed via FIB
As you can see above, ISP1 received IP packets from source address 192.168.23.2. Let's send some more pings so that ISP2 also receives some traffic:
Host#ping 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
ISP2#
IP: s=192.168.24.2 (FastEthernet0/0), d=3.3.3.3, len 100, unroutable
IP: tableid=0, s=192.168.24.4 (local), d=192.168.24.2 (FastEthernet0/0), routed via FIB
And ISP2 receives traffic from source address 192.168.24.2. Even better, check the NAT translation table on the NAT router:
NAT#show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.23.2:5    192.168.12.1:5     2.2.2.2:5          2.2.2.2:5
icmp 192.168.24.2:6    192.168.12.1:6     3.3.3.3:6          3.3.3.3:6
Above you can see that traffic towards ISP1 has been translated to 192.168.23.2 and traffic towards ISP2 has been translated to 192.168.24.2.
Here you will find the final configuration of each device:

hostname Host
!
no ip routing
!
no ip cef
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
ip default-gateway 192.168.12.2
!
end

hostname ISP1
!
ip cef
!
interface FastEthernet0/0
 ip address 192.168.23.3 255.255.255.0
!
end

hostname ISP2
!
ip cef
!
interface FastEthernet0/0
 ip address 192.168.24.4 255.255.255.0
!
end

hostname NAT
!
ip cef
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/1
 ip address 192.168.23.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
!
interface FastEthernet1/0
 ip address 192.168.24.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
!
ip nat inside source route-map ISP1 interface FastEthernet0/1 overload
ip nat inside source route-map ISP2 interface FastEthernet1/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.23.3
ip route 0.0.0.0 0.0.0.0 192.168.24.4
!
access-list 1 permit 192.168.12.0 0.0.0.255
!
route-map ISP2 permit 10
 match ip address 1
 match interface FastEthernet1/0
!
route-map ISP1 permit 10
 match ip address 1
 match interface FastEthernet0/1
!
end

That's all I wanted to show you. I hope this has been helpful for configuring NAT with two outside interfaces. If you have any questions, feel free to ask!
