"nat server" with 2 ISPs on AR router

Created Apr 21, 2013 20:10:06 | Latest reply Sep 28, 2018 18:47:58

We have a network with 2 internet IP providers:

#
interface GigabitEthernet0/0/2.3   <---- ISP 1 ---->
 dot1q termination vid 4
 ip address 80.211.123.34 255.255.255.224
 arp broadcast enable
 undo ip fast-forwarding enable
 nat server protocol tcp global 80.211.123.37 ftp inside 192.168.0.19 ftp
 nat server protocol tcp global 80.211.123.37 www inside 192.168.0.17 8888
 nat server protocol udp global 80.211.123.37 3055 inside 192.168.0.26 3055
 nat server protocol tcp global 80.211.123.38 443 inside 192.168.0.23 443
 nat server protocol tcp global 80.211.123.38 3283 inside 192.168.0.4 3283
 nat server protocol udp global 80.211.123.38 4500 inside 192.168.0.4 4500
 nat server protocol udp global 80.211.123.38 5353 inside 192.168.0.4 5353
 nat server protocol tcp global 80.211.123.38 5453 inside 192.168.0.4 5453
 nat server protocol tcp global 80.211.123.38 65023 inside 192.168.0.4 22
 nat server protocol tcp global 80.211.123.38 65024 inside 192.168.0.4 5900
 nat server protocol tcp global 80.211.123.38 3389 inside 192.168.1.15 3389
 nat server protocol tcp global 80.211.123.50 1723 inside 192.168.11.189 1723
 nat server protocol tcp global 80.211.123.50 443 inside 192.168.11.189 443
 nat server protocol udp global current-interface 10000 inside 192.168.0.8 10000
 nat server protocol tcp global current-interface 20 inside 192.168.0.17 20
 nat server protocol tcp global current-interface ftp inside 192.168.0.17 ftp
 nat server protocol tcp global current-interface 22 inside 192.168.0.9 22
 nat server protocol tcp global current-interface smtp inside 192.168.0.9 smtp
 nat server protocol tcp global current-interface www inside 192.168.1.22 www
 nat server protocol tcp global current-interface pop3 inside 192.168.0.15 pop3
 nat server protocol tcp global current-interface 143 inside 192.168.0.15 143
 nat server protocol tcp global current-interface 443 inside 192.168.0.15 443
 nat server protocol tcp global current-interface 1024 inside 192.168.0.6 22
 nat server protocol tcp global current-interface 3389 inside 192.168.0.134 3389
 nat server protocol tcp global current-interface 5000 inside 192.168.20.202 4001
 nat server protocol tcp global current-interface 10000 inside 192.168.0.8 10000
 nat server protocol tcp global current-interface 4443 inside 192.168.0.17 4443
 nat server global 80.211.123.51 inside 192.168.19.199
 nat server global 80.211.123.35 inside 192.168.0.10
 nat server global 80.211.123.36 inside 192.168.0.11
 nat outbound 2100

#
interface GigabitEthernet0/0/2.2   <---- ISP 2 ---->
 dot1q termination vid 3
 ip address 84.26.134.78 255.255.255.240
 arp broadcast enable
 undo ip fast-forwarding enable
 nat server protocol tcp global current-interface 3389 inside 192.168.1.6 3389
 nat server protocol tcp global 84.26.134.67 sunrpc inside 192.168.11.22 3389
 nat server global 84.26.134.69 inside 192.168.19.199
 nat static enable
#


Default gateway set to ISP 1.

If I try to use port translation, e.g. I try to connect with mstsc to 84.26.134.78:3389, the connection fails. If I try to use a translation from ISP 1, it works!


What should I write in the config so that port translation works on the ISP 2 connection, namely so that an inbound connection via ISP 2 returns through the same connection without using the default gateway?


A more detailed scheme is in the attachment.

Thank you for your help! It's very important.
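To make the failure in the question concrete, here is an added example (not code from the thread or from Huawei) that models the poster's two uplinks with a longest-prefix-match lookup and the two 3389 nat server entries. It shows why a client entering through ISP 2 gets its reply routed out of ISP 1 by the default route, why the moderator's /32 static route only helps for that one client, and what a session-aware return (reply leaves where the connection entered) would give instead. The ISP 1 gateway address and the client address 203.0.113.5 are assumptions.

```python
import ipaddress

# Constructed model of the poster's AR router. Prefixes and nat server mappings are from the
# thread; the Internet client 203.0.113.5 is an assumed value for the example.
ROUTES = [
    (ipaddress.ip_network("80.211.123.32/27"), "GigabitEthernet0/0/2.3"),  # ISP 1, connected
    (ipaddress.ip_network("84.26.134.64/28"), "GigabitEthernet0/0/2.2"),   # ISP 2, connected
    (ipaddress.ip_network("192.168.0.0/16"), "LAN"),
    (ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet0/0/2.3"),         # default gateway = ISP 1
]
# nat server entries: (ingress interface, global address, protocol, global port) -> inside host
NAT_SERVER = {
    ("GigabitEthernet0/0/2.2", "84.26.134.78", "tcp", 3389): ("192.168.1.6", 3389),
    ("GigabitEthernet0/0/2.3", "80.211.123.38", "tcp", 3389): ("192.168.1.15", 3389),
}

def lookup(dst, routes=ROUTES):
    """Longest-prefix match: the egress interface plain routing picks for dst (None if no route)."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, iface) for net, iface in routes if addr in net]
    return max(matches)[1] if matches else None

def with_static_route(client, iface, routes=ROUTES):
    """The moderator's suggestion: a host route for one specific client toward the other ISP."""
    return routes + [(ipaddress.ip_network(client + "/32"), iface)]

def session_reply_interface(ingress, client, global_ip, proto, dport, pin_to_ingress, routes=ROUTES):
    """Return (inside host, interface the reply leaves on), or None if no nat server entry matches.

    pin_to_ingress=False reproduces what the poster sees: the reply is routed by the FIB alone.
    pin_to_ingress=True models a session-aware router that sends the reply back where it entered."""
    inside = NAT_SERVER.get((ingress, global_ip, proto, dport))
    if inside is None:
        return None
    reply_iface = ingress if pin_to_ingress else lookup(client, routes)
    return inside, reply_iface

def is_asymmetric(ingress, reply_iface):
    """True when the reply leaves on a different uplink than the request entered on."""
    return reply_iface != ingress

if __name__ == "__main__":
    client = "203.0.113.5"
    for ingress, gip in (("GigabitEthernet0/0/2.3", "80.211.123.38"),
                         ("GigabitEthernet0/0/2.2", "84.26.134.78")):
        inside, out = session_reply_interface(ingress, client, gip, "tcp", 3389, pin_to_ingress=False)
        print(f"{gip}:3389 -> {inside[0]}: in {ingress}, reply out {out}, "
              f"asymmetric={is_asymmetric(ingress, out)}")
    print("with /32 static route:", lookup(client, with_static_route(client, "GigabitEthernet0/0/2.2")))
    print("any other client still uses:", lookup("198.51.100.9", with_static_route(client, "GigabitEthernet0/0/2.2")))
```

The asymmetric case is the one a stateful peer (or the poster's mstsc client) drops, because the SYN-ACK arrives from an address and path it never sent to.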


StarOfWest  Moderator   Created Apr 22, 2013 16:44:47

I believe that the problem lies in the routing table, because you have a default route pointing to one gateway.

Maybe you need to add another static route pointing to the second gateway for a specific IP destination.

 

You might also need to contact TAC about this problem:

http://support.huawei.com/enterprise/NewsReadAction.action?contentId=NEWS1000000563

 


kkudryavtsev     Created Apr 22, 2013 17:01:22

Reply to #2

But we don't need a route to ISP 2, because IP packets will sometimes go to ISP 2 over this route.

For example, in Cisco this problem is solved via NVI.


StarOfWest  Moderator   Created Apr 22, 2013 17:15:03

 

Frankly, I've never heard about NVI from Cisco, but reading the whitepaper reminded me of a Huawei scenario that is meant for an overlapping VPN scenario. Below is the description; maybe it can help you.


Context

If the external addresses of internal hosts overlap with addresses of external hosts, twice NAT can be configured. The overlapping addresses are replaced with temporary addresses and then translated by NAT so that the internal and external hosts can access each other.

· An overlapping address pool specifies which internal IP addresses can overlap with public IP addresses. Twice NAT is performed only on the addresses in the overlapping address pool.

· A temporary address pool specifies which temporary IP addresses can replace addresses in the overlapping address pool.

Procedure

1. Run:

system-view

The system view is displayed.

2. Run:

nat overlap-address map-index overlappool-startaddress temppool-startaddress pool-length length [ inside-vpn-instance inside-vpn-instance-name ]

The mapping between the overlapping address pool and the temporary address pool is configured.

NOTE:

· A maximum of 255 addresses can be configured in the overlapping address pool and the temporary address pool.

· When the VPN instance specified in the command is deleted, the configuration of twice NAT is also deleted.

 


kkudryavtsev     Created Apr 22, 2013 17:32:26

Reply to #4

I tried to write this command. Is it correct?

nat overlap-address 1 84.26.134.74 192.168.0.234 pool-length 1

But it did not help.


And what if on the GE2.2 interface I wrote

nat server global 85.26.134.74 inside 192.168.19.199


faysalji  Novice   Created Sep 28, 2018 18:47:58

Hope your issue was resolved.