This is for the more hard core Cisco IOS users:
With multi-homed BGP you can let your router fail over between Internet service providers. You can track their availability with IP SLA, or simply let BGP do its thing. The thing that had my noodle cooked, however, was this: IF my router decides to route to the Internet via another ISP router, how do I make NAT fail over to the new interface without manual intervention? Simply creating 2 NAT statements and hoping that IOS will pick the right one will not work.
For this scenario there is that wonderful glue technology, "route-maps", which lets you break every rule in the book. In the configuration below I am not going to bore you with tedious pictures or the full BGP and NAT commands (I can send them to you if you want, but it's a standard setup); instead I am just going to focus on one question: how do I fail over NAT?!
The interfaces on my Border router:
interface Ethernet0/1
description link to ISP1
ip address 209.165.200.5 255.255.255.248
ip nat outside
!
interface Ethernet0/2
description link to ISP2
ip address 209.165.201.5 255.255.255.248
ip nat outside
And the internal address:
interface Ethernet0/0
description link to DSW
ip address 10.1.0.7 255.255.255.0
ip nat inside
The BGP configuration to the ISPs:
router bgp 65000
bgp log-neighbor-changes
neighbor 209.165.200.6 remote-as 65111
neighbor 209.165.201.6 remote-as 65222
(note: the ISP BGP routers inject a default route with "default-information originate")
And now.. for the NAT part, first the obligatory ACL:
ip access-list standard nat-acl
permit 10.0.10.0 0.0.0.255
permit 10.0.20.0 0.0.0.255
permit 10.0.30.0 0.0.0.255
The overload statements.. with a twist:
ip nat inside source route-map ISP1 interface Ethernet0/1 overload
ip nat inside source route-map ISP2 interface Ethernet0/2 overload
And the Magic at work:
route-map ISP2 permit 10
match ip address nat-acl
match interface Ethernet0/2
!
route-map ISP1 permit 10
match ip address nat-acl
match interface Ethernet0/1
So… if my router prefers the E0/1 interface for default routing (towards ISP1), route-map ISP1 matches in the first NAT statement and that activates the NAT configuration for ISP1.
If, however, my router prefers the E0/2 interface (maybe ISP1 is unreachable), the packet matches route-map ISP2 instead and NAT fails over to the second NAT statement. Works like a charm!
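To show why "match interface" does the trick, here is a small Python model of what the router does for an inside-to-outside packet. It is an added illustration, not part of the original post and not Cisco code: it assumes the documented IOS order of operations for inside-to-outside traffic (route the packet first, then translate), which is what lets the route-map see the egress interface. The ACL, interfaces, route-maps and NAT rules mirror the config above; the two routing tables (RIB_ISP1_UP, RIB_ISP1_DOWN), the 10.0.0.0/8 route via Ethernet0/0 and the test addresses are constructed for the example.

```python
import ipaddress

# Constructed model of the post's configuration; names mirror the IOS config.

# ip access-list standard nat-acl: (network, wildcard mask) in order
NAT_ACL = [
    ("10.0.10.0", "0.0.0.255"),
    ("10.0.20.0", "0.0.0.255"),
    ("10.0.30.0", "0.0.0.255"),
]

# "ip nat outside" interfaces and the address that "overload" translates to
OUTSIDE = {"Ethernet0/1": "209.165.200.5", "Ethernet0/2": "209.165.201.5"}

# route-map NAME permit 10 with "match ip address <acl>" and "match interface <if>"
ROUTE_MAPS = {
    "ISP1": {"acl": NAT_ACL, "interface": "Ethernet0/1"},
    "ISP2": {"acl": NAT_ACL, "interface": "Ethernet0/2"},
}

# ip nat inside source route-map <rm> interface <if> overload, in config order
NAT_RULES = [("ISP1", "Ethernet0/1"), ("ISP2", "Ethernet0/2")]

# Constructed routing tables {prefix: egress interface}: the first with the
# BGP default learned from ISP1, the second after ISP1 disappears.
RIB_ISP1_UP = {
    "0.0.0.0/0": "Ethernet0/1",
    "10.0.0.0/8": "Ethernet0/0",
    "209.165.200.0/29": "Ethernet0/1",
    "209.165.201.0/29": "Ethernet0/2",
}
RIB_ISP1_DOWN = {
    "0.0.0.0/0": "Ethernet0/2",
    "10.0.0.0/8": "Ethernet0/0",
    "209.165.201.0/29": "Ethernet0/2",
}


def acl_permits(acl, src):
    """Standard ACL semantics: address bits under a 1 in the wildcard are ignored."""
    ip = int(ipaddress.IPv4Address(src))
    for network, wildcard in acl:
        net = int(ipaddress.IPv4Address(network))
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
        if ip & care == net & care:
            return True
    return False  # implicit deny at the end of every ACL


def route_map_matches(name, src, egress):
    """A permit entry only matches when every match clause is satisfied."""
    rm = ROUTE_MAPS[name]
    return acl_permits(rm["acl"], src) and rm["interface"] == egress


def egress_interface(rib, dst):
    """Longest-prefix match: the interface the packet would leave through."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix, iface in rib.items():
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def translate(rib, src, dst):
    """Inside-to-outside: route first, then use the first NAT rule whose
    route-map permits the packet. Returns the translated source address,
    or None when no rule applies and the packet leaves untranslated."""
    egress = egress_interface(rib, dst)
    for rm_name, out_iface in NAT_RULES:
        if route_map_matches(rm_name, src, egress):
            return OUTSIDE[out_iface]
    return None


if __name__ == "__main__":
    for label, rib in (("ISP1 preferred", RIB_ISP1_UP),
                       ("ISP1 gone, ISP2 preferred", RIB_ISP1_DOWN)):
        print(label, "->", translate(rib, "10.0.10.25", "198.51.100.7"))
```

Two things the model leaves out that matter on a real box: translations already in the table when the default route flips were built with the old outside address, so those sessions break and the entries linger until they time out or you run "clear ip nat translation *"; and a source that is not in nat-acl (the DSW link address 10.1.0.7 here) is forwarded without translation. "show ip nat translations" after a failover is the quickest way to confirm new flows are using the other interface's address.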
Credit is due to this webpage, where I got the idea from!
Dual Internet connections in active/standby mode without BGP