Friday, August 9, 2019

Troubleshooting IP routing of connected interfaces when ACLs and NAT are in use - need debug and/or command guidance.

I have a router with two ISPs: one primary ISP, and if it goes down (detected using IP SLA / tracking), the route changes over to the backup (satellite). There's a bunch of NAT statements on the primary ISP that map ports on the outside to an inside server, but when it fails over, I just want outbound internet to work until the primary ISP comes back up.

That function above works, but now I have added some dot1Q sub-interfaces on the inside: one for Guest WiFi, which is ACL-blocked from the other network (allowing the DNS servers only), one for security cameras, a testing subnet for misc future needs, a VoIP subnet, etc. This new sub-interface setup seems to be working in that all sub-interface networks can get out via NAT, but they aren't reliably talking internally between each other. E.g. 192.168.18.x/24 works, but if I try to get to a security camera subnet, 192.168.2.x/24, I'm getting limited traffic through: about 1-4% of PINGs work, but not the other 96+%... and this is on all of them, some with no ACLs on the sub-interface.

So, not wanting to have to clean up a whole config of specific info and post it for help, I do want to learn to troubleshoot this myself... I am looking for debug assistance.

I have found that the way IOS handles routing with NAT is that: "Q. Does NAT occur before or after routing? A. The order in which the transactions are processed using NAT is based on whether a packet is going from the inside network to the outside network or from the outside network to the inside network. Inside to outside translation occurs after routing, and outside to inside translation occurs before routing. Refer to NAT Order of Operation for more information." (Source: https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/26704-nat-faq-00.html)

So I expect that my locally connected networks should route before looking at NAT statements, right? With the presumption that my statement is correct, and realizing that "show ip route" shows me locally connected routes that should be routing traffic, I am thinking that it's probably NAT that is muddying the waters here. Is there a command that can show me not just the whole routing table, but what decisions, including NAT and ACLs, the router will make to get from subnet X to destination Y? What debug commands can I use to help here? "debug ip routing" didn't help, as I expect that is about routing protocols, not routing decisions... showing NAT translations is a HUGE table, and I'm not sure it helps compare NAT to routing, and it leaves out ACLs... right?
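To make the quoted order of operations concrete, here is an added example (not part of the original post, and not Cisco's code): a deliberately simplified Python model of one packet walking through a router in IOS order, inbound ACL first, then outside-to-inside static NAT before the route lookup, then the route lookup, then inside-to-outside translation only when the packet actually leaves through an "ip nat outside" interface. The topology, interface names, RFC 5737 documentation addresses, the guest ACL and the DNS server address are all constructed for the example. The point it illustrates is that traffic between two "ip nat inside" sub-interfaces is routed on the connected prefixes and never reaches the NAT rules, whereas traffic that routes to an outside interface is translated after the routing decision.

```python
"""Simplified model of the Cisco IOS NAT order of operations for one packet.

Constructed example: inbound ACL -> (outside->inside NAT) -> routing -> (inside->outside NAT).
Real IOS does far more (CEF, per-port static mappings, NAT ACLs, route-maps); this only
shows the ordering the quoted Cisco FAQ describes.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    name: str
    address: str                                   # interface IP, e.g. "192.168.18.1/24"
    nat_role: Optional[str] = None                 # "inside", "outside" or None
    acl_in: Optional[List[Tuple[str, str, str]]] = None  # ordered (action, src_prefix, dst_prefix)

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(self.address).network

    @property
    def ip(self) -> ipaddress.IPv4Address:
        return ipaddress.ip_interface(self.address).ip


@dataclass
class Router:
    interfaces: List[Interface]
    static_routes: List[Tuple[str, str]] = field(default_factory=list)      # (prefix, egress iface)
    nat_inside_source: List[Tuple[str, str]] = field(default_factory=list)  # (src prefix, outside iface), overload
    nat_static: List[Tuple[str, str]] = field(default_factory=list)         # (inside host, outside host)

    def iface(self, name: str) -> Interface:
        return next(i for i in self.interfaces if i.name == name)

    def route(self, dst: ipaddress.IPv4Address):
        """Longest-prefix match over connected networks plus static routes."""
        table = [(i.network, i) for i in self.interfaces]
        table += [(ipaddress.ip_network(p), self.iface(n)) for p, n in self.static_routes]
        matches = [(net, i) for net, i in table if dst in net]
        return max(matches, key=lambda m: m[0].prefixlen) if matches else None

    def acl_permits(self, iface: Interface, src, dst) -> bool:
        """First matching entry wins; an ACL with no match ends in implicit deny."""
        if iface.acl_in is None:
            return True
        for action, s, d in iface.acl_in:
            if src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d):
                return action == "permit"
        return False

    def trace(self, src_ip: str, dst_ip: str, ingress_name: str) -> Dict:
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        ingress = self.iface(ingress_name)
        result = {"verdict": "drop", "egress": None, "src": str(src), "dst": str(dst), "steps": []}
        steps = result["steps"]

        # 1. Inbound ACL on the ingress interface.
        if not self.acl_permits(ingress, src, dst):
            steps.append(f"inbound ACL on {ingress.name} denies {src} -> {dst}")
            return result
        steps.append(f"inbound ACL on {ingress.name} permits {src} -> {dst}")

        # 2. Outside -> inside translation happens BEFORE routing.
        if ingress.nat_role == "outside":
            for inside, outside in self.nat_static:
                if dst == ipaddress.ip_address(outside):
                    steps.append(f"outside->inside NAT before routing: dst {outside} -> {inside}")
                    dst = ipaddress.ip_address(inside)
                    break

        # 3. Route lookup on the (possibly translated) destination.
        hit = self.route(dst)
        if hit is None:
            steps.append(f"no route to {dst}")
            return result
        prefix, egress = hit
        steps.append(f"route lookup: {dst} matches {prefix} via {egress.name}")

        # 4. Inside -> outside translation happens AFTER routing, and only when the
        #    chosen egress is an 'ip nat outside' interface. Inside -> inside is never translated.
        if ingress.nat_role == "inside" and egress.nat_role == "outside":
            translated = False
            for inside, outside in self.nat_static:
                if src == ipaddress.ip_address(inside):
                    steps.append(f"inside->outside static NAT after routing: src {inside} -> {outside}")
                    src, translated = ipaddress.ip_address(outside), True
                    break
            if not translated:
                for s_prefix, out_name in self.nat_inside_source:
                    if src in ipaddress.ip_network(s_prefix) and out_name == egress.name:
                        steps.append(f"inside->outside overload NAT after routing: src {src} -> {egress.ip}")
                        src = egress.ip
                        break
        elif ingress.nat_role == "inside" and egress.nat_role == "inside":
            steps.append("inside->inside: NAT rules not consulted")

        result.update(verdict="forward", egress=egress.name, src=str(src), dst=str(dst))
        return result


def build_lab_router() -> Router:
    """Constructed topology loosely shaped like the post: two ISPs, several inside sub-interfaces."""
    guest_acl = [("permit", "192.168.50.0/24", "192.168.18.10/32"),   # DNS server only (constructed)
                 ("deny", "192.168.50.0/24", "192.168.0.0/16"),       # no other internal subnet
                 ("permit", "192.168.50.0/24", "0.0.0.0/0")]          # internet is fine
    return Router(
        interfaces=[
            Interface("Gi0/0", "203.0.113.2/29", "outside"),          # primary ISP (constructed)
            Interface("Gi0/1", "198.51.100.2/30", "outside"),         # satellite backup (constructed)
            Interface("Gi0/2.18", "192.168.18.1/24", "inside"),       # main LAN
            Interface("Gi0/2.2", "192.168.2.1/24", "inside"),         # security cameras
            Interface("Gi0/2.50", "192.168.50.1/24", "inside", guest_acl),  # guest WiFi
        ],
        static_routes=[("0.0.0.0/0", "Gi0/0")],                       # default via primary while tracking is up
        nat_inside_source=[("192.168.0.0/16", "Gi0/0"), ("192.168.0.0/16", "Gi0/1")],
        nat_static=[("192.168.18.10", "203.0.113.3")],                # published inside server (constructed)
    )


if __name__ == "__main__":
    r = build_lab_router()
    for flow in [("192.168.18.20", "192.168.2.30", "Gi0/2.18"),      # LAN -> cameras: routed, no NAT
                 ("192.168.18.20", "192.0.2.10", "Gi0/2.18"),         # LAN -> internet: NAT after routing
                 ("192.168.50.20", "192.168.2.30", "Gi0/2.50"),       # guest -> cameras: ACL deny
                 ("192.0.2.10", "203.0.113.3", "Gi0/0")]:             # internet -> server: NAT before routing
        t = r.trace(*flow)
        print(flow, "->", t["verdict"], t["egress"], t["src"], t["dst"])
        for s in t["steps"]:
            print("   ", s)
```

Moving `static_routes` to `("0.0.0.0/0", "Gi0/1")` in the model reproduces the failover case: outbound traffic is then translated to the satellite interface address after the route lookup, while inside-to-inside flows are unaffected either way. On a real IOS box the closest per-flow equivalents are `show ip cef exact-route <src> <dst>` for the forwarding decision, `show ip nat translations` filtered to one inside address, and `debug ip nat` or `debug ip packet <acl>` restricted with an ACL so only the one flow is logged; note that `debug ip packet` only reports process-switched packets, so CEF-switched traffic will not appear in it.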

Thanks in advance, and to clarify: I'm basically looking for guidance on what to look at to understand how to fix my own issue... I don't want to be one of those "here's my whole config, what did I miss" types... :-)
