NAT Configuration

So far, we have finished the configuration of R-NAT, R1 and R2. Let’s continue and complete the configuration of the remaining devices in our topology (Diagram 1). We’ll start with the ASA configuration.

ASA Configuration

The Cisco Adaptive Security Appliance (ASA) protects the inside network and the DMZ. As this guide focuses on a multihoming configuration using BGP, we only cover the basic ASA configuration: the access-lists that allow BGP between the peers in all directions. To protect the enterprise network from advanced threats, application layer protocol inspection should be configured in addition to the access-lists.

ASA-1 Configuration

interface GigabitEthernet0/0
 description Link to CE-1
 nameif OUTSIDE
 security-level 0
 ip address 193.0.0.6 255.255.255.252 

interface GigabitEthernet0/1
 description Link to R1
 nameif INSIDE
 security-level 100
 ip address 193.0.0.9 255.255.255.252 

interface GigabitEthernet0/2
 description Link to DMZ
 nameif DMZ   
 security-level 50
 ip address 195.0.1.1 255.255.255.0

Router R1 can initiate a TCP connection to CE-1 (193.0.0.5) on destination TCP port 179 because R1 is connected to the interface Gi0/1 of the ASA, configured with security level 100, and traffic from a higher to a lower security level is permitted by default; the ASA tracks the connection state, so the replies from CE-1 are allowed back in. Therefore, R1 can establish an iBGP adjacency with CE-1. However, a BGP session may also be opened by CE-1, so we need an access-list (ACL1) that permits a TCP connection from CE-1 (outside) to R1 (inside), destination IP address 193.0.0.10 and TCP port 179. As the interface Gi0/0 is configured with security level 0, we also need a rule that permits traffic from CE-1 to the DMZ router (195.0.1.3), destination TCP port 179. This statement permits traffic from the interface Gi0/0 with security level 0 to the interface Gi0/2 with the higher security level 50, so CE-1 can initiate a TCP connection to the DMZ router. Everything else arriving on the outside interface is dropped by the implicit deny at the end of ACL1.

access-list ACL1 extended permit tcp host 193.0.0.5 host 193.0.0.10 eq bgp 
access-list ACL1 extended permit tcp host 193.0.0.5 host 195.0.1.3 eq bgp

ACL1 is applied on the outside interface (Gi0/0) in the inbound direction.

access-group ACL1 in interface OUTSIDE

ACL2 contains a rule that permits TCP traffic from the interface Gi0/2, connected to the DMZ and configured with security level 50, to the interface Gi0/1 with level 100, destination IP 193.0.0.10 and TCP port 179 (BGP). Note that once an access-group is applied to the DMZ interface, the security-level default no longer applies to traffic arriving there: ACL2 ends with an implicit deny, so the DMZ router cannot initiate the BGP session to CE-1 itself (the session still comes up because ACL1 lets CE-1 initiate it), and any other connection the DMZ has to originate, towards the inside or the Internet, must be permitted explicitly.

access-list ACL2 extended permit tcp host 195.0.1.3 host 193.0.0.10 eq bgp

ACL2 is applied on the DMZ interface (Gi0/2) in the inbound direction.

access-group ACL2 in interface DMZ
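To see how the two access-groups and the three security levels combine for each peer on this page, here is a small model of the ASA-1 admission decision. It is an added example written for this guide, not Cisco software; it models only first-match inbound ACLs with an implicit deny, the rule that an applied access-group replaces the security-level default for that interface, and the higher-to-lower default where no ACL is applied. Stateful return traffic, NAT and inspection are outside the model, and the host-to-interface table is constructed from the addressing above.

```python
"""Model of how ASA-1 admits a new TCP connection under the interface ACLs and
security levels configured on this page.  Added example, not Cisco software."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One 'access-list ... extended permit tcp host SRC host DST eq PORT' line."""
    src: str
    dst: str
    dport: int


BGP = 179

SEC_LEVEL = {"OUTSIDE": 0, "INSIDE": 100, "DMZ": 50}

# Which ASA-1 interface each peer on the page sits behind (constructed table).
HOST_IF = {
    "193.0.0.5": "OUTSIDE",   # CE-1
    "193.0.0.10": "INSIDE",   # R1
    "195.0.1.3": "DMZ",       # DMZ router
}

# access-list ACL1 / ACL2 exactly as configured on ASA-1.
ACLS = {
    "ACL1": [Ace("193.0.0.5", "193.0.0.10", BGP), Ace("193.0.0.5", "195.0.1.3", BGP)],
    "ACL2": [Ace("195.0.1.3", "193.0.0.10", BGP)],
}
# access-group <acl> in interface <nameif>; INSIDE has no inbound ACL.
ACCESS_GROUP_IN = {"OUTSIDE": "ACL1", "DMZ": "ACL2"}


def admit(src, dst, dport):
    """Decide whether ASA-1 lets host src open a TCP connection to dst:dport.
    Returns (permitted, reason)."""
    ingress, egress = HOST_IF[src], HOST_IF[dst]
    if ingress == egress:
        raise ValueError("intra-interface traffic is not modeled here")
    acl_name = ACCESS_GROUP_IN.get(ingress)
    if acl_name is not None:
        # An applied access-group replaces the security-level default for
        # this interface: first match wins, and the list ends in implicit deny.
        for ace in ACLS[acl_name]:
            if (ace.src, ace.dst, ace.dport) == (src, dst, dport):
                return True, f"{acl_name}: permit tcp host {src} host {dst} eq {dport}"
        return False, f"{acl_name}: implicit deny"
    # No inbound ACL: higher -> lower security permitted, lower -> higher denied.
    if SEC_LEVEL[ingress] > SEC_LEVEL[egress]:
        return True, f"no ACL on {ingress}; security level {SEC_LEVEL[ingress]} > {SEC_LEVEL[egress]}"
    return False, f"no ACL on {ingress}; security level {SEC_LEVEL[ingress]} <= {SEC_LEVEL[egress]}"


def bgp_session_possible(a, b):
    """A TCP/179 session comes up if either peer can open it; the side that
    cannot initiate still gets its return traffic through the stateful ASA."""
    return admit(a, b, BGP)[0] or admit(b, a, BGP)[0]


def report():
    """Evaluate the flows relevant to the BGP design on this page."""
    flows = [
        ("193.0.0.5", "193.0.0.10", BGP),   # CE-1 -> R1, BGP
        ("193.0.0.10", "193.0.0.5", BGP),   # R1 -> CE-1, BGP
        ("193.0.0.5", "193.0.0.10", 22),    # CE-1 -> R1, SSH
        ("193.0.0.5", "195.0.1.3", BGP),    # CE-1 -> DMZ router, BGP
        ("195.0.1.3", "193.0.0.5", BGP),    # DMZ router -> CE-1, BGP
        ("195.0.1.3", "193.0.0.10", BGP),   # DMZ router -> R1, BGP
    ]
    return {f: admit(*f) for f in flows}


if __name__ == "__main__":
    for (src, dst, port), (ok, why) in report().items():
        print(f"{src:>11} -> {dst:>11}:{port:<4} {'permit' if ok else 'deny  '} ({why})")
```

Running it shows the point made above: CE-1 to R1 on port 179 passes ACL1 while CE-1 to R1 on port 22 hits the implicit deny, R1 to CE-1 passes without any ACL because of the security levels, and the DMZ router to CE-1 is denied by ACL2 even though 50 is higher than 0; the CE-1 to DMZ session still forms because CE-1 can initiate it.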

ASA-1 does not participate in OSPF, so static routes are needed to forward traffic to the subnets behind the Gi0/1 interface: the NAT pools 193.0.1.0/24 (ISP-A) and 194.0.1.0/24 (ISP-B), and the subnet 193.0.0.12/30, all reachable via the next-hop IP address 193.0.0.10 (R1). The default route for outbound traffic to the Internet points to the next-hop 193.0.0.5 (CE-1).

route INSIDE 193.0.1.0 255.255.255.0 193.0.0.10
route INSIDE 194.0.1.0 255.255.255.0 193.0.0.10
route INSIDE 193.0.0.12 255.255.255.252 193.0.0.10
route OUTSIDE 0.0.0.0 0.0.0.0 193.0.0.5

ASA-2 Configuration

interface GigabitEthernet0/0
 description Link to CE-2
 nameif OUTSIDE
 security-level 0
 ip address 194.0.0.6 255.255.255.252 

interface GigabitEthernet0/1
 description Link to R2
 nameif INSIDE
 security-level 100
 ip address 194.0.0.9 255.255.255.252 

interface GigabitEthernet0/2
 description Link to DMZ
 nameif DMZ   
 security-level 50
 ip address 195.0.1.2 255.255.255.0

The access-list configuration is similar to ASA-1. ACL1 permits BGP traffic from the outside BGP peer 194.0.0.5 (CE-2) to the inside peer 194.0.0.10 (R2) and to the DMZ peer 195.0.1.3 (DMZ router). ACL2 permits BGP traffic from the DMZ peer to the inside peer R2; as on ASA-1, it ends with an implicit deny for everything else the DMZ originates.

access-list ACL1 extended permit tcp host 194.0.0.5 host 194.0.0.10 eq bgp 
access-list ACL1 extended permit tcp host 194.0.0.5 host 195.0.1.3 eq bgp
access-list ACL2 extended permit tcp host 195.0.1.3 host 194.0.0.10 eq bgp

ACLs are applied in the inbound direction to the outside and DMZ interfaces.

access-group ACL1 in interface OUTSIDE
access-group ACL2 in interface DMZ

We need to configure static routes to reach subnets behind the interface Gi0/1 and a default static route for outgoing traffic to the Internet.

route INSIDE 193.0.1.0 255.255.255.0 194.0.0.10
route INSIDE 194.0.0.12 255.255.255.252 194.0.0.10
route INSIDE 194.0.1.0 255.255.255.0 194.0.0.10
route OUTSIDE 0.0.0.0 0.0.0.0 194.0.0.5

Customer Edge Routers Configuration

CE-1 Configuration

interface GigabitEthernet0/0
 description Link to ISP-A
 ip address 193.0.0.2 255.255.255.252

interface GigabitEthernet0/1
 description Link to ASA-1
 ip address 193.0.0.5 255.255.255.252

CE-1 is configured as an eBGP peer of router ISP-A and as an iBGP peer of routers R1 and DMZ. Only the prefixes 193.0.1.0/24 (NAT pool ISP-A) and 195.0.1.0/24 (DMZ), matched by route-map ADV-TO-ISPA, are advertised to ISP-A; anything else in the BGP table, including the default route and the link subnets, is implicitly denied by the route-map and never leaks to the ISP. The route-map CHECK-ISPA-ROUTE checks whether the route 11.0.0.0/16 with the next-hop 193.0.0.1 is present in the routing table of CE-1. If it is, a default route is advertised to the iBGP neighbors R1 (193.0.0.10) and DMZ (195.0.1.3). The default route is thus advertised conditionally, based on whether the link between CE-1 and ISP-A is up and the ISP-A route is being received.

CE-1 receives a full Internet table from ISP-A, simulated in this lab by the single prefix 11.0.0.0/16 advertised by ISP-A. Only a default route is conditionally advertised to R1 and DMZ; the received prefixes themselves are not passed on. We therefore permit only the default route in the outgoing direction to R1 and DMZ with a distribute-list that refers to access-list 1.

router bgp 64501
 neighbor 193.0.0.1 remote-as 64500
 neighbor 193.0.0.1 route-map ADV-TO-ISPA out
 neighbor 193.0.0.10 remote-as 64501
 neighbor 193.0.0.10 next-hop-self
 neighbor 193.0.0.10 default-originate route-map CHECK-ISPA-ROUTE
 neighbor 193.0.0.10 distribute-list 1 out
 neighbor 195.0.1.3 remote-as 64501
 neighbor 195.0.1.3 next-hop-self
 neighbor 195.0.1.3 default-originate route-map CHECK-ISPA-ROUTE
 neighbor 195.0.1.3 distribute-list 1 out

Static routes to iBGP peers are required because peers are not directly connected.

ip route 193.0.0.8 255.255.255.252 193.0.0.6
ip route 195.0.1.3 255.255.255.255 193.0.0.6

route-map CHECK-ISPA-ROUTE permit 10
 match ip address 20
 match ip next-hop 21

route-map ADV-TO-ISPA permit 10
 match ip address 10 11

access-list 1 permit 0.0.0.0
access-list 10 permit 193.0.1.0 0.0.0.255
access-list 11 permit 195.0.1.0 0.0.0.255
access-list 20 permit 11.0.0.0 0.0.255.255
access-list 21 permit 193.0.0.1

CE-2 Configuration

interface GigabitEthernet0/0
 description Link to ISP-B
 ip address 194.0.0.2 255.255.255.252

interface GigabitEthernet0/1
 description Link to ASA-2
 ip address 194.0.0.5 255.255.255.252

CE-2 is configured as an eBGP peer of ISP-B and as an iBGP peer of routers R2 and DMZ. The prefixes 194.0.1.0/24 (NAT pool ISP-B) and 195.0.1.0/24 (DMZ), matched by route-map ADV-TO-ISPB, are advertised to ISP-B. The default route is advertised conditionally to R2 and DMZ, based on whether the route 12.0.0.0/16 with the next-hop 194.0.0.1 is present, that is, whether the link between CE-2 and ISP-B is up.

router bgp 64501
 neighbor 194.0.0.1 remote-as 64502
 neighbor 194.0.0.1 route-map ADV-TO-ISPB out
 neighbor 194.0.0.10 remote-as 64501
 neighbor 194.0.0.10 next-hop-self
 neighbor 194.0.0.10 default-originate route-map CHECK-ISPB-ROUTE
 neighbor 194.0.0.10 distribute-list 1 out
 neighbor 195.0.1.3 remote-as 64501
 neighbor 195.0.1.3 next-hop-self
 neighbor 195.0.1.3 default-originate route-map CHECK-ISPB-ROUTE
 neighbor 195.0.1.3 distribute-list 1 out

Static routes to iBGP peers are required because they are not directly connected.

ip route 194.0.0.8 255.255.255.252 194.0.0.6
ip route 195.0.1.3 255.255.255.255 194.0.0.6

route-map CHECK-ISPB-ROUTE permit 10
 match ip address 20
 match ip next-hop 21

Both CE-1 and CE-2 advertise the DMZ route 195.0.1.0/24 to their respective ISPs. However, incoming traffic to the DMZ is forwarded via ISP-A because CE-2 prepends AS 64501 three times to the AS_PATH of 195.0.1.0/24 advertised to ISP-B. Remote BGP routers therefore select the shorter AS_PATH via ISP-A for traffic to 195.0.1.0/24, and the path via ISP-B is used only when the ISP-A path is withdrawn. AS_PATH prepending is only a hint: a remote network whose policy sets a higher local preference on the ISP-B path still prefers it, since local preference is compared before AS_PATH length.

route-map ADV-TO-ISPB permit 10
 match ip address 10

route-map ADV-TO-ISPB permit 20
 match ip address 11
 set as-path prepend 64501 64501 64501

access-list 1 permit 0.0.0.0
access-list 10 permit 194.0.1.0 0.0.0.255
access-list 11 permit 195.0.1.0 0.0.0.255
access-list 20 permit 12.0.0.0 0.0.255.255
access-list 21 permit 194.0.0.1
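The outbound policy on the CE routers rests on three IOS mechanisms described above: standard-ACL wildcard matching inside route-maps (ADV-TO-ISPA/ADV-TO-ISPB as an advertisement whitelist), the conditional default-originate check (CHECK-ISPA-ROUTE/CHECK-ISPB-ROUTE), and AS_PATH prepending. The following is an added example written for this guide, not IOS code: it evaluates the CE-2 policy over constructed inputs taken from the addressing on this page, including the routing table with and without the ISP-B route, and shows how a remote AS compares the two paths to 195.0.1.0/24.

```python
"""Model of the CE-2 outbound BGP policy configured on this page (added example,
not IOS code): Cisco standard-ACL wildcard matching, route-map evaluation with
ANDed match clauses and ORed ACL numbers, the conditional default-originate
check, and the AS_PATH-length comparison a remote AS makes for 195.0.1.0/24."""
from ipaddress import IPv4Address


def ip(s):
    return int(IPv4Address(s))


# Standard ACLs from the CE-2 configuration: (network, wildcard) permit entries.
ACL = {
    1:  [("0.0.0.0", "0.0.0.0")],        # default route only
    10: [("194.0.1.0", "0.0.0.255")],    # NAT pool ISP-B
    11: [("195.0.1.0", "0.0.0.255")],    # DMZ
    20: [("12.0.0.0", "0.0.255.255")],   # ISP-B's simulated Internet prefix
    21: [("194.0.0.1", "0.0.0.0")],      # ISP-B next hop
}


def acl_permits(acl_number, address):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is
    ignored; a standard ACL ends with an implicit deny."""
    for network, wildcard in ACL[acl_number]:
        care = 0xFFFFFFFF ^ ip(wildcard)
        if ip(address) & care == ip(network) & care:
            return True
    return False


# route-map sequences: clauses inside one sequence are ANDed, ACL numbers
# inside one 'match ip address' are ORed; 'prepend' lists the extra ASNs.
ADV_TO_ISPB = [
    {"address": [10]},
    {"address": [11], "prepend": [64501, 64501, 64501]},
]
CHECK_ISPB_ROUTE = [{"address": [20], "next_hop": 21}]


def apply_route_map(route_map, prefix, next_hop=None, as_path=()):
    """Return the outgoing AS_PATH if a sequence permits the route, else None.
    A standard ACL sees only the network address, so the prefix length is not
    checked; that is why prefix-lists are the tighter filter for this job."""
    network = prefix.split("/")[0]
    for seq in route_map:
        if "address" in seq and not any(acl_permits(n, network) for n in seq["address"]):
            continue
        if "next_hop" in seq and (next_hop is None or not acl_permits(seq["next_hop"], next_hop)):
            continue
        return list(seq.get("prepend", [])) + list(as_path)
    return None   # no sequence matched: implicit deny, route not advertised


def default_advertised(rib, check_map):
    """neighbor ... default-originate route-map X: the default route is sent
    only while some RIB entry (prefix, next hop) passes the route-map."""
    return any(apply_route_map(check_map, p, nh) is not None for p, nh in rib)


# Constructed CE-2 routing tables: ISP-B link up, and ISP-B link down.
RIB_UP = [("12.0.0.0/16", "194.0.0.1"), ("194.0.0.8/30", "194.0.0.6"), ("195.0.1.3/32", "194.0.0.6")]
RIB_DOWN = [r for r in RIB_UP if r[0] != "12.0.0.0/16"]


def dmz_paths_seen_remotely():
    """AS_PATH for 195.0.1.0/24 as a third AS receives it from each ISP: every
    eBGP speaker prepends its own ASN on the way out, CE-2 adds its prepends."""
    via_a = [64500, 64501]                                   # CE-1 has no prepend
    via_b = [64502, 64501] + apply_route_map(ADV_TO_ISPB, "195.0.1.0/24")
    return {"ISP-A": via_a, "ISP-B": via_b}


def preferred_upstream(paths):
    """With equal local preference, BGP prefers the shortest AS_PATH."""
    return min(paths, key=lambda name: len(paths[name]))


if __name__ == "__main__":
    for prefix in ("194.0.1.0/24", "195.0.1.0/24", "0.0.0.0/0", "194.0.0.8/30"):
        print(prefix, "->", apply_route_map(ADV_TO_ISPB, prefix))
    print("default to R2 while ISP-B up:", default_advertised(RIB_UP, CHECK_ISPB_ROUTE))
    print("default to R2 while ISP-B down:", default_advertised(RIB_DOWN, CHECK_ISPB_ROUTE))
    paths = dmz_paths_seen_remotely()
    print(paths, "preferred:", preferred_upstream(paths))
```

The default route and the 194.0.0.8/30 link subnet come back as None, i.e. they are never offered to ISP-B; the default to R2 disappears as soon as 12.0.0.0/16 via 194.0.0.1 leaves the routing table (a copy of that prefix learned through any other next hop does not count, because of the next-hop match); and the remote AS sees a two-hop path via ISP-A against a five-hop path via ISP-B.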

ISPs Routers Configuration

ISP-A and ISP-B are configured as eBGP peers of CE-1 and CE-2, respectively, and they also peer with each other. Both ISPs advertise a full Internet routing table, simulated by the prefixes 11.0.0.0/16 and 12.0.0.0/16.

ISP-A Configuration

interface GigabitEthernet0/0
 description Link to CE-1
 ip address 193.0.0.1 255.255.255.252

interface GigabitEthernet0/1
 description Link to ISP-B
 ip address 196.0.0.1 255.255.255.252

router bgp 64500
 network 11.0.0.0 mask 255.255.0.0
 neighbor 193.0.0.2 remote-as 64501
 neighbor 196.0.0.2 remote-as 64502

BGP always advertises the network 11.0.0.0/16 because the network statement requires a matching route in the routing table, and the static route to Null0 keeps one installed regardless of interface state.

ip route 11.0.0.0 255.255.0.0 Null0

ISP-B Configuration

interface GigabitEthernet0/0
 description Link to CE-2
 ip address 194.0.0.1 255.255.255.252

interface GigabitEthernet0/1
 description Link to ISP-A
 ip address 196.0.0.2 255.255.255.252

router bgp 64502
 network 12.0.0.0 mask 255.255.0.0
 neighbor 194.0.0.2 remote-as 64501
 neighbor 196.0.0.1 remote-as 64500

BGP always advertises the network 12.0.0.0/16 for the same reason: the static route to Null0 keeps a matching route in the routing table of ISP-B.

ip route 12.0.0.0 255.255.0.0 Null0
