NAT FAIL-OVER USING TWO ISPs

TASK-3
NAT FAIL-OVER WITH TWO ISP

SUBMITTED TO: MR. UMAIR KAZIM

SUBMITTED BY: SYED RAWAIM ZAFAR
DESIGNATION: TAC ENGINEER LEVEL-1

CYBERNET INTERNET SERVICES PVT LTD. Syed Rawaim Zafar

NAT FAIL-OVER USING TWO ISPs

TABLE OF CONTENTS

INTRODUCTION .......................................................................................................................... 3
PROBLEM STATEMENT ............................................................................................................. 3
NETWORK ADDRESS TRANSLATION(NAT) ......................................................................... 3
TYPES OF NAT ............................................................................................................................. 3
I. STATIC NAT ...................................................................................................................... 4
II. DYNAMIC NAT ................................................................................................................. 4
III. NAT OVERLOAD (PAT) ............................................................................................... 4
1. IMPLEMENTATION IN SCENARIO ................................................................................... 4
ROUTE MAP.................................................................................................................................. 4
ACCESS CONTROL LIST (ACL) ................................................................................................ 5
TYPES OF ACL ............................................................................................................................. 5
I. Standard Access-list ................................................................................................................ 5
II. Extended Access-list................................................................................................................ 5
INTERNET SERVICE PROVIDER (ISP) ..................................................................................... 5
ROUTING PROTOCOLS .............................................................................................................. 6
STATIC ROUTING .................................................................................................................... 6
1. IMPLEMENTATION IN SCENARIO ................................................................................... 6
IP_SLA ........................................................................................................................................... 6
1. IMPLEMENTATION IN SCENARIO ................................................................................... 7
NETWORK TOPOLOGY .............................................................................................................. 7
METHOD AND PROCEDURE ..................................................................................................... 7
1. NETWORK SETUP ................................................................................................................ 7

CYBERNET INTERNET SERVICES PVT LTD. Syed Rawaim Zafar

NAT FAIL-OVER USING TWO ISPs

INTRODUCTION
Main objective of this lab is to achieve NAT failover using dual ISPs. NAT is configured on a
router which is connecting multiple networks together, while purpose of having dual ISP is a
redundancy feature used by organizations to stay connected when either of a connection fails and
run operations smoothly. NAT enables private IP networks that use unregistered IP addresses to
connect to the Internet, suppose we are having two ISP that is Nayatel as primary and Wateen as
backup providing services to an organization i.e. SBP, furthermore on SBP there is NAT
configured particularly for each ISP, the main goal is to achieve NAT failover if either of the
connection fails. In detailed description of the scenario is defined in this report.
PROBLEM STATEMENT
It’s not possible to have a globally unique IP address for every device connected to internet, for
this purpose, hence there are many ways to conserve IP addresses i.e. IPV6, CIDR, NAT, IPV6 is
long term solution, but not globally implemented and still many of the devices doesn’t support
IPV6, hence NATing technique can be used to achieve the goal, NAT can be configured to
advertise only one address for the entire network to the outside world. This provides additional
security by effectively hiding the entire internal network behind that address. NAT offers the dual
functions of security and address conservation and is typically implemented in remote-access
environments.
NETWORK ADDRESS TRANSLATION(NAT)
Network Address Translation (NAT) is designed for IP address conservation. It enables private IP
networks that use unregistered IP addresses to connect to the Internet. NAT operates on a router,
usually connecting two networks together, and translates the private (not globally unique)
addresses in the internal network into legal addresses, before packets are forwarded to another
network.

As part of this capability, NAT can be configured to advertise only one address for the entire
network to the outside world. This provides additional security by effectively hiding the entire
internal network behind that address. NAT offers the dual functions of security and address
conservation and is typically implemented in remote-access environments.

TYPES OF NAT
Following are different types of NAT,

CYBERNET INTERNET SERVICES PVT LTD. Syed Rawaim Zafar

NAT FAIL-OVER USING TWO ISPs

I. STATIC NAT
Static NAT (Network Address Translation) is one-to-one mapping of a private IP
address to a public IP address. Static NAT (Network Address Translation) is useful
when a network device inside a private network needs to be accessible from
internet.

II. DYNAMIC NAT

Dynamic NAT can be defined as mapping of a private IP address to a public IP
address from a group of public IP addresses called as NAT pool. Dynamic NAT
establishes a one-to-one mapping between a private IP address to a public IP
address. Here the public IP address is taken from the pool of IP addresses
configured on the end NAT router. The public to private mapping may vary based
on the available public IP address in NAT pool.

III. NAT OVERLOAD (PAT)

Port Address Translation (PAT) is another type of dynamic NAT which can map
multiple private IP addresses to a single public IP address by using a technology
known as Port Address Translation. When a client from inside network
communicate to a host in the internet, the router changes the source port (TCP or
UDP) number with another port number. These port mappings are kept in a table.
When the router receives from internet, it will refer the table which keep the port
mappings and forward the data packet to the original sender.

1. IMPLEMENTATION IN SCENARIO
In this scenario port address translation i.e. NAT overload is used, for binding a single global
address to multiple private IP addresses, it changes the source port that is TCP, UDP, ICMP etc.
the port mappings can be seen in the NAT translations table.

ROUTE MAP
The route maps are like the duct tape for a network. It is not important because it can be used to
mend or fix something broken, however, it can be applied to the numerous situation to overtake
many issues. One of the main purpose of the route map in the Cisco router is the customize
traffic management beyond the routing tables boundaries. The route maps are mostly used when

CYBERNET INTERNET SERVICES PVT LTD. Syed Rawaim Zafar

NAT FAIL-OVER USING TWO ISPs

distributing the routes into the RIP, EIGRP or OSPF routing process. It is also used while
generating the default route into the OSPF routing process. The route map also defines which of
the routes from a specified routing protocol that are allowed to be redistributed into a target
routing process.

ACCESS CONTROL LIST (ACL)

Access control lists (ACLs) perform packet filtering to control the movement of packets through
a network. Packet filtering provides security by limiting the access of traffic into a network,
restricting user and device access to a network, and preventing traffic from leaving a network. IP
access lists reduce the chance of spoofing and denial-of-service attacks, and allow dynamic,
temporary user-access through a firewall. IP access lists can also be used for purposes other than
security, such as to control bandwidth, restrict the content of routing updates, redistribute routes,
trigger dial-on-demand (DDR) calls, limit debug output, and identify or classify traffic for
quality of service (QoS) features.

TYPES OF ACL
There are two main different types of Access-list namely:

I. Standard Access-list
These are the Access-list which are made using the source IP address only. These ACLs
permit or deny the entire protocol suite. They don’t distinguish between the IP traffic
such as TCP, UDP, Https etc. By using numbers 1-99 or 1300-1999, router will
understand it as a standard ACL and the specified address as source IP address.

II. Extended Access-list

These are the ACL which uses both source and destination IP address. In these type of
ACL, we can also mention which IP traffic should be allowed or denied. These use range
100-199 and 2000-2699.

INTERNET SERVICE PROVIDER (ISP)

An Internet service provider (ISP) is an organization that provides services for accessing, using,
or participating in the Internet. Internet service providers may be organized in various forms, such
as commercial, community-owned, non-profit, or otherwise privately owned. Internet services

CYBERNET INTERNET SERVICES PVT LTD. Syed Rawaim Zafar

NAT FAIL-OVER USING TWO ISPs

typically provided by ISPs include Internet access, Internet transit, domain name registration, web
hosting, Usenet service, and colocation.

ROUTING PROTOCOLS
A routing protocol uses software and routing algorithms to determine optimal network data
transfer and communication paths between network nodes. Routing
protocols facilitate router communication and overall network topology understanding. Some of
the most common routing protocols include RIP, IGRP, EIGRP, OSPF and BGP. There are two
primary routing protocol types i.e. Link state and distance vector although many different routing
protocols defined with these two.

STATIC ROUTING
Static routing is a form of routing that occurs when a router uses a manually-configured routing
entry, rather than information from a dynamic routing traffic. Furthermore, static routing technique
is suitable for smaller networks.

1. IMPLEMENTATION IN SCENARIO
In this scenario static routing is used to configure routing map manually, while configuring
routing map one route is configured with higher administrative distance (AD) in order to
make it backup ISP, this makes the router capable of making decision about which link is
primary and which one is backup.

IP_SLA
IP SLA (Internet protocol service level agreement) is a feature of the Cisco Internetwork Operating
System (Cisco IOS) that allows an IT professional to collect information about network
performance in real time. Cisco IOS IP SLAs continuously collect data about network. This not
only provides the network administrator with baseline information about network performance, it
also helps the administrator to verify Quality of Service (QoS) levels and quickly identify the root
of a problem if performance levels drop. IP SLAs are especially useful for wide area networks
(WANs) that connect multiple geographies and needs to be monitored from one central location.

CYBERNET INTERNET SERVICES PVT LTD. Syed Rawaim Zafar

NAT FAIL-OVER USING TWO ISPs

1. IMPLEMENTATION IN SCENARIO
In this scenario IP SLA is used make the connection more reliable, but why its
implemented? Static routing with variation between Administrative Distances can
accomplish the objective but if organization’s own interface it will do a failover, for
overcoming this IP-SLA is used in which interface of organization’s router is source
interface which is tracking primary ISP’s router interface using ICMP echo operation with
some parameters i.e. threshold, timeout and frequency, setup to make reliable failover
decision (parameters elaborated in working and methodology).

NETWORK TOPOLOGY

METHOD AND PROCEDURE

The detailed description about methodology and procedure of above topology is as follows,

1. NETWORK SETUP
First of all, place an organization i.e. SBP router connect it routers of ISP’s that is
Nayatel and WATEEN followed by an internet router connected to both ISP.
Configure IP addresses to each interface and set line protocol to UP.
While assigning IP addresses to SBP router interfaces, run the command “IP NAT
outside/inside”.
Configure IP_SLA.
Configure static routes to SBP, Nayatel, WATEEN and Internet router.
SBP router’s static routes are configured while keeping one route’s AD value
higher than other one. Link with higher AD will become backup link.

CYBERNET INTERNET SERVICES PVT LTD. Syed Rawaim Zafar

NAT FAIL-OVER USING TWO ISPs

Access list is configured at SBP router to allow traffic from internal network to
outside network
Configure route map for each ISP that is Nayatel and Wateen.

SBP Router Running Configuration

CYBERNET INTERNET SERVICES PVT LTD. Syed Rawaim Zafar

NAT FAIL-OVER USING TWO ISPs

Ping and Trace from VPC-1 to VPC_Internet via Primary Isp(Nayatel)

IP NAT Translations

Ping and Trace from VPC-1 to VPC_Internet after Fail-over

CYBERNET INTERNET SERVICES PVT LTD. Syed Rawaim Zafar

NAT FAIL-OVER USING TWO ISPs

IP NAT Translations After Failover

CYBERNET INTERNET SERVICES PVT LTD. Syed Rawaim Zafar