We got a T3 line installed a few weeks ago to carry both our MPLS traffic from the corporate office and all our outgoing internet traffic. The setup is kind of complicated and backwards.

We have an ASA 5510 running that I upgraded from a PIX box. We have a device from FatPipeInc that pretty much multi-homes us. Last but not least, we have a new 3845 with a T3 channel card for the new connection.

Well, our ISP's engineer jumps on the router just to take a last look at our IP setup. With the T3 and the separation of traffic being split into sub-interfaces, like in Frame Relay, they wanted to make sure we had the proper IPs. Everything is set up correctly, the IPs are good. So I decide to double-check the routing. Our default route would normally point to the ASA box to pipe all internet traffic through it. I use a few static routes to route traffic to the remote locations. The corporate office is the main hub for everything. So it hits me: if I set the default route to the ASA box, I will just create a routing loop. The problem of running one router for MPLS and internet traffic, I guess. Internet traffic will come from the 3845 to the ASA box, to the FatPipe and then to the 3845 again, where it will send it back to the ASA box. Following me? No, I lost myself as well.

3845 (not MPLS traffic) –> ASA 5510 –> FatPipe –> 3845 to go out the internet sub-interface.

Then the solution just hit me: just use a route map on the 3845 telling it that any traffic coming from the FatPipe should have its next hop set to the interface IP of the ISP router connected to the internet side of our T3 line.

(Hoping I would put in our real IPs, weren't you?)

! Match traffic arriving from the FatPipe's address (x.x.x.x = the FatPipe)
access-list 101 permit ip host x.x.x.x any
!
! Send anything that matches straight to the ISP router on the internet
! sub-interface (x.x.x.x = the ISP's address on that link), bypassing the
! default route toward the ASA that would otherwise loop it
route-map internet permit 101
 match ip address 101
 set ip next-hop x.x.x.x
!
! Nothing happens until the route map is applied to the interface the
! FatPipe traffic arrives on; policy routing is evaluated on ingress.
! (Interface name is illustrative, not the one from the post.)
interface GigabitEthernet0/0
 ip policy route-map internet

So I set up the route map, quick and easy. We fire up the T3 line and, just as I hoped, the internet traffic is going out the internet sub-interface and the MPLS traffic is going out the MPLS sub-interface. All because of a simple route map. Made life a little easier that day.

I know some people are going to ask why not just let the traffic leave the 3845 instead of going back to the ASA box. We have the web filtering module turned on; if the traffic goes out of the 3845 from the start, we can't do the web filtering. You would be amazed at what nurses look at on the internet…

The only thing left to look at is using some QoS to limit the bandwidth going out of the internet sub-interface. Right now we have a full 24 megs total for the line and we aren't close to using it all. Again though, nurses…

“Takeaway: Network address translation (NAT) has become one of the key components of today’s corporate networks attached to the Internet. See how to set up and manage NAT using the Cisco Internetwork Operating System.

Network address translation (NAT) is one of those rare information technology buzzwords that does exactly what its name implies. In this case, it translates one network address into another network address. The most popular use for NAT is to connect an internal network to the Internet. The proliferation of hosts that now connect to the Internet is causing a shortage of IP addresses, so NAT is a key tool for connecting corporate networks using private IP addresses to the Internet. Since Cisco provides the bulk of the routers that connect to the Internet, we’re going to show you how to set up NAT using the Cisco Internetwork Operating System (IOS).

Understanding NAT
Using NAT to connect to the Internet allows you to:

  • Use only one public, registered IP address for Internet access for many thousands of private IP addresses at your site.
  • Change Internet service providers (ISPs) easily, without readdressing the majority of hosts on your network.
  • Hide the identity of hosts on your local network behind the single public IP address to keep outside hosts from easily targeting them.

The most difficult part of using NAT in the Cisco IOS is getting a handle on these four key terms:

  • Inside Local—This is the local IP address of the private host on your network (i.e., your PC’s IP address).
  • Inside Global—This is the public, legal, registered IP address that the outside network sees as the IP address of your local host.
  • Outside Local—This is the local IP address from the private network, which your local host sees as the IP address of the remote host.
  • Outside Global—This is the public, legal, registered IP address of the remote host (i.e., the IP address of the remote Web server that your PC is connecting to).”
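As an added example (not part of the quoted article or of the original post), here is how those four terms line up in a minimal IOS NAT configuration. All addresses, interface names and ACL names are illustrative assumptions: the inside LAN is 10.1.1.0/24, the ISP-assigned block is 203.0.113.0/29 with 203.0.113.1 as the ISP router and 203.0.113.2 as our outside interface, and 198.51.100.7 stands in for a remote web server.

```cisco
! Assumed, illustrative addressing (not from the article):
!   inside LAN 10.1.1.0/24; public block 203.0.113.0/29
!   203.0.113.2 = our outside interface and the single overloaded address
!
! Tell the router which side is "inside" and which is "outside"
interface GigabitEthernet0/0
 description Inside LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Outside, toward the ISP
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! Only the private range may be translated. Use a dedicated ACL rather than
! "permit any": anything that matches here is handed a public identity.
ip access-list standard NAT-INSIDE
 permit 10.1.1.0 0.0.0.255
!
! Many inside local addresses share one inside global address (PAT, "overload")
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
!
! Static one-to-one entry for a host that must be reachable from outside.
! 10.1.1.10 is its inside local address, 203.0.113.3 its inside global address.
! This also lets outside hosts initiate connections to it, so filter below.
ip nat inside source static 10.1.1.10 203.0.113.3
!
! Inbound filter on the outside interface. It is evaluated before NAT, so it
! must reference the inside global (public) address, not 10.1.1.10.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.3 eq 443
 permit tcp any any established
 deny ip any any log
!
! Everything not destined for the inside networks leaves via the ISP router
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Constructed example of what "show ip nat translations" would report for
! a PC at 10.1.1.50 browsing to 198.51.100.7 through the overload above:
!   Pro Inside global        Inside local        Outside local        Outside global
!   tcp 203.0.113.2:51234    10.1.1.50:51234     198.51.100.7:443     198.51.100.7:443
```

Mapping to the four terms: 10.1.1.50 is the inside local address, 203.0.113.2 the inside global address, and 198.51.100.7 is both the outside local and the outside global address. The two outside columns only differ when an `ip nat outside source` translation is configured, which this example does not do. Two caveats a practitioner would want: the `established` line is a stateless approximation that only covers TCP return traffic (outbound UDP such as DNS would need its own permit or, better, stateful inspection via CBAC or the zone-based firewall), and the third bullet's "hide the identity of hosts" benefit evaporates for any host given a static translation, which is exactly why the static entry is paired with an explicit inbound filter.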

You can read the rest of the article here: Set up NAT using the Cisco IOS