topic Re: BGP neighbor does not come up when NAT service is enabled in Routing

BGP neighbor does not come up when NAT service is enabled

Donia — Wed, 22 Mar 2023 10:13:41 GMT

Hello,

I am having a problem that BGP when it become down due to any physical issue didn't become up again due to NAT however i can't see any relation as there is no conflict in the Ips used in the ACL with the WAN ip used

however when we added a statement on the ACL to deny the WAN interface to reach any destination BGP become up

so can anyone help me to know why this is happened , below some logs for the used configuration

BTW the router has other customers (Lite VRFs ) and this case didn't appear with any other customer which have the same setup/ configuration

i had changed the below Ips as they are related to the customer. all sequences in the ACL Source / destination don't have the same range of WAN Subnet.

ip nat inside source list PAT_clients pool POOL_clients vrf x match-in-vrf

#sh ip access-lists PAT_clients
Extended IP access list PAT_clients
10 deny ip 57.201.30.50 0.0.0.3 any --------> which i need to add to restore BGP connection
20 permit ip 57.91.16.0 0.0.0.255 any
30 permit ip 57.91.107.0 0.0.0.127 any
40 permit ip 57.39.109.102 0.0.0.63 any

100 permit ip 10.81.205.40 0.0.0.7 any
110 permit ip 10.79.205.152 0.0.0.7 any

360 permit ip any host 176.90.37.101

370 permit ip any host 179.107.30.11
380 permit ip any host 177.19.28.11
390 permit ip any host 172.14.250.11
400 permit ip any host 170.107.100.103

Re: BGP neighbor does not come up when NAT service is enabled

MHM Cisco World — Wed, 22 Mar 2023 10:19:00 GMT

this can due to PAT change the TCP port use by BGP
so you need static PAT and config Peer with Mapped IP not real IP.

Re: BGP neighbor does not come up when NAT service is enabled

MHM Cisco World — Wed, 22 Mar 2023 10:48:45 GMT

Re: BGP neighbor does not come up when NAT service is enabled

Donia — Wed, 22 Mar 2023 11:29:50 GMT

Hello,

from your configuration i can see you used port tcp 179 on the nat configuration so how BGP problem will be solved by this way ?

Re: BGP neighbor does not come up when NAT service is enabled

MHM Cisco World — Wed, 22 Mar 2023 12:04:47 GMT

R1-R2-R3
in R3 I config BGP with R2 not R1 ip (mapped ip not real ip of R1)
in R1 I config BGP with R3
in R2 I config static PAT for TCP=179 port, note the static NAT is bi-directional

that it.
if you have more Q please ask.

Re: BGP neighbor does not come up when NAT service is enabled

paul driver — Wed, 22 Mar 2023 20:43:32 GMT

Hello
In your acl you need to allow bgp protocol through for successful peering
example:
ip access-lists extended PAT_clients
5 permit tcp any eq bgp any
6 permit tcp any any eq bgp

Re: BGP neighbor does not come up when NAT service is enabled

Donia — Fri, 24 Mar 2023 08:15:23 GMT

Hello,

you are configuring NAT Statament from the source IP of R1 with Port 179 which i think can lead to the same problem i have.

MY case Customer LAN will reach the CE and in case they will need to reach specific destination , in this case Natting will be working and traffic will go out with the Natted Ip so it shouldn't have any relation with the Wan BGP

CE------PE --mpls network--PE---LAN Destination that customer need to reach

sorry for asking alot but i still didn't get the problem

Re: BGP neighbor does not come up when NAT service is enabled

Donia — Fri, 24 Mar 2023 09:46:27 GMT

can i understand how the above commands will make the EBGP session won't be down . i am still can't get how the PAT makes ebgp session to be down as PAtting is having condition that ACL must match ( source / destination ) which is different from the WAN subnet and what i understand that WAN subnet shouldn't participate in natting process as traffic will be initiated from inside ( customer LAN ) then will reach CE that will make the translation and will send traffic towards destination which is learnt by BGP.

CE------PE --mpls network--PE---LAN Destination that customer need to reach

Re: BGP neighbor does not come up when NAT service is enabled

MHM Cisco World — Fri, 24 Mar 2023 15:08:09 GMT

Hi friend
the R4 is CE connect to PE and I config CE with NAT overload toward the link connect CE-PE
the issue not arise until I use LO in CE as update source of BGP and allow this LO to hit the ACL of NAT overload
here the BGP is stop

Re: BGP neighbor does not come up when NAT service is enabled

paul driver — Fri, 24 Mar 2023 19:31:14 GMT

Hello @Donia
Apologies I thought the ACL was applied to a wan interface but its not, its being called by NAT statement!

Now regarding your NAT ACL it should only reference the NAT internal domain (inside) addressing, it should have no reference to any other host/network other then what's originating from that interface so anything else should be removed from the ACL.

Any deny ace within the NAT ACL again will reference hosts/networks orientating from the internal nat domain that you wish NOT to be network translated.

Re: BGP neighbor does not come up when NAT service is enabled

MHM Cisco World — Fri, 24 Mar 2023 19:37:24 GMT

Friend you have two choose here

1- config static PAT if the bgp only know the mapped ip

As I mention above

2- config deny for bgp traffic to bypass PAT if the know real ip

As @paul driver mention in his post

Re: BGP neighbor does not come up when NAT service is enabled

Donia — Mon, 27 Mar 2023 08:05:20 GMT

Hello,

on the router configuration i'm not using the loopback that used in the NAT statement in the BGP configuration. i just advertise this loopback on PE.

neighbor --- physicalWAN ip--- remote-as x
neighbor --- physicalWAN ip--- activate
neighbor --- physicalWAN ip--- send-community
neighbor --- physicalWAN ip--- route-map BGP-TAG out

i know it is normal in case we used the loopback as the source LO on the BGP as it will impact the neighborship but in my case i can't see any relation between NAT / BGP.

Re: BGP neighbor does not come up when NAT service is enabled

MHM Cisco World — Mon, 27 Mar 2023 10:45:58 GMT

OK,
can you check
show ip nat translation
check in entry if there is TCP port 179 or not
can you share this after hidden public IP