10-04-2018 01:53 PM - edited 03-12-2019 07:25 AM
Hello,
I have a Cisco CSR instance that has the following configured:
> Two SVTI tunnels that point to interface, Gigabit1
> Both the VTIs are "inside" NAT interfaces
> Gigabit1 is an "outside" NAT interface
> Route: ip route 0.0.0.0 0.0.0.0 GigabitEthernet1 172.31.96.1
This configuration works as expected. It NATs all requests coming through the VTI to the Gigabit1 IP as it leaves the CSR.
However, since I have only 1 outside NAT interface, my NAT ports are limited to 65k. I expect much more traffic through the SVTIs and therefore would like to double the number of available NAT ports.
How do I do that? I tried using a NAT pool (with 2 random private IPs) and was able to see the pool IPs in "sh ip nat translations" when I did a curl to a public service from the remote host. But the remote host did not get any response and the curl request timed out.
Any help/advice is appreciated.
Current config:
interface Tunnel5
ip address 169.254.47.6 255.255.255.252
ip nat inside
ip tcp adjust-mss 1379
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination 34.198.115.214
tunnel protection ipsec profile ipsec-vpn-097566dab48a2cb79-0
ip virtual-reassembly
!
interface VirtualPortGroup0
ip address 192.168.35.1 255.255.255.0
ip nat inside
no mop enabled
no mop sysid
!
interface GigabitEthernet1
ip flow monitor PUBLIC_GigabitEthernet_Monitor input
ip flow monitor PUBLIC_GigabitEthernet_Monitor output
ip address 172.31.107.230 255.255.240.0
ip nat outside
negotiation auto
no mop enabled
no mop sysid
!
!
router bgp 65001
bgp log-neighbor-changes
neighbor 169.254.47.5 remote-as 7224
neighbor 169.254.47.5 timers 10 30 30
!
address-family ipv4
network 0.0.0.0
neighbor 169.254.47.5 activate
neighbor 169.254.47.5 default-originate
neighbor 169.254.47.5 soft-reconfiguration inbound
exit-address-family
!
!
ip nat pool nat-pool 172.31.96.2 172.31.96.2 prefix-length 20
ip nat inside source list GS_NAT_ACL pool nat-pool overload
ip nat inside source list IP_Whitelist pool nat-pool overload
ip nat outside source static 18.214.135.244 207.171.165.150
ip nat outside source static 18.233.218.226 207.171.165.149
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1 172.31.96.1
!
ip access-list extended IP_Whitelist
permit ip any host 18.204.60.31
ip access-list standard GS_NAT_ACL
permit 192.0.0.0 0.255.255.255
permit 10.0.0.0 0.0.255.255
!
Output of “sh ip route”:
Gateway of last resort is 172.31.96.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 172.31.96.1, GigabitEthernet1
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
B 10.0.0.0/16 [20/100] via 169.254.47.5, 00:25:22
169.254.0.0/16 is variably subnetted, 6 subnets, 2 masks
C 169.254.47.4/30 is directly connected, Tunnel5
L 169.254.47.6/32 is directly connected, Tunnel5
172.31.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.31.96.0/20 is directly connected, GigabitEthernet1
L 172.31.96.2/32 is directly connected, GigabitEthernet1
L 172.31.107.230/32 is directly connected, GigabitEthernet1
192.168.35.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.35.0/24 is directly connected, VirtualPortGroup0
L 192.168.35.1/32 is directly connected, VirtualPortGroup0
Output of “sh ip nat translations”:
Pro Inside global Inside local Outside local Outside global
--- --- --- 207.171.165.150 18.214.135.244
--- --- --- 207.171.165.149 18.233.218.226
tcp 172.31.96.2:516 10.0.185.235:23 156.194.177.198:23392 156.194.177.198:23392
tcp 172.31.96.2:8088 10.0.185.235:8088 94.177.247.154:57956 94.177.247.154:57956
udp 172.31.96.2:512 10.0.185.235:123 74.82.59.149:123 74.82.59.149:123
udp 172.31.96.2:512 10.0.185.235:123 74.122.204.3:123 74.122.204.3:123
tcp 172.31.96.2:517 10.0.185.235:143 122.228.10.51:34429 122.228.10.51:34429
tcp 172.31.96.2:52678 10.0.185.235:52678 18.204.60.31:80 18.204.60.31:80
tcp 172.31.96.2:515 10.0.185.235:22 185.143.223.202:56029 185.143.223.202:56029
tcp 172.31.96.2:14009 10.0.185.235:14009 5.101.40.252:40474 5.101.40.252:40474
tcp 172.31.96.2:8088 10.0.185.235:8088 205.185.122.121:49583 205.185.122.121:49583
udp 172.31.96.2:512 10.0.185.235:123 184.105.182.16:123 184.105.182.16:123
Total number of translations: 12
Thanks,
Juliet
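An added example, not part of this thread, that checks a pasted "sh ip nat translations" table for the two things at issue in the post: how many of the 65k ports each inside-global address is consuming, and whether a PAT address is one that is actually configured on an interface (the sample table and the interface-address set are constructed from the values in the post).

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the "sh ip nat translations" output quoted above.
SAMPLE_TRANSLATIONS = """\
Pro Inside global Inside local Outside local Outside global
--- --- --- 207.171.165.150 18.214.135.244
tcp 172.31.96.2:516 10.0.185.235:23 156.194.177.198:23392 156.194.177.198:23392
tcp 172.31.96.2:8088 10.0.185.235:8088 94.177.247.154:57956 94.177.247.154:57956
udp 172.31.96.2:512 10.0.185.235:123 74.82.59.149:123 74.82.59.149:123
udp 172.31.96.2:512 10.0.185.235:123 74.122.204.3:123 74.122.204.3:123
tcp 172.31.96.2:517 10.0.185.235:143 122.228.10.51:34429 122.228.10.51:34429
"""

PORTS_PER_PROTO = 65535  # ceiling for one PAT address, per L4 protocol
SOCK = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")

def parse_translations(text):
    """Yield (proto, inside_global_ip, inside_global_port) for each dynamic PAT row."""
    for line in text.splitlines():
        f = line.split()
        # Skip the header, the '---' static rows and any trailing summary line.
        if len(f) != 5 or f[0] not in ("tcp", "udp", "icmp"):
            continue
        m = SOCK.match(f[1])
        if m:
            yield f[0], m.group(1), int(m.group(2))

def port_usage(text):
    """Distinct inside-global ports per (proto, address). IOS may reuse one
    global port toward different peers (the two udp/512 rows), so rows != ports."""
    used = defaultdict(set)
    for proto, ip, port in parse_translations(text):
        used[(proto, ip)].add(port)
    return {k: len(v) for k, v in used.items()}

def check_pool(text, interface_ips, warn_ratio=0.8):
    """Flag PAT addresses configured on no interface (as with 172.31.96.2 in
    the post, where replies never came back) and addresses near exhaustion."""
    findings, unassigned = [], set()
    for (proto, ip), n in sorted(port_usage(text).items()):
        if ip not in interface_ips and ip not in unassigned:
            unassigned.add(ip)
            findings.append(f"{ip}: PAT address is not an interface address")
        if n / PORTS_PER_PROTO >= warn_ratio:
            findings.append(f"{ip}/{proto}: {n} of {PORTS_PER_PROTO} ports in use")
    return findings

if __name__ == "__main__":
    print(check_pool(SAMPLE_TRANSLATIONS, {"172.31.107.230"}))  # Gigabit1 only
```

Feed it the full table from the router and the set of addresses really present on Gigabit1 to see which pool address is the odd one out and how close each one is to running out of ports.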
10-04-2018 06:49 PM - edited 10-04-2018 06:57 PM
You have to use some of the public IP addresses on the outside interface.
I believe this will fix the issue.
Please mark helpful posts.