9K Nexus Switch Configuration HELP!

mmcfarland727 (Level 1)

Hi,

I need to apply a NAT configuration for an individual internal IP to be NATed to another internal IP that is connected to a third-party firewall situated in our DMZ. The TP firewall in the DMZ is expecting traffic from a specific IP within the subnet that is connected to the TP firewall. The server in the internal LAN is using the IP 10.4.2.220, and it needs to NAT to 10.170.2.53 when sending traffic to the TP firewall. Please see the diagram attached.

I have never used NAT before on the Nexus switches, so I am a bit unsure if the following config will work. Please can someone verify if the following is correct?

int vlan 170
 ip nat outside
!
int vlan 2
 ip nat inside
!
ip nat inside source static 10.4.2.220 10.170.2.53


Any help would be appreciated, thanks.

Accepted Solution

Sergiu.Daniluk (VIP Alumni)

Hi @mmcfarland727 

Yes, the configuration is good. You are basically translating inside local to inside global. It should work.

One thing you need to add, according to the config guide:

"If the translated IP is part of the outside interface subnet, then use the ip proxy-arp command on the NAT outside interface"

Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/interfaces/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide_7x_chapter_0110...


Stay safe,

Sergiu

7 Replies


mmcfarland727 (Level 1)

Hi Sergiu,

Thank you for your reply.

So, when traffic is sent from Server A to the TP firewall it will NAT to 10.170.2.53. Any other traffic that Server A transmits will not get NATed as long as it doesn't traverse vlan 170 outbound?

Also, will no other IP in vlan 2 be NATed, as we have specified only 10.4.2.220 to be? It sounds obvious, but I just want to confirm.

Thanks,


Yes and Yes.

Cheers,

Sergiu
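As an added illustration (not from the thread or from Cisco), a small Python model of the static NAT discussed above: it shows which flows are rewritten by the `ip nat inside source static` rule (only the listed host, and only when forwarded from an `ip nat inside` SVI to an `ip nat outside` SVI) and flags translated addresses that fall inside the outside SVI's subnet, which is the case the config guide's proxy-ARP note covers. The subnets for vlan 2 and vlan 170 and the third-party network 172.16.0.0/12 are constructed assumptions; the thread gives only the two host addresses.

```python
"""Model of this thread's static NAT: which flows are translated, and whether the
config guide's proxy-ARP note applies. Constructed assumptions: vlan 2 = 10.4.2.0/24
(inside), vlan 170 = 10.170.2.0/24 (outside), 172.16.0.0/12 reached via vlan 170."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Interface:
    network: IPv4Network
    nat_role: str = "none"     # "inside", "outside" or "none" (no ip nat command)
    proxy_arp: bool = False    # ip proxy-arp configured on the SVI


@dataclass
class StaticNatModel:
    interfaces: list
    routes: list          # (prefix, egress Interface), connected subnets included
    static_rules: dict    # inside local -> inside global (ip nat inside source static)

    def egress(self, addr: IPv4Address) -> Interface:
        """Longest-prefix match over the route table."""
        hits = [(n, i) for n, i in self.routes if addr in n]
        if not hits:
            raise ValueError(f"no route to {addr}")
        return max(hits, key=lambda h: h[0].prefixlen)[1]

    def source_seen_by_peer(self, src: str, dst: str) -> str:
        """Source address on the wire after forwarding src -> dst. Sources are assumed
        directly connected, so the ingress SVI is found with the same lookup."""
        s, d = ip_address(src), ip_address(dst)
        if self.egress(s).nat_role == "inside" and self.egress(d).nat_role == "outside":
            return str(self.static_rules.get(s, s))   # only the listed host is rewritten
        return str(s)                                  # not inside->outside: left alone

    def proxy_arp_gaps(self) -> list:
        """Inside-global addresses that sit in an outside SVI's subnet without ip proxy-arp;
        no host owns them, so the switch must answer ARP for them or replies are lost."""
        return sorted(str(g) for g in self.static_rules.values() for i in self.interfaces
                      if i.nat_role == "outside" and g in i.network and not i.proxy_arp)


def build_model(proxy_arp_on_outside: bool) -> StaticNatModel:
    """The thread's topology with the constructed subnets named in the module docstring."""
    vlan2 = Interface(ip_network("10.4.2.0/24"), "inside")
    vlan170 = Interface(ip_network("10.170.2.0/24"), "outside", proxy_arp_on_outside)
    return StaticNatModel(
        interfaces=[vlan2, vlan170],
        routes=[(vlan2.network, vlan2), (vlan170.network, vlan170),
                (ip_network("172.16.0.0/12"), vlan170)],   # behind the TP firewall
        static_rules={ip_address("10.4.2.220"): ip_address("10.170.2.53")},
    )
```

`build_model(False).proxy_arp_gaps()` reports 10.170.2.53 as needing proxy-ARP on Vlan170, matching the guide's note; with the flag set to True the list is empty.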

mmcfarland727 (Level 1)

Thank you Sergiu, I really appreciate your input.

I get the following message when attempting to configure NAT on the relevant interface:

ERROR: NAT configuration Failed: aclqos: TCAM region is not configured. Please configure TCAM region and retry the command (err_id 0x410400C5)

It appears I have to allocate a TCAM region for NAT, which also requires a reboot.

Once I have scheduled a maintenance window and configured the TCAM region, I will let you know how the NAT config goes.

Thanks again.


Sergiu.Daniluk (VIP Alumni)

That's true. You receive the error because by default no TCAM entries are allocated for the NAT feature. You'll need to adjust the TCAM (hardware access-list tcam region nat size).

Looking forward to the results of the config.

Take care,

Sergiu

mmcfarland727 (Level 1)

Hi Sergiu,

Apologies for the late response, I have only just been able to reboot the network and get NAT enabled.

Unfortunately the NAT configuration has not worked; it doesn't appear to be NATing the relevant IP.

I have added the ip proxy-arp command to the outside interface.

Any suggestions would be appreciated.

Thanks,

Mark


mmcfarland727 (Level 1)

Hi Sergiu,

The NAT configuration did work!!

The third party we are connecting to have confirmed they can see the relevant packets from the correct IP. When connecting to the URL I was getting a 404 error and thought it hadn't worked, but the TP have confirmed that's what is expected.

So thank you for taking the time to reply and help me with this configuration.

Much appreciated.

Thanks,

Mark