NAT not working on IOx on IR809 IOS Version 15.8(3)M4

2425896948 · ‎06-21-2022

I have configured IOS according to :Phase 3 – Configuring Cisco IOS to Enable Access to Cisco IOx - IOx - Document - Cisco DevNet

I connect my computer on G0 and can't ping the IOX guest-os in G2 and can't get into 8443 web page of IOX local manager

here are my configurations:
ip dhcp pool gospool
network 192.168.20.0 255.255.255.0
default-router 192.168.20.254
domain-name gos.com
dns-server 8.8.8.8
option 42 ip 128.138.140.44
remember
!
ip dhcp pool hostpool
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
dns-server 8.8.8.8
option 42 ip 128.138.140.44
domain-name gos.com
remember

interface GigabitEthernet0
ip address 192.168.10.254 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
ipv6 enable

interface GigabitEthernet2
ip address 192.168.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
ipv6 enable

router rip
version 2
network 192.168.10.0
network 192.168.20.0
no auto-summary
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0 overload
ip nat inside source list NAT_ACL interface GigabitEthernet0 overload
ip nat inside source static tcp 192.168.20.1 22 interface GigabitEthernet0 2222
ip nat inside source static tcp 192.168.20.1 8443 interface GigabitEthernet0 8443
!
ip access-list standard NAT_ACL
permit 192.0.0.0 0.255.255.255

However, my host computer (192.168.10.1)can ping G2(192.168.20.254)but not guest-os(192.168.20.1) and I don't know why ,I guess it's because the NAT configuration :

IR800#show ip nat trans
Pro Inside global Inside local Outside local Outside global
tcp 192.168.10.254:2222 192.168.20.1:22 --- ---
tcp 192.168.10.254:8443 192.168.20.1:8443 --- ---

any advise would be appreciated, thanks!

balaji.bandi · ‎06-21-2022

First i would like to test simple NAT rule example :

ip nat inside source list 1 interface GigabitEthernet0 overload
no ip nat inside source list NAT_ACL interface GigabitEthernet0 overload

no ip access-list standard NAT_ACL

access-list 1 permit 192.168.20.0 0.0.0.255

Since you know the IP address (its not DHCP outside interface you can do as below

no ip nat inside source static tcp 192.168.20.1 22 interface GigabitEthernet0 2222
no ip nat inside source static tcp 192.168.20.1 8443 interface GigabitEthernet0 8443

ip nat inside source static tcp 192.168.20.1 22 192.168.10.254 2222
ip nat inside source static tcp 192.168.20.1 8443 192.168.10.254 8443

Note : we do not know how your network diagram looks like so this is based on the informaiton, there is no routing or static route involved, so you running RIP here- that information we do not have visibility)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

2425896948 · ‎06-21-2022

Thanks a lot for your advice man! But I still can't ping guest-os from my host computer.

For my network diagram, I was supposed to use G0 to connect INTERNET ,G1 for host computer and G2 for guest os.

Now I'm just testing whether I can get into IOX local manager so I connect my host computer on G0.

I have changed my configuration according to your advice, my host computer can ping the gateway of guest os (192.168.20.254) but can't ping guest os itself (192.168.20.1)

Now my NAT configurations is like this:

ip nat inside source list 1 interface GigabitEthernet0 overload
ip nat inside source static tcp 192.168.20.1 22 192.168.10.254 2222 extendable
ip nat inside source static tcp 192.168.20.1 8443 192.168.10.254 8443 extendable
!
access-list 1 permit 192.168.20.0 0.0.0.255

balaji.bandi · ‎06-21-2022

For my network diagram, I was supposed to use G0 to connect INTERNET ,G1 for host computer and G2 for guest os.

as per the information you have posted only 2 interface config, if you looking more help please post complete configuration, your network diagram (where is that ?)

show run

I have changed my configuration according to your advice, my host computer can ping the gateway of guest os (192.168.20.254) but can't ping guest os itself (192.168.20.1)

what is the guest OS, if you are able to ping from host to gateway, that is working, if not able to ping guest OS, then we need to what OS is? that what container?

#show iox host list detail

Follow below guide :

https://developer.cisco.com/docs/iox/#!ir-800-series-platform-information/ir8xx-platforms

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

MHM Cisco World · ‎06-21-2022

ip nat inside source list 1 interface GigabitEthernet0 overload<- this need to delete becuaee there same nat with different list below it.

ip access-list standard NAT_ACL
permit 192.0.0.0 0.255.255.255<- before this you need to deny static nat.(for this point please check below link i attach).

2425896948 · ‎06-21-2022

thanks a lot! But I'm afraid I'm not following you.

could you please be more specific? I'm not really familiar with this.

Now I can ping the G2 interface (192.168.20.254)but can't ping the guest os(192.168.20.1) under it.

MHM Cisco World · ‎06-21-2022

ip nat inside source list 1 interface GigabitEthernet0 overload <- this must delete since you have another overload NAT
ip nat inside source list NAT_ACL interface GigabitEthernet0 overload
ip nat inside source static tcp 192.168.20.1 22 interface GigabitEthernet0 2222
ip nat inside source static tcp 192.168.20.1 8443 interface GigabitEthernet0 8443
!
ip access-list extended NAT_ACL
permit ip 192.168.20.0 0.255.255.255 any<-I re-arrange this ACL for NAT

MHM Cisco World · ‎06-21-2022

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13778-9.html

NAT not working on IOx on IR809 IOS Version 15.8(3)M4

IOS XE version と IOS version の対応について

IE 3300 Version 17.9.4a iox Dockerd

IOS-XE SD-WAN: 再起動時に過去に使用していた Version で Boot する

rip is not working

IOS-XE Router では NAT+HSRP 併用時の注意点について