Re: NAT/PAT in MPLS L3VPN on ASBR /PE Router

Ashhad Hussain · ‎09-23-2019

can anyone suggest me the best method of NAT on PE ASBR router before sending the customer traffic to any CSP if CSP is advising that they only receive public IP.

I have a solution but some discrepancies are there. like when the customer is using any random public IP or registered public for the branch to branch communication for any reason then their branch to branch communication will be impacted.

and again if the customer is advertising any default route and destination is supposed to be public address then the source will be natted which will not be expected.

attached diagram is self-explanatory.

any good suggestion.

manmp · ‎09-25-2019

Hi Ashhad,

I think what you need is Destination Based NAT. You haven't mentioned the router model, but I guess most should support it.

It is already addressed here:

https://community.cisco.com/t5/firewalls/destination-based-nat/td-p/3084550

Regards

Manjunath M P

Ashhad Hussain · ‎09-25-2019

Ashhad Hussain · ‎09-25-2019

i agree with your suggestion but the issue is we can not make is destination based NAT.

The reason is we dont know the destination and even though we somehow manged to know then we would need to update the destination route after every month or 6 month since destination is not fixed we receive updated destination every time.

manmp · ‎09-26-2019

Okay understood. Is it possible to then mark all your ingress interfaces as 'ip nat inside' and the outgoing interface towards CSP as 'ip nat outside', so only traffic going out the CSP interface will be nat'ed and your internal traffic won't be NAT'ed

Regards

Manjunath M P

Ashhad Hussain · ‎09-26-2019

Since it is done on dataplane , i cam match src ip , dest ip, port , dscp but we have restriction that we can not match dscp & port.

And the ingress interface is mpls so whatever the traffic is hitting nat inside filter it will nat all the traffic including the traffic destined for colocated also...