Need a TCL / EEM script to change a port forwarding entry

Hey,

I need a bit of help.

I need to set up a remote-access port forward to a machine that sits in a VRF.

Because it's in a VRF I cannot use the interface command; I can only specify the WAN IP. I have no option for a static IP, so I need a script or an EEM applet to change the WAN IP when it changes.

My outside interface is Dialer1.

Here's what the lines look like now:

ip nat inside source static tcp 172.16.66.2 3389 x.x.x.x 3389 vrf WORK extendable
ip nat inside source static udp 172.16.66.2 3389 x.x.x.x 3389 vrf WORK extendable

I've verified it works with the WAN IP, so now I just need a script that pulls the IP off Dialer1 and changes those two lines to match the IP.

I'm not really a programmer and I can't find a simple enough example on the internet.

Thanks to anyone who can help!


14 Replies

balaji.bandi (Hall of Fame)

Why not use an interface instead of the IP? Example (do you see any issues?):

ip nat inside source static tcp 172.16.66.2 3389 interface dialer1 3389 vrf WORK extendable

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

As I stated above, you cannot specify a VRF if you use the interface option in the line:


ip nat inside source static tcp 172.16.66.2 3389 interface dialer1 ?
<1-65535> Global UDP/TCP port

(config)#ip nat inside source static tcp 172.16.66.2 3389 interface dialer1 3389 ?
<cr> <cr>

Yes, now I understand the limitation. Before I go further, give an example: does the IP only change when the Dialer1 interface goes down?

What kind of logs do you see on the router? Then EEM can run based on the syslog message, get the new IP and change the syntax.

(I do not have a dialer to test.)

BB

Nothing shows up in the logs, so I'd have to use EEM and an SLA to ping a DDNS setup; I'd have to compare the IP every 24 hours or so. I have no idea how often the IP actually changes, to be honest.

High level, this is a concept; it can be improved with if and else conditions.

action 10 cli command "enable"
action 11 cli command "show interfaces dialer1 | include Internet address "
action 12 regexp "([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" $_cli_result
action 13 cli command "config t"
action 14 cli command "no ip nat inside source static tcp 172.16.66.2 3389 x.x.x.x 3389 vrf WORK extendable"
action 15 cli command "no ip nat inside source static udp 172.16.66.2 3389 x.x.x.x 3389 vrf WORK extendable"
action 16 cli command "ip nat inside source static tcp 172.16.66.2 3389 $_cli_result 3389 vrf WORK extendable"
action 17 cli command "ip nat inside source static udp 172.16.66.2 3389 $_cli_result 3389 vrf WORK extendable"
action 18 cli command "end"

BB

The regexp command seems to not be working as expected. I shortened and changed the script you gave me to try to isolate the problem:

event manager applet test
 event none
 action 10 cli command "enable"
 action 11 cli command "show interfaces dialer1 | include Internet address "
 action 12 regexp "([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" $_cli_result
 action 13 syslog msg "This is $_cli_result"

When I run this test I receive this result:

%HA_EM-6-LOG: test: This is Internet address is 174.23.150.38/32
Internet address will be negotiated using IPCP

So it does not appear to just be pulling the IP address from the result.

I suggested a concept so you can understand how you can build EEM; that is not the final solution that works as expected.

Some examples:

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-16/216091-best-practices-and-useful-scripts-for-ee.html

BB

Hello,

Enable debugging:

debug ip ddns update

Then use the script below. This will update the static NAT entry each time there is a DDNS update:


event manager applet DDNS_UPDATE 
event syslog pattern "DDNS: Dynamic Update"
action 1.0 cli command "enable"
action 2.0 cli command "show ip int brief | inc Dialer1"
action 3.0 regexp " [0-9.]+ " "$_cli_result" ddns_ip
action 4.0 cli command "conf t"
action 5.0 cli command "ip nat inside source static udp 172.16.66.2 3389 $ddns_ip 3389 vrf WORK extendable"
action 6.0 cli command "end"
action 7.0 cli command "clear log" pattern "confirm"
action 8.0 cli command "y"

This would probably work as well; I'd have to clear out the existing entries, but that is another solution.

Dan Frey (Cisco Employee), accepted solution

Try using this EEM policy. It's set up to run manually for testing, and you will need to put it on a watchdog or cron timer to run every so often. Also change the interface name and IP addresses, as I did not have a dialer to test. It's not destructive if the IP does not change, and it only clears the NAT table and writes new entries if the IP address changes on the interface.

 

event manager applet test
 event none
 action 010 cli command "enable"
 action 020 cli command "show interfaces gig1 | include Internet address "
 action 030 regexp "([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" "$_cli_result" match IP
 action 040 puts "internet address = $IP"
 action 050 cli command "show run | inc ^ip nat inside source static tcp 10.0.1.50"
 action 060 regexp "ip nat inside source static tcp 10.0.1.50 22 ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" "$_cli_result" match oldIP
 action 065 puts "old IP = $oldIP"
 action 067 cli command "config t"
 action 070 if $oldIP eq "$IP"
 action 080  puts "IP did not change.  exiting"
 action 090  exit
 action 100 else
 action 105  puts "IP have changed from $oldIP to $IP.  Clearing NAT table and writing new NAT entries"
 action 110  cli command "do clear ip nat translation vrf WORK *"
 action 120  cli command "no ip nat inside source static udp 10.0.1.50 22 $oldIP 2022 vrf WORK extendable"
 action 130  cli command "no ip nat inside source static tcp 10.0.1.50 22 $oldIP 2022 vrf WORK extendable"
 action 140  cli command "ip nat inside source static tcp 10.0.1.50 22 $IP 2022 vrf WORK extendable"
 action 150  cli command "ip nat inside source static udp 10.0.1.50 22 $IP 2022 vrf WORK extendable"
 action 160 end

lab-csr1#event manager run test
internet address = 10.34.43.3
old IP = 10.34.43.3
IP did not change.  exiting

change IP on gig1 for testing

lab-csr1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
lab-csr1(config)#int gig1
lab-csr1(config-if)#ip add 10.53.43.2 255.255.255.0
lab-csr1(config-if)#end
lab-csr1#
lab-csr1#event manager run test
internet address = 10.53.43.2
old IP = 10.34.43.3
IP have changed from 10.34.43.3 to 10.53.43.2.  Clearing NAT table and writing new NAT entries

@Dan Frey - Good stuff, this is what I am suggesting: compare and make a decision based on the outcome. If the IP is the same, no action is required; if the IP changed, take action...

BB

Excellent! I've made the necessary changes and added: event timer cron name REFRESH cron-entry "00 00 * * *"

I believe that should fire it off every night at midnight.

Thanks everyone for your help.

 

Based on the lessons learned, check how frequently the IP change occurs, and make a log file as well, so you can shorten the interval and get accurate results without losing network connectivity.

I'd make it lower, to run every 4 hours, since if the IP does not change the script does not take any action anyway.

BB

Hello,

That script is even better. I would still leave it on the syslog pattern match triggered by the DDNS debug, though, because you never know when the change occurs.
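Putting the thread together, here is an added example, not code posted by anyone above, of the accepted applet adapted to the parameters of the original question: Dialer1, 172.16.66.2 port 3389 for both tcp and udp, VRF WORK, on the cron schedule discussed at the end of the thread. It also covers the two failure modes the thread runs into. First, the regexp action has to name a submatch variable: without one only $_regexp_result is set and $_cli_result still holds the whole show output, which is why the earlier test printed the full "Internet address is ..." line. Second, when Dialer1 is down or IPCP is still negotiating there is no "Internet address is" line at all, so the applet must bail out rather than write an empty address into the NAT line. The applet name NAT_DIALER_REFRESH, the 4-hour schedule, the cfgIP/oldIP variable names and the syslog messages are my assumptions.

```cisco
event manager applet NAT_DIALER_REFRESH
 ! Assumed schedule: every 4 hours, as suggested at the end of the thread.
 event timer cron name REFRESH cron-entry "0 0,4,8,12,16,20 * * *"
 action 010 cli command "enable"
 ! Match only the line that carries the address. When Dialer1 is down or
 ! IPCP is still negotiating this returns nothing and the regexp fails.
 action 020 cli command "show interfaces Dialer1 | include Internet address is"
 ! The submatch variable IP is what makes the address usable; without it
 ! only $_regexp_result is set and $_cli_result keeps the whole output.
 action 030 regexp "Internet address is ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" "$_cli_result" match IP
 action 040 if $_regexp_result ne "1"
 action 050  syslog priority warnings msg "NAT_DIALER_REFRESH: no IPv4 address on Dialer1, NAT left unchanged"
 action 060  exit
 action 070 end
 ! WAN address currently in the static NAT entry; "none" on a first run.
 action 080 set oldIP "none"
 action 090 cli command "show running-config | include ^ip nat inside source static tcp 172.16.66.2 3389 "
 action 100 regexp "static tcp 172.16.66.2 3389 ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) 3389" "$_cli_result" match cfgIP
 action 110 if $_regexp_result eq "1"
 action 120  set oldIP "$cfgIP"
 action 130 end
 ! Nothing to do if the configured address already matches Dialer1.
 action 140 if $oldIP eq "$IP"
 action 150  exit
 action 160 end
 action 170 syslog priority notifications msg "NAT_DIALER_REFRESH: Dialer1 moved from $oldIP to $IP, rewriting static NAT"
 ! Active translations must be cleared before a static entry can be removed.
 action 180 cli command "clear ip nat translation vrf WORK *"
 action 190 cli command "configure terminal"
 action 200 if $oldIP ne "none"
 action 210  cli command "no ip nat inside source static tcp 172.16.66.2 3389 $oldIP 3389 vrf WORK extendable"
 action 220  cli command "no ip nat inside source static udp 172.16.66.2 3389 $oldIP 3389 vrf WORK extendable"
 action 230 end
 action 240 cli command "ip nat inside source static tcp 172.16.66.2 3389 $IP 3389 vrf WORK extendable"
 action 250 cli command "ip nat inside source static udp 172.16.66.2 3389 $IP 3389 vrf WORK extendable"
 action 260 cli command "end"
```

Test it the way the accepted answer does, with "event manager run NAT_DIALER_REFRESH" after temporarily replacing the cron event with "event none", and watch the syslog messages: one run should report the rewrite, the next should exit silently, and a run with Dialer1 shut should log the warning and leave the NAT lines alone. An applet takes a single event statement, so to also fire on the DDNS debug message as suggested above, configure a second copy of the same actions under event syslog pattern "DDNS: Dynamic Update"; because the applet compares the configured address with the live one before touching anything, the two triggers cannot step on each other. The rewritten entries live in the running configuration only; if you save them, be aware that the saved address is stale the next time the dialer renegotiates, which is exactly what the periodic check is there to catch.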
