Solved: Re: Configure NAT with secondary IP address

sigcerder · ‎01-03-2024

Hello, I have a cisco 8000v virtual router.
The provider has assigned me an address with /29 prefix.
Behind the router I have rfc1918 networks, I would like to understand if I can make a nat rule using secondary interface?
In other words, I need to get something like this. I need to make it so that clients can reach different addresses using different external addresses, for example, whether it is Exchange, Web Services, and so on.
Does this work in cisco and how to configure it properly?

ip nat inside source static tcp 10.0.1.10 25 X.X.X.26 25 extendable
ip nat inside source static tcp 10.0.1.20 25 X.X.X.28 25 extendable

config:

interface GigabitEthernet1
ip address X.X.X.26 255.255.255.248
ip address X.X.X.28 255.255.255.248 secondary
ip nbar protocol-discovery
ip nat outside
no negotiation auto
no mop enabled
no mop sysid

interface GigabitEthernet4
ip address 10.0.1.254 255.255.255.0
ip nat inside
no negotiation auto
no mop enabled
no mop sysid

ip route 0.0.0.0 0.0.0.0 X.X.X.25

ip access-list extended NAT
permit ip 10.0.1.0 0.0.0.255 any

ip nat inside source list NAT interface GigabitEthernet1 overload

MHM Cisco World · ‎01-06-2024

ip policy route-map PBR_Secondary <<- there is no config of PRB it only the name, and if you config it use set interface not set ip next-hop

ip nat inside source route-map PROVIDER_1 interface GigabitEthernet1 overload <<- this not work because the subnet always will NATing to Primary IP not to secondary IP, you need to use IP NAT POOL, specify the secondary IP's
you need also to add another IP NAT inside for primary IP.

this my lab it done and work as I need
MHM

View solution in original post

MHM Cisco World · ‎01-06-2024

R1#show run
R1#show running-config wn
R1#show running-config
Building configuration...

Current configuration : 2389 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip policy route-map ISP2
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/0
ip address 210.0.0.1 255.255.255.0 secondary
ip address 200.0.0.1 255.255.255.0
ip nat outside
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet4/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet4/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet5/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet5/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet6/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet6/1
no ip address
shutdown
speed auto
duplex auto
!
ip nat pool ISP2 210.0.0.10 210.0.0.100 prefix-length 24
ip nat inside source route-map ISP1NAT interface FastEthernet1/0 overload
ip nat inside source route-map ISP2NAT pool ISP2
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 23.23.23.23 255.255.255.255 100.0.0.2
ip route 23.23.23.23 255.255.255.255 200.0.0.3
ip route 23.23.23.23 255.255.255.255 210.0.0.3
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
!
route-map ISP1NAT permit 10
match ip address 100
match interface FastEthernet1/0
!
route-map ISP2NAT permit 10
match ip address 100
match interface FastEthernet2/0
!
route-map ISP2 permit 10
match ip address 100
set interface FastEthernet2/0
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login

View solution in original post

Torbjørn · ‎01-03-2024

Hello @sigcerder,

It is possible to use a non-primary IP address as the "outside" IP address. You don't even need to configure it as a secondary IP address. Once you configure a NAT rule the router will start to listen for that specific IP address on it's "outside" interface.

Are you attempting to use static NAT to allow clients to reach services behind your router(on the "inside") on different addresses, or are you trying to allow clients to reach out to different services using different external addresses?

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

MHM Cisco World · ‎01-03-2024

sure you can I run lab and test it and it OK the NAT work perfectly
MHM

sigcerder · ‎01-04-2024

Thanks guys, the problem was my provider, I did the similar lab and got the same result, now it works fine.

MHM Cisco World · ‎01-04-2024

You are so welcome
MHM

sigcerder · ‎01-06-2024

In order not to create a new topic, I faced another problem on the same topic

I faced a problem, namely in the configuration of PBR for secondary address on an interface, I saw that it is called Nat on the stick, no matter how many times I tried to configure, I fail.
Could you please advise me how to configure NAT correctly to allow access through the external address on specific ports to the internal network.

Ideally I would like to get the following:

ip nat inside source static tcp 10.0.4.20 25 X.X.X.26 25 extendable
ip nat inside source static tcp 10.0.4.21 80 X.X.X.26 80 extendable
ip nat inside source static tcp 10.0.4.21 443 X.X.X.26 443 extendable

ip nat inside source static tcp 10.0.4.30 25 X.X.X.28 25 extendable
ip nat inside source static tcp 10.0.4.31 80 X.X.X.28 80 extendable
ip nat inside source static tcp 10.0.4.31 443 X.X.X.28 443 extendable

I also tried to make 10.0.4.30-31 addresses to the Internet through X.X.X.X.28 address, but unfortunately I failed... In other words, when I check the external address on third-party services, I want to see the X.X.X.X.28 address.

my config:

!
interface GigabitEthernet1
ip address X.X.X.28 255.255.255.248 secondary
ip address X.X.X.26 255.255.255.248
ip nbar protocol-discovery
ip nat outside
!
interface GigabitEthernet2
ip address 10.0.1.254 255.255.255.0
ip nat inside
speed 25000
no negotiation auto

!
interface GigabitEthernet4
ip address 10.0.4.254 255.255.255.0
ip nat inside
ip policy route-map PBR_Secondary
speed 25000
no negotiation auto
!
interface GigabitEthernet5
ip address X.X.X.290 255.255.255.0
ip nbar protocol-discovery
ip nat outside
no negotiation auto

!
ip route 0.0.0.0 0.0.0.0 X.X.X.25 track 100
ip route 0.0.0.0 0.0.0.0 X.X.X.290 10

!
ip nat inside source route-map PROVIDER_1 interface GigabitEthernet1 overload
ip nat inside source route-map PROVIDER_2 interface GigabitEthernet5 overload

!
ip access-list extended NAT
permit ip 10.0.4.0 0.0.0.255 any
permit ip 10.0.1.0 0.0.0.255 any

!
route-map PROVIDER_1 permit 10
match ip address NAT
match interface GigabitEthernet1
!
route-map PROVIDER_2 permit 10
match ip address NAT
match interface GigabitEthernet5

MHM Cisco World · ‎01-06-2024

I keep my lab I will add PBT to it and check
MHM

MHM Cisco World · ‎01-06-2024

ip policy route-map PBR_Secondary <<- there is no config of PRB it only the name, and if you config it use set interface not set ip next-hop

ip nat inside source route-map PROVIDER_1 interface GigabitEthernet1 overload <<- this not work because the subnet always will NATing to Primary IP not to secondary IP, you need to use IP NAT POOL, specify the secondary IP's
you need also to add another IP NAT inside for primary IP.

this my lab it done and work as I need
MHM

sigcerder · ‎01-06-2024

Could you please share your configuration so I can understand it?

MHM Cisco World · ‎01-06-2024

R1#show run
R1#show running-config wn
R1#show running-config
Building configuration...

Current configuration : 2389 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip policy route-map ISP2
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/0
ip address 210.0.0.1 255.255.255.0 secondary
ip address 200.0.0.1 255.255.255.0
ip nat outside
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet4/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet4/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet5/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet5/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet6/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet6/1
no ip address
shutdown
speed auto
duplex auto
!
ip nat pool ISP2 210.0.0.10 210.0.0.100 prefix-length 24
ip nat inside source route-map ISP1NAT interface FastEthernet1/0 overload
ip nat inside source route-map ISP2NAT pool ISP2
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 23.23.23.23 255.255.255.255 100.0.0.2
ip route 23.23.23.23 255.255.255.255 200.0.0.3
ip route 23.23.23.23 255.255.255.255 210.0.0.3
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
!
route-map ISP1NAT permit 10
match ip address 100
match interface FastEthernet1/0
!
route-map ISP2NAT permit 10
match ip address 100
match interface FastEthernet2/0
!
route-map ISP2 permit 10
match ip address 100
set interface FastEthernet2/0
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login

sigcerder · ‎01-06-2024

Thanks a lot for your recommendation, could you check my configuration please, because if I understand correctly I need to delete my nat overload rule and use ip nat pool?
My configuration looks like this now and doesn't work, what can I forget?

interface GigabitEthernet1
ip address X.X.X.28 255.255.255.248 secondary
ip address X.X.X.26 255.255.255.248
ip nbar protocol-discovery
ip nat outside

interface GigabitEthernet4
ip address 10.0.4.254 255.255.255.0
ip nat inside
ip policy route-map ISP3

ip nat pool ISP3 X.X.X.28 X.X.X.28 prefix-length 29
ip nat inside source route-map ISP1 interface GigabitEthernet1 overload
ip nat inside source route-map ISP2 interface GigabitEthernet5 overload
ip nat inside source route-map ISP3 pool ISP3

route-map ISP2 permit 10
match ip address NAT
match interface GigabitEthernet5

route-map ISP3 permit 10
match ip address NAT
match interface GigabitEthernet1

route-map ISP1 permit 10
match ip address NAT
match interface GigabitEthernet1

MHM Cisco World · ‎01-06-2024

still there is issue,
the route-map for primary and secondary public IP is same
i.e. you match same subnet for both route-map ?
MHM

sigcerder · ‎01-07-2024

You right I mixed up my access-list. Now it works fine, thank you!

MHM Cisco World · ‎01-07-2024

You are so welcome
MHM