01-03-2024 09:17 AM
Hello, I have a cisco 8000v virtual router.
The provider has assigned me an address with /29 prefix.
Behind the router I have rfc1918 networks, I would like to understand if I can make a nat rule using secondary interface?
In other words, I need to get something like this. I need to make it so that clients can reach different addresses using different external addresses, for example, whether it is Exchange, Web Services, and so on.
Does this work in cisco and how to configure it properly?
ip nat inside source static tcp 10.0.1.10 25 X.X.X.26 25 extendable
ip nat inside source static tcp 10.0.1.20 25 X.X.X.28 25 extendable
config:
interface GigabitEthernet1
ip address X.X.X.26 255.255.255.248
ip address X.X.X.28 255.255.255.248 secondary
ip nbar protocol-discovery
ip nat outside
no negotiation auto
no mop enabled
no mop sysid
interface GigabitEthernet4
ip address 10.0.1.254 255.255.255.0
ip nat inside
no negotiation auto
no mop enabled
no mop sysid
ip route 0.0.0.0 0.0.0.0 X.X.X.25
ip access-list extended NAT
permit ip 10.0.1.0 0.0.0.255 any
ip nat inside source list NAT interface GigabitEthernet1 overload
01-03-2024 02:21 PM
Hello @sigcerder,
It is possible to use a non-primary IP address as the "outside" IP address. You don't even need to configure it as a secondary IP address. Once you configure a NAT rule the router will start to listen for that specific IP address on its "outside" interface.
Are you attempting to use static NAT to allow clients to reach services behind your router (on the "inside") on different addresses, or are you trying to allow clients to reach out to different services using different external addresses?
01-03-2024 08:31 PM
Sure you can. I ran a lab and tested it and it is OK, the NAT works perfectly.
MHM
01-04-2024 10:39 AM
Thanks guys, the problem was my provider. I did a similar lab and got the same result, now it works fine.
01-04-2024 10:44 AM
You are so welcome
MHM
01-06-2024 04:26 AM
In order not to create a new topic, I faced another problem on the same subject.
I faced a problem, namely in the configuration of PBR for a secondary address on an interface. I saw that it is called NAT on a stick; no matter how many times I tried to configure it, I fail.
Could you please advise me how to configure NAT correctly to allow access through the external address on specific ports to the internal network.
Ideally I would like to get the following:
ip nat inside source static tcp 10.0.4.20 25 X.X.X.26 25 extendable
ip nat inside source static tcp 10.0.4.21 80 X.X.X.26 80 extendable
ip nat inside source static tcp 10.0.4.21 443 X.X.X.26 443 extendable
ip nat inside source static tcp 10.0.4.30 25 X.X.X.28 25 extendable
ip nat inside source static tcp 10.0.4.31 80 X.X.X.28 80 extendable
ip nat inside source static tcp 10.0.4.31 443 X.X.X.28 443 extendable
I also tried to send the 10.0.4.30-31 addresses to the Internet through the X.X.X.28 address, but unfortunately I failed... In other words, when I check the external address on third-party services, I want to see the X.X.X.28 address.
my config:
!
interface GigabitEthernet1
ip address X.X.X.28 255.255.255.248 secondary
ip address X.X.X.26 255.255.255.248
ip nbar protocol-discovery
ip nat outside
!
interface GigabitEthernet2
ip address 10.0.1.254 255.255.255.0
ip nat inside
speed 25000
no negotiation auto
!
interface GigabitEthernet4
ip address 10.0.4.254 255.255.255.0
ip nat inside
ip policy route-map PBR_Secondary
speed 25000
no negotiation auto
!
interface GigabitEthernet5
ip address X.X.X.290 255.255.255.0
ip nbar protocol-discovery
ip nat outside
no negotiation auto
!
ip route 0.0.0.0 0.0.0.0 X.X.X.25 track 100
ip route 0.0.0.0 0.0.0.0 X.X.X.290 10
!
ip nat inside source route-map PROVIDER_1 interface GigabitEthernet1 overload
ip nat inside source route-map PROVIDER_2 interface GigabitEthernet5 overload
!
ip access-list extended NAT
permit ip 10.0.4.0 0.0.0.255 any
permit ip 10.0.1.0 0.0.0.255 any
!
route-map PROVIDER_1 permit 10
match ip address NAT
match interface GigabitEthernet1
!
route-map PROVIDER_2 permit 10
match ip address NAT
match interface GigabitEthernet5
01-06-2024 04:40 AM
I keep my lab I will add PBT to it and check
MHM
01-06-2024 08:01 AM
ip policy route-map PBR_Secondary <<- there is no config of the PBR, it is only the name, and if you config it use set interface, not set ip next-hop
ip nat inside source route-map PROVIDER_1 interface GigabitEthernet1 overload <<- this does not work because the subnet will always be NATed to the primary IP, not to the secondary IP; you need to use an IP NAT POOL and specify the secondary IPs
You also need to add another IP NAT inside rule for the primary IP.
This is my lab; it is done and works as I need.
MHM
01-06-2024 08:23 AM
Could you please share your configuration so I can understand it?
01-06-2024 08:26 AM
R1#show run
R1#show running-config wn
R1#show running-config
Building configuration...
Current configuration : 2389 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip policy route-map ISP2
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/0
ip address 210.0.0.1 255.255.255.0 secondary
ip address 200.0.0.1 255.255.255.0
ip nat outside
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet4/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet4/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet5/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet5/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet6/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet6/1
no ip address
shutdown
speed auto
duplex auto
!
ip nat pool ISP2 210.0.0.10 210.0.0.100 prefix-length 24
ip nat inside source route-map ISP1NAT interface FastEthernet1/0 overload
ip nat inside source route-map ISP2NAT pool ISP2
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 23.23.23.23 255.255.255.255 100.0.0.2
ip route 23.23.23.23 255.255.255.255 200.0.0.3
ip route 23.23.23.23 255.255.255.255 210.0.0.3
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
!
route-map ISP1NAT permit 10
match ip address 100
match interface FastEthernet1/0
!
route-map ISP2NAT permit 10
match ip address 100
match interface FastEthernet2/0
!
route-map ISP2 permit 10
match ip address 100
set interface FastEthernet2/0
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
01-06-2024 09:32 AM
Thanks a lot for your recommendation. Could you check my configuration please, because if I understand correctly I need to delete my NAT overload rule and use ip nat pool?
My configuration looks like this now and doesn't work; what could I have forgotten?
interface GigabitEthernet1
ip address X.X.X.28 255.255.255.248 secondary
ip address X.X.X.26 255.255.255.248
ip nbar protocol-discovery
ip nat outside
interface GigabitEthernet4
ip address 10.0.4.254 255.255.255.0
ip nat inside
ip policy route-map ISP3
ip nat pool ISP3 X.X.X.28 X.X.X.28 prefix-length 29
ip nat inside source route-map ISP1 interface GigabitEthernet1 overload
ip nat inside source route-map ISP2 interface GigabitEthernet5 overload
ip nat inside source route-map ISP3 pool ISP3
route-map ISP2 permit 10
match ip address NAT
match interface GigabitEthernet5
route-map ISP3 permit 10
match ip address NAT
match interface GigabitEthernet1
route-map ISP1 permit 10
match ip address NAT
match interface GigabitEthernet1
01-06-2024 09:36 AM
Still there is an issue:
the route-map for the primary and secondary public IP is the same,
i.e. you match the same subnet for both route-maps?
MHM
01-07-2024 12:13 AM
You're right, I mixed up my access-list. Now it works fine, thank you!
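For readers arriving at this thread later, here is the corrected design the thread converges on, written out as an added example (not MHM's lab config and not the original poster's running config). It assumes X.X.X.26 is the primary and X.X.X.28 the secondary address on GigabitEthernet1, that 10.0.1.0/24 should leave via the primary address and 10.0.4.0/24 via the secondary, and it uses my own names for the ACLs, pool and route-maps.

```cisco
! Added example: secondary public address used for a second inside subnet.
! Assumed: X.X.X.26 primary, X.X.X.28 secondary, /29 from the provider.
interface GigabitEthernet1
 ip address X.X.X.28 255.255.255.248 secondary
 ip address X.X.X.26 255.255.255.248
 ip nat outside
!
interface GigabitEthernet2
 ip address 10.0.1.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet4
 ip address 10.0.4.254 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 X.X.X.25
!
! One ACL per inside subnet. This is the mix-up MHM pointed out: if both
! route-maps match the same ACL, the first NAT rule wins and 10.0.4.0/24 is
! translated to the primary address.
ip access-list extended NAT_PRIMARY
 permit ip 10.0.1.0 0.0.0.255 any
ip access-list extended NAT_SECONDARY
 permit ip 10.0.4.0 0.0.0.255 any
!
route-map NAT_PRIMARY permit 10
 match ip address NAT_PRIMARY
 match interface GigabitEthernet1
route-map NAT_SECONDARY permit 10
 match ip address NAT_SECONDARY
 match interface GigabitEthernet1
!
! "interface ... overload" always uses the interface's primary address, so the
! secondary address must come from a pool. The pool holds the single address
! X.X.X.28; "overload" lets many inside hosts share it via PAT.
ip nat pool SECONDARY_POOL X.X.X.28 X.X.X.28 prefix-length 29
ip nat inside source route-map NAT_PRIMARY interface GigabitEthernet1 overload
ip nat inside source route-map NAT_SECONDARY pool SECONDARY_POOL overload
!
! Inbound port forwards: one entry per exposed service and nothing else.
! The public address in each entry decides which external IP the service
! answers on, independent of the dynamic rules above.
ip nat inside source static tcp 10.0.4.20 25 X.X.X.26 25 extendable
ip nat inside source static tcp 10.0.4.30 25 X.X.X.28 25 extendable
```

Because both public addresses live on the same outside interface and the default route already points out GigabitEthernet1, the NAT route-maps alone select the external address here; the PBR from MHM's lab matters when the secondary address must leave by a different interface. Check the result with show ip nat translations, where 10.0.4.x sessions should show an outside-global address of X.X.X.28 and 10.0.1.x sessions X.X.X.26.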
01-07-2024 12:28 AM
You are so welcome
MHM