Re: Nexus 9318-FX - NAT Issues

vxlannnn · ‎02-08-2021

I'm having issues with some simple NAT logic on a Nexus 93180YC-FX which when tested on an IOS based device work fine.

See attached for basic network diagram.

Basic configuration:

interface vlan100

ip nat inside


interface vlan200

ip nat outside


ip nat inside source static 99.88.8.121 192.168.1.121

ip nat outside source static 192.168.1.21 192.168.1.50 add-route

When I test this on the NK9 the inside rule works successfully.

The strange part is when i check the NAT translation table using show ip nat translations there is nothing listed after a successfully tested inside translation.

When I try to reach 192.168.1.21 using the outside global address 192.168.1.50 from 99.88.8.121 the frame arrives at 192.168.1.21 but the source address is still 99.88.8.121 and not the global inside address 192.168.1.121. I assume the static route created by add-route is allowing this to end up at 192.168.1.21 but why isn't the inside address being translated?

When I test this on an IOS based switch both rules work as expected and the NAT translation tables is properly populated with all the translations.

Is there a limitation with NAT with the specific 9K switch?

balaji.bandi · ‎02-08-2021

You need to have interface configuration with the IP address ?

can you post full configuration, here is my findings

ip nat inside source static 99.88.8.121 192.168.1.121 (this is 21 or typo) ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

vxlannnn · ‎02-08-2021

Interface vlan 100 and interface vlan 200 are configured with L3 addresses - vlan 100 is inside and vlan 200 in outside.

This is to translate the source address of 99.88.8.121 to 192.168.1.121 as it leaves the inside interface towards the outside.

balaji.bandi · ‎02-08-2021

ok what is the outcome - (with out add-route)

ip nat outside source static 192.168.1.21 192.168.1.50

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

vxlannnn · ‎02-08-2021

Without the add-route traffic doesn't make it to 192.168.1.21 at all.

MHM Cisco World · ‎02-08-2021

this is the NAT
what is the IP address of traffic you test
IP Source
IP Destination

IP nat inside is first
then
IP nat outside

some other device support Twice NAT
BUT to make both NAT work together please do
ip nat inside group 1
ip nat outside group 1

this make incoming traffic NAT using both command one time not use one and reject other.

vxlannnn · ‎02-08-2021

I test ping 192.168.1.50 from 99.88.8.121.

My expected results on nxos as confirmed using an IOS switch is that source address is translated from 99.88.8.121 to 192.168.1.121 and the destination is translated from 192.168.1.50 to 192.168.1.21.

MHM Cisco World · ‎02-08-2021

Need both nat work together using group keyword

vxlannnn · ‎02-08-2021

The group keyword isn't even an option in the context of ip nat inside or ip nat outside.

MHM Cisco World · ‎02-08-2021

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/interfaces/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide_7x_chapter_0110...

Please see twice nat config,

Group keyward is option and it appear in end of command