
"ip nat outside" blocks access to the CPE from the outside network

Hi, 

We have a POP with ASR 1002 for BNG and CGNAT.

The problem is with the configuration of CGNAT: we can't access the CPE from outside the ASR via the uplink interface.

We tried to accept it using an access list, but without success.


Follow the configuration:

interface Port-channel1.1138
encapsulation dot1Q 1138
ip address 10.1.38.5 255.255.255.248
ip nat outside
!
interface Virtual-Template1
mtu 1480
ip unnumbered Loopback0
ip nat inside
ip tcp adjust-mss 1452
peer default ip address pool pool_cisco
ipv6 enable
ipv6 nd ra lifetime 21600
ipv6 nd ra interval 4 3
ipv6 dhcp server dhcpv6
ppp mtu adaptive
ppp authentication pap
ppp ipcp dns 8.8.8.8
ppp ipcp address required
ppp ipcp address unique
ppp timeout authentication 20
!
ip local pool pool_cisco 10.38.0.0 10.38.3.255
ip local pool pool_bloqueado 10.24.0.0 10.24.3.254
ip nat settings mode cgn
no ip nat settings support mapping outside
ip nat translation max-entries 247483647
ip nat pool nat_32 x.y.z.0 x.y.z.63 prefix-length 26
ip nat inside source list 1 pool nat_32 overload
ip forward-protocol nd
!
access-list 1 permit 10.38.0.0 0.0.3.255


If we remove the "ip nat outside" setting from the interface, we can access the CPE normally.

1 Reply

pigallo
Cisco Employee

@lerner.mapurunga wrote:

Hi, 

We have a POP with ASR 1002 for BNG and CGNAT.

The problem is with the configuration of CGNAT: we can't access the CPE from outside the ASR via the uplink interface.

Why do you need to access the CPE from the uplink occupied by user traffic?

I don't think it's safe.

You have an uplink port-channel which NATs the outside traffic coming from the 10.38.0.0 network, right?

So, create another sub-interface, let's say Port-channel1.1139, and assign this interface to a management VRF.
Then you can access the CPE in a safer way, bypassing the NAT rules.
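One way to lay out the management sub-interface pigallo suggests, as an added example that is not from the thread or from Cisco. The VRF name MGMT, VLAN 1139, the 10.1.39.0/29 addressing and the ACL are assumed values; reaching the subscriber /32 routes that live in the global table from the MGMT VRF still needs a route leak between the two tables, which the thread does not cover.

```ios
! Added example (not from the thread): a dedicated management sub-interface
! in its own VRF, so CPE access never enters the CGN "ip nat outside" path.
! VRF name, VLAN 1139, 10.1.39.0/29 and the ACL are assumed values.
vrf definition MGMT
 rd 65000:1139
 !
 address-family ipv4
 exit-address-family
!
interface Port-channel1.1139
 description Management access to subscribers (bypasses CGN)
 encapsulation dot1Q 1139
 vrf forwarding MGMT
 ip address 10.1.39.5 255.255.255.248
 ip access-group MGMT-IN in
 ! deliberately no "ip nat outside" / "ip nat inside" on this sub-interface
!
! Only the management stations on the MGMT VLAN may reach the subscriber
! pool; anything else entering this sub-interface is dropped and logged.
ip access-list extended MGMT-IN
 permit ip 10.1.39.0 0.0.0.7 10.38.0.0 0.0.3.255
 deny   ip any any log
!
! Still required, and not covered by the thread: a route from VRF MGMT to the
! subscriber prefix 10.38.0.0/22 (whose /32 routes live in the global table)
! and a return route from global back to 10.1.39.0/29. Design that leak
! (static "global" routes or a BGP import) to fit the existing routing.
```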