Re: ASR1001X NAT translation don't work via BGP connection

valentyn-lytvynov · ‎06-24-2024

Hey there!

Please, help to resolve my issuse after first configuring bgp connection

don't work nat translation what matter what i do

!Debugin ip nat access-list 1

did't show anything

MHM Cisco World · ‎06-24-2024

You need to config PBR direct traffic to Loopback to NATing it source then router will use prefix learn via bgp to forward traffic to destiantion.

What you need only is using pbr.

MHM

valentyn-lytvynov · ‎06-24-2024

MHM - thanks in advance!

Can you explain me if I'm on the right way ?

interface Loopback0
ip address 212.110.1.20 255.255.255.255 secondary
ip address 212.110.1.12 255.255.255.255 secondary
ip address 212.110.1.13 255.255.255.0 secondary
ip address 212.110.1.200 255.255.255.0
ip nat outside
ip policy route-map PublicPolicy
!
interface TenGigabitEthernet0/0/0
no ip address
shutdown
!
interface TenGigabitEthernet0/0/1
no ip address
shutdown
!
interface GigabitEthernet0/0/0
ip address 1.1.1.2 255.255.255.254
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/4
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/5
no ip address
shutdown
negotiation auto
!
interface FastEthernet0/1/0
ip address 10.200.10.1 255.255.255.0
ip nat inside
ip policy route-map LAN
negotiation auto
!
interface FastEthernet0/1/1
no ip address
negotiation auto
!
interface FastEthernet0/1/2
no ip address
negotiation auto
!
interface FastEthernet0/1/3
no ip address
negotiation auto
!
interface FastEthernet0/1/4
ip address 10.200.0.1 255.255.255.0
negotiation auto
!
interface FastEthernet0/1/5
no ip address
negotiation auto
!
interface FastEthernet0/1/6
no ip address
negotiation auto
!
interface FastEthernet0/1/7
ip dhcp relay source-interface FastEthernet0/1/4
ip address dhcp
ip helper-address 10.200.0.1
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address dhcp
negotiation auto
!
router bgp 214776
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 1820
neighbor 1.1.1.1 description BGP connection to AS1820
!
address-family ipv4
network 212.110.1.0
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 soft-reconfiguration inbound
neighbor 1.1.1.1 route-map PublicIPs in
exit-address-family
!
ip nat pool PublicIPs 212.110.1.1 212.110.1.254 netmask 255.255.255.0
ip nat inside source static 10.200.10.2 212.110.1.13
ip nat inside source list LAN pool PublicIPs overload
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip dns server
ip ssh version 1
!
ip access-list standard LAN
remark Trafic to LAN
permit 10.200.10.0 0.0.0.255 log
ip access-list standard Public
permit any
!
route-map PublicPolicy permit 10
match ip address Public
set ip next-hop 1.1.1.1
!
route-map LAN permit 20
match ip address LAN
set ip next-hop 212.110.1.200

and where I'm get wrong cause this still doesn't work

MHM Cisco World · ‎06-24-2024

route-map PublicPolicy permit 10 <<- remove this route map from LO interface the LO know the destination via RIB
match ip address Public
set ip next-hop 1.1.1.1

MHM

paul driver · ‎06-24-2024

Hello
Apologies for this but your configuration looks all wrong, you have nat domains specified for the loopback but in the attached file not specified and lan interface but not for any wan interface, also you have route-maps that dont exist and multiple nat statements that overlap.

Can you elaborate on exactly what you are trryng to achieve, maybe share a topology diagram?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

valentyn-lytvynov · ‎06-25-2024

Hi Pual

Probably, you are right this my first setaping of cisco router, before I setaping only switches and it's suprased me, I don't understand what use instead Vlan for group several interface, and nat translation. Will be grateful for futher assistans.

Descr: Two internal subnet one with access internet, one without but need mapping from public ip for remote access and one subnet for static public IP's on dedicated devices

MHM Cisco World · ‎06-25-2024

did you try remove PBR under LO and check NAT ?

MHM

paul driver · ‎06-25-2024

Hello
Just to confirm -

10.200.10.0/24 = LAN1 (MGMT)
10.200.0.0/24 = LAN2
1.1.1.2/31 = WAN
212.110.1.0/24 = ? - this is public ip range also assigned to your site

Do you want to nat LAN1 & 2 hosts to the public ip range 212.110.1.0/24, and if so can you confirm what lan hosts:

require internet access
require a 1-to-1 static natting

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

valentyn-lytvynov · ‎06-25-2024

Right 212.110.1.0/24 - pool of public ip

LAN - required access to internet

and

1 way - static nat to privat addresses from public

or

2 way assign on devices static public ip and have access to internet

Thanks!

valentyn-lytvynov · ‎06-25-2024

Now, it;s look like this

But! I havn't access to internet from lan, able to ping lan gateway on l1 but can't ping ip of client from dhcp pool leased

policy don't assign

MHM Cisco World · ‎06-25-2024

that wrong see the correct steps

interface Loopback0
ip address 212.110.1.20 255.255.255.255 secondary
ip address 212.110.1.12 255.255.255.255 secondary
ip address 212.110.1.13 255.255.255.0 secondary
ip address 212.110.1.200 255.255.255.0
ip nat outside
~~ip policy route-map PublicPolicy remove this ONLY~~
!
interface TenGigabitEthernet0/0/0
no ip address
shutdown
!
interface TenGigabitEthernet0/0/1
no ip address
shutdown
!
interface GigabitEthernet0/0/0
ip address 1.1.1.2 255.255.255.254
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/4
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/5
no ip address
shutdown
negotiation auto
!
interface FastEthernet0/1/0
ip address 10.200.10.1 255.255.255.0
ip nat inside
ip policy route-map LAN <<- keep this
negotiation auto
!
interface FastEthernet0/1/1
no ip address
negotiation auto
!
interface FastEthernet0/1/2
no ip address
negotiation auto
!
interface FastEthernet0/1/3
no ip address
negotiation auto
!
interface FastEthernet0/1/4
ip address 10.200.0.1 255.255.255.0
negotiation auto
!
interface FastEthernet0/1/5
no ip address
negotiation auto
!
interface FastEthernet0/1/6
no ip address
negotiation auto
!
interface FastEthernet0/1/7
ip dhcp relay source-interface FastEthernet0/1/4
ip address dhcp
ip helper-address 10.200.0.1
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address dhcp
negotiation auto
!
router bgp 214776
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 1820
neighbor 1.1.1.1 description BGP connection to AS1820
!
address-family ipv4
network 212.110.1.0
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 soft-reconfiguration inbound
neighbor 1.1.1.1 route-map PublicIPs in
exit-address-family
!
ip nat pool PublicIPs 212.110.1.1 212.110.1.254 netmask 255.255.255.0
ip nat inside source static 10.200.10.2 212.110.1.13
ip nat inside source list LAN pool PublicIPs overload
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip dns server
ip ssh version 1
!
ip access-list Extended LAN
remark Trafic to LAN
permit ip 10.200.10.0 0.0.0.255 any
~~ip access-list standard Public~~
~~permit any~~
!
ro~~ute-map PublicPolicy permit 10~~
~~match ip address Public~~
~~set ip next-hop 1.1.1.1~~
!
route-map LAN permit 20
match ip address LAN
set ip next-hop 212.110.1.200 <<- run debug ip policy to see if traffic from 10.200.10.0 pass to LO or not

valentyn-lytvynov · ‎06-25-2024

Debug shown

Jun 25 09:40:10.553: IP: s=10.200.0.1 (Loopback1), d=255.255.255.255, len 50, policy match
Jun 25 09:40:10.553: IP: route map LAN, item 20, permit
Jun 25 09:40:10.553: IP: s=10.200.0.1 (Loopback1), d=255.255.255.255 (GigabitEthernet0/0/0), len 50, policy routed
Jun 25 09:40:10.553: IP: Loopback1 to GigabitEthernet0/0/0 217.20.178.56
Jun 25 09:40:10.553: IP: s=10.200.10.1 (Loopback2), d=255.255.255.255, len 50, policy match
Jun 25 09:40:10.553: IP: route map MGMT, item 10, permit
Jun 25 09:40:10.553: IP: s=10.200.10.1 (Loopback2), d=255.255.255.255 (Loopback0), len 50, policy routed
Jun 25 09:40:10.553: IP: Loopback2 to Loopback0 212.110.141.200
Jun 25 09:40:14.553: IP: s=10.200.0.1 (Loopback1), d=255.255.255.255, len 50, policy match
Jun 25 09:40:14.553: IP: route map LAN, item 20, permit
Jun 25 09:40:14.553: IP: s=10.200.0.1 (Loopback1), d=255.255.255.255 (GigabitEthernet0/0/0), len 50, policy routed
Jun 25 09:40:14.553: IP: Loopback1 to GigabitEthernet0/0/0 217.20.178.56
Jun 25 09:40:14.553: IP: s=10.200.10.1 (Loopback2), d=255.255.255.255, len 50, policy match
Jun 25 09:40:14.553: IP: route map MGMT, item 10, permit
Jun 25 09:40:14.553: IP: s=10.200.10.1 (Loopback2), d=255.255.255.255 (Loopback0), len 50, policy routed
Jun 25 09:40:14.553: IP: Loopback2 to Loopback0 212.110.141.200

valentyn-lytvynov · ‎06-25-2024

Looks loke working

But one point I still can pinging clients ip from router does it means haven't route to client machine ?

MHM Cisco World · ‎06-25-2024

Can yoh check NAT table

Do you see any NAT entry ?

MHM

valentyn-lytvynov · ‎06-25-2024

Sure, (litlle bit change - first ans second gateway for lan I resrtup on l1 and l2 interfaces)

translation is present but I still can't get access to clients ip, does this is root cause of issue ?

ip nat pool PublicIPs 212.110.141.1 212.110.141.254 netmask 255.255.255.0
ip nat inside source static tcp 10.200.0.3 3389 212.110.141.12 44444 extendable
ip nat inside source static 10.200.0.3 212.110.141.12 extendable
ip forward-protocol nd

ping 10.200.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.0.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Total active translations: 2 (2 static, 0 dynamic; 1 extended)
Outside interfaces:
Loopback0
Inside interfaces:
Loopback1, Loopback2
Hits: 0 Misses: 0
Expired translations: 0
Dynamic mappings:
nat-limit statistics:
max entry: max allowed 0, used 0, missed 0
In-to-out drops: 0 Out-to-in drops: 0
Pool stats drop: 0 Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 212.110.141.12 10.200.0.3 --- ---
tcp 212.110.141.12:44444 10.200.0.3:3389 --- ---
Total number of translations: 2