1831 Views, 1 Helpful, 7 Replies

Cisco Policy-NAT with Route-map Issues

rodrigo.cisco
Level 4

Hi experts!

I'm currently working on a project and I am noticing some abnormal behavior with NAT when I'm using NAT with a route-map, as below:

ip nat inside source route-map RM_PAT_EMBRATEL_51 pool EMBRATEL_POOL_51 overload

route-map RM_PAT_EMBRATEL_51, permit, sequence 10
  Match clauses:
    ip address (access-lists): ACL_PAT_EMBRATEL_51
    interface GigabitEthernet0/0.902
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
RT-RJ-SCBF1#
RT-RJ-SCBF1#sh ip access-list ACL_PAT_EMBRATEL_51
Extended IP access list ACL_PAT_EMBRATEL_51
    10 permit tcp host 10.21.2.188 any eq smtp
    20 permit tcp host 10.21.2.188 any eq 465
    40 permit tcp host 10.21.2.51 any eq smtp
    50 permit tcp host 10.21.2.151 any eq smtp
    60 permit tcp host 10.21.2.50 any eq smtp
!

My client complained that some servers could not access the network. After some troubleshooting I realized that NAT was not working 100%. For instance, the server 10.21.2.188 was not able to reach the Internet, and I validated this using the ACL below on the outside interface to catch servers that were not NATed when passing through the Cisco routers:

#sh ip access-lists teste2
Extended IP access list teste2
    5 permit tcp host 10.21.2.50 any eq smtp (25 matches)
    10 permit tcp host 10.21.2.50 any eq www
    20 permit tcp host 10.21.2.188 any eq www (122 matches)
    30 permit tcp 10.21.2.0 0.0.0.255 any
    40 permit ip any any (589424 matches)
!

I am quite sure that my configuration is right, but I'm showing the important information below for you guys to analyze:

interface GigabitEthernet0/0.901
 description ** INSIDE INTERFACE **
 encapsulation dot1Q 901
 ip address 10.21.254.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 standby 1 ip 10.21.254.1
 standby 1 priority 150
 standby 1 preempt
 standby 1 name HSRP
 ip policy route-map RM_POLICY_ROUTING
 logging event subif-link-status
!
interface GigabitEthernet0/0.902
 description ** MAIN ISP **
 encapsulation dot1Q 902
 ip address X.X.X.X 255.255.255.240
 ip access-group teste2 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 no ip virtual-reassembly in
!
interface GigabitEthernet0/0.903
 description ** ISP 2 **
 encapsulation dot1Q 903
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 logging event subif-link-status
!
route-map RM_POLICY_ROUTING, permit, sequence 10
  Match clauses:
    ip address (access-lists): NAVIGATION_ADLS_OI
  Set clauses:
    ip next-hop verify-availability 172.16.0.1 1 track 30  [down]
  Policy routing matches: 3971854 packets, 766578013 bytes
!
#sh ip route
Gateway of last resort is MAIN_ISP to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via X.X.X.X

I'm currently using IOS Version 15.4(1)T, but I have tried all versions starting from 15.3.

If someone has been through this situation, please let me know what the solution was.

Regards,

Rodrigo Alves
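The check described above (an ACL applied outbound on the NAT outside interface whose entries match the private inside addresses) works because, for inside-to-outside traffic, IOS performs the NAT translation before it evaluates the outbound access list, so an entry matching an RFC1918 source should never count a hit unless a packet left untranslated. The following Python script is an added example, not part of the thread or Cisco's own tooling; it parses `show ip access-lists` output and flags exactly those leaking entries. The sample output is constructed to mirror the "teste2" ACL above.

```python
"""Parse Cisco IOS 'show ip access-lists' output and flag ACEs that prove
NAT was bypassed: private-source entries on an outbound ACL of the outside
interface that nevertheless counted packets.

Added example, not from the thread. Assumes the standard IOS ACE syntax
('host A.B.C.D', 'A.B.C.D WILDCARD' or 'any') and the '(N matches)' suffix.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the "teste2" ACL posted in the thread.
SAMPLE_OUTPUT = """\
Extended IP access list teste2
    5 permit tcp host 10.21.2.50 any eq smtp (25 matches)
    10 permit tcp host 10.21.2.50 any eq www
    20 permit tcp host 10.21.2.188 any eq www (122 matches)
    30 permit tcp 10.21.2.0 0.0.0.255 any
    40 permit ip any any (589424 matches)
"""

# IOS prints "(1 match)" for a single hit and "(N matches)" otherwise.
MATCHES_RE = re.compile(r"\((\d+) match(?:es)?\)\s*$")


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[str]
    matches: int


def _take_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard mask is an inverted netmask; flip the bits to get the netmask.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one ACE line; header and blank lines yield None."""
    m = MATCHES_RE.search(line)
    matches = int(m.group(1)) if m else 0
    body = MATCHES_RE.sub("", line).split()
    if len(body) < 4 or not body[0].isdigit():
        return None
    seq, action, proto = int(body[0]), body[1], body[2]
    src, i = _take_addr(body, 3)
    dst, i = _take_addr(body, i)
    port = body[i + 1] if i < len(body) and body[i] == "eq" else None
    return Ace(seq, action, proto, src, dst, port, matches)


def parse_access_list(text: str) -> List[Ace]:
    return [ace for ace in map(parse_ace, text.splitlines()) if ace]


def find_nat_leaks(aces: List[Ace]) -> List[Tuple[int, str, int]]:
    """Entries with an RFC1918 source prefix that counted hits on the outside
    interface, i.e. packets that were forwarded with an untranslated source."""
    return [
        (a.seq, str(a.src), a.matches)
        for a in aces
        if a.src.prefixlen > 0 and a.src.is_private and a.matches > 0
    ]


if __name__ == "__main__":
    for seq, src, hits in find_nat_leaks(parse_access_list(SAMPLE_OUTPUT)):
        print(f"seq {seq}: {hits} packets left untranslated from {src}")
```

Run against the constructed sample it reports sequences 5 and 20 (10.21.2.50 on smtp and 10.21.2.188 on www), which is the same conclusion drawn in the post; the `permit ip any any` catch-all is ignored because its source prefix is not private. Note that the ACL only makes leaks visible, it does not stop them: a `deny` for the private ranges with `log` on the outside interface would both detect and contain untranslated traffic.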

7 Replies

rodrigo.cisco
Level 4

I forgot to say that if I change the NAT to not use a route-map, but use the ACL that is inside the route-map, it really works, but this way I cannot select the outside interface on which I would like to NAT. E.g. below:

ACL
ACL_PAT_EMBRATEL_51

ip nat inside source list ACL_PAT_EMBRATEL_51 pool EMBRATEL_POOL_51 overload

Jon Marshall
Hall of Fame

Rodrigo

Which interface do the 10.21.2.x addresses arrive on in the above config? Is it gi0/0.901?

Can you post the actual config for -
- the full NAT config with route-map
- the full PBR config with route-map.

In your PBR route-map you seem to be tracking 172.16.0.1, which is down. What is this meant to do and how does it interact with the NAT?

gi0/0.903 does not have an IP in your config?

So you are trying to select interfaces to send traffic out with PBR?

If you could give more detail it might help.

Jon

Jon,

That's right, all IPs from the range 10.21.x.x/16 arrive on interface gi0/0.901, which has a PBR where I select, based on some information, which link I will use.

GigabitEthernet0/0.903 = It is a simple ADSL link on which the router receives a private IP via DHCP to access the Internet; the modem (GW) IP address is 172.16.0.1. If one of the two links goes down, all traffic is redirected to the other one.

GigabitEthernet0/0.902 = It is a corporate link, and I got a range of public IPs from my local ISP where I can configure static NAT and PAT for my servers.

But to avoid confusion, I would like to say that I had removed PBR and put the subinterface g0/0.903 in shutdown to make sure that they were not causing the problem with NAT on my main link, g0/0.902. But unfortunately, when I use a route-map some dynamic NAT doesn't work as it should.

I'm attaching the config with some minor changes so as not to show personal information.

Warm Regards!

Rodrigo

Firstly, if it was you that marked my response as 1 (Not Helpful), please don't do that, as I am simply asking questions, so you do not need to mark it (and certainly not with a 1).

So the config you posted is the config you are using at the moment?

If so, would it be possible to send the config of what didn't work so I can see exactly how you had it set up?

Also, from your original post, is it safe to say that when server 10.21.2.188 tries to access a web server on the internet it is not getting subjected to NAT?

Jon

Jon, sorry man! I clicked incorrectly on the star and tried to remove it, but it appears to be impossible to remove after clicking; it was not my intention. Sorry again!

By the way, the config I attached is running right now. I had to configure the commands below to make things work:

ip nat inside source list ACL_PAT_PROVIDER_51 pool PROVIDER_POOL_51 overload
ip nat inside source list ACL_PAT_USUARIOS interface GigabitEthernet0/0.902 overload

But I need to activate the second link, and if I remove the commands above and leave only the route-maps, some servers will not be NATted.

"Also, from your original post, is it safe to say that when server 10.21.2.188 tries to access a web server on the internet it is not getting subjected to NAT?" Yes, you are correct!

To be honest, I really think it is a bug, because I tried on IOS 12.4 using GNS3 and it worked correctly. But I tried all versions equal to and above 15.3.

Ah, I even tried to remove "match interface GigabitEthernet0/0.902" from the route-map and leave it only with the ACL, and that didn't work either.

Any thoughts?

Rodrigo

"Jon, sorry man! I clicked incorrectly on the star and tried to remove it, but it appears to be impossible to remove after clicking; it was not my intention. Sorry again!"

No problem, it's easy to make that mistake and yes, they won't let you change it once it's been done.

It may well be a bug because I cannot see anything wrong with your config at the moment. I'm going to print it off and have a good look at it, but if you have tested in GNS3 and it worked with 12.4, it does sound like something to do with the IOS.

Is it just the servers in your acl in the original post that were not getting subjected to NAT, i.e. these 2 -

    5 permit tcp host 10.21.2.50 any eq smtp (25 matches)
    10 permit tcp host 10.21.2.50 any eq www
    20 permit tcp host 10.21.2.188 any eq www (122 matches)
    30 permit tcp 10.21.2.0 0.0.0.255 any
    40 permit ip any any (589424 matches)

When it wasn't working, did you manage to have a look at the translation table to see what they were showing?

Like I say, I'll have a good look at it and see if anything is obviously wrong, but it looks okay to me.

Jon

Yeah Jon, I got some information using an ACL on the outside interface, where I saw some ports for which the dynamic translation did not work, and using "show ip nat translation" I couldn't see the entry for port 80 being created in the table.

Another strange thing that is happening is that some static PAT stops working and I need to remove and re-apply it, for instance:

ip nat inside source static tcp 10.21.4.50 80 X.X.43.51 80 route-map RM_PROVIDER redundancy HSRP extendable

And before removing it, if I use "show ip alias" the IP "X.X.43.51" does not appear on the list, so the router does not respond to any ARP REQUEST for that IP address, but after removing and re-applying the command above the IP address shows up on the list correctly. Very, very strange. But I really care because I have tried 3 different versions of IOS and the problem showed up on all of them...
