Hello!
I'm now trying to lab Outside NAT with dynamic translation to the pool on the CSR1000V and facing an issue with a static route to Outside Local address via Outside Global address not being added to the routing table on the IOS-XE 16.3.2+ (IOS-XE 16.3.1a working ok, legacy IOS working ok with the same Outside NAT config too).
NAT config is done on the 1st CSR1000V and is fairly simple:
```
hostname nat-csr
!
interface GigabitEthernet1
 ip address 172.16.8.1 255.255.255.0
 ip nat outside
 negotiation auto
!
interface GigabitEthernet2
 ip address 172.26.1.250 255.255.255.0
 negotiation auto
!
ip access-list extended ANY-ACL
 permit ip any any
!
ip route 172.16.7.0 255.255.255.0 172.16.8.10
ip nat pool TST-POOL 172.26.2.1 172.26.2.254 netmask 255.255.255.0
ip nat inside source static tcp 172.26.1.1 23 interface GigabitEthernet1 2323
ip nat outside source list ANY-ACL pool TST-POOL add-route
```
2nd CSR is used for the server:
```
hostname server-csr
!
username cisco privilege 15 password cisco
enable password cisco
!
interface GigabitEthernet2
 ip address 172.26.1.1 255.255.255.0
 negotiation auto
!
ip route 0.0.0.0 0.0.0.0 172.26.1.250
!
line vty 0 4
 login local
```
And 3rd CSR is used for the client:
```
hostname client-csr
!
interface GigabitEthernet1
 ip address 172.26.8.10 255.255.255.0
 negotiation auto
!
interface Loopback1
 ip address 172.26.7.1 255.255.255.0
!
interface Loopback2
 ip address 172.26.7.2 255.255.255.0
```
Ideally (on IOS-XE 16.3.1a) when client-csr is doing `telnet 172.16.8.1 2323 /source Loopback1` the server-csr answers with the telnet and sees the incoming connection from 172.26.2.1 (1st address in the pool). On the IOS-XE 16.3.2+ the connection doesn't succeed because the nat-csr doesn't install a route to the Outside Local address via Outside Global address of the client-csr, which is required for the return traffic to the client-csr from the server-csr. This route should look like:
```
172.26.2.1/32 [1/0] via 172.26.7.1
172.26.2.2/32 [1/0] via 172.26.7.2
```
etc.
Interestingly, sometimes IOS-XE 16.6.1 does install the required static route, but this is not suitable for the production deployment.
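One way to check for the symptom described above when comparing IOS-XE releases, added here as an example that is not part of the original post: the script compares the outside local/global pairs in `show ip nat translations` with the /32 routes in `show ip route static` and reports every pair whose `add-route` entry is absent. The sample command output is constructed from the addresses in the post, and the function names are hypothetical.

```python
import re

# Constructed sample output (not captured from a device), addresses taken from the post.
SAMPLE_NAT = """\
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                172.26.2.1         172.26.7.1
--- ---                ---                172.26.2.2         172.26.7.2
tcp 172.16.8.1:2323    172.26.1.1:23      172.26.2.1:40001   172.26.7.1:40001
"""
SAMPLE_ROUTES = """\
S        172.16.7.0/24 [1/0] via 172.16.8.10
S        172.26.2.1/32 [1/0] via 172.26.7.1
"""

# Host routes in the form shown in the post: 172.26.2.1/32 [1/0] via 172.26.7.1
ROUTE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)/32 \[\d+/\d+\] via (\d+\.\d+\.\d+\.\d+)")


def outside_mappings(nat_text):
    """Return {outside_local: outside_global} for entries that are actually translated."""
    mappings = {}
    for line in nat_text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] == "Pro":
            continue  # header, blank line or unexpected layout
        local = cols[3].split(":")[0]   # drop the port on extended entries
        glob = cols[4].split(":")[0]
        if "---" in (local, glob) or local == glob:
            continue  # no outside translation on this entry
        mappings[local] = glob
    return mappings


def host_routes(route_text):
    """Return {prefix_address: next_hop} for every /32 route in the text."""
    return {m.group(1): m.group(2) for m in ROUTE_RE.finditer(route_text)}


def missing_add_routes(nat_text, route_text):
    """List (outside_local, outside_global) pairs with no matching /32 route."""
    routes = host_routes(route_text)
    pairs = outside_mappings(nat_text).items()
    return sorted((l, g) for l, g in pairs if routes.get(l) != g)


if __name__ == "__main__":
    for local, glob in missing_add_routes(SAMPLE_NAT, SAMPLE_ROUTES):
        print(f"missing route: {local}/32 via {glob}")
```
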