06-18-2018 01:24 PM - edited 03-05-2019 10:37 AM
Ok, here's my scenario:
I have a router with various local VLANs and a NAT statement to a host:port allowing it to be reachable from the outside (for example port 80).
Assuming:
w.x.y.z is a host in vlan 10
a.b.c.d is a host in vlan 11
A.B.C.D is a public IP assigned to an interface
All three of these interfaces have an ip nat enable statement. NavigationMap is a route-map calling ACLs that allow VLAN 10 and VLAN 11 IPs.
NAT:
ip nat source route-map NavigationMap pool PublicIP overload
ip nat source static tcp w.x.y.z 80 A.B.C.D 80 extendable
From the internet, everything works as expected, BUT when I access w.x.y.z from a.b.c.d, I can see traffic getting to w.x.y.z (using tcpdump) with source a.b.c.d:port -> w.x.y.z:80 and exiting w.x.y.z:80 -> a.b.c.d:port, but packets don't come back to a.b.c.d!!! It seems that as they hit the vlan 10 interface, they get NAT'ed so its source IP address gets changed to A.B.C.D. If I issue:
show ip nat nvi translations | inc A.B.C.D I get this line:
tcp A.B.C.D:80 w.x.y.z:80 a.b.c.d:54502 a.b.c.d:54502
I think that this should be expected to happen, but I don't find a way to exclude "inter vlan traffic" from the static nat statement!
06-18-2018 01:29 PM
Hello,
do you have a default static route ?
Post the config of your router...
06-18-2018 01:35 PM
Hello Georg:
The config is a lot more complicated, I've tried to reduce it to the minimal expression of the problem. It has PBR and static routes!
06-18-2018 01:38 PM
Post your config...it doesn't matter if it's complicated...;)
06-18-2018 01:58 PM - edited 06-18-2018 02:41 PM
Here are the relevant and curated parts:
object-group network AlwaysThroughISP3
description This IP will always exit through TELECOM to the internet unless link is down
host 192.168.16.100
!
object-group network LocalNetworks
description All local networks
192.168.16.0 255.255.255.0
192.168.20.0 255.255.255.0
192.168.24.0 255.255.255.0
192.168.28.0 255.255.255.0
192.168.32.0 255.255.255.0
172.16.100.0 255.255.255.0
172.16.128.0 255.255.255.0
!
object-group network NatEnabled
description Internet Access Nat enabled networks
192.168.16.0 255.255.255.0
192.168.20.0 255.255.255.0
192.168.24.0 255.255.255.0
192.168.28.0 255.255.255.0
172.16.100.0 255.255.255.0
172.16.128.0 255.255.255.0
!
object-group network NatedThroughISP3
host 192.168.20.2
!
track 1 ip sla 1
delay down 90 up 90
!
track 2 ip sla 2
delay down 90 up 90
!
track 3 ip sla 3
delay down 90 up 90
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description ISP1
ip address A.B.C.D 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description ISP2
ip address E.F.G.H 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0/3
description ISP3
switchport access vlan 100
no ip address
!
interface Vlan1
ip address 192.168.16.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
ip policy route-map AlwaysISP3
!
interface Vlan10
ip address 192.168.20.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
ip policy route-map AlwaysISP3
!
interface Vlan11
ip address 192.168.24.1 255.255.255.0
ip helper-address 192.168.20.2
ip nat enable
ip virtual-reassembly in
!
interface Vlan12
ip address 192.168.28.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
!
interface Vlan13
description Cameras
ip address 192.168.32.1 255.255.255.0
ip virtual-reassembly in
!
interface Vlan20
ip address 172.16.100.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
ip policy route-map AlwaysISP3
!
interface Vlan21
ip address 172.16.128.1 255.255.255.0
ip helper-address 192.168.20.2
ip nat enable
ip virtual-reassembly in
ip policy route-map AlwaysTelecom
!
interface Vlan100
description ISP3
ip address I.J.K.L 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat enable
ip virtual-reassembly in
!
ip local policy route-map router-local
ip forward-protocol nd
!
ip nat pool ISP1-pool A.B.C.D A.B.C.D prefix-length 24
ip nat pool ISP2-pool E.F.G.H E.F.G.H prefix-length 24
ip nat pool ISP3-pool I.J.K.L I.J.K.L prefix-length 29
ip nat source route-map ISP1-nat pool ISP1-pool overload
ip nat source route-map ISP2-nat pool ISP2-pool overload
ip nat source route-map ISP3-nat pool ISP3-pool overload
ip nat source static tcp 192.168.20.2 80 I.J.K.L 80 extendable
ip nat source static tcp 172.16.128.105 443 A.B.C.D 443 extendable
ip route 0.0.0.0 0.0.0.0 A.B.C.D 10 track 1
ip route 0.0.0.0 0.0.0.0 E.F.G.H 10 track 2
ip route 0.0.0.0 0.0.0.0 I.J.K.L 20 track 3
!
ip access-list extended ISP1_Local
permit ip host A.B.C.D any
permit icmp host A.B.C.D any
ip access-list extended ISP2_Local
permit ip host E.F.G.H any
permit icmp host E.F.G.H any
ip access-list extended ISP3_Local
permit ip host I.J.K.L any
permit icmp host I.J.K.L any
ip access-list extended LinuxServer
permit ip any host 192.168.20.2
ip access-list extended LinuxServerPorts
permit tcp any any eq www
ip access-list extended WindowsServer
permit ip any host 172.16.100.3
ip access-list extended WindowsServerPorts
permit tcp any any eq 443
ip access-list extended always-isp3-pbr
deny ip object-group AlwaysThroughISP3 object-group LocalNetworks
deny icmp object-group AlwaysThroughISP3 object-group LocalNetworks
permit ip object-group AlwaysThroughISP3 any
permit icmp object-group AlwaysThroughISP3 any
deny ip any any
deny icmp any any
ip access-list extended navigation-nat
deny ip object-group LocalNetworks object-group LocalNetworks
deny icmp object-group LocalNetworks object-group LocalNetworks
permit ip object-group NatEnabled any
permit icmp object-group NatEnabled any
deny ip any any
deny icmp any any
ip access-list extended static-nat-isp3-pbr
deny ip object-group NatedThroughISP3 object-group LocalNetworks
permit tcp object-group NatedThroughISP3 eq www any established
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
threshold 40
timeout 1000
frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/1
threshold 40
timeout 1000
frequency 3
ip sla schedule 2 life forever start-time now
ip sla 3
icmp-echo 8.8.8.8 source-interface Vlan100
threshold 40
timeout 1000
frequency 3
ip sla schedule 3 life forever start-time now
!
route-map ISP3-nat permit 10
match ip address navigation-nat
match interface Vlan100
!
route-map ISP1-nat permit 10
match ip address navigation-nat
match interface GigabitEthernet0/0
!
route-map router-local permit 10
match ip address ISP1_Local
set ip next-hop ISP1GW
!
route-map router-local permit 20
match ip address ISP2_Local
set ip next-hop ISP2GW
!
route-map router-local permit 30
match ip address ISP3_Local
set ip next-hop ISP3GW
!
route-map AlwaysISP3 permit 5
match ip address static-nat-isp3-pbr
set ip next-hop verify-availability ISP3GW 10 track 3
!
route-map AlwaysISP3 permit 10
match ip address always-isp3-pbr
set ip next-hop verify-availability ISP3GW 10 track 3
!
route-map ISP2-nat permit 10
match ip address navigation-nat
match interface GigabitEthernet0/1
!
!
event manager applet CLEAR_NAT_ISP1_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat nvi translation forced"
event manager applet CLEAR_NAT_ISP1_UP
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat nvi translation forced"
event manager applet CLEAR_NAT_ISP2_DOWN
event track 2 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat nvi translation forced"
event manager applet CLEAR_NAT_ISP2_UP
event track 2 state up
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat nvi translation forced"
event manager applet CLEAR_NAT_ISP3_DOWN
event track 3 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat nvi translation forced"
event manager applet CLEAR_NAT_ISP3_UP
event track 3 state up
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat nvi translation forced"
!
end
06-18-2018 02:36 PM
Hello,
where is your access list 'always-telecom-pbr'? Did you omit that, and if so, can you post it?
interface Vlan10
ip address 192.168.20.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
ip policy route-map AlwaysISP3
!
route-map AlwaysISP3 permit 5
match ip address static-nat-telecom-pbr
set ip next-hop verify-availability ISP3GW 10 track 3
!
route-map AlwaysISP3 permit 10
match ip address always-telecom-pbr
set ip next-hop verify-availability ISP3GW 10 track 3
06-18-2018 02:42 PM - edited 06-18-2018 03:14 PM
Sorry, I've just edited the post, it was a misspelling!
route-map AlwaysISP3 permit 5
match ip address static-nat-isp3-pbr
set ip next-hop verify-availability ISP3GW 10 track 3
!
route-map AlwaysISP3 permit 10
match ip address always-isp3-pbr
set ip next-hop verify-availability ISP3GW 10 track 3
06-18-2018 02:57 PM - edited 06-18-2018 02:58 PM
Hello
Confirm: are these 3 different subnets?
w.x.y.z is a host in vlan 10
a.b.c.d is a host in vlan 11
A.B.C.D is a public IP assigned to an interface
If so
Inter-vlan w.x.y.z <--> a.b.c.d traffic shouldn't get NATted, why do you think it should?
However, I see you are also policy routing on vlan 10, so what are you trying to achieve with this?
Note: any traffic not defined in a PBR statement will get routed normally. Also, the tracked next-hop address is considered reachable if the tracked object is up, so it will get PBR'd; otherwise it will be RIB routed (normally routed).
res
Paul
06-18-2018 03:22 PM
Yes, three different subnets.
Inter-vlan w.x.y.z <--> a.b.c.d traffic shouldn't get NATted, why do you think it should?
It seems that it gets translated on the back path, because somehow it matches the ip nat source static statement! That's why I want to exclude the traffic!
PBR is used to set the next-hop in packets that must always be NATted through ISP 3 (overloaded), and the static NAT on the ISP 3 interface, because there's no route to ISP 3 if ISP 1 AND ISP 2 are up! (ISPs 1 and 2 have AD 10 in the routing table and 3 has AD 3, and all are tracked!)
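To make the behaviour discussed above concrete, here is a small added model of NVI-style source translation; it is my own illustration, not code from this thread and not Cisco's NAT implementation. It assumes concrete stand-ins for the placeholders (w.x.y.z = 192.168.20.2 from the posted config, a.b.c.d = 192.168.24.50 as a constructed Vlan11 client, A.B.C.D = 198.51.100.10 from the documentation range) and a hypothetical `exempt` predicate on the static mapping that plays the role of the "deny LocalNetworks LocalNetworks" entry the dynamic route-map already has but the static statement lacks. It shows why the server's reply matches the static entry (the mapping keys only on the local source socket, not the destination) and why the client then never sees a usable reply.

```python
# Added example (not from the thread or Cisco): toy model of how an NVI static
# port mapping is matched on egress, and how a local-to-local exemption keeps
# inter-VLAN replies untranslated.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional

# Constructed stand-ins for the thread's placeholders.
SERVER = "192.168.20.2"    # w.x.y.z, the web server in Vlan10 (per posted config)
CLIENT = "192.168.24.50"   # a.b.c.d, a client in Vlan11 (constructed)
PUBLIC = "198.51.100.10"   # A.B.C.D, documentation-range public address

# The LocalNetworks object-group from the posted config.
LOCAL_NETWORKS = [ip_network(n) for n in (
    "192.168.16.0/24", "192.168.20.0/24", "192.168.24.0/24", "192.168.28.0/24",
    "192.168.32.0/24", "172.16.100.0/24", "172.16.128.0/24")]


def is_local(addr: str) -> bool:
    return any(ip_address(addr) in net for net in LOCAL_NETWORKS)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StaticMapping:
    """Models 'ip nat source static tcp LOCAL LPORT GLOBAL GPORT extendable'."""
    local_ip: str
    local_port: int
    global_ip: str
    global_port: int
    # Hypothetical exemption hook: True means 'leave this packet untranslated'.
    # It stands in for a deny entry in an ACL/route-map bound to the mapping.
    exempt: Optional[Callable[[Packet], bool]] = None

    def matches_outbound(self, pkt: Packet) -> bool:
        # Only the local source socket is keyed on, not the destination, which
        # is why a reply from the server towards another VLAN still matches.
        return pkt.src == self.local_ip and pkt.sport == self.local_port


def translate_outbound(pkt: Packet, egress: str, nat_enabled: Dict[str, bool],
                       mappings: List[StaticMapping]) -> Packet:
    """Source-translate a packet leaving interface 'egress' (NVI: any
    'ip nat enable' interface takes part, there is no inside/outside)."""
    if not nat_enabled.get(egress, False):
        return pkt
    for m in mappings:
        if m.matches_outbound(pkt):
            if m.exempt is not None and m.exempt(pkt):
                return pkt
            return replace(pkt, src=m.global_ip, sport=m.global_port)
    return pkt


def reply_matches_request(request: Packet, reply: Packet) -> bool:
    """A client socket only accepts a reply from the 4-tuple it talked to."""
    return (reply.src == request.dst and reply.sport == request.dport
            and reply.dst == request.src and reply.dport == request.sport)


def local_to_local(pkt: Packet) -> bool:
    # Equivalent of 'deny ip object-group LocalNetworks object-group LocalNetworks'.
    return is_local(pkt.src) and is_local(pkt.dst)


# Interfaces carrying 'ip nat enable' in the scenario (subset of the config).
NAT_ENABLED = {"Vlan10": True, "Vlan11": True, "GigabitEthernet0/0": True}
REQUEST = Packet(CLIENT, 54502, SERVER, 80)   # same client port as the thread
REPLY = Packet(SERVER, 80, CLIENT, 54502)


def reply_on_wire(exempt_local: bool) -> Packet:
    """The server's reply as it leaves the router towards Vlan11."""
    mapping = StaticMapping(SERVER, 80, PUBLIC, 80,
                            exempt=local_to_local if exempt_local else None)
    return translate_outbound(REPLY, "Vlan11", NAT_ENABLED, [mapping])


def client_accepts_reply(exempt_local: bool) -> bool:
    return reply_matches_request(REQUEST, reply_on_wire(exempt_local))


if __name__ == "__main__":
    print("reply source without exemption:", reply_on_wire(False).src)
    print("client accepts reply without exemption:", client_accepts_reply(False))
    print("client accepts reply with exemption:", client_accepts_reply(True))
```

Without the exemption the reply leaves Vlan11 as 198.51.100.10:80 -> 192.168.24.50:54502, which is exactly the translation line the first post shows and which the client's TCP stack discards because it never spoke to that address; with the local-to-local exemption the reply keeps its 192.168.20.2:80 source and the connection completes.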
06-18-2018 03:10 PM
Hello,
make sure your spelling is correct, as I don't see that access list either.
ip access-list extended always-isp3-pbr
!
always-ISP3-pbr
Either way, I'll try and lab this. In the meantime, I am not sure if you need an empty route map sequence to allow local traffic, which should look like this:
route-map AlwaysISP3 permit 5
match ip address static-nat-telecom-pbr
set ip next-hop verify-availability ISP3GW 10 track 3
!
route-map AlwaysISP3 permit 10
match ip address always-telecom-pbr
set ip next-hop verify-availability ISP3GW 10 track 3
!
route-map AlwaysISP3 permit 15
06-18-2018 03:24 PM
route-map AlwaysISP3 permit 15 is not there anymore (it was there for testing... sorry for that)
always-ISP3-pbr is always-isp3-pbr
I've changed those names when I curated the config for posting
06-24-2018 02:15 PM