Guestshell - Not able to access outside - vrf/routing question

_|brt.drml|_
Level 1

Hi there, 

For our monitoring and automation research; I'm a newbie with this solution.

I followed the Cisco documentation for the configuration.

However, I think the topology to achieve access is as follows:

- VRF with public access using a VLAN and a Loopback. This public access works on the router and is the way we operate.

So 'sh ip route vrf PUBLIC' shows that all is running.

The VRF ping to 8.8.8.8 works on the router.

 

I did:

interface VirtualPortGroup0
 vrf forwarding PUBLIC
 ip address 192.168.35.1 255.255.255.0
 ip nat inside
!
! Vlan29 is already in the correct VRF -> ping 8.8.8.8 sourced from it is OK
interface Vlan29
 ip nat outside
!
app-hosting appid guestshell
 app-vnic gateway0 virtualportgroup 0 guest-interface 0
  guest-ipaddress 192.168.35.2 netmask 255.255.255.0
 app-default-gateway 192.168.35.1 guest-interface 0
 name-server0 8.8.8.8
!

and then NAT:

ip nat inside source list NAT_ACL interface Vlan29 vrf PUBLIC overload

---

the ACL:

ip access-list standard NAT_ACL
 permit 192.168.0.0 0.0.255.255

 

What does work:

guestshell run ping to the 'interface virtualportgroup' and 'vlan' addresses -> all work

guestshell run ping 8.8.8.8 fails

 

I guess it's a routing or NAT issue... But I'm a bit lost in the 'virtual' NIC setup. Any help is greatly welcome.

 

Thank you 

 

Bart
8 Replies

Harold Ritter
Cisco Employee

I have a similar configuration on a CSR1000v and it works like a charm. I use a physical interface as the outside interface, as opposed to a VLAN interface. What type of device do you use? Any possibility of using a physical interface instead of the VLAN interface? Also, could you include the output of a "show ip nat tr" from the router after performing a ping from the guestshell?

 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Hi,

Do I have to configure the NAT?

Thanks

Platform is 8300.

Thanks

Hi D@1984 ,

 

NAT is not a must, but it helps hide the private network between the router and the guest shell from the rest of the network.

 

Regards,

Harold Ritter

_|brt.drml|_
Level 1

Hi Harold.

No, I guess not; the reason is that we build the different VPNs. It is the VPN that delivers the different networks, so I have to keep to that design. With the built-in server I used free space in our addressing space; perhaps this can help?

The different networks are corporate and a separate social one. I probably need that social network for updating the guestshell with Git so I can download my scripts to the device (so far as I know).

The device:

Cisco IOS XE Software, Version 16.12.03
Cisco IOS Software [Gibraltar], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.12.3, RELEASE SOFTWARE (fc5)

Hardware: Cisco ISR4451-X/K9
_|brt.drml|_
Level 1

Oh, I forgot the output after a test:

LAB-ISR-092-01#sh ip nat tr
Pro  Inside global     Inside local     Outside local   Outside global
---  10.29.151.176     192.168.35.0     ---             ---
Total number of translations: 1

And I guess that needs to be inside and outside, not twice inside? 

 

The issue definitely seems to be with the NAT.

 

Could you change the NAT config as follows:

 

ip access-list extended NAT_ACL

 10 permit ip 192.168.35.0 0.0.0.255 any 

 

Try a ping from the guestshell and then show ip nat tr.

 

If that does not work, you could try with addressing that does not need to be NATed.

 

Regards,

Harold Ritter

_|brt.drml|_
Level 1
(Accepted Solution)

Harold,

I did that line before.

However: after updating the IOS from Gibraltar to 'Amsterdam', then 'guestshell destroy', and adding IP NAT OUTSIDE on the tunnel interface.

Result:

LAB-ISR-092-01#guestshell run ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=115 time=10.1 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=115 time=10.2 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=115 time=10.4 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 4ms
rtt min/avg/max/mdev = 10.148/10.241/10.384/0.155 ms

It works!

Thank you for the support and keep safe ! 

Bart 
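The configuration the thread converges on, collected into one place as an added example. This is not the poster's running-config and has not been verified on the software versions named above. It keeps the thread's own names (VRF PUBLIC, VirtualPortGroup0, Vlan29, NAT_ACL, 192.168.35.0/24) and uses Harold's extended ACL. The interface name Tunnel0 is an assumption standing in for "the tunnel interface" of the accepted answer, and the assumption that Tunnel0 is the interface in VRF PUBLIC through which packets to 8.8.8.8 actually leave the router is mine, not stated in the thread.

```cisco
! Added example, not the original poster's configuration.
! Tunnel0 is an assumed name for "the tunnel interface" in the accepted answer.
!
! 1. Inside leg: the router side of the guestshell's virtual NIC, placed in the VRF.
interface VirtualPortGroup0
 vrf forwarding PUBLIC
 ip address 192.168.35.1 255.255.255.0
 ip nat inside
!
! 2. Outside legs. "ip nat outside" must be on the interface the guestshell's
!    packets really exit; in the thread, marking Vlan29 alone was not enough
!    and it started working once the tunnel interface was marked as well.
interface Vlan29
 ip nat outside
!
interface Tunnel0
 vrf forwarding PUBLIC
 ip nat outside
!
! 3. Translate only the guestshell subnet. The original standard ACL
!    (permit 192.168.0.0 0.0.255.255) would also translate any other
!    192.168.x.x source the router forwards through this VRF.
ip access-list extended NAT_ACL
 10 permit ip 192.168.35.0 0.0.0.255 any
!
! 4. VRF-aware PAT. "vrf PUBLIC" is required because the inside interface is
!    in that VRF, not in the global table. The thread kept Vlan29's address as
!    the inside global; use the tunnel's address instead if that is the
!    address the return path expects.
ip nat inside source list NAT_ACL interface Vlan29 vrf PUBLIC overload
!
! 5. Guest shell networking. In the thread these changes only took effect
!    after the guestshell was destroyed and re-enabled.
app-hosting appid guestshell
 app-vnic gateway0 virtualportgroup 0 guest-interface 0
  guest-ipaddress 192.168.35.2 netmask 255.255.255.0
 app-default-gateway 192.168.35.1 guest-interface 0
 name-server0 8.8.8.8
!
! Apply and verify (exec mode):
!   guestshell destroy
!   guestshell enable
!   show app-hosting list
!   guestshell run ping -c 3 8.8.8.8
!   show ip nat translations
```

In `show ip nat translations` after the ping, expect per-flow `icmp` entries with 192.168.35.2 as the inside local and 8.8.8.8 as the outside address. A single entry for the whole 192.168.35.0 network with no protocol and no ports, like the one posted earlier in the thread, means the guestshell's packets are not being translated per flow, which is the symptom Harold pointed at. Two caveats for anyone copying this: the overload rule gives the guestshell outbound access only, so do not add static translations into 192.168.35.2 unless you intend to expose the shell from the VRF, and the ACL should stay limited to the guestshell /24 so that the NAT rule cannot be used as an unintended egress path by other 192.168.x.x sources routed through VRF PUBLIC.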
