10-06-2015 03:14 PM - edited 03-05-2019 02:28 AM
Hi everyone.
Not long ago we bought an ISR 4451-X with IOS XE on it, and now we have some problems with static NAT rules. Here is the config for the NAT rules:
interface Port-channel1.100
description ---To_Internal_Network---
bandwidth 1048576
encapsulation dot1Q 100
ip address 10.X.X.X 255.255.255.248
ip nat inside
delay 1000
exit
interface GigabitEthernet0/0/2
description ---- ISP Beeline (inet) -----
bandwidth 50000
ip address X.X.X.226 255.255.255.248 secondary
ip address X.X.X.227 255.255.255.248 secondary
ip address X.X.X.228 255.255.255.248 secondary
ip address X.X.X.230 255.255.255.248 secondary
ip address X.X.X.229 255.255.255.248 secondary
ip address Y.Y.Y.230 255.255.255.252
ip nat outside
media-type rj45
negotiation auto
no cdp enable
exit
ip route 0.0.0.0 0.0.0.0 Y.Y.Y.229
ip nat inside source list 110 interface GigabitEthernet0/0/2 overload
ip nat inside source static 10.X.X.253 X.X.X.227 extendable
ACL 110 has permit rules for internal devices to reach the Internet. The host 10.X.X.253 is present in these rules.
So my problem is that when I add a line with a static NAT rule (ip nat inside source static 10.X.X.2 X.X.X.229 extendable), the device 10.X.X.253 can't communicate over the TCP or UDP protocols. But ICMP works well in both directions: I get a response from X.X.X.229 from the Internet, and my device 10.X.X.253 can ping anything on the Internet. But I can't connect to the device from the Internet with TCP or UDP traffic (for example web traffic or DNS), and I can't connect to the Internet from the 10.X.X.253 device. But as soon as I delete the line ip nat inside source static 10.X.X.253 X.X.X.227 extendable, my device can connect to the Internet freely.
I had a 3925 router before and all these rules worked well on it.
Any Ideas?
Here is some additional information:
#sh ver
Cisco IOS XE Software, Version 03.15.01c.S - Standard Support Release
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(2)S1c, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Sat 15-Aug-15 21:40 by mcpre
When I try to get access to the Internet from 10.X.X.253:
sh ip nat tran | i 10.X.X.253
--- X.X.X.227 10.X.X.253 --- ---
tcp X.X.X.227:50141 10.X.X.253:50141 X.X.233.56:80 X.X.233.56:80
tcp X.X.X.227:50143 10.X.X.253:50143 X.X.233.56:80 X.X.233.56:80
tcp X.X.X.227:50142 10.X.X.253:50142 X.X.233.56:80 X.X.233.56:80
I also tried to use ACLs on the interfaces with the log keyword to find out how the traffic goes. It went this way (at the time when I tried to get access to the Internet): 10.X.X.253 -> router (hit appears), X.X.X.227 -> X.X.233.56 (hit appears), [Response] X.X.233.56 -> X.X.X.227 (hit appears), router -> 10.X.X.253 (no matches on the OUT ACL on the Port-channel1.100 interface).
Problem solved. Solution at the end of the topic!
Best Regards.
10-08-2015 12:55 PM
Hi, Jon Marshall, Peter Paluch.
I finally had time to contact my ISP and here are the results.
My ISP also has 2 IP addresses (X.X.X.225 and Y.Y.Y.229), one from each network, on the interface facing my side, and announces these 2 networks to the Internet. So when there is a packet from the Internet to X.X.X.227, it sends an ARP request to my router and waits for an answer. And it sends the packet to me only if there is an ARP record on their side. My router can answer this request only if I have secondary IP addresses on the interface. If I don't have secondary IP addresses on the interface, it doesn't answer ARP requests no matter whether I have the "ip proxy-arp" command on it or not.
And I understood how traffic goes if I do have secondary addresses on the interface. First, my router does send ARP responses to my ISP. Second, static NAT works for "in to out" traffic (this is why I see the entries in the NAT table). But when my router gets packets from the Internet (this is why I see hits on the ACL) to the port (and as I think it does the same with traffic from inside after the NAT changes), it thinks that this traffic is for my router and drops it (because there are no services on my router on these ports). So if there is a packet from the Internet, the router gets it and drops it. If it's traffic from the internal network, it applies the NAT rules and drops it after making the NAT changes. Very funny....
So I asked my ISP to make static ARP records for all my secondary IP addresses. They will do it tomorrow (because they need the approval of the manager who works with our company) and I'll tell you whether this helps me or not. Also I'm opening a bug report with the TAC...
PS I think the ISP can't use a route policy with a rule like "if dest IP = X.X.X.227 send it to ethernet port XX" because there is a switch between our router and theirs. And for the ISP it is much easier to make static ARP records instead of deleting the X.X.X.225 address on the ISP interface and adding a static route (like ip route X.X.X.227 255.255.255.255 Y.Y.Y.230) redistributed into the routing protocols...
Best Regards.
10-12-2015 02:28 PM
Hi, everyone.
Ok, so my results so far:
1. Cisco TAC tested my case and asked for some time to make a lab test of my problem. They couldn't find the source of the problem via a remote connection. BTW they told me that the source of the problem could be the Port-channel interface.
2. My ISP can't make static ARP records, because they would have to do it on the core device. They can't do it until they can install an additional device at my site (because they don't want to do anything with their core device, and I can understand them). It will take a lot of time (to add one more device), so I didn't agree to this solution.
3. I asked the ISP to delete the secondary IP address on their side and I deleted all secondary IP addresses on my side. They also added a route for X.X.X.224/29 to my primary IP address. This solution is working fine. But I'm still testing it, and I have already passed the 15 minutes of my ISP's ARP cache timeout. Hope it will not break any time soon :)
If there is a solution from Cisco TAC, I'll update this topic.
Best Regards.
10-13-2015 08:40 AM
The solution of the ISP using a route instead of secondary IPs is by far the commonest one, so I think you should be okay.
Jon
10-16-2015 12:05 PM
Hello, everyone.
I have an answer from Cisco TAC. This is one of the limitations of IOS XE. You can use the IP addresses of the interfaces only in dynamic NAT with overload.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/nat-xe-3s-asr1k-book/iadnat-addr-consv.html#reference_255FB71880424C21A193DF9BC9B2F957
So the case is closed and there is no better solution than the one I have right now.
Thanks everyone for your help and your time.
Best Regards.
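A check for the limitation TAC described, added here as an example and not part of the thread or of any Cisco tooling: a small Python linter that parses a running-config, collects every address (primary or secondary) configured on an "ip nat outside" interface, and flags static one-to-one NAT entries whose inside-global address is one of those interface addresses. It accepts both "show run" style (sub-commands indented, sections closed by "!") and the hand-typed style in the first post ("exit" closes a block). The two sample configs are constructed from the thread's setup with documentation addresses (203.0.113.224/29 standing in for X.X.X.224/29, 198.51.100.228/30 for the Y.Y.Y.228/30 link, 10.0.0.0/29 for the inside network) and are not the poster's real configuration; the "after" config is the thread's final arrangement, where the secondaries are gone and the ISP routes the /29 to the primary address.

```python
# Added example, not from the thread: lint an IOS/IOS XE config for static NAT
# entries whose inside-global address is also configured on the NAT-outside
# interface, the combination that IOS XE only supports for dynamic NAT with
# overload (per the TAC answer above).
import re
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    nat_outside: bool = False
    addresses: list = field(default_factory=list)  # (address, mask, is_secondary)


# Plain one-to-one statics only; "static tcp/udp ..." port forwards and
# "static network ..." entries are skipped on purpose.
STATIC_RE = re.compile(r"ip nat inside source static (?!tcp |udp |network )(\S+) (\S+)")
ADDR_RE = re.compile(r"ip address (\S+) (\S+)( secondary)?$")


def parse_config(text):
    """Return ({ifname: Interface}, [(inside_local, inside_global), ...])."""
    interfaces, static_nat, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!") or line == "exit":  # end of an interface block
            current = None
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = Interface(m.group(1))
            interfaces[current.name] = current
            continue
        m = STATIC_RE.match(line)  # global command, never an interface sub-command
        if m:
            static_nat.append((m.group(1), m.group(2)))
            continue
        if current is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            current.addresses.append((m.group(1), m.group(2), m.group(3) is not None))
        elif line == "ip nat outside":
            current.nat_outside = True
    return interfaces, static_nat


def find_conflicts(interfaces, static_nat):
    """Return (inside_local, inside_global, interface, 'primary'|'secondary') for
    every static entry whose global address is owned by a NAT-outside interface."""
    owned = {}
    for itf in interfaces.values():
        if itf.nat_outside:
            for addr, _mask, secondary in itf.addresses:
                owned[addr] = (itf.name, "secondary" if secondary else "primary")
    return [(local, glob, *owned[glob]) for local, glob in static_nat if glob in owned]


# Constructed sample: the thread's original layout with documentation addresses.
BEFORE_CONFIG = """
interface Port-channel1.100
 encapsulation dot1Q 100
 ip address 10.0.0.1 255.255.255.248
 ip nat inside
!
interface GigabitEthernet0/0/2
 ip address 203.0.113.226 255.255.255.248 secondary
 ip address 203.0.113.227 255.255.255.248 secondary
 ip address 203.0.113.229 255.255.255.248 secondary
 ip address 198.51.100.230 255.255.255.252
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 198.51.100.229
ip nat inside source list 110 interface GigabitEthernet0/0/2 overload
ip nat inside source static 10.0.0.253 203.0.113.227 extendable
ip nat inside source static 10.0.0.2 203.0.113.229 extendable
"""

# Constructed sample: the final arrangement. No secondaries on the outside
# interface; the ISP routes 203.0.113.224/29 to 198.51.100.230 instead.
AFTER_CONFIG = """
interface GigabitEthernet0/0/2
 ip address 198.51.100.230 255.255.255.252
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 198.51.100.229
ip nat inside source list 110 interface GigabitEthernet0/0/2 overload
ip nat inside source static 10.0.0.253 203.0.113.227 extendable
ip nat inside source static 10.0.0.2 203.0.113.229 extendable
"""


def lint(text):
    return find_conflicts(*parse_config(text))


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        for local, glob, itf, kind in lint(cfg) or []:
            print(f"{label}: static {local} -> {glob} uses {kind} address of {itf}")
        if not lint(cfg):
            print(f"{label}: no static NAT entry uses an outside-interface address")
```

Run it against "show running-config" output; any line it prints is a static entry that will show up in "show ip nat translations" for inside-to-outside flows while inbound TCP/UDP to that address is consumed by the router itself, which is the behaviour described in the first post.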