IP NAT questions

fredluneau
Level 1

Seeking guidance.  I have an ISR4331 version 17.3.5 and am working to configure NAT and having difficulty.  Consider the g0/0/0 interface the inside and G0/0/1 the outside.   TCP traffic initiates from the outside.  The source /24 network will target an IP address that will be NAT'd to an inside global (as the destination address).  Traffic from the outside network is to be translated to a secondary IP on the inside interface.  The following are the NAT statements used in the configuration:

 

ip nat inside source static 10.240.1.11 172.16.30.67
ip nat inside source static 10.240.1.12 172.16.31.149
ip nat outside source static network 172.31.240.0 192.168.100.165 /32

16 Replies

Can you elaborate more?
But:
ip nat inside will NAT INSIDE-LOCAL ->> INSIDE-GLOBAL
ip nat outside will NAT OUTSIDE-LOCAL ->> OUTSIDE-GLOBAL


fredluneau
Level 1

The inside source static commands appeared to work as needed until I added the outside source static network command.  The intent there was to source NAT any traffic coming from the outside 172.31.240.0 network to the IP address on the inside of the router.  Is there not a way to do that?

I think that it works, except that:
check
show ip nat translation
There are two entries:
one is static,
the other is dynamic.
This dynamic one will stay in the table for the "tcp timeout".
When the traffic comes from outside,
the router will check this table, and if the OUT-GLOBAL appears there it will not use ip nat outside;
it will use this NAT table entry, and hence the ip nat outside fails.
Solution: use full extended NAT.

 

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13739-nat-routemap.html

 

Hello


@fredluneau wrote:

ip nat inside source static 10.240.1.11 172.16.30.67
ip nat inside source static 10.240.1.12 172.16.31.149


Inside local        Inside global
10.240.1.11         172.16.30.67
10.240.1.12         172.16.31.149

These two statements will be stateful, meaning any initiation from any outside host made towards these natted inside global addresses will connect to those two internal hosts' inside local addresses.

Alternatively, any traffic initiation from those two internal hosts (inside local) to any external host will be seen as originating from their respective natted inside global addresses.


@fredluneau wrote:

TCP traffic initiates from the outside.  Source /24 network will target an IP address that will be NAT'd to an inside global (as the destination address).  Traffic from the outside network is to be translated to a secondary IP on the inside interface.


ip nat outside source static network 172.31.240.0 192.168.100.165 /32


This static outside statement looks incorrect, as it is stating the 172.31.240.0 network will be seen internally if internal users initiate a connection via host 192.168.100.165, which is PAT in reverse and makes no sense.

However, a more applicable statement would be NAT on host type to an additional address for your internal network:

ip nat outside source static network 172.31.240.0 172.31.241.0 /24 no alias

ip route 172.31.241.0 255.255.255.0 <wan interface>

The above statement would translate any source traffic from 172.31.240.0/24 to 172.31.241.0/24 on a matching host basis.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Paul,

Just want to be sure I communicated this accurately.  To confirm, traffic is initiated from the outside (WAN), which is an AWS network; 172.31.240.0 should be translated to a single /32 address to traverse the inside network.  You had indicated this is something similar to PAT but in reverse, and does not make sense.  This is in fact what I am trying to do.  We do not want to route this AWS network over our internal network.

 

Fred

Hello


@fredluneau wrote:

To confirm, traffic is initiated from the outside (WAN), which is an AWS network; 172.31.240.0 should be translated to a single /32 address to traverse the inside network.  You had indicated this is something similar to PAT but in reverse, and does not make sense.   We do not want to route this AWS network over our internal network.


Maybe I am not understanding your topology but now you mention AWS!
When you say internal network do you mean AWS internal VPC instances?

And you want to provide these with public internet access? If so, I guess you would require at least a NAT gateway/instance for your AWS internal VPCs' NAT 1-to-1 mappings, and possibly an AWS internet gateway if you have private and public S3 services requiring external translation.

Maybe I am way off the mark here. If so, please share a topology diagram of what you are trying to achieve.

 



Kind Regards
Paul

I have attached a diagram which represents what we are trying to accomplish. The connectivity is a point to point VPN which we have established.  The connectivity originates from AWS.

 

Thanks in advance for the help

 

Fred

Did you ever see the doc I attached?
You can use a route-map with IP NAT to make the router select the IP NAT statement.
The route-map matches an ACL which specifies source and destination.
When the ACL matches, the route-map will hit the IP NAT statement for that source -> destination.

 

I am reading through that document link now.  Thanks

Hello

@fredluneau 

Thanks for the diagram; however, for me it's not providing a NAT solution, it's understanding your requirements. Maybe others on here can understand, but at present it's not sinking in.

Looking at your diagram it looks like you are or want to perform twice nat from the customer FW  towards the host core network.

However, in your OP you state you are performing NAT on an ASR, which isn't a FW, it's a RTR, with the current static NAT statements suggesting the NAT resides on the customer firewall:
"inside source static 10.240.1.x"


Do you have administration over the customer firewall as well as the host core ASR rtr?



Kind Regards
Paul

Hello.

The diagram was originally authored by another source; I just re-purposed it.  The icon at the customer edge is representing the ISR4331 where the NAT will occur.  There are two NAT operations in our application.  The first NAT operation is providing an inside local /32 address for the AWS host to target at the core banking system for the connection initiated.  The second NAT operation is an outside source NAT changing the AWS source IP to one which we can route over our internal network to the core banking application.

I hope this clears up any questions, doing the best I can to describe.

To make sure that we need full extended NAT:
clear ip nat translation <- do this more than once
then ping from outside; you will see that NAT works, since there is no entry in the NAT table.

Hello,

Including my configuration for NAT.  My ip nat inside source static config statements are now correct.  I had to reverse my logic for inside local and inside global.  Now when the AWS host targets 10.240.1.11, the destination address as it leaves the router is the desired destination address.  Still having trouble with the ip nat outside source route-map statement.  This piece should NAT any AWS host coming from src 172.31.240.0/24 to src 192.168.100.165 (secondary IP on the inside interface):

 

My current config:

ip nat pool pool-aws 172.31.240.1 172.31.240.254 prefix-length 24
ip nat inside source static 172.16.30.67 10.240.1.11       (this appears to work)
ip nat inside source static 172.16.31.149 10.240.1.12     (this appears to work)
ip nat outside source route-map map-aws pool pool-aws

!

route-map map-aws permit 10
match ip address 100

!

Extended IP access list 100
10 permit ip 172.31.240.0 0.0.0.255 host 192.168.100.165 log

Thanks in advance for your assistance

 

route-map map-aws permit 10
match ip address 100

!

Extended IP access list 100
10 permit ip 172.31.240.0 0.0.0.255 any

!

ip nat pool pool-aws 192.168.100.165 192.168.100.165 prefix-length 24
!
ip nat outside source route-map map-aws pool pool-aws

 

Try this way.
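To show what the inside static entries plus the route-map driven outside source NAT in the config above do to a single AWS-initiated flow, here is a small Python model of the router's translation steps. It is an added example, not config or code from this thread or from Cisco; the addresses are the thread's own, the AWS host address 172.31.240.10 is a constructed sample, and the model assumes that a non-overloaded pool binds one pool address to one outside host at a time, so the single-address pool can serve only one AWS host until its entry is cleared or times out.

```python
import ipaddress

# From the thread's final config (addresses are the thread's own):
#   ip nat inside source static 172.16.30.67  10.240.1.11
#   ip nat inside source static 172.16.31.149 10.240.1.12
#   access-list 100 permit ip 172.31.240.0 0.0.0.255 any   (selected by route-map map-aws)
#   ip nat outside source route-map map-aws pool pool-aws   (pool = 192.168.100.165)
INSIDE_STATIC = {"172.16.30.67": "10.240.1.11", "172.16.31.149": "10.240.1.12"}
INSIDE_GLOBAL_TO_LOCAL = {g: l for l, g in INSIDE_STATIC.items()}
ACL_100_SRC = ipaddress.ip_network("172.31.240.0/24")
POOL_AWS = ["192.168.100.165"]  # single-address pool, as configured in the thread

# Dynamic outside-global -> outside-local bindings (the "dynamic" entries seen in
# show ip nat translations). Assumption: one pool address per outside host, no overload.
outside_bindings: dict[str, str] = {}


def outside_to_inside(src: str, dst: str):
    """Packet arriving on the outside interface (NAT runs before routing here).
    Source: outside global -> outside local; destination: inside global -> inside local.
    Returns None when the source matches the route-map but the pool is exhausted."""
    new_src = src
    if ipaddress.ip_address(src) in ACL_100_SRC:
        if src not in outside_bindings:
            free = [a for a in POOL_AWS if a not in outside_bindings.values()]
            if not free:
                return None  # no pool address left: the flow is not translated
            outside_bindings[src] = free[0]
        new_src = outside_bindings[src]
    return new_src, INSIDE_GLOBAL_TO_LOCAL.get(dst, dst)


def inside_to_outside(src: str, dst: str):
    """Reply leaving via the outside interface (routed first, then translated).
    Source: inside local -> inside global; destination: outside local -> outside global."""
    local_to_global = {l: g for g, l in outside_bindings.items()}
    return INSIDE_STATIC.get(src, src), local_to_global.get(dst, dst)


def clear_ip_nat_translation():
    """Model of the 'clear ip nat translation' step suggested earlier in the thread."""
    outside_bindings.clear()


if __name__ == "__main__":
    print(outside_to_inside("172.31.240.10", "10.240.1.11"))      # AWS host -> core host
    print(inside_to_outside("172.16.30.67", "192.168.100.165"))   # reply back to AWS
```

A second AWS host arriving while the first binding is still present gets no translation from this one-address pool, which is the kind of stale-entry problem the `clear ip nat translation` advice above is about.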
