Hello,
I am doing both on CML and on hardware the following configuration:
The goal is to configure NAT on the NAT_ROUTER using only 1 physical interface (G1.10), which will be on the INSIDE.
I have tried it with 2 subinterfaces, one as inside and one as outside, and it worked.
However, the next step is to get it to work using only 1 subinterface. For this, I created a Loopback interface and set it as the OUTSIDE:
Since the traffic from the users (from HOST1 which is in vlan 10.0.0.0 /24, and HOST1 has an interface VLAN 10 emulating a host with IP address 10.0.0.2 /24) gets routed before NATed when it goes through G1.10, I configued PBR to match that traffic (as you can see in the G1.10 screenshot) and place it on the loopback interface, which is on the OUTSIDE (next hop set by PBR is in network directly connected to lo0, 10.0.1.0 /30), so that way it gets NATed before routed:
Once my traffic with source 10.0.0.2 is placed in the loopback 0 interface on the OUTSIDE, NAT takes place and applies the following:
The source of my traffic from HOST 1 now should be 192.168.1.3. The destination is (for example) 100.100.100.100 (INET_SERV). The NAT router then routes traffic using the default route pointing to CMTS:
which is successfully installed in the RIB (in case someone was doubting). Once the traffic gets to CMTS, the rest of the path to INET_SERV is fine.
On the way back to HOST1, traffic from CMTS coming from INET_SERV has a source of 100.100.100.100 and a destination of 192.168.1.3. It gets to G1.10, but again matches PBR and gets placed on the loopback 0 interface:
Once traffic gets placed to the loopback0 interface, again is NATed before routed,. Since traffic has now a source of 100.100.100.100 and destination of 192.168.1.3, it should match the following NAT rule:
and the destination IP address of traffic should be translated to 10.0.0.2, which is HOST1 IP address, and finally traffic should get routed back to HOST1.
However, I might be doing something wrong or misunderstanding NAT or PBR, because traffic from HOST1 to INET SERV is reaching INET SERV, but NAT is not translating traffic in the NAT router. On the packet captures that I have done in the link between CMTS and INET_SERV, I see the ICMP request with source 10.0.0.2 and destination 100.100.100.100, which means that traffic goes through NAT router without getting translated. Traffic the cannot make it back since INET_SERV does not have a route to 10.0.0.0 /24. I know I could configure NAT on CMTS or a route to 10.0.0.0 /24 on INET_SERV to solve this, but the goal is to solve it from the NAT router.
I have tried this on hardware (CISCO 3650 port switch as L2SW and C1121X routers) and software (CML2.7.2) and no success. I have been stuck with this countless hours for many days.
Anyone knows what could be wrong, or if I am misunderstanding anything?
Thanks, any help is appreciated,
Juan
Hello,
Things are looking almost perfect now.
I have followed the Cisco cfgs and CML now shows me NAT translations done correctly, PBR working properly even with a tunnel interface and packets from Host1 reaching CMTS lo0 ip add (6.6.6.6) and CMTS does NOT have a route to 10.0.0.0/24.
NAT ROUTER cfgs
Here are the packet captures that prove that NAT is working. Note that 10.0.0.2 is Host1 and 10.0.0.1 is NAT router G1 primary IP:
But like I said, is almost perfect. The problem, as you can see, is that I am missing the last ICMP reply that is supposed to be
- source: 6.6.6.6
- dest: 10.0.0.2
So there is still a little issue in NAT router when returning traffic from CMTS comes back. Any thougths? I will try using loopback instead of tunnel, and check ACLs.
There it is my friends, the end of this painful but interesting LAB. This was the missing command that Cisco does not include in their configs, and is the key to understand how PBR works with NAT: (from what I can deduct):
1. Traffic from Host1 with source 10.0.0.2 and dest 6.6.6.6 enters NATrouter via G1, INSIDE
2. PBR goes before Routing Table Routing and before NAT on the INSIDE, so traffic is routed to interface tunnel 100, which is on the OUTSIDE. On that trip inside-outside, traffic source gets translated by NAT from 10.0.0.2 to 192.168.2.2.
3. Once in the OUTSIDE on interface tunnel 100, traffic gets routed using the default route to CMTS, and reaches 6.6.6.6. This means that even if NAT attempts to act in the OUSTIDE-INSIDE trip (from int tunnel to G1) it would NOT matter because the ACL 10 does not match the traffic with source 192.168.1.2 destination 6.6.6.6.
4. Traffic returns from CMTS to NATrouter, traffic has source 6.6.6.6 dest 192.168.2.2. Enters G1 INSIDE, PBR takes place (ACL 102 matches also this traffic) and routes traffic to int tunnel 100. NAT acts again in this INSIDE OUTSIDE trip with the command that I just added, changing destination of trafffic from 192.168.2.2 to 10.0.0.2.
5. Finally, traffic departs from int tunnel 100 towards 10.0.0.2, and source remains 6.6.6.6 It does not match any NAT ACL, so NAT does not act on this OUTSIDE-INSIDE trip, and then traffic gets sent to Host1!!
After 12 hours on my own and almost 12 hours on the Cisco Community, there is a soultion that works and makes sense.
Thanks to Paul Driver and MHM for their interest and dedication.
Regards,
juan
