ISSUE WITH NAT ON A STICK using Loopback

JUANNN
Level 1

Hello,

I am doing both on CML and on hardware the following configuration:

JUANNN_3-1735018571502.png

The goal is to configure NAT on the NAT_ROUTER using only 1 physical interface (G1.10), which will be on the INSIDE.

JUANNN_4-1735018618815.png

I have tried it with 2 subinterfaces, one as inside and one as outside, and it worked.

However, the next step is to get it to work using only 1 subinterface. For this, I created a Loopback interface and set it as the OUTSIDE:

JUANNN_5-1735018672557.png

Since the traffic from the users (from HOST1, which is in VLAN 10, 10.0.0.0/24; HOST1 has an interface VLAN 10 emulating a host with IP address 10.0.0.2/24) gets routed before being NATed when it goes through G1.10, I configured PBR to match that traffic (as you can see in the G1.10 screenshot) and place it on the loopback interface, which is on the OUTSIDE (the next hop set by PBR is in the network directly connected to lo0, 10.0.1.0/30), so that it gets NATed before being routed:

JUANNN_6-1735018714432.png

JUANNN_7-1735018732315.png

Once my traffic with source 10.0.0.2 is placed in the loopback 0 interface on the OUTSIDE, NAT takes place and applies the following:

JUANNN_8-1735018761604.png

The source of my traffic from HOST 1 now should be 192.168.1.3. The destination is (for example) 100.100.100.100 (INET_SERV). The NAT router then routes traffic using the default route pointing to CMTS:

JUANNN_9-1735018791637.png

which is successfully installed in the RIB (in case someone was doubting). Once the traffic gets to CMTS, the rest of the path to INET_SERV is fine.

On the way back to HOST1, traffic from CMTS coming from INET_SERV has a source of 100.100.100.100 and a destination of 192.168.1.3. It gets to G1.10, but again matches PBR and gets placed on the loopback 0 interface:

JUANNN_10-1735018831067.png

Once traffic is placed on the loopback0 interface, it is again NATed before being routed. Since the traffic now has a source of 100.100.100.100 and a destination of 192.168.1.3, it should match the following NAT rule:

JUANNN_11-1735018855815.png

and the destination IP address of traffic should be translated to 10.0.0.2, which is HOST1 IP address, and finally traffic should get routed back to HOST1.

However, I might be doing something wrong or misunderstanding NAT or PBR, because traffic from HOST1 to INET_SERV is reaching INET_SERV, but NAT is not translating the traffic in the NAT router. In the packet captures that I have taken on the link between CMTS and INET_SERV, I see the ICMP request with source 10.0.0.2 and destination 100.100.100.100, which means that the traffic goes through the NAT router without getting translated. The traffic then cannot make it back, since INET_SERV does not have a route to 10.0.0.0/24. I know I could configure NAT on CMTS or a route to 10.0.0.0/24 on INET_SERV to solve this, but the goal is to solve it from the NAT router.

I have tried this on hardware (Cisco 3650 switch as L2SW and C1121X routers) and software (CML 2.7.2) with no success. I have been stuck on this for countless hours over many days.

Does anyone know what could be wrong, or whether I am misunderstanding anything?

Thanks, any help is appreciated,

Juan
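To make the hairpin Juan describes concrete, here is a small Python packet-walk model. It is an added illustration, not code from this thread or from Cisco, and it assumes a simplified version of the documented IOS order of operations (inside-to-outside: PBR and routing first, then inside-source translation; outside-to-inside: reverse translation first, then PBR and routing) plus a constructed PBR match that covers both directions, as the post says it does. The build_router() helper, the interface names and the 10.0.1.0/30 next-hop network on the loopback are assumptions; a layout flag also reproduces Paul's variant (G1 outside, loopback inside) from later in the thread.

```python
"""Packet-walk model of the NAT-on-a-stick hairpin described in the post above.
Added illustration, not code from the thread or from Cisco. Assumed (simplified
IOS order of operations): inside->outside does PBR/routing first, then
inside-source translation; outside->inside does the reverse translation first,
then PBR/routing; a packet sent "out" a loopback re-enters on that loopback.
The PBR match predicate is constructed to cover both directions, as the post says.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class NatRouter:
    def __init__(self):
        self.domain = {}            # interface -> "inside" | "outside"
        self.routes = []            # (ip_network, egress), kept longest-prefix first
        self.pbr = {}               # ingress interface -> (match predicate, egress)
        self.nat_acl = None         # local sources eligible for inside-source NAT
        self.nat_pool = []          # global addresses handed out in order
        self.local_to_global = {}   # dynamic translation table, both directions
        self.global_to_local = {}
        self.trace = []             # (ingress, egress, packet as it leaves that step)

    def add_route(self, prefix, egress):
        self.routes.append((ip_network(prefix), egress))
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, dst):
        for net, egress in self.routes:
            if ip_address(dst) in net:
                return egress
        raise LookupError(f"no route to {dst}")

    def translate_in_to_out(self, pkt):
        """Inside-source translation: reuse or allocate a global address."""
        if self.nat_acl is None or ip_address(pkt.src) not in self.nat_acl:
            return pkt
        g = self.local_to_global.get(pkt.src)
        if g is None:
            if len(self.local_to_global) >= len(self.nat_pool):
                raise RuntimeError("NAT pool exhausted")
            g = self.nat_pool[len(self.local_to_global)]
            self.local_to_global[pkt.src] = g
            self.global_to_local[g] = pkt.src
        return Packet(g, pkt.dst)

    def translate_out_to_in(self, pkt):
        """Reverse translation for replies to an existing table entry."""
        local = self.global_to_local.get(pkt.dst)
        return Packet(pkt.src, local) if local else pkt

    def forward(self, pkt, ingress, hops=0):
        """Walk one packet through the router; return (egress, packet as sent)."""
        if hops > 4:
            raise RuntimeError("hairpin loop")
        if self.domain[ingress] == "outside":     # outside->inside: NAT before routing
            pkt = self.translate_out_to_in(pkt)
        rule = self.pbr.get(ingress)
        egress = rule[1] if rule and rule[0](pkt) else self.lookup(pkt.dst)
        if self.domain[ingress] == "inside" and self.domain[egress] == "outside":
            pkt = self.translate_in_to_out(pkt)   # inside->outside: NAT after routing
        self.trace.append((ingress, egress, pkt))
        if egress.startswith("Loopback"):         # hairpin: comes back in on the loopback
            return self.forward(pkt, egress, hops + 1)
        return egress, pkt


G1, LO = "GigabitEthernet1.10", "Loopback0"   # assumed interface names


def build_router(loopback_outside=True):
    """True = the post's layout (G1.10 inside, lo0 outside);
    False = Paul's suggestion (G1 outside, lo0 inside)."""
    r = NatRouter()
    r.domain = {G1: "inside", LO: "outside"} if loopback_outside else {G1: "outside", LO: "inside"}
    r.add_route("0.0.0.0/0", G1)        # default route towards the CMTS
    r.add_route("10.0.0.0/24", G1)      # host VLAN (secondary address)
    r.add_route("192.168.1.0/24", G1)   # CMTS-facing subnet (primary address)
    r.add_route("10.0.1.0/30", LO)      # assumed loopback subnet used as PBR next hop

    def match(p):  # constructed PBR match: host-sourced traffic and replies to the NAT address
        return ip_address(p.src) in ip_network("10.0.0.0/24") or p.dst == "192.168.1.3"

    r.pbr[G1] = (match, LO)
    r.nat_acl = ip_network("10.0.0.0/24")
    r.nat_pool = ["192.168.1.3"]
    return r


if __name__ == "__main__":
    for layout in (True, False):
        r = build_router(layout)
        print("loopback is", "outside" if layout else "inside")
        for pkt in (Packet("10.0.0.2", "100.100.100.100"), Packet("100.100.100.100", "192.168.1.3")):
            r.trace.clear()
            egress, out = r.forward(pkt, G1)
            for step in r.trace:
                print("  ", step)
            print("  leaves", egress, "as", out)
```

Running it prints where the translation happens in each layout: with the loopback outside, both directions hairpin through lo0 (source translated on the way onto the loopback, destination untranslated when the reply re-enters on it); with the loopback inside, only the host-to-server direction hairpins, because the reply is untranslated on the outside interface before routing runs at all. The model only makes the expected order of operations explicit; it says nothing about why a particular IOS image or CML node fails to translate.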

35 Replies

Friend 

LO is outside not inside.

Review his post and my comment.

MHM

Hello


@MHM Cisco World wrote:

    LO is outside not inside.

Then hairpin will NOT work...

Note:
The source host packets need to loop back (ip nat inside) and then be routed back out of gi1 (ip nat outside) for the NAT translation to work.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

It works, sure; I have tried it many times, especially with IPsec.

anyway let me see his last code, after that I will talk

thanks to all 

MHM

Hello Paul,

Thanks for your interest. Your configuration looks good; I am going to try it now. Interesting to place G1 in outside and lo0 in inside, but place incoming traffic on lo0 with PBR and that way use NAT from inside to outside to translate the source from 10.0.0.2 to 192.168.1.2 (also a very good point in putting 192.168.1.2 as the primary IP address).

I will let you know how it turns out; however, I don't trust CML 100%.

Do you want to NAT the Host or the LO?

What are you trying here?

MHM

JUANNN
Level 1

I am trying to NAT the host. It is possible to do it as Paul said too, but I'm not sure if it will work. Will see, I am currently labbing.

JUANNN
Level 1

Hello,

I tried what Paul suggested, but nothing. I tried using the physical interfaces instead of subinterfaces. Also, if I try to use the set interface loopback0 command in PBR it pops an error:

JUANNN_0-1735047478261.png

I did debug ip policy and it ended up saying that lo0 cannot be used for that. So I used a tunnel interface instead, and the debug shows good. However, NAT translations are not happening.

I can ping from HOST1 to 192.168.1.2, so routing should be fine. Here is the configuration for the NAT router (note the tunnel instead of lo0 for PBR and the next-hop on the tunnel subnet; I tried with set interface and it still didn't work):

interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel100
ip address 2.2.2.2 255.255.255.248
ip nat inside
tunnel source Loopback0
tunnel destination 1.1.1.1
!
interface GigabitEthernet1
ip address 10.0.0.1 255.255.255.0 secondary
ip address 192.168.1.2 255.255.255.0
no ip redirects
ip nat outside
ip policy route-map PBR
negotiation auto
no mop enabled
no mop sysid

ip forward-protocol nd
no ip http server
ip http secure-server
!
ip nat inside source list public interface GigabitEthernet1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1 192.168.1.1
!
ip access-list extended public
10 permit ip 10.0.0.0 0.0.0.255 any
!
!
!
route-map PBR permit 10
set ip next-hop 2.2.2.3

hello
what's the tunnel interface for?
you do not need it, unless that is you have a topology setup different to your OP
all you require for this to work is:

from the nat rtr:
 be able to reach the INET_SERV rtr and beyond via its primary ip address, and vice versa
 also from the nat rtr be able to reach the internal host via its secondary ip address
If that is all in place then just apply the NAT hairpin as per my previous post and it should work accordingly

as for the rtr complaining about the set interface - ignore it, it should let you apply it anyway, so change your route map to set interface loopbackx



Kind Regards
Paul

Hello Paul, 

when I use set interface lo0 on the route map, PBR does not work:

JUANNN_0-1735049177006.png

This config must work for your case:
the server sees only the LO IP and the host subnet is hidden behind NAT.

JUANNN_3-1735018571502.png

Hello MHM,

Thanks for the interest. I know that cfg works, because I labbed it before multiple times. The challenge is to make it work with 1 subinterface only hosting 2 IP addresses (1 primary, 1 secondary) and a loopback. Cisco proposes the following configuration, which I tried unsuccessfully:

JUANNN_1-1735052429054.png

Network Address Translation on a Stick - Cisco

Cisco presents a cfg with the lo0 as outside and G1 as inside

interface Ethernet0
 ip address 192.168.1.2 255.255.255.0 secondary   <<- this is used to connect to the CMTS
 ip address 10.0.0.2 255.255.255.0
 ip Nat inside
!--- Assigns a primary IP address of 10.0.0.2 and a secondary IP
!--- address of 192.168.1.2 to Ethernet 0. Defines interface Ethernet 0
!--- as NAT inside. The 192.168.1.2 address will be used to communicate
!--- through the CM to the CMTS and the Internet. The 10.0.0.2 address
!--- will be used to communicate with the local hosts.
 ip policy route-map Nat-loop
!--- Assigns route-map "Nat-loop" to Ethernet 0 for policy routing.
!
ip Nat pool external 192.168.2.2 192.168.2.3 prefix-length 29   <<- different subnet used for NATing
ip Nat inside source list 10 pool external overload
ip Nat inside source static 10.0.0.12 192.168.2.1

thanks for sharing the link
the issue is between the subnet connecting the NAT router and CMTS and the subnet used in NAT

correct it and it will work

MHM

Hello
@MHM Cisco World @JUANNN 
you do not need to apply any routable ip address to the loopback; the cfg I posted in relation to the OP should work providing
communication between the nat rtr and the external rtr via the primary subnet 192.168.1.X works
@JUANNN as for the route map not letting you specify the loopback interface, that could be down to the CML software; you could try ip next-hop 1.1.1.1, it may let you do it

I don't have access to any simulation software at present to test for you, but the cfg I applied should work



Kind Regards
Paul

alternatively to domain NAT you can try and use domain-less NAT (no inside/outside domains):

int x/x
 no ip nat inside
 no ip nat outside
 ip nat enable

no ip nat inside source list xxx
ip nat source list xxx



Kind Regards
Paul

Hello Paul

I believe NAT VI (domainless NAT) is not supported on CML, or otherwise I don't know how to enable it, since I have tried multiple times to do it. It takes the ip nat enable command but not ip nat source.
