12-23-2024 09:45 PM
Hello,
I am doing both on CML and on hardware the following configuration:
The goal is to configure NAT on the NAT_ROUTER using only 1 physical interface (G1.10), which will be on the INSIDE.
I have tried it with 2 subinterfaces, one as inside and one as outside, and it worked.
However, the next step is to get it to work using only 1 subinterface. For this, I created a Loopback interface and set it as the OUTSIDE:
Since the traffic from the users (from HOST1, which is in VLAN 10.0.0.0 /24, and HOST1 has an interface VLAN 10 emulating a host with IP address 10.0.0.2 /24) gets routed before being NATed when it goes through G1.10, I configured PBR to match that traffic (as you can see in the G1.10 screenshot) and place it on the loopback interface, which is on the OUTSIDE (the next hop set by PBR is in the network directly connected to lo0, 10.0.1.0 /30), so that way it gets NATed before being routed:
Once my traffic with source 10.0.0.2 is placed in the loopback 0 interface on the OUTSIDE, NAT takes place and applies the following:
The source of my traffic from HOST 1 now should be 192.168.1.3. The destination is (for example) 100.100.100.100 (INET_SERV). The NAT router then routes traffic using the default route pointing to CMTS:
which is successfully installed in the RIB (in case someone was doubting). Once the traffic gets to CMTS, the rest of the path to INET_SERV is fine.
On the way back to HOST1, traffic from CMTS coming from INET_SERV has a source of 100.100.100.100 and a destination of 192.168.1.3. It gets to G1.10, but again matches PBR and gets placed on the loopback 0 interface:
Once traffic gets placed on the loopback0 interface, it is again NATed before being routed. Since the traffic now has a source of 100.100.100.100 and a destination of 192.168.1.3, it should match the following NAT rule:
and the destination IP address of traffic should be translated to 10.0.0.2, which is HOST1 IP address, and finally traffic should get routed back to HOST1.
However, I might be doing something wrong or misunderstanding NAT or PBR, because traffic from HOST1 to INET SERV is reaching INET SERV, but NAT is not translating traffic in the NAT router. On the packet captures that I have done on the link between CMTS and INET_SERV, I see the ICMP request with source 10.0.0.2 and destination 100.100.100.100, which means that traffic goes through the NAT router without getting translated. Traffic then cannot make it back since INET_SERV does not have a route to 10.0.0.0 /24. I know I could configure NAT on CMTS or a route to 10.0.0.0 /24 on INET_SERV to solve this, but the goal is to solve it from the NAT router.
I have tried this on hardware (CISCO 3650 port switch as L2SW and C1121X routers) and software (CML2.7.2) and no success. I have been stuck with this countless hours for many days.
Does anyone know what could be wrong, or whether I am misunderstanding anything?
Thanks, any help is appreciated,
Juan
12-24-2024 04:40 AM
Friend
LO is outside, not inside.
Review his post and my comment.
MHM
12-24-2024 05:04 AM
Hello
@MHM Cisco World wrote: LO is outside, not inside.
Then hairpin will NOT work...
Note:
The source host packets need to loop back ( ip nat inside) then to be routed back out of gi1 (ip nat outside) for nat translation to work
12-24-2024 05:06 AM
It works, sure; I have tried it many times, especially with IPsec.
Anyway, let me see his last code; after that I will talk.
thanks to all
MHM
12-24-2024 04:55 AM
Hello Paul,
Thanks for your interest. Your configuration looks good; I am going to try it now. Interesting to place G1 on the outside and lo0 on the inside, but place incoming traffic on lo0 with PBR and that way use NAT from inside to outside to translate the source from 10.0.0.2 to 192.168.1.2 (also a very good point in putting 192.168.1.2 as the primary IP address).
I will let you know how it turns out; however, I don't trust CML 100%.
12-24-2024 05:03 AM
Do you want to NAT the Host or the LO?
What are you trying to do here?
MHM
12-24-2024 05:07 AM
I am trying to NAT the host. It is possible to do it as Paul said too, but I'm not sure if it will work. We'll see; I am currently labbing.
12-24-2024 05:44 AM
Hello,
I tried what Paul suggested, but nothing. I tried using the physical interfaces instead of subinterfaces. Also, if I try to use the set interface loopback0 command on PBR it pops an error:
I did the debug ip policy and it ended up saying that lo0 cannot be used for that. So I used a tunnel interface instead, and the debug shows good. However, NAT translations are not happening.
I can ping from HOST1 to 192.168.1.2, so routing should be fine. Here is the configuration for the NAT router (note the tunnel instead of lo0 for PBR and the next-hop on the tunnel subnet; I tried with set interface and it still didn't work):
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel100
 ip address 2.2.2.2 255.255.255.248
 ip nat inside
 tunnel source Loopback0
 tunnel destination 1.1.1.1
!
interface GigabitEthernet1
 ip address 10.0.0.1 255.255.255.0 secondary
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip nat outside
 ip policy route-map PBR
 negotiation auto
 no mop enabled
 no mop sysid
!
ip forward-protocol nd
no ip http server
ip http secure-server
!
ip nat inside source list public interface GigabitEthernet1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1 192.168.1.1
!
ip access-list extended public
 10 permit ip 10.0.0.0 0.0.0.255 any
!
route-map PBR permit 10
 set ip next-hop 2.2.2.3
12-24-2024 06:01 AM - edited 12-24-2024 06:03 AM
hello
What's the tunnel interface for?
You do not need it, unless you have a topology set up different to your OP.
All you require for this to work is:
From the NAT rtr:
Be able to reach the INET_SERV rtr and beyond via its primary IP address, and vice versa.
Also, from the NAT rtr, be able to reach the internal host via its secondary IP address.
If that is all in place, then just apply the NAT hairpin as per my previous post and it should work accordingly.
As for the rtr complaining about the set interface: ignore it; it should let you apply it anyway, so change your route map to set interface loopbackx.
12-24-2024 06:07 AM
Hello Paul,
When I use set interface lo0 on the route map, PBR does not work:
12-24-2024 06:22 AM
This config must work for your case.
The server sees only the LO IP, and the host subnet is hidden behind NAT.
12-24-2024 07:01 AM - edited 12-24-2024 07:02 AM
Hello MHM,
Thanks for your interest. I know that cfg works, because I have labbed it before multiple times. The challenge is to make it work with only 1 subinterface hosting 2 IP addresses (1 primary, 1 secondary) and a loopback. Cisco proposes the following configuration, which I tried unsuccessfully:
Network Address Translation on a Stick - Cisco
Cisco presents a cfg with lo0 as outside and G1 as inside.
12-24-2024 07:16 AM
interface Ethernet0
 ip address 192.168.1.2 255.255.255.0 secondary   <<- this is used to connect to CMTS
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
!--- Assigns a primary IP address of 10.0.0.2 and a secondary IP
!--- address of 192.168.1.2 to Ethernet 0. Defines interface Ethernet 0
!--- as NAT inside. The 192.168.1.2 address will be used to communicate
!--- through the CM to the CMTS and the Internet. The 10.0.0.2 address
!--- will be used to communicate with the local hosts.
 ip policy route-map Nat-loop
!--- Assigns route-map "Nat-loop" to Ethernet 0 for policy routing.
!
ip nat pool external 192.168.2.2 192.168.2.3 prefix-length 29   <<- different subnet used for NATing
ip nat inside source list 10 pool external overload
ip nat inside source static 10.0.0.12 192.168.2.1
Thanks for sharing the link.
The issue is between the subnet connecting the NAT router and CMTS and the subnet used in NAT.
Correct it and it will work.
MHM
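The Cisco design quoted above relies on the IOS NAT order of operations that Paul's note also refers to: inside-to-outside traffic is routed first and its source translated afterwards, while outside-to-inside traffic has its destination translated before routing, and a packet policy-routed to the loopback re-enters the router on that loopback. The following toy model is an added example, not code from this thread or from Cisco; the interface names, the 10.0.1.0/30 loopback subnet and the 192.168.1.3 global address are constructed to mirror the OP's description.

```python
import ipaddress

# Constructed topology following the Cisco "NAT on a stick" layout:
# G1 is the NAT inside interface, Loopback0 the NAT outside interface.
DOMAIN = {"G1": "inside", "Lo0": "outside"}
ROUTES = {"10.0.0.0/24": "G1", "10.0.1.0/30": "Lo0", "0.0.0.0/0": "G1"}
PBR_ON = "G1"                  # interface carrying "ip policy route-map"
PBR_SRC, PBR_DST = "10.0.0.0/24", "192.168.1.3/32"   # route-map match ACL
PBR_NEXT_HOP = "10.0.1.2"      # lives on the loopback subnet
NAT_ACL = "10.0.0.0/24"        # "ip nat inside source list ..."
GLOBAL_IP = "192.168.1.3"      # the single overload (global) address
nat_table = {}                 # local -> global and global -> local

def match(ip, prefix):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)

def route(dst):
    """Longest-prefix match over ROUTES; returns the egress interface."""
    best = max((p for p in ROUTES if match(dst, p)),
               key=lambda p: ipaddress.ip_network(p).prefixlen)
    return ROUTES[best]

def forward(src, dst, ingress, hops=0):
    """Run one packet through the router; returns (src, dst, egress)."""
    assert hops < 4, "packet is looping between G1 and Lo0"
    # outside->inside: global-to-local translation happens BEFORE routing
    if DOMAIN[ingress] == "outside" and dst in nat_table:
        dst = nat_table[dst]
    # policy routing only on the interface where the route-map is applied
    if ingress == PBR_ON and (match(src, PBR_SRC) or match(dst, PBR_DST)):
        out = route(PBR_NEXT_HOP)
    else:
        out = route(dst)
    # inside->outside: local-to-global translation happens AFTER routing
    if (DOMAIN[ingress] == "inside" and DOMAIN[out] == "outside"
            and match(src, NAT_ACL)):
        nat_table[src], nat_table[GLOBAL_IP] = GLOBAL_IP, src
        src = GLOBAL_IP
    # a packet sent "out" the loopback re-enters on that same loopback
    if out == "Lo0":
        return forward(src, dst, "Lo0", hops + 1)
    return src, dst, out

def round_trip(host, server):
    """Host -> server request and the server's reply, both entering on G1."""
    req = forward(host, server, "G1")
    rep = forward(server, req[0], "G1")
    return req, rep

if __name__ == "__main__":
    print(round_trip("10.0.0.2", "100.100.100.100"))
```

Swapping the two DOMAIN values (G1 outside, Lo0 inside) without changing the route-map shows why the translation then never happens: the host packet's first pass is outside-to-inside, so the source is never rewritten.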
12-24-2024 06:30 AM - edited 12-24-2024 06:31 AM
Hello
@MHM Cisco World @JUANNN
You do not need to apply any routable IP address to the loopback; the cfg I posted in relation to the OP should work, providing
communication between the NAT rtr and the external rtr via the primary subnet 192.168.1.X works.
@JUANNN as for the route map not letting you specify the loopback interface, that could be down to the CML software; you could try ip next-hop 1.1.1.1, it may let you do it.
I don't have access to any simulation software at present to test for you, but the cfg I applied should work.
12-24-2024 06:37 AM
Alternatively to domain NAT, you can try and use domain-less NAT (no inside/outside domains):
int x/x
 no ip nat inside/outside
 ip nat enable
no ip nat inside source list xxx
ip nat source list xxx
12-24-2024 07:04 AM
Hello Paul
I believe NAT VI (domainless NAT) is not supported on CML, or otherwise I don't know how to enable it, since I have tried multiple times to do it. It takes the ip nat enable command but not the ip nat source command.