Legacy NAT issue against NAT virtual interfaces

esteban.r
Level 1

Dear Community

 

I have to install IR809 routers on several sites covered by 3G/4G for monitoring and maintenance purposes. These routers must be connected to the monitoring center (MC) by EasyVPN through the 4G network. (We cannot set up an IPsec L2L VPN because the ISP can only provide a private IP for the 4G connection.)

 

I need to monitor equipment on these sites (mainly by ICMP and SNMP) from the monitoring center, but the equipment on site does not have the IR809 as its default gateway. As a result, I must NAT the traffic coming from the MC to an IR809 interface with an IP in the same subnet as my equipment, allowing the monitoring center to initiate the communication with the equipment.

 

In my lab, the EasyVPN is correctly established between the MC and the IR809 acting as the EasyVPN client.

 

1- If I configure my equipment on site to have the IR809 as default gateway, it works properly. I can send/receive traffic in both directions.

2- If I configure my equipment to have a router other than my IR809 as default gateway, and apply the legacy NAT configuration "ip nat inside/ip nat outside" on the interfaces, it works properly as well.

 

My issue concerns the "NAT Virtual Interface", which is configured by default in the router configuration. If I reset the VPN connection or reload the router, I lose my legacy NAT configuration. I don't understand why the router comes back to the default NAT configuration.

 

Your assistance would be helpful

 

Thanks in advance


5 Replies

Hello,

 

--> If I reset the VPN connection or reload the router, I lose my legacy NAT configuration. I don't understand why the router comes back to the default NAT configuration.

 

Post both the configuration before and after the reload.

Hello Georg

 

Thanks for your prompt reply.

 

Please find the configuration of the EZVPN client before reload and after reload enclosed.

 

Below is the "show version" output:

 

Cisco IOS Software, ir800 Software (ir800-UNIVERSALK9-M), Version 15.5(3)M4a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Thu 06-Oct-16 15:56 by prod_rel_team

ROM: Bootstrap program is IR800

RTR-MON-VLLB uptime is 43 minutes
System returned to ROM by CLI initiated reload at 07:03:58 UTC Thu May 31 2018
System image file is "flash:/ir800-universalk9-mz.SPA.155-3.M4a"
Last reload reason: Reload Command



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
          
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco IR809G-LTE-GA-K9 (revision 0.0) with 373760K/52224K bytes of memory.
Processor board ID FCW211500L2
Last reset from CLI initiated reload

FPGA version: 2.0.0

BIOS: version 8 Production
BIOS: date[YYYY/MM/DD] :[2015/6/2]


2 Serial(sync/async) interfaces
3 Gigabit Ethernet interfaces
8 terminal lines
2 Cellular interfaces
DRAM configuration is 72 bits wide with parity disabled.
256K bytes of non-volatile configuration memory.
976562K bytes of ATA System Flash (Read/Write)
250000K bytes of ATA Bootstrap Flash (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*1        IR809G-LTE-GA-K9      FCW211500L2     




Suite License Information for Module:'ir800'

--------------------------------------------------------------------------------
Suite                 Suite Current         Type           Suite Next reboot     
--------------------------------------------------------------------------------

Technology Package License Information for Module:'ir800'

------------------------------------------------------------------------
Technology    Technology-package                  Technology-package
              Current              Type           Next reboot  
------------------------------------------------------------------------
ipbase        ipbasek9             Permanent      ipbasek9
security      securityk9           Permanent      securityk9
data          datak9               Permanent      datak9

Configuration register is 0x102

Hello,

 

your default route points to Cellular0, which is the NAT inside. This might be the problem. I cannot really figure out from your original post what your logical setup looks like and what NAT is supposed to do.

At the very least, you need a default route pointing to a NAT outside interface, which in your case is GigabitEthernet0.

 

Try and change the default route to:

 

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0

 

and check if at least the config stays the same after reload (obviously save it to memory first)...

 

 

Hello George

 

 

In my first post, I attached the diagram of my setup.

 

The Monitoring Center uses IP subnet 192.168.100.0/24.

The monitoring system is 192.168.100.1 with default gateway 192.168.100.1 (which is the EZVPN server router).

 

On the other side:

 

My equipment to monitor is 192.168.1.2 with default gateway 192.168.1.1, which does not belong to any interface of my EZVPN client router; it's another router.

However, my EZVPN client router has an IP in the same subnet as my equipment, which is 192.168.1.10.

 

That's why I need to translate the IP of the traffic from the monitoring system to the router interface, otherwise I won't get any reply.

 

I cannot change the default route to point to gi0/0. Otherwise I won't be able to set up the VPN. I tried it in the lab with GNS3 and it is working as expected.

 

If you have any other idea regarding the requirement, feel free to propose it.

 

Thanks

 

Hello George,

You're right.

If I specify the default route on the Cellular0 interface, then NVI will automatically consider Cellular0 as NAT outside. When I remove the default route or any static route on this interface, then I can see the legacy NAT config in the running config. However, I cannot set up my VPN anymore with my EZVPN server.

Is there any way to globally disable NVI?
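The legacy NAT arrangement this thread describes (Cellular0 carrying the EzVPN tunnel as NAT inside, GigabitEthernet0 on the site LAN as NAT outside, monitoring-center sources rewritten to the router's 192.168.1.10 LAN address), written out as an IOS config fragment. This is an added illustration, not the poster's attached configuration; the ACL name MC-TO-SITE, the choice of interface-overload translation, and the interface roles are assumptions drawn from the posts above.

```cisco
! Assumed roles: Cellular0 terminates the EzVPN tunnel (NAT inside),
! GigabitEthernet0 sits on the site LAN as 192.168.1.10 (NAT outside).
interface Cellular0
 ip nat inside
!
interface GigabitEthernet0
 ip address 192.168.1.10 255.255.255.0
 ip nat outside
!
! Only monitoring-center traffic bound for the site LAN is translated;
! the ACL name is an assumption.
ip access-list extended MC-TO-SITE
 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! Inside sources (192.168.100.x) are rewritten to the Gi0 address on egress,
! so the monitored device replies on-link to 192.168.1.10 and the reverse
! translation returns the reply into the tunnel, without the IR809 being
! the device's default gateway.
ip nat inside source list MC-TO-SITE interface GigabitEthernet0 overload
!
! Checks after a reload: confirm the legacy statements are still present
! and that translations are being created for MC-originated sessions.
! show running-config | section ip nat
! show ip nat translations
```

If the "ip nat inside/outside" lines are absent from the running-config after reload, the router is back on the NVI behaviour the original post describes, which is the symptom to compare against rather than the translation table alone.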