
Local NAT for some Destinations

Hi all.

I have this problem on my production network.

I route all my branches through my central branch, but I need to use the local Internet service for some hosts (like Akamai), so I have replicated the base configuration in GNS3.

 

R1 Config.

 

interface FastEthernet0/0
ip address 10.10.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1 (Connected to NAT1 emulating NAT)
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!

interface Vlan1
no ip address
!
ip forward-protocol nd
ip route 10.100.50.0 255.255.255.0 10.10.0.2 name LAN-prueba
!
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface FastEthernet0/1 overload
!
access-list 10 permit 10.100.50.0 0.0.0.255
no cdp log mismatch duplex
!
!
!

R2 Config

For a practical test I try to reach the host 8.8.4.4 from the local Internet service.

interface FastEthernet0/0
ip address 10.10.0.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto

interface Vlan1
ip address 10.100.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip default-gateway 10.10.0.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.0.1 name Default-salida
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map NAT_SPLIT interface FastEthernet0/1 overload reversible
!
access-list 100 remark macheo para natear por otro lado.
access-list 100 permit ip 10.100.50.0 0.0.0.255 host 8.8.4.4
no cdp log mismatch duplex
!
route-map NAT_SPLIT permit 10
match ip address 100
match interface FastEthernet0/1
!
route-map NO_NAT-SLIPT permit 10
match ip address 1
match interface FastEthernet0/0

image.png

Regards!

18 Replies

interface FastEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
ip policy route-map MHM
!
ip nat inside source route-map NAT_SPLIT interface FastEthernet0/1 overload reversible
!
access-list 100 remark macheo para natear por otro lado.
access-list 100 permit ip 10.100.50.0 0.0.0.255 host 8.8.4.4
!
route-map NAT_SPLIT permit 10
match ip address 100
match interface FastEthernet0/1
!
route-map NO_NAT-SLIPT permit 10
match ip address 1 <<- what is this ACL 
!
route-map MHM permit 10
match ip address 100
set interface  FastEthernet0/1

Sorry, my bad.

 

route-map NO_NAT-SLIPT permit 10
match ip address 1 <<- what is this ACL? Same ACL --> 100
!
route-map MHM permit 10
match ip address 100
set interface  FastEthernet0/1

route-map NO_NAT-SLIPT permit 10 <<<- NO NEED FOR THIS ROUTE-MAP
match ip address 100 

Final config

interface FastEthernet0/0
ip address 10.10.0.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
ip policy route-map MHM

interface Vlan1
ip address 10.100.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip default-gateway 10.10.0.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.0.1 name Default-salida <<- this default route is for any traffic not directed toward host 8.8.4.4
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map NAT_SPLIT interface FastEthernet0/1 overload reversible
!
access-list 100 remark macheo para natear por otro lado.
access-list 100 permit ip 10.100.50.0 0.0.0.255 host 8.8.4.4
no cdp log mismatch duplex
!
route-map NAT_SPLIT permit 10 <<- this is for NATing traffic
match ip address 100
match interface FastEthernet0/1
!
route-map MHM permit 10 <<- this is for forwarding traffic
match ip address 100
set interface  FastEthernet0/1
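To see what the two route-maps in that final config actually do to a packet, here is a small Python model of R2's PBR plus NAT decision and of R1's NAT ACL. This is an added example, not Cisco code and not from any post in this thread. It assumes a constructed DHCP address of 192.168.122.50 for R2's FastEthernet0/1; 192.168.122.1 for R1's WAN side is the hop that shows up in the OP's traceroute further down.

```python
"""Toy packet-path model of the split-NAT design discussed in this thread.

Added illustration, not Cisco code and not from any post. It encodes:
  R2: access-list 100 (10.100.50.0/24 -> host 8.8.4.4), route-map MHM (PBR on
      Vlan1, set interface FastEthernet0/1), route-map NAT_SPLIT (overload on
      FastEthernet0/1), default route via 10.10.0.1
  R1: access-list 10 (10.100.50.0/24), overload on FastEthernet0/1
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

R2_WAN_IP = "192.168.122.50"   # assumption: DHCP-assigned address of R2 Fa0/1
R1_NEXT_HOP = "10.10.0.1"      # R2: ip route 0.0.0.0 0.0.0.0 10.10.0.1
R1_WAN_IP = "192.168.122.1"    # R1 Fa0/1, hop 3 in the OP's 8.8.8.8 trace


@dataclass(frozen=True)
class AclEntry:
    src: IPv4Network
    dst: IPv4Network
    permit: bool = True


def acl_match(acl, src: IPv4Address, dst: IPv4Address) -> bool:
    """Cisco first-match semantics with the implicit deny at the end."""
    for entry in acl:
        if src in entry.src and dst in entry.dst:
            return entry.permit
    return False


# access-list 100 permit ip 10.100.50.0 0.0.0.255 host 8.8.4.4
ACL_100 = [AclEntry(ip_network("10.100.50.0/24"), ip_network("8.8.4.4/32"))]
# access-list 10 permit 10.100.50.0 0.0.0.255   (standard ACL: source only)
ACL_10 = [AclEntry(ip_network("10.100.50.0/24"), ip_network("0.0.0.0/0"))]


@dataclass(frozen=True)
class Hop:
    router: str
    egress: str
    next_hop: str
    nat_src: str      # source address after NAT on this router


def r2_forward(src: str, dst: str) -> Hop:
    """route-map MHM (PBR) decides the exit; NAT_SPLIT translates only that exit."""
    s, d = ip_address(src), ip_address(dst)
    if acl_match(ACL_100, s, d):
        # PBR: set interface FastEthernet0/1. NAT_SPLIT matches the same ACL
        # and that egress interface, so the source becomes the WAN address.
        return Hop("R2", "FastEthernet0/1", "local ISP", R2_WAN_IP)
    # Not in ACL 100: default route towards R1, untouched by NAT_SPLIT.
    return Hop("R2", "FastEthernet0/0", R1_NEXT_HOP, src)


def r1_forward(src: str, dst: str) -> Hop:
    """R1 overloads only the sources permitted by access-list 10."""
    s, d = ip_address(src), ip_address(dst)
    nat_src = R1_WAN_IP if acl_match(ACL_10, s, d) else src
    return Hop("R1", "FastEthernet0/1", "central ISP", nat_src)


def path(src: str, dst: str):
    """Hops a packet takes from the branch until it leaves towards an ISP."""
    hops = [r2_forward(src, dst)]
    if hops[0].next_hop == R1_NEXT_HOP:
        hops.append(r1_forward(hops[0].nat_src, dst))
    return hops


if __name__ == "__main__":
    for dst in ("8.8.4.4", "8.8.8.8"):
        for hop in path("10.100.50.2", dst):
            print(f"{dst:>8} via {hop.router} {hop.egress:<16} src->{hop.nat_src}")
    # R2's own link address is not in R1's access-list 10, so it leaves untranslated
    print("10.10.0.2 -> 8.8.8.8 leaves R1 as", path("10.10.0.2", "8.8.8.8")[-1].nat_src)
```

Two things the model makes visible: access-list 100 is the single control deciding which flows bypass the central breakout, so every line added to it is traffic that no longer passes whatever inspection sits behind R1; and anything R2 sources from 10.10.0.2 reaches R1 outside ACL 10 and is not translated there, which is the reason for widening R1's list to both subnets.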

 

Hello
You don't mention if you wish for resiliency in case either ISP connection fails.
So, just based on your OP, try to allow:

  • Router 1 to perform NAT for both subnets 10.100.50.0/24 & 10.10.0.0/24
  • Router 2 to apply a single static NAT statement with a policy route to NAT egress to its own WAN interface.


Router 1
access-list 10 permit 10.100.50.0 0.0.0.255
access-list 10 permit 10.10.0.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 dhcp


Router 2
route-map PBR
match ip address 100
set interface FastEthernet0/1

interface Vlan1
ip policy route-map PBR

no ip route 0.0.0.0 0.0.0.0 10.10.0.1 name Default-salida
no ip nat inside source route-map NAT_SPLIT interface FastEthernet0/1 overload reversible
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 10.10.0.1 name Default-salida
ip nat inside source list 100 interface FastEthernet0/1


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul. I matched all the config but I don't have Internet access when pinging 8.8.4.4; I see the match on the access list but it is not NATing.

 


interface Vlan1
ip address 10.100.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map MHM
!
ip default-gateway 10.10.0.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 10.10.0.1 name Default-salida
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/1 overload
!
access-list 100 remark macheo para natear por otro lado.
access-list 100 permit ip 10.100.50.0 0.0.0.255 host 8.8.4.4
no cdp log mismatch duplex
!
route-map MHM permit 10
match ip address 100
set interface FastEthernet0/1

 

 



 

That is not the complete config.

Notice there are two PBR:
route-map NAT_SPLIT permit 10 <<- this is for NATing traffic
match ip address 100
match interface FastEthernet0/1
!
route-map MHM permit 10 <<- this is for forwarding traffic
match ip address 100
set interface  FastEthernet0/1

Hi MHM, with this config I NATed through 10.10.0.1. My idea is: when I have to go to 8.8.8.8, go to 10.10.0.1; when I need to go to 8.8.4.4, I need to use the local NAT of the router. I would like a double NAT: 8.8.8.8 one way and 8.8.4.4 via the other path.

I use both route maps.



Share all of the last config, I will check and make notes.

Yes, of course.

full config R2.

 

R2#sh run
Building configuration...

Current configuration : 2279 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 20
no ip icmp rate-limit unreachable
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool DHCP_10.100.50.x
network 10.100.50.0 255.255.255.0
default-router 10.100.50.1
dns-server 10.100.50.1
!
!
no ip domain lookup
ip name-server 10.10.0.1
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
vlan ifdescr detail
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface FastEthernet0/0
ip address 10.10.0.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Vlan1
ip address 10.100.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map MHM
!
ip default-gateway 10.10.0.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.0.1 name Default-salida
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map NAT_SPLIT interface FastEthernet0/1 overload reversible
!
access-list 100 remark macheo para natear por otro lado.
access-list 100 permit ip 10.100.50.0 0.0.0.255 host 8.8.4.4
no cdp log mismatch duplex
!
route-map MHM permit 10
match ip address 100
set interface FastEthernet0/1
!
route-map NAT_SPLIT permit 10
match ip address 100
match interface FastEthernet0/1
!
route-map NO_NAT-SLIPT permit 10
match ip address 100
match interface FastEthernet0/0
!
!
!
control-plane
!
!
!
!
!
!
!
gateway
timer receive-rtp 1200
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

Only this is not needed:

route-map NO_NAT-SLIPT permit 10
match ip address 100
match interface FastEthernet0/0

 

Also, does f0/1 get an IP from DHCP?

Are you sure it gets an IP?

Do

show ip interface brief

to check whether f0/1 gets an IP or not.

Hi MHM

Yes, it is getting a DHCP address from the Cloud.

 


debug ip packet gives me a hint what the issue is here:
the encapsulation issue.

TRY

route-map MHM permit 10

match ip address 100
no set interface FastEthernet0/1
set ip next-hop recursive <CLOUD IP>


Hi MHM. This config is better; I give you the traceroute and debug.

PC1> trace 8.8.8.8
trace to 8.8.8.8, 8 hops max, press Ctrl+C to stop
1 10.100.50.1 19.771 ms 9.559 ms 10.008 ms
2 10.10.0.1 19.447 ms 19.356 ms 19.327 ms
3 192.168.122.1 29.316 ms 29.684 ms 30.114 ms
4 10.10.0.1 29.495 ms 29.958 ms 29.243 ms
5 * * *
^C 6

PC1> trace 8.8.4.4 <--- is going to the cloud without going to 10.10.10.1
trace to 8.8.4.4, 8 hops max, press Ctrl+C to stop
1 10.100.50.1 10.386 ms 9.829 ms 9.276 ms
2 192.168.122.1 19.838 ms 19.790 ms 19.799 ms
3 10.10.0.1 19.771 ms 19.791 ms 19.848 ms
4 * * *
5 * * *
6 * * *
^C 7 * *

 

Debug ip Packet

 

*Mar 1 00:15:24.275: IP: tableid=0, s=10.100.50.1 (local), d=10.100.50.2 (Vlan1), routed via FIB
*Mar 1 00:15:24.275: IP: s=10.100.50.1 (local), d=10.100.50.2 (Vlan1), len 56, sending
*Mar 1 00:15:24.279: ICMP type=11, code=0
*Mar 1 00:15:24.295: IP: tableid=0, s=10.100.50.1 (local), d=10.100.50.2 (Vlan1), routed via FIB
*Mar 1 00:15:24.295: IP: s=10.100.50.1 (local), d=10.100.50.2 (Vlan1), len 56, sending
*Mar 1 00:15:24.295: ICMP type=11, code=0
*Mar 1 00:15:24.303: IP: tableid=0, s=10.100.50.1 (local), d=10.100.50.2 (Vlan1), routed via FIB
*Mar 1 00:15:24.303: IP: s=10.100.50.1 (local), d=10.100.50.2 (Vlan1), len 56, sending
R2#
*Mar 1 00:15:24.303: ICMP type=11, code=0
R2#
*Mar 1 00:15:29.675: IP: tableid=0, s=10.100.50.1 (local), d=10.100.50.2 (Vlan1), routed via FIB
*Mar 1 00:15:29.675: IP: s=10.100.50.1 (local), d=10.100.50.2 (Vlan1), len 56, sending
*Mar 1 00:15:29.675: ICMP type=11, code=0
*Mar 1 00:15:29.687: IP: tableid=0, s=10.100.50.1 (local), d=10.100.50.2 (Vlan1), routed via FIB
*Mar 1 00:15:29.687: IP: s=10.100.50.1 (local), d=10.100.50.2 (Vlan1), len 56, sending
*Mar 1 00:15:29.687: ICMP type=11, code=0
*Mar 1 00:15:29.699: IP: tableid=0, s=10.100.50.1 (local), d=10.100.50.2 (Vlan1), routed via FIB
*Mar 1 00:15:29.699: IP: s=10.100.50.1 (local), d=10.100.50.2 (Vlan1), len 56, sending
*Mar 1 00:15:29.699: ICMP type=11, code=0
*Mar 1 00:15:29.719: IP: tableid=0, s=192.168.122.1 (FastEthernet0/1), d=10.100.50.2 (Vlan1), routed via FIB
*Mar 1 00:15:29.719: IP: s=192.168.122.1 (FastEthernet0/1), d=10.100.50.2 (Vlan1), g=10.100.50.2, len 120, forward
*Mar 1 00:15:29.719: ICMP type=11, code=0
*Mar 1 00:15:29.735: IP: tableid=0, s=192.168.122.1 (FastEthernet0/1), d=10.100.50.2 (Vlan1), routed via FIB
*Mar 1 00:15:29.735: IP: s=192.168.122.1 (FastEthernet0/1), d=10.100.50.2 (Vlan1), g=10.100.50.2, len 120, forward
*Mar 1 00:15:29.739: ICMP type=11, code=0
*Mar 1 00:15:29.755: IP: tableid=0, s=192.168.122.1 (FastEthernet0/1), d=10.100.50.2 (Vlan1), routed via FIB
*Mar 1 00:15:29.759: IP: s=192.168.122.1 (FastEthernet0/1), d=10.100.50.2 (Vlan1), g=10.100.50.2, len 120, forward
*Mar 1 00:15:29.759: ICMP type=11, code=0
*Mar 1 00:15:29.779: IP: tableid=0, s=10.10.0.1 (FastEthernet0/1), d=10.100.50.2 (Vlan1), routed via FIB
*Mar 1 00:15:29.779: IP: s=10.10.0.1 (FastEthernet0/1), d=10.100.50.2 (Vlan1), g=10.100.50.2, len 56, forward
*Mar 1 00:15:29.779: ICMP type=11, code=0
*Mar 1 00:15:29.799: IP: tableid=0, s=10.10.0.1 (FastEthernet0/1), d=10.100.50.2 (Vlan1), routed via FIB
*Mar 1 00:15:29.799: IP: s=10.10.0.1 (FastEthernet0/1), d=10.100.50.2 (Vlan1), g=10.100.50.2, len 56, forward
*Mar 1 00:15:29.799: ICMP type=11, code=0
*Mar 1 00:15:29.819: IP: tableid=0, s=10.10.0.1 (FastEthernet0/1), d=10.100.50.2 (Vlan1), routed via FIB
*Mar 1 00:15:29.819: IP: s=10.10.0.1 (FastEthernet0/1), d=10.100.50.2 (Vlan1), g=10.100.50.2, len 56, forward
*Mar 1 00:15:29.819: ICMP type=11, code=0
R2#

Yes, I see there is no encapsulation error anymore, and the debug is OK, BUT
10.10.0.1 still appears. Are both clouds interconnected?
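One way to read that debug output mechanically, as an added example in Python that is not part of the thread: parse the `debug ip packet` lines, tally source address per ingress interface, and flag any source that arrives on an interface other than the one its prefix should enter on. The sample lines are copied from the debug output posted above; the expected-ingress table is an assumption based on the topology described in the thread (10.10.0.0/24 on FastEthernet0/0 towards R1, 10.100.50.0/24 on Vlan1).

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Sample lines copied from the "debug ip packet" output in this thread
# (one of each kind that appears; the ICMP lines carry no addresses).
SAMPLE_DEBUG = """\
*Mar 1 00:15:24.275: IP: tableid=0, s=10.100.50.1 (local), d=10.100.50.2 (Vlan1), routed via FIB
*Mar 1 00:15:24.275: IP: s=10.100.50.1 (local), d=10.100.50.2 (Vlan1), len 56, sending
*Mar 1 00:15:24.279: ICMP type=11, code=0
*Mar 1 00:15:29.719: IP: s=192.168.122.1 (FastEthernet0/1), d=10.100.50.2 (Vlan1), g=10.100.50.2, len 120, forward
*Mar 1 00:15:29.719: ICMP type=11, code=0
*Mar 1 00:15:29.779: IP: s=10.10.0.1 (FastEthernet0/1), d=10.100.50.2 (Vlan1), g=10.100.50.2, len 56, forward
*Mar 1 00:15:29.779: ICMP type=11, code=0
"""

# Matches the "sending"/"forward" lines only; the "routed via FIB" lines carry
# the same addresses and would double count, so they are deliberately skipped.
PKT_RE = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<ingress>[^)]+)\), "
    r"d=(?P<dst>[\d.]+) \((?P<egress>[^)]+)\)"
    r"(?:, g=[\d.]+)?, len (?P<length>\d+), (?P<action>\w+)"
)

# Assumption from the thread's topology: which interface each prefix should
# enter R2 on. The 192.168.122.0/24 ISP cloud is deliberately left unlisted.
EXPECTED_INGRESS = {
    ip_network("10.10.0.0/24"): "FastEthernet0/0",   # link towards R1
    ip_network("10.100.50.0/24"): "Vlan1",           # branch LAN
}


def parse_debug(text):
    """Return one dict (src, ingress, dst, egress, length, action) per packet line."""
    return [m.groupdict() for m in map(PKT_RE.search, text.splitlines()) if m]


def find_unexpected_ingress(packets):
    """(src, seen_on, expected) for packets that entered on the wrong interface."""
    findings = []
    for p in packets:
        if p["ingress"] == "local":          # router-originated, no ingress
            continue
        src = ip_address(p["src"])
        for net, iface in EXPECTED_INGRESS.items():
            if src in net and p["ingress"] != iface:
                findings.append((p["src"], p["ingress"], iface))
    return findings


def summarize(text):
    packets = parse_debug(text)
    per_ingress = Counter((p["src"], p["ingress"]) for p in packets)
    return per_ingress, find_unexpected_ingress(packets)


if __name__ == "__main__":
    counts, findings = summarize(SAMPLE_DEBUG)
    for (src, iface), n in counts.items():
        print(f"{n:3d}  {src:<16} in via {iface}")
    for src, seen, expected in findings:
        print(f"!! {src} arrived on {seen}, expected {expected}")
```

The single finding it produces is exactly what MHM points out: 10.10.0.1, R1's address on the R1-R2 link, is arriving on FastEthernet0/1, the local WAN side, which only happens if both clouds share a segment in the lab. On a production router that is the kind of packet an inbound ACL or a uRPF check on the outside interface (`ip verify unicast source reachable-via rx`) would drop, so it is worth separating the clouds before trusting the traceroute results.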
