Match ACL with NAT IP

ahmad82pkn
Level 2

Hi,

I have 3 Spoke CSRs connected to a central hub CSR router over VTI tunnel VPN/BGP.

Spoke 1 and Spoke 2 have overlapping subnets 10.55.x.x/16

Spoke 3 is the head office on 10.60.x.x/16

Hub CSR is 10.99.x.x/16, so the hub is sitting in the middle of the 3 Spokes.

All 3 Spokes are in their own VRF and route leaking is done among them.

I am NATting Spoke 1 10.55.x.x into 1.1.1.x when reaching Spoke 3

and

I am NATting Spoke 2 10.55.x.x into 2.2.2.x when reaching Spoke 3

Traffic reaches Spoke 3 fine, but when the response comes back from Spoke 3 to the hub CSR, the hub CSR is confused about whether it needs to send the traffic to Spoke 1 or Spoke 2 due to the overlapping 10.55.x.x subnet.

So I applied a route-map on the Head Office tunnel.

int tunnel 3
 description HeadOffice Tunnel
 ip nat outside
 ip policy route-map HeadOffice
!
ip access-list extended Spoke1
 permit ip any 1.1.1.0 0.0.0.255
ip access-list extended Spoke2
 permit ip any 2.2.2.0 0.0.0.255
!
! ACL names must match the access-list names exactly, and the second
! entry needs its own sequence number or it overwrites the first.
route-map HeadOffice permit 10
 match ip address Spoke1
 set vrf Spoke1VRF
route-map HeadOffice permit 20
 match ip address Spoke2
 set vrf Spoke2VRF

But the ACL doesn't match when traffic comes back from Spoke 3 to the CSR.

How do I match the ACL on the pre-DNAT IP?

13 Replies

Hello

Do you really require a /16 for these 3 sites? Would it be possible to split the IP range into smaller IP blocks to avoid the overlapping?

Even a /18 would give you 4 subnets and 16K+ hosts per subnet.

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

I wish I could do that. Each spoke is owned by a separate customer with a production environment. The above was just an example, and I have 100+ Spokes that I need to connect to the HUB and then route to the common data center Spoke 3. I wish Cisco had an option to somehow, with a route map, send traffic returning from Spoke 3 to the appropriate Spoke1/Spoke2 VRF, but it looks like I am stuck.

The alternate option is to run a CSR in each spoke and do NAT in each spoke as a.alekseev suggested, but I know most customers won't agree to that due to their own reasoning, so I wanted to do something natively.

HUB#sh run
Building configuration...

Current configuration : 3460 bytes
!
! Last configuration change at 21:31:05 UTC Sat May 6 2017
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HUB
!
boot-start-marker
boot-end-marker
!
!
vrf definition SPOKE_1
 rd 1:1
 !
 address-family ipv4
  route-target export 1:1
  route-target import 1:1
  route-target import 3:3
 exit-address-family
!
vrf definition SPOKE_2
 rd 2:2
 !
 address-family ipv4
  route-target export 2:2
  route-target import 2:2
  route-target import 3:3
 exit-address-family
!
vrf definition SPOKE_3
 rd 3:3
 !
 address-family ipv4
  import map SPOKE_3_import
  route-target export 3:3
  route-target import 1:1
  route-target import 2:2
 exit-address-family
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
interface FastEthernet0/0
 description ## SPOKE 1 ##
 vrf forwarding SPOKE_1
 ip address 10.0.0.0 255.255.255.254
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description ## SPOKE_2 ##
 vrf forwarding SPOKE_2
 ip address 10.0.0.2 255.255.255.254
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet1/0
 description ## SPOKE_3 ##
 vrf forwarding SPOKE_3
 ip address 10.0.0.4 255.255.255.254
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router bgp 65000
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf SPOKE_1
  redistribute connected
  redistribute static route-map STATIC2BGP
  neighbor 10.0.0.1 remote-as 1
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 route-map SPOKE_OUT out
 exit-address-family
 !
 address-family ipv4 vrf SPOKE_2
  redistribute connected
  redistribute static route-map STATIC2BGP
  neighbor 10.0.0.3 remote-as 2
  neighbor 10.0.0.3 activate
  neighbor 10.0.0.3 route-map SPOKE_OUT out
 exit-address-family
 !
 address-family ipv4 vrf SPOKE_3
  redistribute connected
  neighbor 10.0.0.5 remote-as 3
  neighbor 10.0.0.5 activate
 exit-address-family
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip bgp-community new-format
ip community-list standard NAT permit 255:255
!
ip nat inside source static network 10.55.0.0 1.1.1.0 /24 vrf SPOKE_1
ip nat inside source static network 10.55.0.0 2.2.2.0 /24 vrf SPOKE_2
ip route vrf SPOKE_1 1.1.1.0 255.255.255.0 10.0.0.1 tag 999
ip route vrf SPOKE_2 2.2.2.0 255.255.255.0 10.0.0.3 tag 999
!
no cdp log mismatch duplex
!
route-map SPOKE_OUT deny 10
 match community NAT
!
route-map SPOKE_OUT permit 20
!
route-map SPOKE_3_import permit 10
 match community NAT
!
route-map STATIC2BGP permit 10
 match tag 999
 set community 255:255
!
!
!
control-plane
!
!
!
mgcp profile default
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
 transport input all
!
!
end

HUB#sh ip route vrf SPOKE_3

Routing Table: SPOKE_3
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/24 is subnetted, 1 subnets
B        1.1.1.0 [20/0] via 10.0.0.1 (SPOKE_1), 00:14:12
      2.0.0.0/24 is subnetted, 1 subnets
B        2.2.2.0 [20/0] via 10.0.0.3 (SPOKE_2), 00:13:52
      10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
C        10.0.0.4/31 is directly connected, FastEthernet1/0
L        10.0.0.4/32 is directly connected, FastEthernet1/0
B        10.10.0.0/24 [20/0] via 10.0.0.5, 00:32:07
HUB#sh ip route vrf SPOKE_2

Routing Table: SPOKE_2
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      2.0.0.0/24 is subnetted, 1 subnets
S        2.2.2.0 [1/0] via 10.0.0.3
      10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
C        10.0.0.2/31 is directly connected, FastEthernet0/1
L        10.0.0.2/32 is directly connected, FastEthernet0/1
B        10.0.0.4/31
           is directly connected (SPOKE_3), 01:38:30, FastEthernet1/0
L        10.0.0.4/32 is directly connected, FastEthernet1/0
B        10.10.0.0/24 [20/0] via 10.0.0.5 (SPOKE_3), 00:32:14
B        10.55.0.0/24 [20/0] via 10.0.0.3, 00:39:36
HUB#sh ip route vrf SPOKE_1

Routing Table: SPOKE_1
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/24 is subnetted, 1 subnets
S        1.1.1.0 [1/0] via 10.0.0.1
      10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
C        10.0.0.0/31 is directly connected, FastEthernet0/0
L        10.0.0.0/32 is directly connected, FastEthernet0/0
B        10.0.0.4/31
           is directly connected (SPOKE_3), 01:38:33, FastEthernet1/0
L        10.0.0.4/32 is directly connected, FastEthernet1/0
B        10.10.0.0/24 [20/0] via 10.0.0.5 (SPOKE_3), 00:32:17
B        10.55.0.0/24 [20/0] via 10.0.0.1, 00:46:03


SPOKE_1
R1#             sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
C        10.0.0.0/31 is directly connected, FastEthernet0/0
L        10.0.0.1/32 is directly connected, FastEthernet0/0
B        10.0.0.4/31 [20/0] via 10.0.0.0, 00:27:32
B        10.10.0.0/24 [20/0] via 10.0.0.0, 00:27:32
C        10.55.0.0/24 is directly connected, FastEthernet0/1
L        10.55.0.1/32 is directly connected, FastEthernet0/1

SPOKE_2
R2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
C        10.0.0.2/31 is directly connected, FastEthernet0/0
L        10.0.0.3/32 is directly connected, FastEthernet0/0
B        10.0.0.4/31 [20/0] via 10.0.0.2, 00:28:31
B        10.10.0.0/24 [20/0] via 10.0.0.2, 00:28:31
C        10.55.0.0/24 is directly connected, FastEthernet0/1
L        10.55.0.1/32 is directly connected, FastEthernet0/1

SPOKE_3
R3#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/24 is subnetted, 1 subnets
B        1.1.1.0 [20/0] via 10.0.0.4, 00:38:00
      2.0.0.0/24 is subnetted, 1 subnets
B        2.2.2.0 [20/0] via 10.0.0.4, 00:37:40
      10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
C        10.0.0.4/31 is directly connected, FastEthernet0/0
L        10.0.0.5/32 is directly connected, FastEthernet0/0
C        10.10.0.0/24 is directly connected, FastEthernet0/1
L        10.10.0.1/32 is directly connected, FastEthernet0/1

Wow, that's complex :) a.alekseev

Will test it out.

I was also able to make it work yesterday; here is my full config.

! Spoke 1 VRF
ip vrf vpn-5fba7268
 rd 64512:1
 import map deny55
 route-target export 64512:0
 route-target import 64512:0
!
! Spoke 2 VRF
ip vrf vpn-c8017183
 rd 64512:13
 import map deny55
 route-target export 64512:0
 route-target import 64512:0
!
! Spoke 3 VRF
ip vrf vpn-d8bacb93
 rd 64512:3
 route-target export 64512:0
 route-target import 64512:0
!
ip vrf vpn0
 rd 64512:0
!
! Spoke 1
interface Tunnel1
 ip vrf forwarding vpn-5fba7268
 ip address 169.254.59.166 255.255.255.252
 ip nat inside
!
! Spoke 2
interface Tunnel13
 ip vrf forwarding vpn-c8017183
 ip address 169.254.22.70 255.255.255.252
 ip nat inside
!
! Spoke 3
interface Tunnel3
 ip vrf forwarding vpn-d8bacb93
 ip address 169.254.20.110 255.255.255.252
 ip nat outside
!
router bgp 64512
 bgp log-neighbor-changes
 !
 ! Spoke 3: advertise the two NAT pools (backed by the static routes below)
 address-family ipv4 vrf vpn-d8bacb93
  network 1.1.1.0 mask 255.255.255.0
  network 2.2.2.0 mask 255.255.255.0
  neighbor 169.254.20.109 remote-as 9059
  neighbor 169.254.20.109 timers 10 30 30
  neighbor 169.254.20.109 activate
  neighbor 169.254.20.109 as-override
  neighbor 169.254.20.109 soft-reconfiguration inbound
 exit-address-family
 !
 ! Spoke 1
 address-family ipv4 vrf vpn-5fba7268
  neighbor 169.254.59.165 remote-as 7224
  neighbor 169.254.59.165 timers 10 30 30
  neighbor 169.254.59.165 activate
  neighbor 169.254.59.165 as-override
 exit-address-family
 !
 ! Spoke 2
 address-family ipv4 vrf vpn-c8017183
  neighbor 169.254.22.69 remote-as 9059
  neighbor 169.254.22.69 timers 10 30 30
  neighbor 169.254.22.69 activate
  neighbor 169.254.22.69 as-override
 exit-address-family
!
! Per-VRF static translations: the same 10.55.0.0/24 maps to a different
! pool in each spoke VRF, so the reverse (DNAT) lookup on return traffic
! selects the VRF as well as the inside address.
ip nat inside source static network 10.55.0.0 1.1.1.0 /24 vrf vpn-5fba7268
ip nat inside source static network 10.55.0.0 2.2.2.0 /24 vrf vpn-c8017183
!
ip route vrf vpn-d8bacb93 1.1.1.0 255.255.255.0 100.64.127.225 global
ip route vrf vpn-d8bacb93 2.2.2.0 255.255.255.0 100.64.127.225 global
!
! Import map for the Spoke 1 / Spoke 2 VRFs: keep the other spoke's
! overlapping 10.55.0.0/16 out, import everything else (the route-map
! must reference ACL 55, and needs a deny entry followed by a permit-all).
access-list 55 permit 10.55.0.0 0.0.255.255
!
route-map deny55 deny 10
 match ip address 55
route-map deny55 permit 20

The only thing which was confusing for me: when traffic comes back from the remote end of Spoke 3 and enters the CSR, how will it decide whether it needs to go to Spoke 1 or Spoke 2? But it looks like it is getting DNATed first and going to the right Spoke1|Spoke2 VRF by itself (instead of checking the Spoke 3 VRF BGP table, which is learning the same subnet from both the Spoke 1 and Spoke 2 neighbors and always selecting one of them as best). Apparently on return traffic the CSR is not even looking at the VRF BGP route table.

Then on each Spoke1/Spoke 2 VRF I had to block the overlapping subnet leaking so that traffic goes out to the Spoke 1 and Spoke 2 VPN tunnels, and it worked like a charm :)

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html

Thanks :) NAT order makes sense now. Happy hour...
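An added Python model (not code from this thread or from Cisco) of the NAT order of operations the linked document and the remark above describe: on the hub, a reply entering the `ip nat outside` tunnel is translated outside-to-inside before policy routing runs, so the per-VRF static translation alone picks the spoke VRF, and a PBR ACL written against 1.1.1.0/24 or 2.2.2.0/24 only ever sees the already-translated 10.55.x.x destination. The host addresses and ACL names are constructed for the example.

```python
# Added example (not from the thread): a small model of IOS NAT order of
# operations on the hub for traffic returning from Spoke 3. The static
# translations mirror the thread's config; host addresses are constructed.
import ipaddress as ipa

# "ip nat inside source static network <inside> <outside> /24 vrf <vrf>"
STATIC_NAT = [
    (ipa.ip_network("10.55.0.0/24"), ipa.ip_network("1.1.1.0/24"), "SPOKE_1"),
    (ipa.ip_network("10.55.0.0/24"), ipa.ip_network("2.2.2.0/24"), "SPOKE_2"),
]

# PBR ACLs as the original poster wrote them: they match the NAT'd prefixes.
PBR_ACLS = {"Spoke1": ipa.ip_network("1.1.1.0/24"),
            "Spoke2": ipa.ip_network("2.2.2.0/24")}


def translate_outside_to_inside(dst):
    """Outside->inside: map the outside (global) address back to the inside
    local address and pick the VRF of the matching static entry.
    Returns (inside_dst, vrf), or (dst, None) when no translation applies."""
    for inside, outside, vrf in STATIC_NAT:
        if dst in outside:
            host = int(dst) - int(outside.network_address)
            return ipa.ip_address(int(inside.network_address) + host), vrf
    return dst, None


def pbr_lookup(dst):
    """Policy routing: name of the first ACL whose prefix contains dst."""
    for name, prefix in PBR_ACLS.items():
        if dst in prefix:
            return name
    return None


def return_packet_on_hub(dst_str, pbr_before_nat=False):
    """Process a reply arriving on the 'ip nat outside' interface.
    IOS translates outside->inside *before* policy routing, which is the
    pbr_before_nat=False path; True shows the order the poster assumed.
    Returns the PBR match, the post-NAT destination and the VRF chosen."""
    dst = ipa.ip_address(dst_str)
    if pbr_before_nat:                       # what the poster expected
        acl = pbr_lookup(dst)
        new_dst, vrf = translate_outside_to_inside(dst)
    else:                                    # what IOS actually does
        new_dst, vrf = translate_outside_to_inside(dst)
        acl = pbr_lookup(new_dst)            # sees 10.55.x.x, never 1.1.1.x
    return {"pbr_match": acl, "inside_dst": str(new_dst), "vrf": vrf}


if __name__ == "__main__":
    for d in ("1.1.1.10", "2.2.2.7", "10.10.0.1"):
        print(d, "->", return_packet_on_hub(d))
```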

Hi a.alekseev ,

Need assistance :)

Working on a variation where Spoke 1 and Spoke 2 also need to communicate with each other.

Since NAT inside and outside can't be applied on the same interface at the same time, I am trying NAT on a stick, but no luck so far.

Ping to 2.2.2.99 (Spoke 2 NAT IP) from 10.55.0.201 (Spoke 1) doesn't work.

Additional config done for the ping to work from Spoke 1 to Spoke 2:

ip access-list extended 100
 permit ip 10.55.0.0 0.0.0.255 2.2.2.0 0.0.0.255
!
route-map vpn-5fba7268-map permit 10
 match ip address 100
 set ip next-hop 1.1.1.2
! (also tried "set interface Loopback1" and "set ip next-hop 1.1.1.1")
!
! VRF of Spoke 2; "ip vrf forwarding" goes before the address, since
! applying it afterwards removes the configured IP address.
interface Loopback1
 ip vrf forwarding vpn-c8017183
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
!
! Spoke 1
interface Tunnel1
 ip vrf forwarding vpn-5fba7268
 ip address 169.254.59.166 255.255.255.252
 ip nat inside
 ip policy route-map vpn-5fba7268-map

But NAT is not triggering. Scratching my head.

Any pointers will be appreciated.

(I have also advertised the NAT ranges towards Spokes 1 and 2.)

!
int lo100
 ip address 192.168.0.0 255.255.255.255
!
int lo200
 ip address 192.168.0.1 255.255.255.255
!
interface Tunnel100
 ip vrf forwarding vpn-5fba7268
 ip address 192.168.0.2 255.255.255.254
 ip nat outside
 tunnel source lo100
 tunnel destination 192.168.0.1
!
interface Tunnel200
 ip vrf forwarding vpn-c8017183
 ip address 192.168.0.3 255.255.255.254
 ip nat outside
 tunnel source lo200
 tunnel destination 192.168.0.0
!

Don't tell me. You are awesome, man. Do you write any blogs as well? If so, please share a link; I would love to follow your posts.

Also, how can I read more about the above approach? I tried to Google it but can't find exactly what you did above. I want to read its theory.

Hello

It seems the PBR of this traffic isn't working accordingly. Can you post a simple topology diagram please? It would give the forum a better understanding, and maybe the config of the hub rtr as well.

res

paul


Hi Paul,

This was the topology. Spoke 3 you can consider as the corporate data center, and the rest of the Spokes as customers; Spoke 3 is hosting shared services for all Spokes 1, 2, 3.

The problem was that all Spokes had (possibly) overlapping subnets.

https://aws.amazon.com/blogs/aws/aws-solution-transit-vpc/

Looks like we are golden now :)

a.alekseev
Level 7

Do NAT on spokes (R1, R2)

And think about redesigning your network.

Hi a.alekseev ,

Thank you for your kind response. Actually, Spoke 1 and Spoke 2 are AWS VGW based VPNs, which don't have NAT capability, so this is the limitation.
