04-12-2017 06:41 AM - edited 03-05-2019 08:20 AM
Hi All,
I have a single 2921 that will be doing multiple customer NATs. Approximately 30 customers, mapping a /24 prefix to a /32 public IP on a router.
Can I assume that I will need a separate route-map per customer, and the /32 public IP address should be configured as the loopback?
I.e. I will have 30 loopback addresses and 30 route-maps?
Approx traffic is around 70 Mbps across the 30 customers. It looks like the ISR G2 should be able to support this amount of services according to IMIX traffic but not having tested, I can't be sure.
Is the above recommended or is there a better way to handle this?
04-12-2017 06:53 AM
Can you provide some additional information about your environment and what you plan to do? So you have a block of at least 30 public IP addresses that you will use for address translation? Are these addresses in the subnet that you use to connect from your router outbound? Or are they in a separate subnet? And perhaps I should also ask if the 30 addresses are in a block or are they in multiple address blocks?
So you have a single interface for outbound traffic to Internet or do you have more than one interface for outbound traffic?
Is it correct that you have 30 customers downstream and they go through you to get to the Internet and you will do address translation to allow them Internet access? Is there any requirement that Internet devices should be able to initiate traffic to any of these customers?
HTH
Rick
04-12-2017 07:06 AM
Hi Rick,
Customers transit through us to get to the internet. They will essentially route through two interfaces (i.e. an inside interface and an external interface) on the same router where we can apply the inside/outside NAT statements. We have blocks of public IPs so will essentially have a /24 private which is unique per customer and we can possibly put up 1 loopback per customer for NAT. At this stage, no inbound access required by public IP; we will just have a customer on a /24 private that we will map to a /32 public IP. There may be an option where we need to open up a port forward as well, so I should consider this. Quite straightforward, but being that there may be 30 different translation mappings, do you think loopback NAT is most efficient for IP address preservation and ease of configuration or am I doing it wrong?
04-12-2017 08:27 AM
What you are describing so far is a dynamic address translation where each customer will have a unique /24 network and it will be translated to a public IP that is used only for that customer. This should work well for traffic initiated by the customer going to the Internet and for any response traffic from the Internet to the customer. It would not work for traffic initiated from the Internet going to the customer and so it is good that Internet traffic to customer is not a requirement.
We sometimes think of doing address translation by doing overload using the interface address. I believe that is what you are thinking about when you suggest assigning your public addresses to loopback interfaces. But that kind of configuration is intended to be used when the interface involved is the outgoing interface. But your loopback interfaces would not be the outgoing interface. I believe that you should use the approach of defining 30 address pools (with a single IP in each pool) and using translation with overload using the address pools. You can find an example of using an address pool with overload in this link
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/nat-15-mt-book/iadnat-addr-consv.html#GUID-B8A2254C-2E6B-4035-819C-F87144FCAD1B
HTH
Rick
04-12-2017 08:33 PM
Hi Rick,
Thanks for the reply. You don't think there is any issue with having 30 NAT pools on the router with a single address, and also that 30 NAT statements will cause scalability issues?
If we were OK to proceed, and we're in operations and say a single customer wanted to open up a server behind their NAT so their public IP:443 goes to a single 192.168.1.1:443, can we open a single static NAT for this to port forward the traffic without it impacting any other customer?
04-13-2017 09:24 AM
You are welcome. I believe that from the perspective of syntax and operational state that it is not a problem to have multiple address pools and multiple NAT statements. And doing a port forward for some customers should be possible as well. As far as scalability is concerned I am not prepared to say whether a 2921 is able to handle 30 address pools and at least 30 NAT statements.
HTH
Rick
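Putting Rick's recommendation (one single-address pool per customer, bound to that customer's inside /24 with overload) together with the later question about a per-customer static port forward, here is an added example that is not from the thread or from Cisco: a Python generator that emits the per-customer IOS NAT lines and first checks that no two customers share a public address or have overlapping inside prefixes, since either mistake would translate one customer's flows under another customer's address. Customer names and addresses are constructed sample values, and that a static `extendable` entry can share the pool's global address is an assumption to confirm on the target IOS release.

```python
import ipaddress

# Constructed sample customers: (name, inside /24, public /32). Not from the thread.
CUSTOMERS = [
    ("CUST01", "192.168.1.0/24", "203.0.113.11"),
    ("CUST02", "192.168.2.0/24", "203.0.113.12"),
]

def validate(customers):
    """Return a list of problems (empty if clean): a reused public IP or an
    overlapping inside prefix would misattribute one customer's traffic."""
    problems, seen_public, nets = [], {}, []
    for name, inside, public in customers:
        net = ipaddress.ip_network(inside)
        pub = ipaddress.ip_address(public)
        if pub in seen_public:
            problems.append(f"{name}: public {pub} already used by {seen_public[pub]}")
        seen_public.setdefault(pub, name)
        for other_name, other in nets:
            if net.overlaps(other):
                problems.append(f"{name}: {net} overlaps {other_name} {other}")
        nets.append((name, net))
    return problems

def render_customer(name, inside, public, port_forward=None):
    """One customer's NAT config: standard ACL for the inside /24, a one-address
    pool and the PAT (overload) rule binding them. port_forward=(inside_host,
    tcp_port) adds a static mapping; 'extendable' sharing the pool IP is assumed."""
    net = ipaddress.ip_network(inside)
    lines = [
        f"ip access-list standard {name}-INSIDE",
        f" permit {net.network_address} {net.hostmask}",
        f"ip nat pool {name} {public} {public} prefix-length 24",
        f"ip nat inside source list {name}-INSIDE pool {name} overload",
    ]
    if port_forward:
        host, port = port_forward
        lines.append(f"ip nat inside source static tcp {host} {port} {public} {port} extendable")
    return lines

def render_all(customers, port_forwards=None):
    """Validate, then emit config for every customer; port_forwards maps name -> (host, port)."""
    problems = validate(customers)
    if problems:
        raise ValueError("; ".join(problems))
    port_forwards = port_forwards or {}
    lines = []
    for name, inside, public in customers:
        lines += render_customer(name, inside, public, port_forwards.get(name))
    return lines
```

The `ip nat inside` / `ip nat outside` interface commands are not generated; they are applied once to the customer-facing and Internet-facing interfaces.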
04-13-2017 05:07 PM
Thank you Richard for taking the time to reply. It's much appreciated.
04-13-2017 06:14 PM
You are welcome. I am glad that my responses have been helpful. I wish that I had more of an answer to the scalability issue, but I do not have that information. Thank you for using the rating system to mark this question as answered. This will help other readers in the forum to identify discussions that have helpful information.
HTH
Rick