Solved: NAT and Cisco 6506-E VSS

YOZ · ‎12-06-2016

Hello.

We have 2 Cisco 6506-E paired in VSS with VS-SUP2T-10G Supervisor Engines and IOS s2t54-ipservicesk9-mz.SPA.151-1.SY1. The main question - does it support NAT? I tried to config it several times and debug NAT, but no logs appeared at all. As I've heard such platform doesn't support NAT, but can't find proof link for this.

I'd be very thankful if this question will be answered.

Amit Goyal · ‎12-15-2016

Hi Timur,

In a NAT environment when an IP packet hits inside interface, it goes to routing engine first and then it goes to NAT engine. So there should be a valid route for the destination pointing to correct exit. Just reverse of this happens when packet hits on an outside interface.

I believe you can use any dummy subnet (in your case I think it is a.a.a.a) but network y.y.y.y should have a route pointing back towards your 6500 box (playing NAT role).

If my understanding is not correct about your network topology, prepare one for me please and I can try building the same in my LAB and give you the right config.

Please rate if it helped.

HTH

-Amit

View solution in original post

Amit Goyal · ‎12-08-2016

Hi Timur,

As per feature navigator it should support NAT on IOS s2t54-ipservicesk9-mz.SPA.151-1.SY1.

I have attached a screen shot from Cisco Feature Navigator for your reference.

HTH

-Amit

YOZ · ‎12-11-2016

Hi. Yes, the description of IOS tells that NAT should work, but actually it doesn't. I don't think that there is an error in configuration, because i've implemented NAT on other Cisco devices several times and everything is working fine

Amit Goyal · ‎12-11-2016

Hi, It would be worth to do more troubleshooting if you think NAT configuration is correct.

YOZ · ‎12-13-2016

Here is a test NAT config. There are no NAT translation when I ping vlan88 to any destination

interface Vlan88
ip address 10.8.8.1 255.255.255.0
ip nat inside

interface Vlan33
ip address 10.3.3.1 255.255.255.0
ip nat outside

access-list 101 permit ip 10.8.8.0 0.0.0.255 any

ip nat pool TEST 10.3.3.2 10.3.3.254 prefix-length 24

ip nat inside source list 101 pool TEST

Amit Goyal · ‎12-14-2016

Hi Timur,

Thanks for the configuration.

It looks to me fine except below.

ip nat pool TEST 10.3.3.2 10.3.3.254 prefix-length 24

You must exclude ip address of other end connected to interface Vlan 33. I hope other end ip is not 10.3.3.2.

What do you see with "show ip nat translation" on your device once you initiate ping?

HTH

-Amit

YOZ · ‎12-14-2016

Hi Amit,

Actually there wasn't other end of vlan 33. I used to ping any destination due to acl and the route to destination wasn't passed through vlan33 interface. In such conditions NAT doesn't work.

Then I've changed the scheme and added new router with vlan33 ip 10.3.3.2 and created loopback ip 10.4.4.4 with route to host 10.4.4.4 through 10.3.3.2. And it works.

So my conclusion is that the gateway for routing should be in the same subnet with NAT Pool.

But there is another task for production implementation.

There is local network x.x.x.x. Users from it should access network y.y.y.y through z.z.z.z gateway and be NAT-ed to a.a.a.a addresses. Have I any chance to use NAT without additional router in that case?

Amit Goyal · ‎12-15-2016

Hi Timur,

In a NAT environment when an IP packet hits inside interface, it goes to routing engine first and then it goes to NAT engine. So there should be a valid route for the destination pointing to correct exit. Just reverse of this happens when packet hits on an outside interface.

I believe you can use any dummy subnet (in your case I think it is a.a.a.a) but network y.y.y.y should have a route pointing back towards your 6500 box (playing NAT role).

If my understanding is not correct about your network topology, prepare one for me please and I can try building the same in my LAB and give you the right config.

Please rate if it helped.

HTH

-Amit

YOZ · ‎12-15-2016

Here is small drawing of my topology. I'll try to make some changes in config/ Hope it'll work

Amit Goyal · ‎12-16-2016

Hi Timur,

Yes, it is possible as advised in my last email. Use below NAT pool.

ip nat pool TEST a.a.a.1 a.a.a.254 prefix-length 24

You must have a route on y.y.y.y to reach a.a.a.a pointing towards VSS.

please rate if it helped.

HTH

-Amit

YOZ · ‎12-19-2016

This scenario is working! Adresses are translated!