1563 Views | 0 Helpful | 6 Replies

NAT for locally generated traffic

sivam siva
Level 3

Hi

I'm doing NAT on the edge router for traffic going to the internet. NAT is working fine, but locally generated packets are also being NATed (e.g. BGP packets, because of which my BGP peer is down).

If I exclude the source address of the BGP packets from the access-list (the one called in NAT), that IP is not NATed and BGP works fine.

But what is the proper way to prevent locally generated packets from being NATed?

Can anyone help?

Thanks in advance.

6 Replies

Sergey Lisitsin
VIP Alumni

Hi Sivam,

I guess that happens because you are sourcing your BGP session from an IP address that is also covered by your NAT access-list. Normally that wouldn't happen, as your loopback IP addresses would be chosen from a separate reserved range that is not used anywhere else, so it wouldn't match any of the LAN access lists. I guess the proper way to avoid NATing your own packets would be to re-address your source loopback to a dedicated IP address that is outside of the NAT inside range.

Hello @Sergey Lisitsin

Thanks for the reply.

Please see the attached photo below. I have peered with Loopback1, which is not a NAT inside interface.

Then how is traffic originating from Loopback1 translated?

[attached image: NAT 1.PNG]

Hello

You should be able to exclude BGP from being NATed with the same ACL you use for NAT.

Can you post the configuration of your router to verify?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello @paul driver

Thanks for the reply.

Here is the config:

 

R1#
R1#sh run
Building configuration...

Current configuration : 4603 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
logging console informational
logging monitor informational
!
no aaa new-model
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.255
ip ospf 1 area 0
!
interface FastEthernet0/0
ip address 90.0.0.1 255.0.0.0
duplex full
!
interface GigabitEthernet1/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet2/0
ip address 10.13.0.1 255.255.255.0
ip nat inside
ip ospf 1 area 0
negotiation auto
!
interface GigabitEthernet3/0
no ip address
negotiation auto
!
interface GigabitEthernet4/0
ip address 30.19.0.1 255.255.255.0
ip nat outside
negotiation auto
!
interface FastEthernet5/0
ip address 10.14.0.1 255.255.255.0
ip nat inside
ip ospf 1 area 0
duplex full
!
interface Serial6/0
ip address 70.17.0.1 255.255.255.0
ip nat outside
serial restart-delay 0
!
interface Serial6/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial6/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial6/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial6/4
no ip address
shutdown
serial restart-delay 0
!
interface Serial6/5
no ip address
shutdown
serial restart-delay 0
!
interface Serial6/6
no ip address
shutdown
serial restart-delay 0
!
interface Serial6/7
no ip address
shutdown
serial restart-delay 0
!
router ospf 1
!
router bgp 10
bgp router-id 1.1.1.1
bgp asnotation dot
bgp log-neighbor-changes
bgp bestpath med missing-as-worst
bgp dampening route-map DAMPENING
network 2.2.2.2 mask 255.255.255.255 backdoor
aggregate-address 200.20.0.0 255.255.0.0 as-set summary-only suppress-map SUP
aggregate-address 70.0.0.0 255.128.0.0 as-set summary-only
neighbor 3.3.3.3 remote-as 10
neighbor 3.3.3.3 update-source Loopback1
neighbor 3.3.3.3 next-hop-self
neighbor 3.3.3.3 send-community
neighbor 3.3.3.3 route-map lp out
neighbor 3.3.3.3 unsuppress-map UNSUP
neighbor 4.4.4.4 remote-as 10
neighbor 4.4.4.4 update-source Loopback1
neighbor 4.4.4.4 next-hop-self
neighbor 4.4.4.4 soft-reconfiguration inbound
neighbor 4.4.4.4 unsuppress-map UNSUP
neighbor 4.4.4.4 maximum-prefix 1 warning-only
neighbor 9.9.9.9 remote-as 30
neighbor 9.9.9.9 transport connection-mode passive
neighbor 9.9.9.9 disable-connected-check
neighbor 9.9.9.9 update-source Loopback1
neighbor 9.9.9.9 soft-reconfiguration inbound
neighbor 9.9.9.9 prefix-list EPRIZE out
neighbor 9.9.9.9 route-map WEIGHT in
neighbor 70.17.0.7 remote-as 70
neighbor 70.17.0.7 route-map INTERNETFILTER in
neighbor 70.17.0.7 route-map MED out
neighbor 90.0.0.2 remote-as 70
!
ip nat pool NAT 159.5.5.0 159.5.5.254 netmask 255.255.255.0
ip nat inside source list 1 pool NAT overload
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 9.9.9.9 255.255.255.255 30.19.0.9
!
ip access-list standard lp
permit 30.0.0.0 0.255.255.255
!
!
ip prefix-list 9WEIGHT seq 20 permit 0.0.0.0/0
ip prefix-list 9WEIGHT seq 21 permit 200.20.50.0/24
!
ip prefix-list DAMPENING seq 20 permit 150.50.50.0/24
!
ip prefix-list EPRIZE seq 20 permit 3.3.3.3/32
ip prefix-list EPRIZE seq 21 permit 159.5.5.0/24
!
ip prefix-list INTERNETFILTER seq 20 permit 0.0.0.0/0 le 32
!
ip prefix-list INTERNETFILTER1 seq 20 permit 8.8.8.0/24
!
ip prefix-list SUP seq 20 permit 200.20.20.8/32
ip prefix-list SUP seq 21 permit 200.20.30.8/32
ip prefix-list SUP seq 22 permit 200.20.40.8/32
!
ip prefix-list UNSUP seq 20 permit 20.20.50.0/24
logging trap debugging
access-list 1 permit any
!
route-map WEIGHT permit 20
match ip address prefix-list 9WEIGHT
set weight 10
!
route-map WEIGHT permit 100
!
route-map INTERNETFILTER deny 19
match ip address prefix-list INTERNETFILTER1
!
route-map INTERNETFILTER permit 100
!
route-map lp permit 20
match ip address lp
set local-preference 222
!
route-map lp permit 100
!
route-map MED permit 20
match ip address prefix-list EPRIZE
set metric-type internal
!
route-map UNSUP permit 20
match ip address prefix-list UNSUP
!
route-map DAMPENING permit 20
match ip address prefix-list DAMPENING
set dampening 1 100 399 2
!
route-map SUP permit 20
match ip address prefix-list SUP
!
route-tag notation dotted-decimal
!
!
control-plane
!
!
line con 0
exec-timeout 30000 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 30000 0
login
line vty 5 15
exec-timeout 30000 0
login
!
!
end

 

R1#sh ip bgp summ
BGP router identifier 1.1.1.1, local AS number 10
BGP table version is 11, main routing table version 11
8 network entries using 1152 bytes of memory
15 path entries using 1200 bytes of memory
9/8 BGP path/bestpath attribute entries using 1224 bytes of memory
2 BGP rrinfo entries using 48 bytes of memory
4 BGP AS-PATH entries using 96 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 3720 total bytes of memory
Dampening enabled. 0 history paths, 0 dampened paths
BGP activity 8/0 prefixes, 15/0 paths, scan interval 60 secs

Neighbor    V   AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
3.3.3.3     4   10      14       5       11    0    0 00:02:42        8
4.4.4.4     4   10      12       5       11    0    0 00:02:33        6
9.9.9.9     4   30       0       0        1    0    0 never    Idle
70.17.0.7   4   70       0       0        1    0    0 never    Active

If you look at the output below, ICMP traffic originating from the outside interface is also being NATed; I'm wondering about that.

R1#ping 9.9.9.9 source g4/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
Packet sent with a source address of 30.19.0.1
.....
Success rate is 0 percent (0/5)
R1#sh ip nat translations
Pro  Inside global     Inside local   Outside local    Outside global
tcp  159.5.5.1:1037    1.1.1.1:179    9.9.9.9:40518    9.9.9.9:40518
tcp  159.5.5.1:1040    1.1.1.1:179    9.9.9.9:63835    9.9.9.9:63835
icmp 159.5.5.1:1024    30.19.0.1:0    9.9.9.9:0        9.9.9.9:1024
icmp 159.5.5.1:1025    30.19.0.1:1    9.9.9.9:1        9.9.9.9:1025

Sivam,

Your access-list for NAT has "permit any" in it; that's why everything is matching. Just match on what you need in the ACL and you will be OK. For example, your NAT ACL should look like this:

access-list 1 permit 10.13.0.0 0.0.0.255
access-list 1 permit 10.14.0.0 0.0.0.255

That will do, and it won't cause any issues with NATing anything else that should not be NATed.

@Sergey Lisitsin

Thanks for the reply.

I agree that we must write the access-list only for the needed addresses.

For some reason I want to permit all inside IPs to NAT; assume there might be thousands of addresses inside the network, so I configured "permit any".

My doubt is how traffic originating from a loopback interface (which is not configured as NAT inside/outside) is translated, and how traffic originating from the outside interface (int s6/0) is translated.

Even if I generate ICMP, that packet's source address is also translated.
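The translation table posted above (1.1.1.1:179 and 30.19.0.1 showing up as "Inside local") is consistent with how IOS handles router-generated traffic: a packet the router itself originates has no ingress interface, so the `ip nat inside` marking on Gi2/0 and Fa5/0 never enters the decision. When such a packet leaves an `ip nat outside` interface and its source matches the list bound by `ip nat inside source`, it is translated. With `permit any` that list matches the BGP session sourced from Loopback1 and even a ping sourced from the outside interface's own address. A `deny` entry in an ACL used by `ip nat inside source` means "do not translate" (the packet is forwarded with its real source), not "drop", so the router's own addresses can be carved out while everything else keeps matching. The configuration below is an added example for this thread, not a post from any participant; the addresses are taken from R1's posted config, and the use of ACL sequence numbers in `ip access-list standard 1` mode assumes an IOS release that supports editing numbered ACLs that way (IOS 12.3 and later do).

```cisco
! Added example, not from the original thread. Keeps the "translate every
! inside host" intent of "access-list 1 permit any" but excludes R1's own
! source addresses first. A standard ACL is evaluated top-down and stops at
! the first match, so the deny entries must sort before the permit.
!
! In an ACL referenced by "ip nat inside source", deny = "do not translate"
! (forwarded untranslated), NOT "drop".
configure terminal
 ip access-list standard 1
  remark R1-owned sources (BGP update-source, outside interfaces): never NAT
  1 deny   host 1.1.1.1
  2 deny   host 30.19.0.1
  3 deny   host 70.17.0.1
  4 deny   host 90.0.0.1
  remark the original "permit any" stays as sequence 10
 exit
end
!
! Confirm the order: the four denies must be listed before "10 permit any".
show ip access-lists 1
!
! Tighter alternative once the inside ranges are known (least privilege for
! the NAT policy): replace the catch-all with the two inside LANs.
!  configure terminal
!   ip access-list standard 1
!    no 10
!    10 permit 10.13.0.0 0.0.0.255
!    20 permit 10.14.0.0 0.0.0.255
!   exit
!  end
!
! The ACL is already bound by "ip nat inside source list 1 pool NAT overload",
! so no rebinding is needed. The existing 1.1.1.1:179 entries are what keeps
! the BGP session wedged; flushing them also drops every other active
! translation, so do this in a maintenance window.
clear ip nat translation *
!
! Verification: no entry should show 1.1.1.1, 30.19.0.1, 70.17.0.1 or
! 90.0.0.1 as "Inside local" any more, and BGP should no longer be sourced
! through the pool.
show ip nat translations
show ip bgp summary
```

Two checks are worth keeping in a runbook for this pattern: `show ip access-lists 1` after the edit, because a deny that lands after `permit any` is silently useless; and `show ip nat translations | include 1.1.1.1` while generating router-sourced traffic (a ping sourced from the loopback, for instance), because the table is the only direct evidence of what the NAT policy actually matched.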