cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
1220
Views
120
Helpful
38
Replies
n.bokhar1
Beginner

Nat issue on loopback interface ISR4300

hello, all this is my topology:

 
 

R7, R8, and R9 are virtual machines inside the network

and they have a default route to the switch and the switch has a default route to the Router.

this Is the routers config:

!
hostname Router

!

interface Loopback1
no shutdown
ip address 11.1.1.1 255.255.255.255
!
interface Loopback2
no shutdown
ip address 22.2.2.2 255.255.255.255
!
interface GigabitEthernet1
no shutdown
ip address 10.1.1.2 255.255.255.252
ip nat inside
!
interface GigabitEthernet2
no shutdown
ip address 1.1.1.2 255.255.255.252
ip nat outside
!

ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.1.2.0 255.255.255.0 10.1.1.1

!

ip access-list standard NAT
permit 10.1.0.0 0.0.255.255

!

ip nat inside source static tcp 10.1.2.7 23 11.1.1.1 233 extendable
ip nat inside source static tcp 10.1.2.8 23 22.2.2.2 233 extendable
ip nat inside source list NAT interface GigabitEthernet2 overload

!

 

this is it.

now when I access R7 from the internet with the 11.1.1.1 address it works ok and if access R8 from the internet with the 22.2.2.2 address it works fine as well.

but when I want to access R8 from R7 with 22.2.2.2 address it doesn't work and vice versa.

so I want to fix this issue i and I have looked into different solutions but none has worked so far like NVI with it is not supported on IOS-XE or Hairpin Nat witch also doesn't work.

I need your help.

 

2 ACCEPTED SOLUTIONS

Accepted Solutions

Hello,

 

below is what I have come up with. I don't know for sure if that works in your setup, but give it a try (important parts are marked in bold):

 

hostname Router

 

--> interface Loopback0
--> ip address 169.254.1.1 255.255.255.255
--> ip nat inside
!
interface Loopback1
ip address 11.1.1.1 255.255.255.255
--> ip nat outside
!
interface Loopback2
ip address 22.2.2.2 255.255.255.255
--> ip nat outside
!
interface GigabitEthernet1
ip address 10.1.1.2 255.255.255.252
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
!
interface GigabitEthernet2
ip address 1.1.1.2 255.255.255.252
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.1.2.0 255.255.255.0 10.1.1.1
!
ip nat inside source static tcp 10.1.2.7 23 11.1.1.1 233 extendable
ip nat inside source static tcp 10.1.2.8 23 22.2.2.2 233 extendable
--> ip nat inside source list NAT_ACL interface GigabitEthernet2 overload
--> ip nat inside source list NAT_HAIRPIN_ACL interface Loopback0 overload
!
--> ip access-list extended NAT_ACL
--> deny ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
--> permit ip 10.1 0.0 0.0.255.255 any
!
--> ip access-list extended NAT_HAIRPIN_ACL
--> permit ip 10.1.0.0 0.0.255.255 host 10.1.2.7
--> permit ip 10.1.0.0 0.0.255.255 host 10.1.2.8
--> permit ip 10.1.0.0 0.0.255.255 host 10.1.2.9
!
--> route-map PBR_NAT_RM permit 10
--> set interface Loopback0

View solution in original post

n.bokhar1
Beginner

Hi Guys,

I have fixed the issue this what I did:

if you configure the PBR to send traffic to a loopback interface it won't work and this error pops up:

%Warning:Use P2P interface for routemap setinterface clause

so I have done this:

I have created a tunnel interface that both the source and the destinations is the loopback interface on the router:

 

interface Tunnel1
ip address 169.253.1.1 255.255.255.255
ip nat inside
cdp enable
tunnel source Loopback0
tunnel destination 169.254.1.1

and used this instead of a loopback interface both on PBR and on NAT

this is it.

 

I have to thank all of you who helped me to achieve this solution @MHM Cisco World @paul driver and specially @Georg Pauwen thanks, man.

 

 

View solution in original post

38 REPLIES 38
n.bokhar1
Beginner

TopologyTopology

Georg Pauwen
VIP Expert

Hello,

 

--> now when I access R7 from the internet with the 11.1.1.1 address it works ok and if access R8 from the internet with the 22.2.2.2 address it works fine as well.

 

It is difficult to understand your topology. 11.1.1.1 and 22.2.2.2 are loopback addresses configured on the Router. What are the IP addresses of R7, R8, and R9 ?

Hello Georg,

R7: 10.1.2.7

R8: 10.1.2.8

R9: 10.1.2.9

 

Hello,

 

thanks for the clarification, I got it.

 

I think what you need is NAT hairpinning indeed. I'll test this and send over the config...

Hello,

 

below is what I have come up with. I don't know for sure if that works in your setup, but give it a try (important parts are marked in bold):

 

hostname Router

 

--> interface Loopback0
--> ip address 169.254.1.1 255.255.255.255
--> ip nat inside
!
interface Loopback1
ip address 11.1.1.1 255.255.255.255
--> ip nat outside
!
interface Loopback2
ip address 22.2.2.2 255.255.255.255
--> ip nat outside
!
interface GigabitEthernet1
ip address 10.1.1.2 255.255.255.252
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
!
interface GigabitEthernet2
ip address 1.1.1.2 255.255.255.252
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.1.2.0 255.255.255.0 10.1.1.1
!
ip nat inside source static tcp 10.1.2.7 23 11.1.1.1 233 extendable
ip nat inside source static tcp 10.1.2.8 23 22.2.2.2 233 extendable
--> ip nat inside source list NAT_ACL interface GigabitEthernet2 overload
--> ip nat inside source list NAT_HAIRPIN_ACL interface Loopback0 overload
!
--> ip access-list extended NAT_ACL
--> deny ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
--> permit ip 10.1 0.0 0.0.255.255 any
!
--> ip access-list extended NAT_HAIRPIN_ACL
--> permit ip 10.1.0.0 0.0.255.255 host 10.1.2.7
--> permit ip 10.1.0.0 0.0.255.255 host 10.1.2.8
--> permit ip 10.1.0.0 0.0.255.255 host 10.1.2.9
!
--> route-map PBR_NAT_RM permit 10
--> set interface Loopback0

View solution in original post

no, it didn't work and I lost my internet connection

 

After changing gigabitethernet1 ip nat to inside i got the internet
connection back but still had that issue

Hello,

 

I was afraid of that, to be honest. The traditional NAT hairpinning works for directly connected networks. 

 

Try and remove the 'ip nat outside' from your loopbacks:

 

interface Loopback1
ip address 11.1.1.1 255.255.255.255
--> no ip nat outside
!
interface Loopback2
ip address 22.2.2.2 255.255.255.255
--> no ip nat outside

no, it didn't work either what should I do.

Hello,

 

I'l lab this up again...will get back with you...

Hello,

 

so I recreated your topology, and the adapted config I sent earler seems to work. Below the 'debug ip policy' output when I send a ping from 10.1.2.7 to 22.2.2.:


R1#debug ip policy
*Mar 6 12:35:59.290: NAT*: s=10.1.2.7, d=22.2.2.2->10.1.2.8 [30726]
*Mar 6 12:35:59.290: IP: s=10.1.2.7 (GigabitEthernet0/1), d=10.1.2.8, len 84, FIB policy match
*Mar 6 12:35:59.290: IP: s=10.1.2.7 (GigabitEthernet0/1), d=10.1.2.8, len 84, PBR Counted
*Mar 6 12:35:59.295: IP: s=10.1.2.7 (GigabitEthernet0/1), d=10.1.2.8, len 84, policy match
*Mar 6 12:35:59.296: IP: route map PBR_NAT_RM, item 10, permit
*Mar 6 12:35:59.297: IP: s=10.1.2.7 (GigabitEthernet0/1), d=10.1.2.8 (Loopback0), len 84, policy routed


 

Can you send your config again with the changes you have made ? And send the output of 'debug ip policy' when you try and access 22.2.2.2 from 10.1.2.7 ?

It still won't work i think the issue is when I use set interface loopback0 it returns an error:

%Warning:Use P2P interface for routemap setinterface clause

but I don't have any debug messages and when I use show route-map 

route-map PBR_NAT_RM, permit, sequence 10
Match clauses:
Set clauses:
interface Loopback0
Interface tracking current: NULL
Loopback0, adj_lh:0,oce:0,status:0

 

and nothing works.

Also I am using CSRv1000 with IOS-XE16.3.8 image

Post the running configuration with the changes I sent. I want to double check if you have missed something...