Nat issue on loopback interface ISR4300

n.bokhar1
Level 1

hello all, this is my topology:


R7, R8, and R9 are virtual machines inside the network

and they have a default route to the switch and the switch has a default route to the Router.

this is the router's config:

!
hostname Router

!

interface Loopback1
no shutdown
ip address 11.1.1.1 255.255.255.255
!
interface Loopback2
no shutdown
ip address 22.2.2.2 255.255.255.255
!
interface GigabitEthernet1
no shutdown
ip address 10.1.1.2 255.255.255.252
ip nat inside
!
interface GigabitEthernet2
no shutdown
ip address 1.1.1.2 255.255.255.252
ip nat outside
!

ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.1.2.0 255.255.255.0 10.1.1.1

!

ip access-list standard NAT
permit 10.1.0.0 0.0.255.255

!

ip nat inside source static tcp 10.1.2.7 23 11.1.1.1 233 extendable
ip nat inside source static tcp 10.1.2.8 23 22.2.2.2 233 extendable
ip nat inside source list NAT interface GigabitEthernet2 overload

!


this is it.

Now, when I access R7 from the internet with the 11.1.1.1 address it works OK, and if I access R8 from the internet with the 22.2.2.2 address it works fine as well.

But when I want to access R8 from R7 with the 22.2.2.2 address it doesn't work, and vice versa.

So I want to fix this issue, and I have looked into different solutions, but none has worked so far, like NVI, which is not supported on IOS-XE, or hairpin NAT, which also doesn't work.

I need your help.


!
interface Loopback0
ip address 169.254.1.1 255.255.255.255
ip nat inside
!
interface Loopback1
ip address 11.1.1.1 255.255.255.255
ip nat outside
!
interface Loopback2
ip address 22.2.2.2 255.255.255.255
ip nat outside
!
interface GigabitEthernet1
ip address 10.1.1.2 255.255.255.252
ip nat outside
ip policy route-map PBR_NAT_RM
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 1.1.1.2 255.255.255.252
ip nat outside
negotiation auto
no mop enabled
no mop sysid
!

!
ip nat inside source static tcp 10.1.2.7 23 11.1.1.1 233 extendable
ip nat inside source static tcp 10.1.2.8 23 22.2.2.2 233 extendable
ip nat inside source list NAT_ACL interface GigabitEthernet2 overload
ip nat inside source list NAT_HAIRPIN_ACL interface Loopback0 overload

!

ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.1.2.0 255.255.255.0 10.1.1.1
!
!
ip access-list extended NAT_ACL
deny ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
permit ip 10.1.0.0 0.0.255.255 any
ip access-list extended NAT_HAIRPIN_ACL
permit ip 10.1.0.0 0.0.255.255 host 10.1.2.7
permit ip 10.1.0.0 0.0.255.255 host 10.1.2.8
permit ip 10.1.0.0 0.0.255.255 host 10.1.2.9
!
!
!
route-map PBR_NAT_RM permit 10
set interface Loopback0
!

Hello,


make the changes marked in bold. Also, how are you testing this? The hairpinning works only for TCP port 23 (telnet), so are you telnetting to test?


interface Loopback0
ip address 169.254.1.1 255.255.255.255
ip nat inside
!
interface Loopback1
ip address 11.1.1.1 255.255.255.255
--> no ip nat outside
!
interface Loopback2
ip address 22.2.2.2 255.255.255.255
--> no ip nat outside
!
interface GigabitEthernet1
ip address 10.1.1.2 255.255.255.252
ip nat outside
ip policy route-map PBR_NAT_RM
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 1.1.1.2 255.255.255.252
ip nat outside
negotiation auto
no mop enabled
no mop sysid
!
ip nat inside source static tcp 10.1.2.7 23 11.1.1.1 233 extendable
ip nat inside source static tcp 10.1.2.8 23 22.2.2.2 233 extendable
ip nat inside source list NAT_ACL interface GigabitEthernet2 overload
ip nat inside source list NAT_HAIRPIN_ACL interface Loopback0 overload
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.1.2.0 255.255.255.0 10.1.1.1
!
ip access-list extended NAT_ACL
deny ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
permit ip 10.1.0.0 0.0.255.255 any
!
ip access-list extended NAT_HAIRPIN_ACL
permit ip 10.1.0.0 0.0.255.255 host 10.1.2.7
permit ip 10.1.0.0 0.0.255.255 host 10.1.2.8
permit ip 10.1.0.0 0.0.255.255 host 10.1.2.9
!
route-map PBR_NAT_RM permit 10
set interface Loopback0
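To make the difference between the original config and the suggested one concrete, here is an added Python model (constructed for this thread, not Cisco code and not anything posted by the participants) of the IOS NAT order of operations: outside-to-inside packets are destination-translated before routing, inside-to-outside packets are routed and then source-translated, and translation happens only when a packet crosses an inside/outside boundary. It assumes the addresses, static mappings, ACLs and route-map from the configs above, and 203.0.113.10 is a constructed Internet host.

```python
from dataclasses import dataclass, replace

# Constructed model of the two NAT configs in this thread (not Cisco code).
# Static port mappings shared by both configs: (outside addr, port) -> (inside addr, port)
STATIC = {("11.1.1.1", 233): ("10.1.2.7", 23), ("22.2.2.2", 233): ("10.1.2.8", 23)}
ROUTER_OWNED = {"10.1.1.2", "1.1.1.2", "11.1.1.1", "22.2.2.2", "169.254.1.1"}
HAIRPIN_HOSTS = {"10.1.2.7", "10.1.2.8", "10.1.2.9"}          # NAT_HAIRPIN_ACL destinations
ORIGINAL = {"Gi1": "inside", "Gi2": "outside", "Lo0": None}    # poster's config
FIXED = {"Gi1": "outside", "Gi2": "outside", "Lo0": "inside"}  # suggested config


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


def route(dst):
    """Routing table from the thread: router-owned addresses are delivered locally,
    10.1.2.0/24 goes out Gi1 toward the switch, everything else follows the default via Gi2."""
    if dst in ROUTER_OWNED:
        return "local"
    return "Gi1" if dst.startswith("10.1.2.") else "Gi2"


def is_lan(ip):
    return ip.startswith("10.1.")   # 10.1.0.0 0.0.255.255 in both ACLs


def forward(p, in_if, domain, pbr=False):
    """Apply the IOS NAT order of operations to one packet.
    outside -> inside: translate destination, then route; inside -> outside: route, then translate source.
    Returns (packet as it leaves, egress interface); 'local' means the router consumed it itself."""
    if domain[in_if] == "outside" and (p.dst, p.dport) in STATIC:
        p = replace(p, dst=STATIC[(p.dst, p.dport)][0], dport=STATIC[(p.dst, p.dport)][1])
    if pbr:   # route-map PBR_NAT_RM: 'set interface Loopback0' re-injects the packet via Lo0
        return forward(p, "Lo0", domain)
    out_if = route(p.dst)
    if out_if == "local":
        return p, "local"
    if domain[in_if] == "inside" and domain[out_if] == "outside":
        if p.dst in HAIRPIN_HOSTS and is_lan(p.src):
            p = replace(p, src="169.254.1.1")     # NAT_HAIRPIN_ACL -> Loopback0 overload
        elif is_lan(p.src) and not is_lan(p.dst):
            p = replace(p, src="1.1.1.2")         # NAT_ACL -> GigabitEthernet2 overload
    return p, out_if
```

With the original config the hairpin packet from R7 is delivered to the router itself (22.2.2.2 is a local loopback on an inside-facing path), which is why the poster never reaches R8; with Gi1 marked outside plus PBR through Loopback0 it leaves Gi1 as 169.254.1.1 -> 10.1.2.8:23, so R8's reply comes back through the same NAT boundary.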

Hello,


this is not an error, just a warning. So with 'debug ip policy' and telnetting to the translated address, there is no debug output at all?

yep that is correct


hello,


could you find a solution to this problem?

...

ip nat enable doesn't work on IOS-XE devices

OK,
default route toward the SW?
What is the next-hop you use in the virtual router? Is it the SVI of the SW?

this is the path:


R7---Default GW--> SW SVI VLAN 10 ---Static Route to router Gi1---> Router ---Static Route to INTERNET GI1--->INTERNET


Does R7 have routing capability?
If yes, then it will not fully use the DGW.
'no ip routing' in R7 will solve the issue of interconnection between the virtual routers.

NOTE: ip routing must be configured in the SW.

It is enabled on the SW, but even if I use virtual machines instead of routers for R7 it still won't work.


...

...

The NAT is set up on the router;
the switch is there to provide basic connectivity.

..
