03-06-2021 12:12 AM - edited 03-06-2021 12:16 AM
Hello all, this is my topology:
R7, R8, and R9 are virtual machines inside the network
and they have a default route to the switch and the switch has a default route to the Router.
This is the router's config:
!
hostname Router
!
interface Loopback1
no shutdown
ip address 11.1.1.1 255.255.255.255
!
interface Loopback2
no shutdown
ip address 22.2.2.2 255.255.255.255
!
interface GigabitEthernet1
no shutdown
ip address 10.1.1.2 255.255.255.252
ip nat inside
!
interface GigabitEthernet2
no shutdown
ip address 1.1.1.2 255.255.255.252
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.1.2.0 255.255.255.0 10.1.1.1
!
ip access-list standard NAT
permit 10.1.0.0 0.0.255.255
!
ip nat inside source static tcp 10.1.2.7 23 11.1.1.1 233 extendable
ip nat inside source static tcp 10.1.2.8 23 22.2.2.2 233 extendable
ip nat inside source list NAT interface GigabitEthernet2 overload
!
this is it.
Now when I access R7 from the internet with the 11.1.1.1 address it works OK, and if I access R8 from the internet with the 22.2.2.2 address it works fine as well.
But when I want to access R8 from R7 with the 22.2.2.2 address it doesn't work, and vice versa.
So I want to fix this issue. I have looked into different solutions but none has worked so far, like NVI, which is not supported on IOS-XE, or hairpin NAT, which also doesn't work.
I need your help.
03-06-2021 02:03 AM
Hello,
below is what I have come up with. I don't know for sure if that works in your setup, but give it a try (important parts are marked with -->):
hostname Router
--> interface Loopback0
--> ip address 169.254.1.1 255.255.255.255
--> ip nat inside
!
interface Loopback1
ip address 11.1.1.1 255.255.255.255
--> ip nat outside
!
interface Loopback2
ip address 22.2.2.2 255.255.255.255
--> ip nat outside
!
interface GigabitEthernet1
ip address 10.1.1.2 255.255.255.252
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
!
interface GigabitEthernet2
ip address 1.1.1.2 255.255.255.252
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.1.2.0 255.255.255.0 10.1.1.1
!
ip nat inside source static tcp 10.1.2.7 23 11.1.1.1 233 extendable
ip nat inside source static tcp 10.1.2.8 23 22.2.2.2 233 extendable
--> ip nat inside source list NAT_ACL interface GigabitEthernet2 overload
--> ip nat inside source list NAT_HAIRPIN_ACL interface Loopback0 overload
!
--> ip access-list extended NAT_ACL
--> deny ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
--> permit ip 10.1.0.0 0.0.255.255 any
!
--> ip access-list extended NAT_HAIRPIN_ACL
--> permit ip 10.1.0.0 0.0.255.255 host 10.1.2.7
--> permit ip 10.1.0.0 0.0.255.255 host 10.1.2.8
--> permit ip 10.1.0.0 0.0.255.255 host 10.1.2.9
!
--> route-map PBR_NAT_RM permit 10
--> set interface Loopback0
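The accepted answer's second overload rule (NAT_HAIRPIN_ACL translated to the Loopback0 address) is the part that makes the LAN-to-LAN case work: without it the server replies straight to the client across the switch, and the client sees a reply from 10.1.2.8:23 instead of from 22.2.2.2:233. The following Python model, added here as an example (it is not IOS code and not from the thread), runs one request/reply with and without that source translation and shows which one the client's TCP stack would accept. It uses the thread's addresses and ports (10.1.2.7, 10.1.2.8, 22.2.2.2:233, 169.254.1.1); the client port 40000 is a constructed value, and the exact IOS inside/outside order of operations is deliberately not modelled.

```python
"""
Simplified model of NAT hairpinning (NAT loopback). Added example, not IOS
code: it shows why destination NAT alone is not enough when client and
server share a LAN, and what translating the source to the router's own
address (the thread's Loopback0 / 169.254.1.1) changes.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

INSIDE_NET = ip_network("10.1.0.0/16")          # range matched by the NAT ACLs
HAIRPIN_ADDR = "169.254.1.1"                    # Loopback0 in the accepted answer

# Static port forwards from the thread: (inside global) -> (inside local)
STATIC_FORWARDS: Dict[Tuple[str, int], Tuple[str, int]] = {
    ("11.1.1.1", 233): ("10.1.2.7", 23),
    ("22.2.2.2", 233): ("10.1.2.8", 23),
}
REVERSE_STATIC = {local: public for public, local in STATIC_FORWARDS.items()}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    def __init__(self, hairpin: bool) -> None:
        self.hairpin = hairpin
        self.dyn: Dict[int, Tuple[str, int]] = {}   # hairpin port -> (client ip, client port)
        self.next_port = 1024                       # constructed starting port

    def forward(self, pkt: Packet) -> Packet:
        """Packet from the LAN towards a public address: destination NAT,
        plus source NAT to the hairpin address when hairpinning is enabled."""
        local = STATIC_FORWARDS.get((pkt.dst, pkt.dport))
        if local is None:
            return pkt                              # not a forwarded service
        pkt = replace(pkt, dst=local[0], dport=local[1])
        if self.hairpin and ip_address(pkt.src) in INSIDE_NET:
            port, self.next_port = self.next_port, self.next_port + 1
            self.dyn[port] = (pkt.src, pkt.sport)
            pkt = replace(pkt, src=HAIRPIN_ADDR, sport=port)
        return pkt

    def untranslate_reply(self, pkt: Packet) -> Optional[Packet]:
        """Reply that came back to the hairpin address: restore the client as
        destination and the public address as source."""
        client = self.dyn.get(pkt.dport)
        if pkt.dst != HAIRPIN_ADDR or client is None:
            return None                             # no translation state: drop
        public = REVERSE_STATIC.get((pkt.src, pkt.sport), (pkt.src, pkt.sport))
        return Packet(public[0], public[1], client[0], client[1])


def server_reply(pkt: Packet) -> Packet:
    """What the server (R8) sends back: addresses and ports swapped."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def deliver_reply(router: Router, reply: Packet) -> Optional[Packet]:
    """The switch delivers directly when the destination is on the LAN;
    only a reply addressed to the router reaches its NAT table."""
    if ip_address(reply.dst) in INSIDE_NET:
        return reply                                # router bypassed
    return router.untranslate_reply(reply)


def simulate(hairpin: bool, client: Tuple[str, int] = ("10.1.2.7", 40000),
             target: Tuple[str, int] = ("22.2.2.2", 233)) -> Tuple[bool, Optional[Packet]]:
    """Run one request/reply; return (did the client accept the reply?, reply as the client saw it)."""
    router = Router(hairpin)
    sent = Packet(client[0], client[1], target[0], target[1])
    seen = deliver_reply(router, server_reply(router.forward(sent)))
    # TCP only matches the reply to the session if it comes from the address
    # and port the client sent to, and lands on the client's own port.
    accepted = seen is not None and (
        (seen.src, seen.sport, seen.dst, seen.dport) == (sent.dst, sent.dport, sent.src, sent.sport)
    )
    return accepted, seen


if __name__ == "__main__":
    for mode in (False, True):
        ok, seen = simulate(mode)
        print(f"hairpin={mode}: accepted={ok}, client saw {seen}")
```

Two practical consequences of the hairpin translation are worth keeping in mind when operating it: R8 sees every hairpinned connection as coming from 169.254.1.1, so its own logs and any host-based filtering can no longer tell internal clients apart, and the hairpin ACL should stay as narrow as the accepted answer's (only the forwarded hosts as destinations) so that ordinary LAN-to-LAN traffic is not pulled through the router.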
03-09-2021 05:08 AM
Hi Guys,
I have fixed the issue. This is what I did:
if you configure the PBR to send traffic to a loopback interface it won't work and this error pops up:
%Warning:Use P2P interface for routemap setinterface clause
so I have done this:
I created a tunnel interface whose source and destination are both the loopback interface on the router:
interface Tunnel1
ip address 169.253.1.1 255.255.255.255
ip nat inside
cdp enable
tunnel source Loopback0
tunnel destination 169.254.1.1
and used this instead of a loopback interface both on PBR and on NAT
this is it.
I have to thank all of you who helped me to achieve this solution, @MHM Cisco World, @paul driver and especially @Georg Pauwen. Thanks, man.
03-06-2021 12:14 AM
Topology
03-06-2021 12:20 AM
Hello,
--> now when I access R7 from the internet with the 11.1.1.1 address it works ok and if access R8 from the internet with the 22.2.2.2 address it works fine as well.
It is difficult to understand your topology. 11.1.1.1 and 22.2.2.2 are loopback addresses configured on the Router. What are the IP addresses of R7, R8, and R9 ?
03-06-2021 12:28 AM
Hello Georg,
R7: 10.1.2.7
R8: 10.1.2.8
R9: 10.1.2.9
03-06-2021 01:31 AM
Hello,
thanks for the clarification, I got it.
I think what you need is NAT hairpinning indeed. I'll test this and send over the config...
03-06-2021 02:38 AM
No, it didn't work, and I lost my internet connection.
03-06-2021 02:50 AM
03-06-2021 02:59 AM
Hello,
I was afraid of that, to be honest. The traditional NAT hairpinning works for directly connected networks.
Try and remove the 'ip nat outside' from your loopbacks:
interface Loopback1
ip address 11.1.1.1 255.255.255.255
--> no ip nat outside
!
interface Loopback2
ip address 22.2.2.2 255.255.255.255
--> no ip nat outside
03-06-2021 03:05 AM - edited 03-06-2021 03:05 AM
No, it didn't work either. What should I do?
03-06-2021 03:50 AM
Hello,
I'll lab this up again... will get back with you...
03-06-2021 04:41 AM
Hello,
so I recreated your topology, and the adapted config I sent earlier seems to work. Below is the 'debug ip policy' output when I send a ping from 10.1.2.7 to 22.2.2.2:
R1#debug ip policy
*Mar 6 12:35:59.290: NAT*: s=10.1.2.7, d=22.2.2.2->10.1.2.8 [30726]
*Mar 6 12:35:59.290: IP: s=10.1.2.7 (GigabitEthernet0/1), d=10.1.2.8, len 84, FIB policy match
*Mar 6 12:35:59.290: IP: s=10.1.2.7 (GigabitEthernet0/1), d=10.1.2.8, len 84, PBR Counted
*Mar 6 12:35:59.295: IP: s=10.1.2.7 (GigabitEthernet0/1), d=10.1.2.8, len 84, policy match
*Mar 6 12:35:59.296: IP: route map PBR_NAT_RM, item 10, permit
*Mar 6 12:35:59.297: IP: s=10.1.2.7 (GigabitEthernet0/1), d=10.1.2.8 (Loopback0), len 84, policy routed
Can you send your config again with the changes you have made? And send the output of 'debug ip policy' when you try and access 22.2.2.2 from 10.1.2.7?
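The debug output above is the evidence that the hairpin is doing what it should: a NAT line translating 22.2.2.2 to 10.1.2.8, then a 'policy routed' line whose output interface is Loopback0. The following script, added here as an example (not from the thread or from Cisco), parses those lines and checks for exactly those two facts, so the same check can be run against the output the original poster was asked to collect. The sample text is the thread's own debug output; the field names and the check function are this example's, not IOS's.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# 'debug ip policy' lines quoted from the thread (Georg's lab output).
SAMPLE_DEBUG = """\
*Mar 6 12:35:59.290: NAT*: s=10.1.2.7, d=22.2.2.2->10.1.2.8 [30726]
*Mar 6 12:35:59.290: IP: s=10.1.2.7 (GigabitEthernet0/1), d=10.1.2.8, len 84, FIB policy match
*Mar 6 12:35:59.290: IP: s=10.1.2.7 (GigabitEthernet0/1), d=10.1.2.8, len 84, PBR Counted
*Mar 6 12:35:59.295: IP: s=10.1.2.7 (GigabitEthernet0/1), d=10.1.2.8, len 84, policy match
*Mar 6 12:35:59.296: IP: route map PBR_NAT_RM, item 10, permit
*Mar 6 12:35:59.297: IP: s=10.1.2.7 (GigabitEthernet0/1), d=10.1.2.8 (Loopback0), len 84, policy routed
"""

# "NAT*: s=A[->A'], d=B[->B']"  (source and/or destination may be rewritten)
NAT_RE = re.compile(
    r"NAT\*?: s=(?P<src>[\d.]+)(?:->(?P<src_new>[\d.]+))?,"
    r" d=(?P<dst>[\d.]+)(?:->(?P<dst_new>[\d.]+))?"
)
# "IP: s=A (in-if), d=B[ (out-if)], len N, <event>"
IP_RE = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<in_if>[^)]+)\), d=(?P<dst>[\d.]+)"
    r"(?: \((?P<out_if>[^)]+)\))?, len (?P<len>\d+), (?P<event>.+?)\s*$"
)
RMAP_RE = re.compile(r"IP: route map (?P<name>\S+), item (?P<seq>\d+), (?P<action>permit|deny)")


@dataclass
class FlowTrace:
    nat: List[Tuple[str, Optional[str], str, Optional[str]]] = field(default_factory=list)
    events: List[str] = field(default_factory=list)
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    route_map: Optional[Tuple[str, int, str]] = None


def parse_debug(text: str) -> FlowTrace:
    """Collect NAT rewrites, PBR events and the chosen output interface from debug text."""
    trace = FlowTrace()
    for line in text.splitlines():
        if (m := NAT_RE.search(line)):
            trace.nat.append((m["src"], m["src_new"], m["dst"], m["dst_new"]))
        elif (m := RMAP_RE.search(line)):
            trace.route_map = (m["name"], int(m["seq"]), m["action"])
        elif (m := IP_RE.search(line)):
            trace.events.append(m["event"])
            trace.in_if = m["in_if"]
            if m["out_if"]:
                trace.out_if = m["out_if"]
    return trace


def check_hairpin(trace: FlowTrace, public: str, server: str, expected_out_if: str) -> List[str]:
    """Return the problems found; an empty list means the trace looks like a working hairpin."""
    problems: List[str] = []
    if not any(d == public and d_new == server for _, _, d, d_new in trace.nat):
        problems.append(f"no destination translation {public}->{server} seen")
    if "policy routed" not in trace.events:
        problems.append("packet was never policy routed (route-map not applied or no match)")
    if trace.out_if != expected_out_if:
        problems.append(f"policy routed to {trace.out_if!r}, expected {expected_out_if!r}")
    if trace.route_map and trace.route_map[2] != "permit":
        problems.append(f"route-map {trace.route_map[0]} seq {trace.route_map[1]} denied the packet")
    return problems


if __name__ == "__main__":
    t = parse_debug(SAMPLE_DEBUG)
    print("NAT rewrites:", t.nat)
    print("PBR events:", t.events, "->", t.out_if)
    print("problems:", check_hairpin(t, "22.2.2.2", "10.1.2.8", "Loopback0") or "none")
```

A trace that stops after the NAT line, or that ends in 'policy match' with no 'policy routed', points at the route-map not being applied on the inbound interface; a trace with no NAT line at all points at the static translation not being hit, which is the symptom the original poster reported when the PBR next hop was rejected.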
03-06-2021 05:43 AM
It still won't work. I think the issue is that when I use set interface loopback0 it returns an error:
but I don't have any debug messages and when I use show route-map
and nothing works.
03-06-2021 05:44 AM
Also, I am using a CSR1000v with the IOS-XE 16.3.8 image.
03-06-2021 06:19 AM
Post the running configuration with the changes I sent. I want to double check if you have missed something...