Solved: Nat issue on loopback interface ISR4300 - Page 2

n.bokhar1 · ‎03-06-2021

hello, all this is my topology:

R7, R8, and R9 are virtual machines inside the network

and they have a default route to the switch and the switch has a default route to the Router.

this Is the routers config:

!
hostname Router

!

interface Loopback1
no shutdown
ip address 11.1.1.1 255.255.255.255
!
interface Loopback2
no shutdown
ip address 22.2.2.2 255.255.255.255
!
interface GigabitEthernet1
no shutdown
ip address 10.1.1.2 255.255.255.252
ip nat inside
!
interface GigabitEthernet2
no shutdown
ip address 1.1.1.2 255.255.255.252
ip nat outside
!

ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.1.2.0 255.255.255.0 10.1.1.1

!

ip access-list standard NAT
permit 10.1.0.0 0.0.255.255

!

ip nat inside source static tcp 10.1.2.7 23 11.1.1.1 233 extendable
ip nat inside source static tcp 10.1.2.8 23 22.2.2.2 233 extendable
ip nat inside source list NAT interface GigabitEthernet2 overload

!

this is it.

now when I access R7 from the internet with the 11.1.1.1 address it works ok and if access R8 from the internet with the 22.2.2.2 address it works fine as well.

but when I want to access R8 from R7 with 22.2.2.2 address it doesn't work and vice versa.

so I want to fix this issue i and I have looked into different solutions but none has worked so far like NVI with it is not supported on IOS-XE or Hairpin Nat witch also doesn't work.

I need your help.

n.bokhar1 · ‎03-06-2021

!

interface Loopback0
ip address 169.254.1.1 255.255.255.255
ip nat inside

!

interface Loopback1
ip address 11.1.1.1 255.255.255.255
ip nat outside
!
interface Loopback2
ip address 22.2.2.2 255.255.255.255
ip nat outside
!
interface GigabitEthernet1
ip address 10.1.1.2 255.255.255.252
ip nat outside
ip policy route-map PBR_NAT_RM
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 1.1.1.2 255.255.255.252
ip nat outside
negotiation auto
no mop enabled
no mop sysid
!

!
ip nat inside source static tcp 10.1.2.7 23 11.1.1.1 233 extendable
ip nat inside source static tcp 10.1.2.8 23 22.2.2.2 233 extendable
ip nat inside source list NAT_ACL interface GigabitEthernet2 overload
ip nat inside source list NAT_HAIRPIN_ACL interface Loopback0 overload

!

ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.1.2.0 255.255.255.0 10.1.1.1
!
!
ip access-list extended NAT_ACL
deny ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
permit ip 10.1.0.0 0.0.255.255 any
ip access-list extended NAT_HAIRPIN_ACL

permit ip 10.1.0.0 0.0.255.255 host 10.1.2.7
permit ip 10.1.0.0 0.0.255.255 host 10.1.2.8
permit ip 10.1.0.0 0.0.255.255 host 10.1.2.9
!
!
!
route-map PBR_NAT_RM permit 10
set interface Loopback0
!

Georg Pauwen · ‎03-06-2021

Hello,

make the changes marked in bold. Also, how are you testing this ? The hairpinning works only for TCP port 23 (telnet), so are you telnetting to test ?

interface Loopback0
ip address 169.254.1.1 255.255.255.255
ip nat inside
!
interface Loopback1
ip address 11.1.1.1 255.255.255.255
--> no ip nat outside
!
interface Loopback2
ip address 22.2.2.2 255.255.255.255
--> no ip nat outside
!
interface GigabitEthernet1
ip address 10.1.1.2 255.255.255.252
ip nat outside
ip policy route-map PBR_NAT_RM
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 1.1.1.2 255.255.255.252
ip nat outside
negotiation auto
no mop enabled
no mop sysid
!
ip nat inside source static tcp 10.1.2.7 23 11.1.1.1 233 extendable
ip nat inside source static tcp 10.1.2.8 23 22.2.2.2 233 extendable
ip nat inside source list NAT_ACL interface GigabitEthernet2 overload
ip nat inside source list NAT_HAIRPIN_ACL interface Loopback0 overload
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.1.2.0 255.255.255.0 10.1.1.1
!
ip access-list extended NAT_ACL
deny ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
permit ip 10.1.0.0 0.0.255.255 any
!
ip access-list extended NAT_HAIRPIN_ACL
permit ip 10.1.0.0 0.0.255.255 host 10.1.2.7
permit ip 10.1.0.0 0.0.255.255 host 10.1.2.8
permit ip 10.1.0.0 0.0.255.255 host 10.1.2.9
!
route-map PBR_NAT_RM permit 10
set interface Loopback0

Georg Pauwen · ‎03-06-2021

Hello,

this is not an error, just a warning. So with 'debug ip policy' and telnetting to the translated address, there is no debug output at all ?

n.bokhar1 · ‎03-07-2021

yep that is correct

n.bokhar1 · ‎03-09-2021

hello,

could you find a solution to this problem.

MHM Cisco World · ‎03-06-2021

...

n.bokhar1 · ‎03-06-2021

ip nat enable doesn't work on IOS-XE devices

MHM Cisco World · ‎03-06-2021

OK,
default route toward SW ?
what is the next-hop you use in virtual router ? is it SVI of SW?

n.bokhar1 · ‎03-06-2021

this is the path:

R7---DefaluGW--> SW SVI VLAN 10 ---Static Route to router Gi1---> Router ---Static Route to INTERNET GI1--->INTERNET

MHM Cisco World · ‎03-06-2021

R7 have a routing capability ?
if yes then it will not full use the DGW.
no ip routing in R7 will solve the issue of interconnect between the virtual router.

NOTE:- ip routing must be config in SW.

n.bokhar1 · ‎03-06-2021

it is enabled on the SW but even if I use virtual machines instead of routers on R7 it still won't work

MHM Cisco World · ‎03-06-2021

...

MHM Cisco World · ‎03-06-2021

...

n.bokhar1 · ‎03-06-2021

The NAT is setup on the router
the switch is there to provide basic connectivity

MHM Cisco World · ‎03-06-2021

..