Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
945
Views
2
Helpful
5
Replies

NAT issues going from Inside Global to Outside Global

ifritch.fritchy1
Level 1
Level 1

‎03-30-2023 11:48 AM

Hey everyone,

I'm attempting to NAT an inside global address to an outside global address over two subinterfaces on a Cisco ASR-1000x.  Currently, we are using an inside global hrsp address to hit our cisco edge routers so perhaps the single MAC over multiple inside globals is causing an issue, I'm not sure.  Anyways, these are the two config variations I've attempted:

office-rtr-edge-01#

conf t
ip nat inside source static [inside global] [outside global]
interface po3.999
ip nat inside

interface po3.997
ip nat outside

This is the show ip nat statistics:

office-rtr-edge-01#show ip nat stat
Total active translations: 1 (1 static, 0 dynamic; 1 extended)
Outside interfaces:
Port-channel3.997
Inside interfaces:
Port-channel3.999
Hits: 0 Misses: 0
Expired translations: 0
Dynamic mappings:
nat-limit statistics:
max entry: max allowed 0, used 0, missed 0
In-to-out drops: 0 Out-to-in drops: 0
Pool stats drop: 0 Mapping stats drop: 0'
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0
Outside global interfaces count: 1

This is the second variant I attempted:

office-rtr-edge-01#

conf t

ip nat inside source static [inside global] [outside global]

int po3.997
ip nat outside
int po3.999
ip nat inside
ip access-list standard 1
10 permit [inside global]
ip nat inside source list 1 interface Port-channel3.999 overload

We also attempted without the overload command however that produced an input error.

This is the show output for attempt at ACL NAT
office-rtr-edge-01#show ip nat stat
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
Port-channel3.997
Inside interfaces:
Port-channel3.999
Hits: 0 Misses: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface Port-channel3.999 refcount 0
nat-limit statistics:
max entry: max allowed 0, used 0, missed 0
In-to-out drops: 0 Out-to-in drops: 0
Pool stats drop: 0 Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0
Outside global interfaces count: 1

Anyone have any ideas we can attempt?  The main issue here is, the inside global for some reason isn't matching on the nat logic of our ASR-1000x.  We even went so far as to try a protocol/port specific static NAT but that was to no avail [ip nat inside source static tcp [inside global IP] [outside global IP] 443 extendable]

Any insight or tips would be greatly appreciated before going through that rigamarole!

0 Helpful
5 Replies 5

MHM Cisco World
VIP
VIP

‎03-30-2023 12:04 PM

Inisde global or inside local to inside global?

0 Helpful

ifritch.fritchy1
Level 1
Level 1
In response to MHM Cisco World

‎03-30-2023 12:14 PM

Inside Local to Inside Global to Outside Global...  We're attempting a "double NAT" for compliance purposes.  Our Edge firewall is translating our Inside Local to a valid Outside Global which traverses our router however, we want to NAT it once more, so in this instance, the Inside Global is a subjective term.

MHM Cisco World
VIP
VIP
In response to ifritch.fritchy1

‎03-30-2023 12:22 PM - edited ‎03-30-2023 02:45 PM

Use hairpin 

I am out now when return home I will send you doc. About this feature.

Thanks 

MHM

ifritch.fritchy1
Level 1
Level 1
In response to MHM Cisco World

‎03-30-2023 12:23 PM

Thanks!  I'll begin researching it and check out what you post later.

0 Helpful
Customers Also Viewed These Support Documents