12-01-2015 08:12 AM - edited 03-05-2019 02:50 AM
Hi,
I would like to set up NAT on a stick. How can I do it on the CSR 1000v? Any working examples would be good.
The policy route-map command is what people have commonly used to NAT traffic based on destination.
However, the command is not available on the CSR1000v. What can I do about it?
ip policy route-map Nat-loop
12-02-2015 06:20 PM
Why would you want to do that, when everything leaving and entering via the Internet is already NATed for you by Amazon?
12-06-2015 11:56 PM
I am using CSR 1000v on Amazon to establish IPSEC VPN tunnels with remote VPN partners.
Some may require us to perform source NATing prior to sending it through the tunnel.
Any advice on how I can do that?
12-10-2015 10:26 AM
You may be able to use FlexVPN and VTIs. That would provide you with interfaces to do NAT. That would be my first choice.
Failing that, a nasty trick that may work (never tried it myself) - create two loopback interfaces. Build a GRE tunnel from one loopback to the other loopback. Then you can statically route traffic into the GRE tunnel - which will come straight back to you - and use a route-map to do the final forward. That would let you use "ip nat inside" and "ip nat outside".
Another thought going through my mind is to create an extra vrf "outside", put one loopback into the outside vrf, and then build your GRE tunnel between the inside and outside vrfs. That will give you two completely separate routing tables, and you won't need any policy routing.
You could also explore doing vrf NAT, which does not require an "ip nat inside" or "ip nat outside". You can also do vrf nat within a vrf. Check out the "ip nat enable" command and vrf NAT.
04-27-2018 04:57 AM
I have a similar requirement: I want to NAT traffic on an AWS transit VPC CSR router, so if anyone has tested this NAT setup, please share the working solution.
12-10-2015 12:50 AM
Anyone able to advise on this?
05-04-2016 04:34 AM
Just putting a note here for anybody looking for the solution.
For reference: NAT with crypto map (and other restrictions) is not supported for CSR on AWS - http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/aws/csraws/awsoverview.pdf
The workaround is to create a VRF for the NAT operation and run VASI between global and the VRF. Traffic from the inside local address must be PBR'd into VASI to reach the VRF.
Diagram:
+---------------------------------+
|           CSR1000v              |
|            vrf X                |
|  vasiright100     vasiright200  |
+-------+-----------------+-------+
        |                 |
+-------+-----------------+-------+
|  vasileft100      vasileft200   |
|           CSR1000v              |
|          Global RIB             |
+---------------+-----------------+
                | physical interface
+---------------+-----------------+
|           AWS cloud             |
+---------------------------------+
VRF part:
interface vasiright100
 vrf forwarding X
 ip address 10.0.1.2 255.255.255.252
 no ip unreachables
 no ip redirects
 ip nat inside
!
interface vasiright200
 vrf forwarding X
 ip address 10.0.2.2 255.255.255.252
 no ip unreachables
 no ip redirects
 ip nat outside
!
ip route vrf X <inside local> 255.255.255.255 vasiright100
ip route vrf X 0.0.0.0 0.0.0.0 vasiright200
ip nat inside source static <inside local> <inside global> vrf X match-in-vrf
Global part:
ip route <inside global> 255.255.255.255 vasileft200
For complex designs you may run BGP between VRFs over VASI interfaces.
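A complete version of the VASI workaround described above, written here as an added example (not the poster's own config). It assumes an inside host 10.2.1.10 behind GigabitEthernet2, a translated address 203.0.113.10, and VASI pair addressing 10.0.1.0/30 and 10.0.2.0/30; it fills in the pieces the post leaves implicit: the global-side VASI interfaces, the PBR that steers the host into the VRF, and the return route.

```ios
! VRF that performs the translation (assumed name X, as in the post)
vrf definition X
 address-family ipv4
 exit-address-family
!
! Global side of the two VASI pairs (addresses assumed)
interface vasileft100
 ip address 10.0.1.1 255.255.255.252
!
interface vasileft200
 ip address 10.0.2.1 255.255.255.252
!
! VRF side: vasiright100 is NAT inside, vasiright200 is NAT outside
interface vasiright100
 vrf forwarding X
 ip address 10.0.1.2 255.255.255.252
 ip nat inside
!
interface vasiright200
 vrf forwarding X
 ip address 10.0.2.2 255.255.255.252
 ip nat outside
!
! PBR: push the inside host (assumed 10.2.1.10 on Gi2) into the VRF via vasileft100
ip access-list extended INSIDE-TO-NAT
 permit ip host 10.2.1.10 any
!
route-map NAT-PBR permit 10
 match ip address INSIDE-TO-NAT
 set ip next-hop 10.0.1.2
!
interface GigabitEthernet2
 ip policy route-map NAT-PBR
!
! Inside the VRF: host is reachable back through vasiright100, everything else
! leaves through vasiright200, where the translation is applied
ip route vrf X 10.2.1.10 255.255.255.255 vasiright100
ip route vrf X 0.0.0.0 0.0.0.0 vasiright200
ip nat inside source static 10.2.1.10 203.0.113.10 vrf X match-in-vrf
!
! Global: return traffic for the translated address re-enters the VRF
ip route 203.0.113.10 255.255.255.255 vasileft200
```

Forward path: Gi2 -> PBR -> vasileft100 -> vasiright100 (inside) -> VRF default -> vasiright200 (outside, translated) -> vasileft200 -> global routing to the tunnel; the return path retraces it via the 203.0.113.10/32 route.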
05-29-2016 08:03 AM
Does the "No NAT with crypto" limitation apply only in this "NAT on a Stick" situation? The document states "You cannot apply NAT PAT on the same interface that is configured with a crypto map", but in my case, I have a second interface which is my `nat inside`.
I have AWS VPCs X and Y connected to my VPC A's CSR 1000v via IPSEC/AWS VPN Gateway, and I would like to have all traffic destined for the internet from VPCs X and Y go through the 1000V in VPC A. Is this possible?
08-22-2018 11:39 AM
I don't think the "No NAT with crypto" option applies if you're using two interfaces. Like you said, the crypto map is only attached to the outside interface.
We had a configuration need similar to yours cbbristol, except that our CSR and endpoints in AWS were in the same VPC and needed to connect through an ipsec tunnel to a remote ASA. We needed to NAT between the two interfaces so they could communicate with our endpoints' Elastic IP. Here's a basic config outline:
Fake Endpoint:
private IP: 10.2.1.10
Elastic IP: 373.424.545.617
CSR
interface GigabitEthernet1
 ! subnet mask not given in the original post; /24 assumed from access-list 100
 ip address 10.1.1.1 255.255.255.0
 ip nat outside
 negotiation auto
 crypto map your_map
!
interface GigabitEthernet2
 ! subnet mask not given in the original post; /24 assumed
 ip address 10.2.1.1 255.255.255.0
 negotiation auto
 ip nat inside
!
access-list 100 permit ip host 10.2.1.10 10.1.1.0 0.0.0.255
!
route-map topartners permit 10
 match ip address 100
!
ip nat inside source static 10.2.1.10 373.424.545.617 route-map topartners
This worked for us. Also, apparently even though your outside interface is configured with its private IP, a remote router can still send traffic using your CSR's elastic IP and your Endpoint's elastic IP. I guess AWS takes care of that translation.