NAT on an ISR 4331

jamespetitt
Level 1

I have a working configuration from a Cisco 2901 router, and loading it in an ISR 4331 I get an error when setting the nat source static ip.

 

In my configuration, because we have many systems that have the same IP, we use NAT to uniquely address each one.

 

interface GigabitEthernet0/0
 description DUT Gateway
 ip vrf forwarding c100
 ip address 10.254.253.1 255.255.255.252
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 no ip route-cache cef
 duplex auto
 speed auto
 no keepalive
 arp timeout 30
 no mop enabled
!
...
interface GigabitEthernet0/1.101
 encapsulation dot1Q 101
 ip vrf forwarding t101
 ip address 192.168.100.10 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 ntp disable
 arp timeout 30
!
...
ip nat source static 192.168.100.1 10.254.254.2 vrf t101
ip nat source static 192.168.100.1 10.254.254.3 vrf t102
...
ip nat source static 10.254.253.2 192.168.100.10 vrf c100
ip nat inside source static 192.168.100.1 10.254.254.2 vrf t101
...
ip nat outside source static 10.254.253.2 192.168.100.10 vrf c100
...

 

 

On the 4331 the "ip nat source" command is not allowed and gives an error.  I assume this is redundant so I scrapped those lines.

 

What works:

 

router#show ip nat trans
Pro  Inside global         Inside local          Outside local         Outside global
---  10.254.254.16         192.168.100.1         ---                   ---
---  10.254.254.4          192.168.100.1         ---                   ---
---  10.254.254.7          192.168.100.1         ---                   ---
---  10.254.254.1          192.168.100.1         ---                   ---
---  10.254.254.2          192.168.100.1         ---                   ---
---  10.254.254.14         192.168.100.1         ---                   ---
---  10.254.254.13         192.168.100.1         ---                   ---
---  10.254.254.11         192.168.100.1         ---                   ---
---  10.254.254.8          192.168.100.1         ---                   ---
---  10.254.254.3          192.168.100.1         ---                   ---
---  10.254.254.6          192.168.100.1         ---                   ---
---  10.254.254.5          192.168.100.1         ---                   ---
---  10.254.254.9          192.168.100.1         ---                   ---
---  10.254.254.10         192.168.100.1         ---                   ---
---  10.254.254.12         192.168.100.1         ---                   ---
---  10.254.254.15         192.168.100.1         ---                   ---
---  ---                   ---                   192.168.100.10        10.254.253.5
Total number of translations: 17

 

 

Note that because I am now using a switch module instead of a standalone switch, the VLANs are encapsulated and connect to BDI interfaces instead of physical/VLAN interfaces.

 

router#routing-context vrf t101
router%t101#ping 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
router%t101#routing-con
router%t101#routing-context vrf c100
router%c100#ping 10.254.253.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.254.253.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
router%c100#

 

Both the inside VRF and outside VRF can reach their respective endpoints, however...

 

router#show ip nat statistics
Total active translations: 17 (17 static, 0 dynamic; 0 extended)
Outside interfaces:
  GigabitEthernet0/0/0
Inside interfaces:
  BDI101, BDI102, BDI103, BDI104, BDI105, BDI106, BDI107, BDI108, BDI109
  BDI110, BDI111, BDI112, BDI113, BDI114, BDI115, BDI116
Hits: 75  Misses: 23
Expired translations: 23
Dynamic mappings:
nat-limit statistics:
 max entry: max allowed 0, used 0, missed 0
In-to-out drops: 0  Out-to-in drops: 0
Pool stats drop: 0  Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0
router#

 

According to the statistics there are some misses, and I cannot ping across the router.

 

I did try removing the "ip nat source static" commands from the 2901 configuration and although I didn't investigate the failure it did stop working. 

2 Replies

Hello,

 

I am not really sure I understand what you are asking, but the problem is possibly related to having both:

 

ip nat outside
ip nat enable

 

configured at the same time. So, either use one, or the other (with the corresponding static NAT statements), rather than mixing them.
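
The check suggested in the reply above, as an added example that is not part of the thread: `ip nat enable` and `ip nat source static` are the NAT Virtual Interface (NVI) style, while `ip nat inside|outside` and `ip nat inside|outside source static` are the domain-based style. The helper name `audit_nat_styles` and the trimmed sample configuration are assumptions made for illustration.

```python
import re

# Constructed sample, trimmed from the 2901 configuration quoted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
ip vrf forwarding c100
ip nat outside
ip nat enable
!
interface GigabitEthernet0/1.101
ip vrf forwarding t101
ip nat inside
ip nat enable
!
interface BDI102
 ip nat inside
!
ip nat source static 192.168.100.1 10.254.254.2 vrf t101
ip nat inside source static 192.168.100.1 10.254.254.2 vrf t101
ip nat outside source static 10.254.253.2 192.168.100.10 vrf c100
"""

IFACE_NAT = re.compile(r"ip nat (inside|outside|enable)")
STATIC_NAT = re.compile(r"ip nat (?:(inside|outside) )?source static \S+ \S+")


def audit_nat_styles(config):
    """Hypothetical helper: return (interfaces mixing both styles, statics by style)."""
    iface, modes = None, {}
    statics = {"nvi": [], "domain": []}
    for raw in config.splitlines():
        line = raw.strip()  # forum pastes often lose indentation, so ignore it
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
            modes[iface] = set()
        elif line == "!":
            iface = None  # "!" closes the interface block
        elif iface and (m := IFACE_NAT.fullmatch(line)):
            # "ip nat enable" is NVI; "ip nat inside|outside" is domain-based
            modes[iface].add("nvi" if m.group(1) == "enable" else "domain")
        elif m := STATIC_NAT.match(line):
            statics["domain" if m.group(1) else "nvi"].append(line)
    mixed = sorted(i for i, s in modes.items() if len(s) == 2)
    return mixed, statics


if __name__ == "__main__":
    print(audit_nat_styles(SAMPLE_CONFIG))
```

An interface reported as mixed, or static entries present in both lists, is the condition the reply recommends removing before troubleshooting further.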

Mostly that was a working config for the ISR 2901. 

 

I am having issues with NAT using the ISR 4331.  I want to use NAT for IP reuse.  I have a switch service module (SM) that connects to devices that have the same IP address.  The SM has VLAN'd interfaces and a trunk to the router.  The router config uses BDI interfaces that represent each VLAN and NAT VRF.  Then the outside VRF is configured on the Gi0/0/0, see below:

vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
no aaa new-model
!
no ipv6 cef
ip feature nat
ip cef
!
!
ip vrf c100
!
ip vrf t101
!
ip vrf t102
!
ip vrf t103
!
ip vrf t104
!
ip vrf t105
!
ip vrf t106
!
ip vrf t107
!
ip vrf t108
!
ip vrf t109
!
ip vrf t110
!
ip vrf t111
!
ip vrf t112
!
ip vrf t113
!
ip vrf t114
!
ip vrf t115
!
ip vrf t116
!
!
!
no ip domain lookup
multilink bundle-name authenticated
!
!
password encryption aes
!
!
license udi pid ISR4331/K9 sn ??????
spanning-tree extend system-id
!
!
archive
 log config
  hidekeys
!
!
redundancy
 mode none
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 ip vrf forwarding c100
 ip address 10.254.253.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 negotiation auto
 arp timeout 30
!
interface GigabitEthernet0/0/1
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface Ethernet-Internal1/0/0
 description Switch-Interface1
 negotiation auto
 service instance 101 ethernet
  encapsulation dot1q 101
  rewrite ingress tag pop 1 symmetric
  bridge-domain 101 split-horizon group 0
 !
 service instance 102 ethernet
  encapsulation dot1q 102
  rewrite ingress tag pop 1 symmetric
  bridge-domain 102 split-horizon group 0
 !
 service instance 103 ethernet
  encapsulation dot1q 103
  rewrite ingress tag pop 1 symmetric
  bridge-domain 103 split-horizon group 0
 !
 service instance 104 ethernet
  encapsulation dot1q 104
  rewrite ingress tag pop 1 symmetric
  bridge-domain 104 split-horizon group 0
 !
 service instance 105 ethernet
  encapsulation dot1q 105
  rewrite ingress tag pop 1 symmetric
  bridge-domain 105 split-horizon group 0
 !
 service instance 106 ethernet
  encapsulation dot1q 106
  rewrite ingress tag pop 1 symmetric
  bridge-domain 106 split-horizon group 0
 !
 service instance 107 ethernet
  encapsulation dot1q 107
  rewrite ingress tag pop 1 symmetric
  bridge-domain 107 split-horizon group 0
 !
 service instance 108 ethernet
  encapsulation dot1q 108
  rewrite ingress tag pop 1 symmetric
  bridge-domain 108 split-horizon group 0
 !
 service instance 109 ethernet
  encapsulation dot1q 109
  rewrite ingress tag pop 1 symmetric
  bridge-domain 109 split-horizon group 0
 !
 service instance 110 ethernet
  encapsulation dot1q 110
  rewrite ingress tag pop 1 symmetric
  bridge-domain 110 split-horizon group 0
 !
 service instance 111 ethernet
  encapsulation dot1q 111
  rewrite ingress tag pop 1 symmetric
  bridge-domain 111 split-horizon group 0
 !
 service instance 112 ethernet
  encapsulation dot1q 112
  rewrite ingress tag pop 1 symmetric
  bridge-domain 112 split-horizon group 0
 !
 service instance 113 ethernet
  encapsulation dot1q 113
  rewrite ingress tag pop 1 symmetric
  bridge-domain 113 split-horizon group 0
 !
 service instance 114 ethernet
  encapsulation dot1q 114
  rewrite ingress tag pop 1 symmetric
  bridge-domain 114 split-horizon group 0
 !
 service instance 115 ethernet
  encapsulation dot1q 115
  rewrite ingress tag pop 1 symmetric
  bridge-domain 115 split-horizon group 0
 !
 service instance 116 ethernet
  encapsulation dot1q 116
  rewrite ingress tag pop 1 symmetric
  bridge-domain 116 split-horizon group 0
 !
!
interface Ethernet-Internal1/0/1
 description SW-Interface2
 shutdown
!
interface BDI101
 ip vrf forwarding t101
 ip address 192.168.100.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 arp timeout 30
!
interface BDI102
 ip vrf forwarding t102
 ip address 192.168.100.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 arp timeout 30
!
interface BDI103
 ip vrf forwarding t103
 ip address 192.168.100.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 arp timeout 30
!
interface BDI104
 ip vrf forwarding t104
 ip address 192.168.100.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 arp timeout 30
!
interface BDI105
 ip vrf forwarding t105
 ip address 192.168.100.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 arp timeout 30
!
interface BDI106
 ip vrf forwarding t106
 ip address 192.168.100.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 arp timeout 30
!
interface BDI107
 ip vrf forwarding t107
 ip address 192.168.100.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 arp timeout 30
!
interface BDI108
 ip vrf forwarding t108
 ip address 192.168.100.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 arp timeout 30
!
interface BDI109
 ip vrf forwarding t109
 ip address 192.168.100.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 arp timeout 30
!
interface BDI110
 ip vrf forwarding t110
 ip address 192.168.100.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 arp timeout 30
!
interface BDI111
 ip vrf forwarding t111
 ip address 192.168.100.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 arp timeout 30
!
interface BDI112
 ip vrf forwarding t112
 ip address 192.168.100.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 arp timeout 30
!
interface BDI113
 ip vrf forwarding t113
 ip address 192.168.100.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 arp timeout 30
!
interface BDI114
 ip vrf forwarding t114
 ip address 192.168.100.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 arp timeout 30
!
interface BDI115
 ip vrf forwarding t115
 ip address 192.168.100.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 arp timeout 30
!
interface BDI116
 ip vrf forwarding t116
 ip address 192.168.100.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 arp timeout 30
!
interface Vlan1
 no ip address
 shutdown
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
!
ip nat inside source static 192.168.100.1 10.254.254.1 vrf t101
ip nat inside source static 192.168.100.1 10.254.254.2 vrf t102
ip nat inside source static 192.168.100.1 10.254.254.3 vrf t103
ip nat inside source static 192.168.100.1 10.254.254.4 vrf t104
ip nat inside source static 192.168.100.1 10.254.254.5 vrf t105
ip nat inside source static 192.168.100.1 10.254.254.6 vrf t106
ip nat inside source static 192.168.100.1 10.254.254.7 vrf t107
ip nat inside source static 192.168.100.1 10.254.254.8 vrf t108
ip nat inside source static 192.168.100.1 10.254.254.9 vrf t109
ip nat inside source static 192.168.100.1 10.254.254.10 vrf t110
ip nat inside source static 192.168.100.1 10.254.254.11 vrf t111
ip nat inside source static 192.168.100.1 10.254.254.12 vrf t112
ip nat inside source static 192.168.100.1 10.254.254.13 vrf t113
ip nat inside source static 192.168.100.1 10.254.254.14 vrf t114
ip nat inside source static 192.168.100.1 10.254.254.15 vrf t115
ip nat inside source static 192.168.100.1 10.254.254.16 vrf t116
ip nat outside source static 10.254.253.5 192.168.100.10 vrf c100
!

This configuration is not working.  Maybe I am missing something.
