NAT on CE router in wide MPLS network

addelanto
Level 1
Level 1

Hi

I have a TLC device attached to a CE router connected to an MPLS network.

From our corporate private LAN I can reach the LAN of the router, 10.201.57.0/24;

my target is to reach the TLC device, which has IP address 192.168.0.251/24, by

the "public" IP address 10.201.57.254, the MPLS IP of the router that we agreed with our provider.

 

I then asked the provider to create a private LAN on the router, 192.168.0.0/24, give it a gateway on a VLAN interface,

192.168.0.254, configure the port the TLC device is attached to in access mode on that VLAN, and create a NAT (PAT) between the LAN network router IP 10.201.57.254 and the local network IP of the device 192.168.0.251, in such a way that:

 

10.201.57.254:8080 --> 192.168.0.251:8080 

 

What happens: 

 

If I try to reach 10.201.57.254 on TCP port 8080 from the router LAN (a PC with IP address 10.201.57.51, for instance), PAT works: it can reach the TLC device on its port 8080.

 

If I try to reach 10.201.57.254 on TCP port 8080 from the MPLS network (anything in the MPLS network, e.g. from my PC in the enterprise private network that can see the whole MPLS network), it doesn't work; the technician from the provider told me that he can see the requests coming in, but nothing goes out to answer the request.

 

I'm wondering if MTU issues are arising, or something is dropping the return traffic...

 

Any idea? 

 

Thanks 

 

Regards 

 

Antonello 


Hello,

 

do you have a topology diagram showing how your devices are connected, as well as the relevant configurations?

Hello George 

 

I have a diagram summarizing the infrastructure in the field; you can find it attached.

Next Monday I'll attach some lines of the configuration.

Please keep in mind that the router is managed by our provider: I have no access and I have to ask them for any

info (configuration, get conf, and so on).

 

Thanks a lot 

 

Antonello 

Hello

Fastweb rtr: Porta 2 and Porta 3 duplicate the same subnet, is this a typo?

Lan interface (Porta3) - inside nat 192.168.0.0/24 D/G 192.168.0.251
WAN interface (Porta1)- outside nat 10.201.57.0/24


From what you have explained, the Porta 2 or 3 subnet is a "hidden" NAT network, so when a host on the "outside" (10.201.57.1) connects to 10.201.57.254:8080, NAT will initiate and the connection will be directed to host 192.168.0.1:8080.

However, any initiation from the MPLS side (Porta 0) won't work, as that network isn't aware of 192.168.0.0/24; it's only aware of advertised networks, not hidden networks like 192.168.0.0/24. Plus, NAT isn't even applied to any of Porta 0's connected interfaces for translation.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul 

 

The RTU (IP address 192.168.0.251) device is attached to router port FastEthernet 2.

The PLC (IP address 192.168.0.1) device is attached to router port FastEthernet 3.

 

Maybe the picture is not accurate; my colleague drew it quickly.

I obscured with "x" the public addresses from now on 

 

What follows is what, in my mind, should be easy to realize:

 

interface vlan2
ip address 10.201.57.254 255.255.255.0
ip nat outside

interface vlan3
ip address 192.168.0.254 255.255.255.0
ip nat inside

! dynamic PAT needs an ACL selecting the inside hosts (list 44, as on the current config)
access-list 44 permit 192.168.0.0 0.0.0.255
ip nat inside source list 44 interface vlan2 overload

! static port forwards; "interface vlan2" can be replaced by the address form "10.201.57.254"
ip nat inside source static tcp 192.168.0.251 8080 interface vlan2 8080
ip nat inside source static tcp 192.168.0.251 2404 interface vlan2 2404
ip nat inside source static tcp 192.168.0.251 5052 interface vlan2 5052

 

At the moment the router is configured as follows (if you need further info I have to ask the provider for it):

 

!
interface Tunnel1
description "if Tunnel vso Concentratore Principale - xxxxxxxxx"
ip address 172.16.1.26 255.255.255.252
load-interval 30
tunnel source FastEthernet4
tunnel destination xxxxxxxxxxxx
!
interface Tunnel2
description "if Tunnel vso Concentratore Secondario -xxxxxxxxxx"
ip address 172.16.1.30 255.255.255.252
load-interval 30
tunnel source FastEthernet4
tunnel destination xxxxxxxxxxx
!
interface FastEthernet0
description "Collegamento LAN Cliente"
switchport access vlan 2
no ip address
load-interval 30
duplex full
speed 100
!
interface FastEthernet1
description "Collegamento LAN Cliente"
switchport access vlan 2
no ip address
load-interval 30
duplex full
speed 100
!
interface FastEthernet2
description "Collegamento LAN Cliente"
switchport access vlan 3
no ip address
load-interval 30
duplex full
speed 100
!
interface FastEthernet3
description "Collegamento LAN Cliente"
switchport access vlan 3
no ip address
load-interval 30
duplex full
speed 100
!
interface FastEthernet4
description "Link WAN"
ip address dhcp
load-interval 30
duplex auto
speed auto
service-policy input CHECK-DOWN
service-policy output SHAPE-PROTECT-UP
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
description "Collegamento LAN Cliente"
ip address 10.201.57.254 255.255.255.0
ip helper-address 192.168.30.1
ip helper-address 10.60.0.3
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1400
no autostate
service-policy input FW-CLASS-MARK-UP-LIMIT
service-policy output REMOVE-DOWN
!
interface Vlan3
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
router bgp xxxxxx
xxxxxxx


ip local policy route-map FW_NETWORK
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip tftp source-interface Loopback7
ip nat inside source list 44 interface Vlan2 overload
ip nat inside source static tcp 192.168.0.251 2404 10.201.57.254 2404 extendable
ip nat inside source static udp 192.168.0.251 2404 10.201.57.254 2404 extendable
ip nat inside source static tcp 192.168.0.251 5052 10.201.57.254 5052 extendable
ip nat inside source static udp 192.168.0.251 5052 10.201.57.254 5052 extendable
ip nat inside source static tcp 192.168.0.251 8080 10.201.57.254 8080 extendable
ip nat inside source static udp 192.168.0.251 8080 10.201.57.254 8080 extendable
ip route 0.0.0.0 0.0.0.0 Null0 250 

 

access-list 44 permit 192.168.0.0 0.0.0.255

 

Debug ip nat shows : 

 

Sep 8 10:22:13.114: NAT*: s=192.168.192.38, d=10.201.57.254->192.168.0.251 [58925]

192.168.192.38 is my PC's IP address, on the corporate VPN LAN, which is able to see the MPLS cloud.

 

Route table when we made tests: 

 

#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is 172.16.1.25 to network 0.0.0.0

B* 0.0.0.0/0 [20/0] via 172.16.1.25, 1w1d
xxxxxxxxxxxx
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S 10.130.150.1/32 [254/0] via 93.57.192.1, FastEthernet4
C 10.201.57.0/24 is directly connected, Vlan2
L 10.201.57.254/32 is directly connected, Vlan2
xxxxxxx/8 is variably subnetted, 3 subnets, 3 masks
C xxxxxxx is directly connected, FastEthernet4
L xxxxxxxxx is directly connected, FastEthernet4
S xxxxxxxx [1/0] via xxxxxxx
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 172.16.1.24/30 is directly connected, Tunnel1
L 172.16.1.26/32 is directly connected, Tunnel1
C 172.16.1.28/30 is directly connected, Tunnel2
L 172.16.1.30/32 is directly connected, Tunnel2
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/24 is directly connected, Vlan3
L 192.168.0.254/32 is directly connected, Vlan3

 

#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.201.57.254 - 70ea.1ac7.3d82 ARPA Vlan2
Internet xxxxxxxx 00a0.bc22.a06e ARPA FastEthernet4
Internet xxxxxxxx - 70ea.1ac7.3d86 ARPA FastEthernet4
Internet 192.168.0.1 0 ac64.17a2.55d3 ARPA Vlan3
Internet 192.168.0.251 0 0012.c300.8ad8 ARPA Vlan3
Internet 192.168.0.254 - 70ea.1ac7.3d82 ARPA Vlan3

 

We don't want the 192.168.0.0/24 network to be visible in the MPLS cloud, but we'd like to reach the two devices behind it

with a NAT/PAT service.

 

Sorry for my bad explanation; I hope the issue is now better defined.

 

Thanks a lot 

 

Regards

 

Antonello 

Hello

so vlan 2 is your "public" NATted interface, so anything arriving on this interface for those defined UDP/TCP ports should go to the hidden host 192.168.0.251. Any traffic arriving on any other interface should not be NATted.

However, doesn't the MPLS physical connection reside on Fa04, with your logical GRE tunnels sourced from it? If so, it's on the GRE tunnels where you need to apply the NAT outside domain, not on the vlan2 SVI.

 

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
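As an added example (not code from this thread or from Cisco), here is a small Python model of the NAT domain rule Paul is pointing at: on IOS, a packet that enters on an `ip nat inside` interface gets its source rewritten inside-local to inside-global only when it is routed out through an interface marked `ip nat outside`; leaving through an unmarked interface (the GRE tunnels here) sends it untranslated. It takes the routes from the posted `sh ip route` (connected Vlan2/Vlan3, default via Tunnel1) and the three static TCP entries from the posted config; the `NatRouter` class, the function names, the client port 40000 and the "tunnels outside" variant are my own constructions. It only models the RTU's reply leg, which is where the reported symptom (requests seen, nothing going back out) lives, and does not try to reproduce every IOS detail.

```python
"""Model of the Cisco IOS NAT inside/outside domain rule on the reply leg.

Constructed example: not code from the thread or from Cisco. It reproduces
the thread's router only as far as the NAT discussion needs.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Static entries as on the posted config: (proto, inside_local, lport, inside_global, gport)
STATIC_NAT = [
    ("tcp", "192.168.0.251", 8080, "10.201.57.254", 8080),
    ("tcp", "192.168.0.251", 2404, "10.201.57.254", 2404),
    ("tcp", "192.168.0.251", 5052, "10.201.57.254", 5052),
]

# Routes taken from the posted `sh ip route` (connected Vlan2/Vlan3, default via Tunnel1).
ROUTES = [
    ("10.201.57.0/24", "Vlan2"),
    ("192.168.0.0/24", "Vlan3"),
    ("0.0.0.0/0", "Tunnel1"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


class NatRouter:
    """Holds only the NAT marking of each interface: 'inside', 'outside' or None."""

    def __init__(self, nat_domain: Dict[str, Optional[str]]):
        self.nat_domain = nat_domain

    def egress(self, dst: str) -> str:
        """Longest-prefix match over ROUTES."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
        for prefix, iface in ROUTES:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        assert best is not None, "no route (ROUTES carries a default, so this cannot happen)"
        return best[1]

    def inside_to_outside(self, pkt: Packet, ingress: str) -> Tuple[Packet, str, str]:
        """Forward a packet that entered on `ingress`; return (packet as sent, egress, note)."""
        out = self.egress(pkt.dst)
        if self.nat_domain.get(ingress) != "inside":
            return pkt, out, f"{ingress} is not 'ip nat inside': no source translation"
        if self.nat_domain.get(out) != "outside":
            # The failure mode in the thread: the reply leaves via a tunnel that is not
            # in the NAT outside domain, so the hidden address goes out untranslated.
            return pkt, out, f"egress {out} is not 'ip nat outside': source {pkt.src} leaks untranslated"
        for proto, ilocal, lport, iglobal, gport in STATIC_NAT:
            if (proto, ilocal, lport) == (pkt.proto, pkt.src, pkt.sport):
                xlated = Packet(iglobal, pkt.dst, gport, pkt.dport, pkt.proto)
                return xlated, out, f"s={ilocal}:{lport}->{iglobal}:{gport} on {out}"
        return pkt, out, f"no static entry for {pkt.src}:{pkt.sport}"


def rtu_reply_as_seen_by(router: NatRouter, client_ip: str) -> Tuple[str, str]:
    """Source address the client sees on the RTU's reply, and the interface it left by."""
    reply = Packet("192.168.0.251", client_ip, 8080, 40000)  # 40000: constructed client port
    sent, out, _note = router.inside_to_outside(reply, "Vlan3")
    return sent.src, out


def unmarked_egress_interfaces(router: NatRouter) -> List[str]:
    """Audit: interfaces used as route egress that carry no NAT marking at all."""
    return sorted({iface for _, iface in ROUTES if router.nat_domain.get(iface) is None})


def router_as_posted() -> NatRouter:
    return NatRouter({"Vlan2": "outside", "Vlan3": "inside", "Tunnel1": None, "Tunnel2": None})


def router_with_tunnels_outside() -> NatRouter:
    # Paul's suggestion: the GRE tunnels carry the MPLS side, so they join the NAT outside domain.
    return NatRouter({"Vlan2": "outside", "Vlan3": "inside", "Tunnel1": "outside", "Tunnel2": "outside"})


if __name__ == "__main__":
    for name, r in (("as posted", router_as_posted()), ("tunnels outside", router_with_tunnels_outside())):
        for client in ("10.201.57.51", "192.168.192.38"):
            src, out = rtu_reply_as_seen_by(r, client)
            print(f"{name:16} reply to {client:15} leaves {out:8} with source {src}")
        print(f"{name:16} unmarked egress interfaces: {unmarked_egress_interfaces(r)}")
```

Running it shows the two cases from the thread side by side: the LAN PC's reply leaves Vlan2 with source 10.201.57.254 on either configuration, while the reply to 192.168.192.38 leaves Tunnel1 with the hidden source 192.168.0.251 on the posted configuration and with 10.201.57.254 once the tunnels are marked outside. The `unmarked_egress_interfaces` audit is the check worth running on any NAT router: every interface that can carry return traffic for a translated host needs a NAT domain, or the private address walks out of the box.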


@paul driver wrote:

Hello

so vlan 2 is your "public" NATted interface, so anything arriving on this interface for those defined UDP/TCP ports should go to the hidden host 192.168.0.251. Any traffic arriving on any other interface should not be NATted.

 


Hello

This is correct; that's at least what we would like to implement.

 

 

However, doesn't the MPLS physical connection reside on Fa04, with your logical GRE tunnels sourced from it? If so, it's on the GRE tunnels where you need to apply the NAT outside domain, not on the vlan2 SVI.

 

 


OK, but if I configure the tunnel interface as the ip nat outside one, its IP address should be reachable from my private enterprise LAN... (I should make a call like http://172.16.1.26:8080), or do you mean something else?

Sorry, I'm a little bit confused... One more piece of info: a guy made this test last week:

 

He connected a PC to the router and it got IP address 10.201.57.51.

From the PC he successfully opened a connection to the RTU by calling http://10.201.57.254:8080 in a browser,

so the NAT was working... The 10.201.57.0/24 network is the only one I can reach from the corporate private LAN.

 

Thanks 

 

Antonello 
