08-03-2021 12:23 AM
hi all,
I am trying to set up NAT on a stick on an ISR 4331 as described in this article - https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6505-nat-on-stick.html
But unfortunately it doesn't work. I see that the route-map is working since the number of matched packets increases. But traffic (ICMP, TCP, etc.) doesn't leave the device. The show ip nat translations command shows that there are no translations. It looks like packets redirected to the loopback network are just blackholed.
-----------
ISR 4331 software version -- 16.09.07
-----------
interface Loopback0
ip address 10.10.102.133 255.255.255.252
ip nat inside
interface GigabitEthernet1.10
encapsulation dot1Q 10
ip address 10.10.102.21 255.255.255.128
ip policy route-map MAP-SET-NHOP
interface GigabitEthernet2.6
encapsulation dot1Q 6
ip address 10.11.18.46 255.255.255.252
no ip redirects
ip nat outside
ip policy route-map MAP-SET-NHOP
ip nat pool NAT-POOL 10.10.102.7 10.10.102.7 netmask 255.255.255.128
ip nat inside source list NAT-NETS pool NAT-POOL overload
ip route 10.11.19.1 255.255.255.255 10.11.18.45
ip route 192.168.104.101 255.255.255.255 10.10.102.2
ip access-list extended NAT-NETS
permit ip host 192.168.104.101 host 10.11.19.1
route-map MAP-SET-NHOP permit 10
match ip address NAT-NETS
set ip next-hop 10.10.102.134
----------------------
Any help is really appreciated.
Thanks
Best Regards,
Dmitry
08-03-2021 04:06 AM
hi to everyone,
we've opened case in TAC and got answer:
NAT on a stick is not a supported feature on IOS-XE. In IOS-XE traffic does not get translated when passing through an “ip nat inside” interface to “ip nat inside” interface.
Thanks for everyone who tried to help us.
Best regards,
Dmitry
08-03-2021 01:32 AM - edited 08-03-2021 01:40 AM
Hello
I don't see NAT applied to the called PBR interface, plus it looks like PBR is applied to the wrong interface?
interface GigabitEthernet1.10
encapsulation dot1Q 10
ip address 10.10.102.21 255.255.255.128
ip policy route-map MAP-SET-NHOP <--- not required if this is the outside next hop interface?
ip nat outside <--missing
interface GigabitEthernet2.6
encapsulation dot1Q 6
ip address 10.11.18.46 255.255.255.252
no ip redirects
ip nat outside (inside)-- if this is your internal interface then inside nat ( ip nat inside) needs to be applied
ip policy route-map MAP-SET-NHOP
08-03-2021 01:56 AM - edited 08-03-2021 02:08 AM
thanks for your answer!
It's my fault. Interface GigabitEthernet1.10 is incoming, interface GigabitEthernet2.6 is outgoing. So GigabitEthernet2.6 has ip nat outside and doesn't need the ip policy route-map MAP-SET-NHOP command.
So, right config on the interfaces is:
interface Loopback0
ip address 10.10.102.133 255.255.255.252
ip nat inside
#incoming interface
interface GigabitEthernet1.10
encapsulation dot1Q 10
ip address 10.10.102.21 255.255.255.128
ip policy route-map MAP-SET-NHOP
# outgoing interface
interface GigabitEthernet2.6
encapsulation dot1Q 6
ip address 10.11.18.46 255.255.255.252
no ip redirects
ip nat outside
But the situation is the same, traffic doesn't come out. I've captured packets on interface GigabitEthernet2.6 and it doesn't transmit traffic from ACL NAT-NETS, neither NATed nor un-NATed.
08-03-2021 06:01 AM
Hello
First of all, my understanding is that NAT44 is supported on IOS-XE; however, unless I check, I'm not sure if it is domain or domainless NAT or both. Also, you need to apply NAT on the physical internal interface for NAT to work, unless you are trying to perform hairpinning.
Can you elaborate on what you're trying to achieve?
08-04-2021 05:24 AM - edited 08-04-2021 05:25 AM
@paul driver wrote:
Hello
First of all, my understanding is that NAT44 is supported on IOS-XE; however, unless I check, I'm not sure if it is domain or domainless NAT or both. Also, you need to apply NAT on the physical internal interface for NAT to work, unless you are trying to perform hairpinning.
Can you elaborate on what you're trying to achieve?
thanks for your response!
Generally we have multiple incoming interfaces (including Virtual-Template interfaces for VPN clients) whose traffic has to be NATed. In order to avoid adding the ip nat inside command on each of them, they have ip policy route-map MAP-SET-NHOP, which redirects traffic to interface Loopback0. It carries the ip nat inside command and works as a single point of NAT inside. That works perfectly on IOS, but not on IOS-XE.
Best regards,
Dmitry
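The design described in the post above (PBR on every ingress interface pointing at a loopback that is the only "ip nat inside" interface) is exactly the inside-to-inside pattern the TAC answer in this thread says IOS-XE will not translate. The following config check is an added example, not code from the thread or from Cisco; it parses a constructed copy of the corrected interface config from this thread (indented as IOS prints it) and reports every PBR ingress interface whose only NAT-inside path is a loopback, so the pattern can be caught in a config review before deployment.

```python
import ipaddress
import re
# Constructed sample: the thread's corrected config, indented as IOS prints it.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 10.10.102.133 255.255.255.252
 ip nat inside
interface GigabitEthernet1.10
 ip address 10.10.102.21 255.255.255.128
 ip policy route-map MAP-SET-NHOP
interface GigabitEthernet2.6
 ip address 10.11.18.46 255.255.255.252
 ip nat outside
route-map MAP-SET-NHOP permit 10
 set ip next-hop 10.10.102.134"""

def parse_blocks(config):
    """Group config into {header: [sub-lines]} using IOS one-space indentation."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks[current] = []
    return blocks

def first(body, pattern):
    """First regex match of pattern over a block's sub-lines, or None."""
    return next((m for ln in body if (m := re.match(pattern, ln))), None)

def find_nat_on_a_stick(config):
    """Return (ingress_interface, route_map, loopback) for each PBR-to-loopback NAT-inside path."""
    blocks = parse_blocks(config)
    lo_nets, stick_maps, findings = {}, {}, []
    for hdr, body in blocks.items():  # loopbacks that carry 'ip nat inside'
        addr = first(body, r"ip address (\S+) (\S+)$")
        if hdr.startswith("interface Loopback") and "ip nat inside" in body and addr:
            lo_nets[hdr.split()[1]] = ipaddress.ip_network(f"{addr[1]}/{addr[2]}", strict=False)
    for hdr, body in blocks.items():  # route-maps whose next-hop lands in such a loopback subnet
        nh = first(body, r"set ip next-hop (\S+)$")
        if hdr.startswith("route-map ") and nh:
            for lo, net in lo_nets.items():
                if ipaddress.ip_address(nh[1]) in net:
                    stick_maps[hdr.split()[1]] = lo
    for hdr, body in blocks.items():  # interfaces relying on that route-map with no own 'ip nat inside'
        pol = first(body, r"ip policy route-map (\S+)$")
        if hdr.startswith("interface ") and "ip nat inside" not in body and pol and pol[1] in stick_maps:
            findings.append((hdr.split()[1], pol[1], stick_maps[pol[1]]))
    return findings
```

Each finding names an ingress interface that, on IOS-XE, would need its own ip nat inside (or a different design) rather than relying on the loopback.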