Nat on stick Cisco ISR 4331

Hi all,

I am trying to set up NAT on a stick on an ISR 4331 as described in the article - https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6505-nat-on-stick.html

But unfortunately it doesn't work. I see that the route-map is working, since the number of matched packets increases. But traffic (ICMP, TCP, etc.) doesn't leave the device. The show ip nat translations command shows that there are no translations. It looks like traffic redirected to the loopback network is just blackholed.

-----------

ISR 4331 software version -- 16.09.07

-----------

interface Loopback0
 ip address 10.10.102.133 255.255.255.252
 ip nat inside

interface GigabitEthernet1.10
 encapsulation dot1Q 10
 ip address 10.10.102.21 255.255.255.128
 ip policy route-map MAP-SET-NHOP

interface GigabitEthernet2.6
 encapsulation dot1Q 6
 ip address 10.11.18.46 255.255.255.252
 no ip redirects
 ip nat outside
 ip policy route-map MAP-SET-NHOP

ip nat pool NAT-POOL 10.10.102.7 10.10.102.7 netmask 255.255.255.128
ip nat inside source list NAT-NETS pool NAT-POOL overload

ip route 10.11.19.1 255.255.255.255 10.11.18.45
ip route 192.168.104.101 255.255.255.255 10.10.102.2

ip access-list extended NAT-NETS
 permit ip host 192.168.104.101 host 10.11.19.1

route-map MAP-SET-NHOP permit 10
 match ip address NAT-NETS
 set ip next-hop 10.10.102.134

----------------------

Any help is really appreciated.

Thanks

Best Regards,

Dmitry

Accepted Solution

Hi everyone,

We opened a case with TAC and got this answer:

NAT on a stick is not a supported feature on IOS-XE.
In IOS-XE traffic does not get translated when passing through an “ip nat inside” interface to “ip nat inside” interface.

Thanks to everyone who tried to help us.

Best regards,

Dmitry


5 Replies

Hello

I don't see NAT applied to the called PBR interface, plus it looks like PBR is applied to the wrong interface?

interface GigabitEthernet1.10
 encapsulation dot1Q 10
 ip address 10.10.102.21 255.255.255.128
 ip policy route-map MAP-SET-NHOP <--- not required if this is the outside next hop interface?
 ip nat outside <-- missing

interface GigabitEthernet2.6
 encapsulation dot1Q 6
 ip address 10.11.18.46 255.255.255.252
 no ip redirects
 ip nat outside (inside) -- if this is your internal interface then inside NAT (ip nat inside) needs to be applied
 ip policy route-map MAP-SET-NHOP


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

@paul driver

Thanks for your answer!

It's my fault. Interface GigabitEthernet1.10 is incoming, interface GigabitEthernet2.6 is outgoing. So GigabitEthernet2.6 has ip nat outside and doesn't need the ip policy route-map MAP-SET-NHOP command.

So, the right config on the interfaces is:

interface Loopback0
 ip address 10.10.102.133 255.255.255.252
 ip nat inside

! incoming interface
interface GigabitEthernet1.10
 encapsulation dot1Q 10
 ip address 10.10.102.21 255.255.255.128
 ip policy route-map MAP-SET-NHOP

! outgoing interface
interface GigabitEthernet2.6
 encapsulation dot1Q 6
 ip address 10.11.18.46 255.255.255.252
 no ip redirects
 ip nat outside

But the situation is the same, traffic doesn't come out. I've captured packets on interface GigabitEthernet2.6 and it doesn't transmit traffic from ACL NAT-NETS, neither NATed nor not-NATed.

Hello

First of all, my understanding is that NAT44 is supported on IOS-XE; however, unless I check I'm not sure whether it is domain or domainless NAT or both. Also, you need to apply NAT on the physical internal interface for NAT to work, unless you are trying to perform hairpinning.

Can you elaborate on what you're trying to achieve?



Kind Regards
Paul


@paul driver wrote:

Hello

First of all, my understanding is that NAT44 is supported on IOS-XE; however, unless I check I'm not sure whether it is domain or domainless NAT or both. Also, you need to apply NAT on the physical internal interface for NAT to work, unless you are trying to perform hairpinning.

Can you elaborate on what you're trying to achieve?

@paul driver

Thanks for your response!

Generally we have multiple incoming interfaces (including Virtual-Template interfaces for VPN clients) whose traffic has to be NATed. In order to avoid adding the ip nat inside command on each, they have ip policy route-map MAP-SET-NHOP, which redirects traffic to interface Loopback0. It contains the ip nat inside command and works as a single point of NAT inside. That works perfectly on IOS, but not on IOS-XE.

Best regards,

Dmitry
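
A pre-migration check for the design discussed in this thread, as an added example (not code from the posters or from Cisco): it scans IOS-style configuration text for policy routing whose next hop lies in the subnet of a loopback carrying ip nat inside, the pattern the TAC reply in the accepted solution says IOS-XE does not translate. The sample configuration is constructed from lines quoted in the thread, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample built from the interface, NAT and route-map lines in this thread.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 10.10.102.133 255.255.255.252
 ip nat inside
interface GigabitEthernet1.10
 ip address 10.10.102.21 255.255.255.128
 ip policy route-map MAP-SET-NHOP
interface GigabitEthernet2.6
 ip address 10.11.18.46 255.255.255.252
 ip nat outside
ip nat inside source list NAT-NETS pool NAT-POOL overload
route-map MAP-SET-NHOP permit 10
 match ip address NAT-NETS
 set ip next-hop 10.10.102.134
"""

def parse(config):
    """Collect per-interface address/NAT/PBR settings and route-map next hops."""
    interfaces, route_maps, intf, rmap = {}, {}, None, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            intf = interfaces.setdefault(m[1], {"net": None, "nat": None, "pbr": None})
        elif m := re.match(r"route-map (\S+) (?:permit|deny)\b", line):
            rmap = route_maps.setdefault(m[1], [])
        elif intf is not None and (m := re.fullmatch(r"ip address ([\d.]+) ([\d.]+)", line)):
            intf["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif intf is not None and (m := re.fullmatch(r"ip nat (inside|outside)", line)):
            intf["nat"] = m[1]  # the global "ip nat inside source ..." line does not match
        elif intf is not None and (m := re.fullmatch(r"ip policy route-map (\S+)", line)):
            intf["pbr"] = m[1]
        elif rmap is not None and (m := re.fullmatch(r"set ip next-hop ([\d.]+)", line)):
            rmap.append(ipaddress.ip_address(m[1]))
    return interfaces, route_maps

def find_nat_on_stick(config):
    """Return (ingress, route-map, next hop, loopback) for each PBR redirect whose
    next hop sits in the subnet of a loopback configured with 'ip nat inside'."""
    interfaces, route_maps = parse(config)
    hits = []
    for name, intf in interfaces.items():
        for hop in route_maps.get(intf["pbr"], []):
            for lo_name, lo in interfaces.items():
                if (lo_name.lower().startswith("loopback") and lo["nat"] == "inside"
                        and lo["net"] is not None and hop in lo["net"].network
                        and hop != lo["net"].ip):
                    hits.append((name, intf["pbr"], str(hop), lo_name))
    return hits
```

The parser matches on command text rather than indentation, so it also accepts configuration pasted flat, as in the posts above.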
