08-07-2024 01:05 AM - edited 08-07-2024 02:55 AM
Hi,
I just want to know how I can apply ip nat outside on an interface with OSPF enabled:
interface GigabitEthernet0/0/1
description P2P_to_R2
ip address 10.62.1.1 255.255.255.252
ip ospf 10 area 0
negotiation auto
!
--------------- OSPF config ---------------
router ospf 10
redistribute connected
redistribute static route-map PERMIT
!
I want to perform NAT on interface GigabitEthernet0/0/1 with OSPF enabled on it. Tried this config:
interface GigabitEthernet0/0/1
description P2P_to_RouterX
ip address 10.62.1.1 255.255.255.252
ip ospf 10 area 0
+++ ip nat outside
negotiation auto
!
But the OSPF status turned to DEAD.
My goal is to perform NAT from interface Tunnel that has IP 10.255.255.0/24, which needs to be translated to 10.62.1.1 when accessing the local IP address on the interface with OSPF enabled.
Just for info, I also have ip nat outside enabled for Interface that is connected to INTERNET:
interface GigabitEthernet0/0/0
description to INTERNET
ip flow monitor LOCAL input
ip flow monitor LOCAL output
ip address X.X.X.X 255.255.255.248
ip nat outside
negotiation auto
!
This is my Tunnel config:
interface Tunnel01
description GRE-TUNNEL
ip address 172.16.20.2 255.255.255.252
tunnel source GigabitEthernet0/0/0
tunnel destination X.X.Y.Y
!
---------------------------------------
ip route 10.255.255.0 255.255.255.0 Tunnel01
---------------------------------------
IP 10.255.255.0/24 is from outside network that is routed through the Tunnel01.
This is the simple diagram that I can give:
INTERNET (PUBLIC IP: X.X.X.X) ---------------->| GigabitEthernet0/0/0 Router1 GigabitEthernet0/0/1 | ---> OSPF (R2)
TUNNEL (GRE TUNNEL 10.255.255.0/24) -------->| Tunnel01 Router1 |
Scenario: ALL ACCESS FROM 10.255.255.0/24 to Local IP on the OSPF network needs to be translated using IP 10.62.1.1
NOTE: I have no access to change any configuration on R2
The reason I want to apply the new configuration is that the network 10.255.255.0/24 needs to access the local IP on the other R2 network. I can't change any configuration on R2, and I need to use the existing IP on R1 (10.62.1.1) so the network 10.255.255.0/24 can access the local IP over the R2 network.
10.255.255.0/24 is an IP that is not allowed to be distributed over the OSPF network, so it needs to be NATed using an IP that is allowed (10.62.1.1).
Any help would be appreciated, since I have been trying different configs but with no success.
08-07-2024 01:47 AM
Dear @penguinunix,
@penguinunix wrote: "My goal is to perform NAT from interface Tunnel that has ip 10.255.255.0/24 need to be translated to 10.62.1.1 when accessing the local IP address on interface with OSPF enabled."
How about creating a VLAN sub-interface for network 10.255.255.0/24 (or a separate physical interface or a loopback interface for this network within R1)? Then a static route in R1 for destination to 10.62.x.x subnet will be pointing to G0/0/1. Then from there test and try around the NAT configuration as per your requirement.
Please also check this link that might help as reference.
HtH : ]
Best regards,
08-07-2024 02:05 AM
Hi,
This is my Tunnel Config:
interface Tunnel01
description GRE-TUNNEL
ip address 172.16.20.2 255.255.255.252
tunnel source GigabitEthernet0/0/0
tunnel destination X.X.Y.Y
!
---------------------------------------
ip route 10.255.255.0 255.255.255.0 Tunnel01
I'm not sure that creating a VLAN for Tunnel01 would help, but your solution of creating a loopback interface maybe can help. In this case, though, I have no access to change the configuration on R2 (the other OSPF router), so I have to stick with the current OSPF configuration.
Also, the reference to the solution from the link you have sent is apparently no longer working; I got Access Denied when visiting the link on the Accepted Solution from the link you have sent.
08-07-2024 04:56 AM
Dear @penguinunix ,
Just wondering, in the tunnel interface configuration, it is using G0/0/0 as tunnel source. What if it's replaced with G0/0/1?
Best regards
08-07-2024 06:28 AM
Hi,
The tunnel is created over the internet, connected to another public server address; interface gi0/0/1 is the direct interface to the other local network with OSPF enabled.
08-07-2024 07:08 AM
Can I see your topology, please?
MHM
08-07-2024 07:13 PM - edited 08-08-2024 06:33 PM
This is the simple topology I can give you: Tunnel01 goes via Gigabit0/0/0, and the network 10.255.255.0/24 needs to access 192.168.10.200. Because the only address permitted to access 192.168.10.200 is 10.62.1.1, I need to NAT the 10.255.255.0/24 addresses to 10.62.1.1.
10.255.255.0/24 is routed via the Tunnel01 interface from R1.
NOTE: I have no access to R2, and it is not possible to add any configuration on the Tunnel01 (Tunnel Server) except to add to the routing table.
08-09-2024 01:55 AM
I don't see anything wrong.
Did you try using deny in the NAT ACL?
If yes and the same issue appears, please share
debug ip ospf adj
MHM
08-09-2024 06:22 AM
Will try your solution as well; it crossed my mind but I haven't applied it before.
08-07-2024 02:15 AM - edited 08-07-2024 02:20 AM
Hello @penguinunix ,
Have you created an appropriate ACL to be used with NAT?
>> 10.255.255.0/24 to Local IP on the OSPF network need to be translated using ip 10.62.1.1
access-list 10 remark NAT for OSPF network
access-list 10 permit 10.255.255.0 0.0.0.255
ip nat inside source list 10 interface gi1/0/1 overload
! Edit
Reading your requirements again, you want to do the opposite: 10.255.255.0/24 is on the remote end.
You should use this line instead:
ip nat outside source list 10 interface gi1/0/1 overload
You need to flag the internal network with ip nat inside.
Edit 2:
The network 10.255.255.0/24 is learned over a GRE p2p tunnel. To be honest, I don't see any need for NAT here. The tunnel can be used to fix this.
Hope to help
Giuseppe
08-07-2024 02:18 AM - edited 08-07-2024 02:56 AM
Hi, I have applied the same configuration you sent in your reply:
interface GigabitEthernet0/0/1
description P2P_to_RouterGIS
ip address 10.62.1.1 255.255.255.252
ip nat outside
ip ospf 10 area 0
negotiation auto
!
ip nat inside source list S interface GigabitEthernet0/0/1 overload
ip access-list extended S
10 permit ip 10.255.255.0 0.0.0.255 any
But as soon as I applied ip nat outside on Gig0/0/1, the OSPF state turned to INIT.
The reason I want to apply the new configuration is that the network 10.255.255.0/24 needs to access the local IP on the other R2. I can't change any configuration on R2, and I need to use the existing IP on R1 (10.62.1.1) so the network 10.255.255.0/24 can access the local IP over the R2 network.
10.255.255.0/24 is an IP that is not allowed to be distributed over the OSPF network, so it needs to be NATed using an IP that is allowed (10.62.1.1).
08-07-2024 02:52 AM
Hi @Giuseppe Larosa ,
Reading your edited reply:
ip nat outside source list 10 interface gi1/0/1 overload
I will try to apply this. I still need the rule ip nat inside source list 10 interface gi1/0/1 overload, right?
08-07-2024 03:26 AM
Friend, I don't see how NAT affects OSPF, but anyway, to solve this use
ip access-list extended ospf
deny ospf any any <- exclude ospf from NAT acl
deny gre any any <- exclude gre from NAT acl
permit ip <subnet> any <<- subnet you want to NAT
Then
ip nat inside source list ospf interface x/x overload
MHM
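Added example (not part of the thread and not any poster's code): a small Python model of how a NAT ACL selects traffic (first match wins, wildcard masks, implicit deny), run over ACL S from the thread, the ACL suggested above with <subnet> filled in as 10.255.255.0 0.0.0.255, and a constructed broad permit ip any any ACL. The function names, the sample packets and the 203.0.113.10 address are assumptions; it models only which packets the ACL selects, not NAT or OSPF behaviour on the router.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS-style wildcard match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_ace(line):
    """Parse '[seq] permit|deny <proto> <src> any'; src is 'any' or 'base wildcard'.
    The destination is always 'any' in the thread's ACLs, so it is not modelled."""
    tok = line.split()
    if tok[0].isdigit():                      # drop a leading sequence number
        tok = tok[1:]
    action, proto, rest = tok[0].lower(), tok[1].lower(), tok[2:]
    src = ("0.0.0.0", "255.255.255.255") if rest[0] == "any" else (rest[0], rest[1])
    return action, proto, src

def selected_for_nat(acl_lines, proto, src):
    """First matching entry decides; no match is the implicit deny (not translated)."""
    for line in acl_lines:
        action, ace_proto, (base, wc) = parse_ace(line)
        if ace_proto in ("ip", proto) and wildcard_match(src, base, wc):
            return action == "permit"
    return False

# ACL S exactly as posted in the thread.
ACL_S = ["10 permit ip 10.255.255.0 0.0.0.255 any"]
# The ACL suggested above; <subnet> filled with the thread's range (assumption).
ACL_OSPF = ["deny ospf any any", "deny gre any any",
            "permit ip 10.255.255.0 0.0.0.255 any"]
# Constructed contrast cases: a broad permit, with and without the denies.
ACL_BROAD = ["permit ip any any"]
ACL_BROAD_GUARDED = ["deny ospf any any", "deny gre any any", "permit ip any any"]

# Constructed sample packets: (label, protocol, source address).
PACKETS = [("R1 OSPF hello", "ospf", "10.62.1.1"),
           ("GRE from WAN address", "gre", "203.0.113.10"),
           ("tunnel host to LAN", "tcp", "10.255.255.10")]

def report(acl_lines):
    """Map each sample packet label to whether the ACL selects it for NAT."""
    return {label: selected_for_nat(acl_lines, proto, src)
            for label, proto, src in PACKETS}

if __name__ == "__main__":
    for name in ("ACL_S", "ACL_OSPF", "ACL_BROAD", "ACL_BROAD_GUARDED"):
        print(name, report(globals()[name]))
```

With the permit entry restricted to 10.255.255.0/24, neither ACL selects the hello sourced from 10.62.1.1; the explicit deny entries change the result only when the permit is broad enough to cover the router's own addresses.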
08-07-2024 03:34 AM
Will try this and update soon
08-07-2024 07:13 AM
Hello @penguinunix ,
Actually, your scenario calls for something different: you have a static route using the p2p GRE tunnel for destination network 10.255.255.0/24. So actually interface gi1/0/1 is not the right place to apply NAT.
So both commands referring to ge1/0/1 are not good for you and they should be removed.
I apologize for having created confusion.
Hope to help
Giuseppe