
NAT over OSPF interface (CISCO ROUTER C8500L-8S4X)

penguinunix
Level 1

Hi,

I just want to know how I can apply ip nat outside on an interface with OSPF enabled:

interface GigabitEthernet0/0/1
description P2P_to_R2
ip address 10.62.1.1 255.255.255.252
ip ospf 10 area 0
negotiation auto
!

--------------- OSPF config ---------------

router ospf 10
redistribute connected
redistribute static route-map PERMIT
!

I want to perform NAT on interface GigabitEthernet0/0/1 with OSPF enabled on it. Tried this config:

interface GigabitEthernet0/0/1
description P2P_to_RouterX
ip address 10.62.1.1 255.255.255.252
ip ospf 10 area 0

+++ ip nat outside
negotiation auto
!

But the OSPF status turns to DEAD.

My goal is to perform NAT so that traffic from the Tunnel interface with IP 10.255.255.0/24 is translated to 10.62.1.1 when accessing the local IP address on the interface with OSPF enabled.

Just for info, I also have ip nat outside enabled on the interface that is connected to the INTERNET:

interface GigabitEthernet0/0/0
description to INTERNET
ip flow monitor LOCAL input
ip flow monitor LOCAL output
ip address X.X.X.X 255.255.255.248
ip nat outside
negotiation auto
!

My Tunnel configuration:

This is my Tunnel Config:

interface Tunnel01
description GRE-TUNNEL
ip address 172.16.20.2 255.255.255.252
tunnel source GigabitEthernet0/0/0
tunnel destination X.X.Y.Y
!

---------------------------------------

ip route 10.255.255.0 255.255.255.0 Tunnel01

---------------------------------------

IP 10.255.255.0/24 is from outside network that is routed through the Tunnel01.

This is the simple diagram that I can give:

INTERNET (PUBLIC IP: X.X.X.X)  ---------------->| GigabitEthernet0/0/0     Router1    GigabitEthernet0/0/1 |  ---> OSPF (R2)

TUNNEL (GRE TUNNEL 10.255.255.0/24) -------->| Tunnel01                       Router1     |

 

Scenario: ALL ACCESS FROM 10.255.255.0/24 to the local IP on the OSPF network needs to be translated using IP 10.62.1.1

NOTE: I have no access to change any configuration on R2

The reason that I want to apply the new configuration is that the network 10.255.255.0/24 needs to access the local IP on the other R2 network. I can't change any configuration on R2, and I need to use the existing IP on R1 (10.62.1.1) so the network 10.255.255.0/24 can access the local IP over the R2 network.

10.255.255.0/24 is an IP range that is not allowed to be distributed over the OSPF network, so it needs to be NATed using an IP that is allowed (10.62.1.1).

Any help would be appreciated, since I have been trying different configs but with no success.

 

18 Replies

bbb bbb
Level 1

Dear @penguinunix,



@penguinunix wrote:

My goal is to perform NAT from interface Tunnel that has ip 10.255.255.0/24 need to be translated to 10.62.1.1 when accessing the local IP address on interface with OSPF enabled.



How about creating a VLAN sub-interface for network 10.255.255.0/24 (or a separate physical interface or a loopback interface for this network within R1)? Then a static route in R1 for the destination 10.62.x.x subnet will be pointing to G0/0/1. Then from there, test and try around the NAT configuration as per your requirement.


Please also check this link that might help as a reference.

https://community.cisco.com/t5/routing/using-nat-through-a-tunnel-interface-on-a-1921-router/td-p/2406521

 

HtH : ]

Best regards,

 

Hi,

This is my Tunnel Config:

interface Tunnel01
description GRE-TUNNEL
ip address 172.16.20.2 255.255.255.252
tunnel source GigabitEthernet0/0/0
tunnel destination X.X.Y.Y
!

---------------------------------------

ip route 10.255.255.0 255.255.255.0 Tunnel01

I'm not sure that creating a VLAN for Tunnel01 would help, but your solution of creating a loopback interface may help. In this case, though, I have no access to change the configuration on R2 (the other OSPF router), so I have to stick with the current OSPF configuration.

Also, the reference to the solution from the link you sent is apparently no longer working; I got Access Denied when visiting the link in the Accepted Solution from the link you sent.

Dear @penguinunix ,

Just wondering: in the tunnel interface configuration, it is using G0/0/0 as the tunnel source. What if it's replaced with G0/0/1?

Best regards

 

 

Hi,

The tunnel is created over the internet and connected to another public server address; interface Gi0/0/1 is a direct interface to another local network with OSPF enabled.

 

Can I see your topology please?

MHM

Simple-network-sami.png

This is the simple topology I can give you. Tunnel01 goes via Gigabit0/0/0, and the network 10.255.255.0/24 needs to access 192.168.10.200. Because the only address permitted to access 192.168.10.200 is 10.62.1.1, I need to NAT the 10.255.255.0/24 addresses so that 10.255.255.0/24 is NATed to 10.62.1.1.

10.255.255.0/24 is routed via the Tunnel01 interface from R1.

NOTE: I have no access to R2, and it is not possible to add any configuration on Tunnel01 (Tunnel Server) except to add to the routing table.

I don't see anything wrong.

Did you try using deny in the NAT ACL?

If yes and the same issue appears, please share

Debug ip ospf adj

MHM

Will try your solution as well, it crossed my mind but haven't applied it before.

Giuseppe Larosa
Hall of Fame

Hello @penguinunix ,

have you created an appropriate ACL to be used with NAT?

>> 10.255.255.0/24 to Local IP on the OSPF network need to be translated using ip 10.62.1.1

access-list 10 remark NAT for OSPF network

access-list 10 permit 10.255.255.0 0.0.0.255

ip nat inside source list 10 interface gi1/0/1 overload

! Edit

Reading your requirements again, you want to do the opposite: 10.255.255.0/24 is on the remote end.

You should use this line instead:

ip nat outside source list 10 interface gi1/0/1 overload

You need to flag internal network with ip nat inside.

Edit 2:

The network 10.255.255.0/24 is learned over a GRE p2p tunnel. To be honest, I don't see any need for NAT here. The tunnel can be used to fix this.

 

 

Hope to help

Giuseppe

 

Hi, I have applied the same configuration you sent in your reply:

interface GigabitEthernet0/0/1
description P2P_to_RouterGIS
ip address 10.62.1.1 255.255.255.252
ip nat outside
ip ospf 10 area 0
negotiation auto
!
ip nat inside source list S interface GigabitEthernet0/0/1 overload

ip access-list extended S
10 permit ip 10.255.255.0 0.0.0.255 any

But as soon as I applied ip nat outside on the Gig0/0/1 the OSPF state turned to INIT.

The reason that I want to apply the new configuration is that the network 10.255.255.0/24 needs to access the local IP on the other R2. I can't change any configuration on R2, and I need to use the existing IP on R1 (10.62.1.1) so the network 10.255.255.0/24 can access the local IP over the R2 network.

10.255.255.0/24 is an IP range that is not allowed to be distributed over the OSPF network, so it needs to be NATed using an IP that is allowed (10.62.1.1).

Hi @Giuseppe Larosa ,

Reading your edited reply:

ip nat outside source list 10 interface gi1/0/1 overload

I will try to apply this. I still need the rule ip nat inside source list 10 interface gi1/0/1 overload, right?

Friend, I don't see how NAT affects OSPF, but anyway, to solve this use

ip access-list extended ospf

deny ospf any any <- exclude ospf from NAT acl

deny gre any any <- exclude gre from NAT acl

permit ip <subnet> any <<- subnet you want to NAT

Then

ip nat inside source list ospf interface x/x overload

MHM
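
The exclusion ACL suggested in the post above, modelled as an added example (not code from the thread or from Cisco): a first-match evaluator showing which packets the NAT ACL selects for translation and which it leaves alone. The `<subnet>` placeholder is filled with 10.255.255.0 0.0.0.255 from the thread as an assumption, and the sample packets are constructed.

```python
import ipaddress

# IP protocol numbers for the keywords used in the ACL.
PROTO = {"ospf": 89, "gre": 47, "tcp": 6, "udp": 17, "icmp": 1}
ALL = 0xFFFFFFFF

def parse_ace(line):
    """Parse '<action> <proto> <src> [<wildcard>] any' (destination is always 'any' here)."""
    tok = line.lower().split()
    action, proto, rest = tok[0], tok[1], tok[2:]
    if rest[0] == "any":
        return action, proto, 0, ALL
    net = int(ipaddress.IPv4Address(rest[0]))
    wild = int(ipaddress.IPv4Address(rest[1]))
    return action, proto, net, wild

def nat_decision(acl_lines, proto_num, src):
    """First matching entry wins; 'deny' or no match means the packet is not translated."""
    src_i = int(ipaddress.IPv4Address(src))
    for action, proto, net, wild in map(parse_ace, acl_lines):
        proto_ok = proto == "ip" or PROTO[proto] == proto_num
        care = ~wild & ALL  # wildcard bits set to 1 are ignored
        if proto_ok and (src_i & care) == (net & care):
            return "translate" if action == "permit" else "bypass"
    return "bypass"  # implicit deny at the end of every ACL

# ACL from the post, with <subnet> filled in from the thread (assumption).
NAT_ACL = [
    "deny ospf any any",
    "deny gre any any",
    "permit ip 10.255.255.0 0.0.0.255 any",
]
# Same entries with the permit moved first, to show why order matters.
REORDERED = [NAT_ACL[2], NAT_ACL[0], NAT_ACL[1]]

# Constructed sample packets: (description, IP protocol number, source address).
PACKETS = [
    ("OSPF hello from Gi0/0/1", 89, "10.62.1.1"),
    ("GRE from tunnel peer", 47, "192.0.2.10"),
    ("TCP from tunnel subnet", 6, "10.255.255.17"),
    ("TCP from tunnel link", 6, "172.16.20.2"),
    ("OSPF sourced in tunnel subnet", 89, "10.255.255.5"),
]

if __name__ == "__main__":
    for desc, proto, src in PACKETS:
        print(f"{desc:32} {nat_decision(NAT_ACL, proto, src):10} "
              f"reordered: {nat_decision(REORDERED, proto, src)}")
```

In a NAT ACL a deny entry only exempts the packet from translation; it is still forwarded, which is why the deny lines have to come before the permit.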

Will try this and update soon

Hello @penguinunix ,

actually your scenario calls for something different: you have a static route using the p2p GRE tunnel for destination network 10.255.255.0/24. So actually interface gi1/0/1 is not the right place to apply NAT.

So both commands referring to ge1/0/1 are not good for you and they should be removed.

I apologize for having created confusion.

Hope to help

Giuseppe

 
