
NAT over OSPF interface (CISCO ROUTER C8500L-8S4X)

penguinunix
Level 1

Hi,

I just want to know how can I apply ip nat outside on interface with OSPF enabled:

interface GigabitEthernet0/0/1
description P2P_to_R2
ip address 10.62.1.1 255.255.255.252
ip ospf 10 area 0
negotiation auto
!

--------------- OSPF config ---------------

router ospf 10
redistribute connected
redistribute static route-map PERMIT
!

I want to perform NAT on interface GigabitEthernet0/0/1 with OSPF enabled on it. Tried this config:

interface GigabitEthernet0/0/1
description P2P_to_RouterX
ip address 10.62.1.1 255.255.255.252
ip ospf 10 area 0

+++ ip nat outside
negotiation auto
!

But the OSPF status turn to DEAD.

My goal is to perform NAT from interface Tunnel01: traffic from 10.255.255.0/24 needs to be translated to 10.62.1.1 when accessing the local IP addresses on the interface with OSPF enabled.

Just for info, I also have ip nat outside enabled for Interface that is connected to INTERNET:

interface GigabitEthernet0/0/0
description to INTERNET
ip flow monitor LOCAL input
ip flow monitor LOCAL output
ip address X.X.X.X 255.255.255.248
ip nat outside
negotiation auto
!

This is my Tunnel config:

interface Tunnel01
description GRE-TUNNEL
ip address 172.16.20.2 255.255.255.252
tunnel source GigabitEthernet0/0/0
tunnel destination X.X.Y.Y
!

---------------------------------------

ip route 10.255.255.0 255.255.255.0 Tunnel01

---------------------------------------

IP 10.255.255.0/24 is from outside network that is routed through the Tunnel01.

This is the simple diagram that I can give:

INTERNET (PUBLIC IP: X.X.X.X)  ---------------->| GigabitEthernet0/0/0     Router1    GigabitEthernet0/0/1 |  ---> OSPF (R2)

TUNNEL (GRE TUNNEL 10.255.255.0/24) -------->| Tunnel01                       Router1     |


Scenario: ALL ACCESS FROM 10.255.255.0/24 to Local IP on the OSPF network need to be translated using ip 10.62.1.1

NOTE: I have no access to change any configuration on R2

The reason I want to apply the new configuration is that the network 10.255.255.0/24 needs to access the local IPs on the R2 network; I can't change any configuration on R2, and I need to use the existing IP on R1 (10.62.1.1) so the network 10.255.255.0/24 can access the local IPs over the R2 network.

10.255.255.0/24 is an IP range that is not allowed to be distributed over the OSPF network, so it needs to be NATed using an IP that is allowed (10.62.1.1).

Any help would be appreciated, since I have tried different configs with no success.


58 Replies

Did you change ospf router-id ?

The NAT either changes the source of the OSPF packets or changes the router-id; this makes OSPF go down or to INIT.

We solve the source by using deny ospf any any, and we need to solve the router-id by configuring the router-id to any random IP.

MHM

I'm not changing the router-id.

This is the current router ID when in running state:

Router>sh ip ospf interface gigabitEthernet 0/0/1
GigabitEthernet0/0/1 is up, line protocol is up
Internet Address 10.62.1.1/30, Interface ID 9, Area 0
Attached via Interface Enable
Process ID 10, Router ID 192.168.100.1, Network Type BROADCAST, Cost: 1
Topology-MTID Cost Disabled Shutdown Topology Name
0 1 no no Base
Enabled by interface config, including secondary ip addresses

Router>sh ip ospf neig

Neighbor ID Pri State Dead Time Address Interface
10.246.9.122 1 FULL/DR 00:00:32 10.62.1.2 GigabitEthernet0/0/1

Already applied acl deny ospf any any and still the OSPF turned to INIT state.

Hello


@penguinunix wrote:

what interface on R1 has ospf enabled - is it the tunnel interface connecting to R3 ?

Answer: the interface on R1 that has OSPF enabled is GigabitEthernet0/0/1, the direct interface to R2.

GOAL: to perform NAT for IP 10.255.255.0/24 (routed via Tunnel01 from the cloud server to R1), so every time it needs to connect to the R2 network (OSPF), it will be NATed using 10.62.1.1 (the IP which is allowed to pass through the OSPF network on R2).

That's why I need to NAT IP 10.255.255.0/24 that is passing through Gigabit0/0/1 (to R2), so every time 10.255.255.0/24 accesses IP 192.168.10.200, it will only see IP 10.62.1.1 accessing it (not 10.255.255.0/24).



My mistake, I had the rtrs the wrong way around. The NAT CFG will need to be different now to accomplish this task, so apologies for the confusion.

So as not to add any additional confusion, can you confirm: is RTR1 the ONLY router you have control over, or RTRx also?
If applicable, can you post the cfg of both RTR1 & RTRx in a file and attach it to this post please.



Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I only have access to R1, no access to R2

Recap:

  • OSPF can't be disabled since R2 uses OSPF to advertise its networks
  • Can't advertise 10.255.255.0/24 to R2, because it is an outside network that is not permitted to pass through R2
  • No access to R2, so I have to stick with the current configuration and find a way to make it work

This is the configuration (redacted due to security):

interface Tunnel2
ip address 192.168.100.1 255.255.255.252
tunnel source GigabitEthernet0/0/0
tunnel destination X.X.X.1
!
interface Tunnel01
description GRE-TUNNEL
ip address 172.16.20.2 255.255.255.252
ip nat inside
tunnel source GigabitEthernet0/0/0
tunnel destination X.X.X.2
!
interface GigabitEthernet0/0/0
description to INTERNET
ip flow monitor S input
ip flow monitor S output
ip address X.X.X.3 255.255.255.248
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
description P2P_to_R2
ip address 10.62.1.1 255.255.255.252
ip ospf 10 area 0
negotiation auto
!
interface GigabitEthernet0/0/2
description to NETLOC1
ip address 192.168.1.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/0/3
description TO NETLOC2
ip address 10.62.1.9 255.255.255.248
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/4
description to NETLOC3
ip address 192.168.15.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/0/5
description to INTERNET2
ip address X.X.X.4 255.255.255.252
ip nat outside
negotiation auto
!
interface TenGigabitEthernet0/1/2
description P2P to LAN
ip address 10.62.1.5 255.255.255.252
ip nat inside
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.10.102.1 255.255.255.0
negotiation auto
!
router ospf 10
redistribute connected
redistribute static route-map PERMIT
!
ip forward-protocol nd
!
ip tftp source-interface GigabitEthernet0
ip dns server
ip nat translation tcp-timeout 3600
ip nat pool SG 10.62.1.1 10.62.1.1 prefix-length 24
ip nat inside source list INTERNET interface GigabitEthernet0/0/0 overload
ip nat inside source list INTERNET2 interface GigabitEthernet0/0/5 overload
ip nat inside source list SASE pool SG overload
ip route 0.0.0.0 0.0.0.0 X.X.X.3 name To_INTENET track 10
ip route 0.0.0.0 0.0.0.0 X.X.X.4 2 name To_Internet2
ip route 10.255.255.0 255.255.255.0 Tunnel01
!
ip access-list standard permit
.....
120 permit 10.255.255.0 0.0.0.255
130 permit 10.255.254.0 0.0.0.255
140 permit 172.16.20.0 0.0.0.3
150 permit 172.16.21.0 0.0.0.3
!
ip access-list extended INTERNET
.....
90 permit ip 10.62.1.8 0.0.0.7 any
ip access-list extended INTERNET2
.....
90 permit ip 10.62.1.8 0.0.0.7 any
ip access-list extended S
10 permit ip 10.255.254.0 0.0.0.255 any
20 permit ip 10.255.255.0 0.0.0.255 any
30 permit ip 172.16.20.0 0.0.0.3 any
40 permit ip 172.16.21.0 0.0.0.3 any
50 deny ospf any any
60 deny gre any any
70 deny ip any any
!
ip sla 1
icmp-echo X.X.X.3 source-interface GigabitEthernet0/0/0
timeout 6000
frequency 10
ip sla schedule 1 life forever start-time now
!
route-map PERMIT permit 10
match ip address permit


You added deny ospf any any low down in the list; you must put it at the top, before any permit.

MHM

Hello @penguinunix ,

you have two internet handoff exit interfaces in addition to the tunnel and the OSPF interface.

as a best practice you should use route-map with two match statements like the following:

the match interface actually matches the outgoing interface and it allows multiple internet exit interfaces like your case.

route-map ISP1 permit 10

match interface gi0/0/0

match ip address INTERNET

route-map ISP2 permit 10

match interface gi0/0/5

match ip address INTERNET2

then you change the internet connectivity in the following manner

no ip nat inside source list INTERNET interface GigabitEthernet0/0/0 overload

that becomes :

ip nat inside source route-map ISP1 interface GigabitEthernet0/0/0 overload

no ip nat inside source list INTERNET2 interface GigabitEthernet0/0/5 overload

ip nat inside source route-map ISP2 interface GigabitEthernet0/0/5 overload

We need also to take in account a change in NAT behaviour in IOS XE that is reported in the following link:

https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/ip-addressing/b-ip-addressing/m_iadnat-addr-consv-xe.html

In IOS XE an interface with ip nat outside is added to the NAT table automatically.

>> In Cisco IOS XE software, NAT outside interfaces show up in the translations tables, by default. This view of NAT outside interfaces causes the connection that originates from the outside interface of the device to fail. To restore connectivity, you must explicitly deny the outside Interface within the NAT ACL using the deny command. After using the deny command, no translation is observed for the outside interface

This is what is happening here when you use ip nat outside on the interface of gi0/0/1 and this breaks the OSPF.

Your ACL named SASE used for NAT must contain the following line

deny ip host 10.62.1.1 any

permit ip 10.255.255.0 0.0.0.255 any

This should fix the OSPF issue removing the ge0/0/1 from the NAT table.

It may be appropriate to use a third route-map for this to check the outgoing interface

route-map SASE permit 10

match interface giga0/0/1

match ip address SASE

then to change the NAT statement as :

no ip nat inside source list SASE pool SG overload

ip nat inside source route-map SASE pool SG overload

int gi0/0/1

ip nat outside


Hope to help

Giuseppe
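To make the ordering point (the deny lines must sit above any permit) and the deny-the-router's-own-address line concrete, here is an added simulation of how a NAT inside-source ACL classifies packets by first match. It is example code written for this thread, not anything from the thread's router or from Cisco; the ACLs and packets are constructed, and it only models ACL evaluation, not the router's NAT engine.

```python
import ipaddress

# Constructed sample ACLs and packets (not the thread's running config).
# Models first-match evaluation of a NAT "inside source list" ACL only.

def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a contiguous wildcard (hostmask) in place of a netmask
    net = ipaddress.IPv4Network(tokens[0] + "/" + tokens[1], strict=False)
    return net, tokens[2:]

def parse_ace(line):
    """'permit ip 10.255.255.0 0.0.0.255 any' -> (action, proto, src, dst)."""
    action, proto, *rest = line.split()
    src, rest = _parse_addr(rest)
    dst, _ = _parse_addr(rest)
    return action, proto, src, dst

def nat_decision(acl, proto, src, dst):
    """'translate' if the first matching ACE permits, otherwise 'bypass'
    (explicit deny, or the implicit deny when nothing matches)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for line in acl:
        action, aproto, snet, dnet = parse_ace(line)
        if aproto != "ip" and aproto != proto:
            continue
        if s in snet and d in dnet:
            return "translate" if action == "permit" else "bypass"
    return "bypass"

# Like the lab in the thread: a broad permit sits above the OSPF deny.
ACL_BROKEN = ["permit ip 10.255.255.0 0.0.0.255 any", "permit ip any any",
              "deny ospf any any"]
# The ordering recommended in the thread: denies first, tunnel subnet last.
ACL_FIXED = ["deny ospf any any", "deny ip host 10.62.1.1 any",
             "permit ip 10.255.255.0 0.0.0.255 any"]

# Constructed packets: R1's own OSPF hello, a session sourced from R1's
# address, and tunnel traffic toward the host mentioned in the thread.
PACKETS = {
    "ospf_hello": ("ospf", "10.62.1.1", "224.0.0.5"),
    "router_self": ("tcp", "10.62.1.1", "10.62.1.2"),
    "tunnel_host": ("tcp", "10.255.255.10", "192.168.10.200"),
}

def classify(acl):
    return {name: nat_decision(acl, *pkt) for name, pkt in PACKETS.items()}
```

With ACL_BROKEN the router's own OSPF hello is classified for translation; with ACL_FIXED only the tunnel-sourced traffic is, which is the behaviour the replies above are aiming for.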


Thanks for the enlightenment, I will try to apply this on Sunday and hope everything works as expected.

Hello
thanks for sharing the CFG of the NAT rtr (R1)
Your topology diagram doesn't really reflect the configuration of that rtr; however, based on rtr1's CFG, you will not be able to use 10.62.1.1 as a NAT source for 10.255.255.x UNLESS you want to use port address translation, because 10.62.1.1 is the NAT rtr itself. You can use any other IP address as long as it is free and reachable from R2's network.

The below CFG should work accordingly, allowing source traffic from 10.255.255.x to reach 192.168.1.x in R2's network without R2's network knowing of 10.255.255.0.

In the attached example I have mapped 10.255.255.x <> 10.62.1.100



Kind Regards
Paul

Ok, I will try this solution as well, thank you.

Hello
please let us know how you get on?



Kind Regards
Paul

I can only apply on Sunday, will update after trying it on Sunday, thanks.

penguinunix
Level 1

@paul driver @Giuseppe Larosa @MHM Cisco World hi, I tried the different configurations as suggested; as soon as ip nat outside is applied, the OSPF state turns to DEAD / INIT.

I'm not sure what is going on. Based on experience, it also happens on Mikrotik: when applying NAT over an OSPF interface, the OSPF state turns to DEAD/INIT. You have to go to connection tracking, remove the conntrack entry for OSPF, and then it works normally.

Hello


@penguinunix wrote:
as soon as ip nat outside is applied, the OSPF state turns to DEAD / INIT.
You have to go to connection tracking, remove the conntrack entry for OSPF, and then it works normally.

The last cfg solution supplied is based on the CFG you provided and it should work.

I don't understand the above; what connection tracking do you have running? I do not see anything in the CFG you provided in relation to this.
Applying a simple NAT domain should not tear down any OSPF adjacency, unless you have specified NAT statements that will prohibit OSPF.




Kind Regards
Paul

No connection tracking is running on the router; I just mentioned it based on previous experience with a Mikrotik router, where enabling NAT over an OSPF-enabled interface caused OSPF to be in the DEAD/INIT state. That's why I also thought there should be no issue running NAT over an OSPF-enabled interface, but it turns out I'm wrong. @bbb bbb has simulated this in a lab with an interesting result. I will try the solution and see the result next Sunday.

bbb bbb
Level 1

Dear @penguinunix 

I was recreating your scenario on a virtual lab, but this diagram is simpler as it does not yet have the secondary ISP connection; with that, you may try the route-map instead of the access-list as suggested by the experts.

[image: lab topology diagram]

So by enabling "debug ip nat", this is what was shown in the logs: the IP address of the interface that connects to R2 is being translated.

In this scenario, it was also observed that the OSPF neighbor becomes INIT/DROTHER.

In the 2nd line of access list there is a permit ip any

[image: r1 debug logs]

After removing the 2nd line of the access-list, OSPF re-establishes. PC1 is now able to reach PC2 and not the networks behind R2.

[image: ping from PC1 to PC2 and to other 192.x.x.x network]

[image: ping from PC2 to PC1]

[image: NAT debug output and show ip nat translation in R1]

Happy to Help : ]

Best regards,
