08-07-2024 01:05 AM - edited 08-07-2024 02:55 AM
Hi,
I just want to know how I can apply ip nat outside on an interface with OSPF enabled:
interface GigabitEthernet0/0/1
description P2P_to_R2
ip address 10.62.1.1 255.255.255.252
ip ospf 10 area 0
negotiation auto
!
--------------- OSPF config ---------------
router ospf 10
redistribute connected
redistribute static route-map PERMIT
!
I want to perform NAT on interface GigabitEthernet0/0/1 with OSPF enabled on it. Tried this config:
interface GigabitEthernet0/0/1
description P2P_to_RouterX
ip address 10.62.1.1 255.255.255.252
ip ospf 10 area 0
+++ ip nat outside
negotiation auto
!
But the OSPF status turns to DEAD.
My goal is to perform NAT for the Tunnel interface: the 10.255.255.0/24 range needs to be translated to 10.62.1.1 when accessing the local IP addresses on the interface with OSPF enabled.
Just for info, I also have ip nat outside enabled on the interface that is connected to the INTERNET:
interface GigabitEthernet0/0/0
description to INTERNET
ip flow monitor LOCAL input
ip flow monitor LOCAL output
ip address X.X.X.X 255.255.255.248
ip nat outside
negotiation auto
!
This is my Tunnel config:
interface Tunnel01
description GRE-TUNNEL
ip address 172.16.20.2 255.255.255.252
tunnel source GigabitEthernet0/0/0
tunnel destination X.X.Y.Y
!
---------------------------------------
ip route 10.255.255.0 255.255.255.0 Tunnel01
---------------------------------------
The 10.255.255.0/24 network is from an outside network that is routed through Tunnel01.
This is a simple diagram of the setup:
INTERNET (PUBLIC IP: X.X.X.X) ---------------->| GigabitEthernet0/0/0 Router1 GigabitEthernet0/0/1 | ---> OSPF (R2)
TUNNEL (GRE TUNNEL 10.255.255.0/24) -------->| Tunnel01 Router1 |
Scenario: ALL ACCESS FROM 10.255.255.0/24 to local IPs on the OSPF network needs to be translated using IP 10.62.1.1
NOTE: I have no access to change any configuration on R2
The reason I want to apply the new configuration is that the network 10.255.255.0/24 needs to access the local IPs on the other R2 network; I can't change any configuration on R2, and I need to use the existing IP on R1 (10.62.1.1) so that the network 10.255.255.0/24 can access the local IPs over the R2 network.
10.255.255.0/24 is a range that is not allowed to be distributed over the OSPF network, so it needs to be NATed using an IP that is allowed (10.62.1.1).
Any help would be appreciated, since I have been trying different configs with no success.
08-19-2024 02:55 AM - edited 08-19-2024 03:14 AM
Interesting, so the access list rule specifies only the IP that would be translated to the destination.
Just curious, can you post your ip nat outside config on Gigabit0/0/1 and a show ip interface Gigabit0/0/1 to verify?
I will try this one next Sunday, and let you know the result.
08-22-2024 01:54 AM
Dear @penguinunix ,
Will send the update soon if time permits me, as the virtual lab I created is inaccessible due to a power outage (sad... I left the eve-ng nodes running...) :D
HtH
08-22-2024 02:51 AM
Ouch, that's sad; hope you can recover the configuration.
08-19-2024 02:22 PM
Hello
@penguinunix wrote:
@bbb bbb has simulated this in a lab with an interesting result. Will try the solution and see the result next Sunday.
As per the last vCFG I posted, you should have deleted both the SASE and PERMIT ACLs and recreated them. Did you do that?
08-19-2024 06:37 PM
Already did that, and still get the DEAD/INIT state on OSPF.
08-21-2024 03:12 AM
Friend, again, why do you
1- not configure a router-id
2- not add deny ospf any any at the top of the INTERNET/INTERNET2 ACL
The issue is that somehow the NAT changes the router-ID and this causes the issue with R2.
MHM
08-21-2024 08:17 PM
As I informed, I have tried:
1. setting the router-id to a low value (using the IP address on the OSPF-enabled interface)
2. I already did that and got the same result.
08-21-2024 11:38 PM
Second point: I see the deny ospf line is after the permit traffic. I clearly suggested adding deny ospf at the top of the ACL. Did you do that?
MHM
08-21-2024 11:42 PM
Yes, I have tried all the configurations suggested here, and the OSPF state still turns to INIT/DEAD as soon as I apply ip nat outside.
08-22-2024 02:05 AM
Share the last config of the NAT ACL,
and I will check how we can deep-debug the hello or adjacency packets.
MHM
08-22-2024 02:49 AM
This is the latest NAT ACL applied:
10 deny ip host 10.62.127.1 any
20 deny ospf any any
30 deny gre any any
40 permit ip 10.255.255.0 0.0.0.255 any
50 permit ip 10.255.254.0 0.0.0.255 any
Latest router-id config applied:
router ospf 10
router-id 10.62.1.1
redistribute connected
Trying OSPF priority:
interface GigabitEthernet0/0/1
description P2P_to_RouterGIS
ip address 10.62.1.1 255.255.255.252
ip nat outside
ip ospf priority 0
ip ospf 10 area 0
negotiation auto
end
Trying route-map:
route-map S_ROUTE_MAP permit 10
match ip address S
match interface GigabitEthernet0/0/1
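As an added example (not the poster's configuration or Cisco's code): a small first-match evaluator, written in Python, for the NAT ACL exactly as posted above, to check which ACL line each kind of packet hits on this router. The sample packets are constructed: an OSPF hello from Gi0/0/1's own 10.62.1.1 to 224.0.0.5, GRE between placeholder public addresses 192.0.2.1 and 192.0.2.2, a TCP flow from the tunnel subnet to a constructed R2-side host 10.62.50.1, and TCP sourced from 10.62.1.1 itself.

```python
import ipaddress

# The NAT ACL exactly as posted in the thread (sequence, action, protocol, source, destination).
POSTED_ACL = """\
10 deny ip host 10.62.127.1 any
20 deny ospf any any
30 deny gre any any
40 permit ip 10.255.255.0 0.0.0.255 any
50 permit ip 10.255.254.0 0.0.0.255 any
"""

def parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0 (/24)
    wildcard = int(ipaddress.ip_address(tokens[1]))
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse extended-ACL lines into sorted (seq, action, proto, src_net, dst_net) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, rest = parse_addr(tokens[3:])
        dst, _ = parse_addr(rest)
        entries.append((seq, action, proto, src, dst))
    return sorted(entries)

def evaluate(entries, proto, src_ip, dst_ip):
    """First match wins, implicit deny at the end (IOS semantics); returns (action, seq or None)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, action, p, src, dst in entries:
        if p in ("ip", proto) and s in src and d in dst:
            return action, seq
    return "deny", None

def check_posted_acl():
    """Run the constructed sample packets (see lead-in) through the posted ACL."""
    acl = parse_acl(POSTED_ACL)
    return {
        "ospf_hello": evaluate(acl, "ospf", "10.62.1.1", "224.0.0.5"),
        "gre": evaluate(acl, "gre", "192.0.2.1", "192.0.2.2"),
        "tunnel_flow": evaluate(acl, "tcp", "10.255.255.10", "10.62.50.1"),
        "self_sourced": evaluate(acl, "tcp", "10.62.1.1", "10.62.1.2"),
    }
```

Running check_posted_acl() shows the hello is already stopped at line 20 and interface-sourced TCP falls through to the implicit deny, so the posted ACL by itself does not select OSPF traffic for translation.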
08-22-2024 02:58 AM
debug ip ospf hello <<- run this command before and after applying NAT and check the IP address that appears in the hello message.
Share this here if you can.
MHM
08-22-2024 11:53 AM
Hello @penguinunix ,
According to the IOS XE config guide you should deny the IP address of the interface where you put ip nat outside, so your first line should be:
10 deny ip host 10.62.1.1 any
If it is just a typing error, ignore this comment. OSPF hello packets and other OSPF packets are sourced from the IP address on the interface.
Hope to help
Giuseppe
08-22-2024 03:12 PM - edited 08-23-2024 12:32 AM
Hello
@Giuseppe Larosa @MHM Cisco World @bbb bbb
TBH I do not think the OP is being clear with the topology; based on what they have already posted, this is quite a simple setup pertaining to NAT.
If they have implemented the CFG I asked them to do previously, then this should work. I have since TS'd this in a lab and it works accordingly, with no need to exclude any OSPF traffic in any ACL.
Based on what the OP has shared:
The back end from R1 <> R2 is a pure OSPF connection which requires the NAT (outside) domain applied, advertising the "new" inside global IP (10.62.1.100) for translation via redistribution of static via route-map.
The GRE towards RTRx is on the inside NAT domain.
The physical interface used for the GRE is also being NATted, but only for R1's LAN subnets, so this should not negate the GRE creation between R1 and Rx.
As long as the correct ACLs/route-maps are applied, this should work if my understanding is correct... UNLESS, as stated, the OP isn't showing the correct topology or there are additional features being applied that we are not aware of, as just enabling a NAT domain on an OSPF interface in this instance should not tear down any OSPF adjacency.