NAT over OSPF interface (CISCO ROUTER C8500L-8S4X)

penguinunix
Level 1

Hi,

I just want to know how I can apply ip nat outside on an interface with OSPF enabled:

interface GigabitEthernet0/0/1
description P2P_to_R2
ip address 10.62.1.1 255.255.255.252
ip ospf 10 area 0
negotiation auto
!

--------------- OSPF config ---------------

router ospf 10
redistribute connected
redistribute static route-map PERMIT
!

I want to perform NAT on interface GigabitEthernet0/0/1 with OSPF enabled on it. I tried this config:

interface GigabitEthernet0/0/1
description P2P_to_RouterX
ip address 10.62.1.1 255.255.255.252
ip ospf 10 area 0

+++ ip nat outside
negotiation auto
!

But the OSPF status turns to DEAD.

My goal is to perform NAT so that traffic from the Tunnel interface, which carries 10.255.255.0/24, is translated to 10.62.1.1 when accessing the local IP addresses on the interface with OSPF enabled.

Just for info, I also have ip nat outside enabled on the interface that is connected to the INTERNET:

interface GigabitEthernet0/0/0
description to INTERNET
ip flow monitor LOCAL input
ip flow monitor LOCAL output
ip address X.X.X.X 255.255.255.248
ip nat outside
negotiation auto
!

This is my Tunnel config:

interface Tunnel01
description GRE-TUNNEL
ip address 172.16.20.2 255.255.255.252
tunnel source GigabitEthernet0/0/0
tunnel destination X.X.Y.Y
!

---------------------------------------

ip route 10.255.255.0 255.255.255.0 Tunnel01

---------------------------------------

IP 10.255.255.0/24 is from an outside network that is routed through Tunnel01.

This is the simplest diagram I can give:

INTERNET (PUBLIC IP: X.X.X.X)  ---------------->| GigabitEthernet0/0/0     Router1    GigabitEthernet0/0/1 |  ---> OSPF (R2)

TUNNEL (GRE TUNNEL 10.255.255.0/24) -------->| Tunnel01                       Router1     |

 

Scenario: ALL ACCESS FROM 10.255.255.0/24 to local IPs on the OSPF network needs to be translated using IP 10.62.1.1

NOTE: I have no access to change any configuration on R2

The reason I want to apply the new configuration is that the network 10.255.255.0/24 needs to access the local IPs on the other R2 network, I can't change any configuration on R2, and I need to use the existing IP on R1 (10.62.1.1) so the network 10.255.255.0/24 can access the local IPs over the R2 network.

10.255.255.0/24 is a range that is not allowed to be distributed over the OSPF network, so it needs to be NATed using an IP that is allowed (10.62.1.1).

Any help would be appreciated, since I have tried different configs with no success.

 

58 Replies

Interesting, so the access list rule specified only the IP that would be translated, and only towards the destination.

Just curious, can you post your ip nat outside config on Gigabit0/0/1 and the output of show ip interface Gigabit0/0/1 to verify?

I will try this one on the next Sunday, and let you know the result.

Dear @penguinunix ,

Will send the update soon if time permits me, as the virtual lab I created is inaccessible due to a power outage (sad.. I left the eve-ng nodes running..) :D

HtH

Ouch, that's sad; hope that you can recover the configuration.

Hello


@penguinunix wrote:
 @bbb bbb has simulated this on lab with interesting result. Will try the solution and see the result on the next Sunday.

As per the last vCFG I posted, you should have deleted both the SASE and PERMIT ACLs and recreated them. Did you do that?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Already did that, and still got DEAD/INIT state on the OSPF.

Friend, again, why did you not
1- configure a router-id

2- add deny ospf any any at the top of the INTERNET/INTERNET2 ACL

The issue is that somehow the NAT changes the router-ID, and this makes an issue with R2.

MHM

As I informed, I have tried

1 setting the router-id to low (using the IP address on the OSPF-enabled interface)

2 already did that and got the same result.

Second point: I see the deny ospf line is after the permit traffic line. I clearly suggested adding deny ospf at the top of the ACL. Did you do that?

MHM

Yes, I have tried all the configurations suggested here, and the OSPF state still turns to INIT/DEAD as soon as I apply ip nat outside.

Share the last config of the NAT ACL.

And I will check how we can deep debug the hello or adjacency packets.

MHM

This is the latest NAT ACL applied:
10 deny ip host 10.62.127.1 any
20 deny ospf any any
30 deny gre any any
40 permit ip 10.255.255.0 0.0.0.255 any
50 permit ip 10.255.254.0 0.0.0.255 any

Latest router-id config applied:
router ospf 10
router-id 10.62.1.1
redistribute connected

Trying OSPF priority:
interface GigabitEthernet0/0/1
description P2P_to_RouterGIS
ip address 10.62.1.1 255.255.255.252
ip nat outside
ip ospf priority 0
ip ospf 10 area 0
negotiation auto
end

Trying route-map:
route-map S_ROUTE_MAP permit 10
match ip address S
match interface GigabitEthernet0/0/1

debug ip ospf hello <<- run this command before and after applying NAT and check the IP address that appears in the hello message.
Share it here if you can.

MHM 

Hello @penguinunix ,

According to the IOS XE config guide, you should deny the IP address of the interface where you put ip nat outside, so your first line should be:

10 deny ip host 10.62.1.1 any

 

If it is just a typing error, ignore this comment. OSPF hello packets and all other OSPF packets are sourced from the IP address on the interface.

Hope to help

Giuseppe

Hello
@Giuseppe Larosa  @MHM Cisco World @bbb bbb 
TBH I do not think the OP is being clear about the topology. Based on what they have already posted, this is quite a simple setup pertaining to NAT.
If they have implemented the CFG I asked them to do previously, then this should work. I have since TS'd this in a lab and it works accordingly, with no need to exclude any OSPF traffic in any ACL.

Based on what the OP has shared:
The back end from R1<>R2 is a pure OSPF connection, which requires the NAT (outside) domain applied, advertising the "new" inside global IP (10.62.1.100) for translation via redistribution of the static route via route-map.

The GRE towards RTRx is in the inside NAT domain.
The physical interface used for the GRE is also being NATted, but only for R1's LAN subnets, so this should not negate the GRE creation between R1 and Rx.

As long as the correct ACLs/route-maps are applied, this should work if my understanding is correct... UNLESS, as stated, the OP isn't showing the correct topology or there are additional features being applied that we are not aware of, as just enabling a NAT domain on an OSPF interface in this instance should not tear down any OSPF adjacency.



Kind Regards
Paul
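To see which of the posted NAT ACL entries an OSPF hello from Gi0/0/1 and a tunnel host's traffic actually hit, here is an added Python example (not from the thread or from Cisco) that parses the ACL as posted, Giuseppe's corrected seq 10, and a permit-only variant with no OSPF/GRE exclusions. The sample packets, including the R2-side host 10.62.50.20, are constructed for the example.

```python
import ipaddress
# ACL exactly as posted in the thread, in IOS numbered-entry form.
ACL_AS_POSTED = """
10 deny ip host 10.62.127.1 any
20 deny ospf any any
30 deny gre any any
40 permit ip 10.255.255.0 0.0.0.255 any
50 permit ip 10.255.254.0 0.0.0.255 any
"""
# Seq 10 rewritten as Giuseppe suggests (the Gi0/0/1 interface address).
ACL_GIUSEPPE = ACL_AS_POSTED.replace("10.62.127.1", "10.62.1.1")
# Only the permit entries: no explicit OSPF/GRE exclusions at all.
ACL_PERMITS_ONLY = "\n".join(ln for ln in ACL_AS_POSTED.splitlines() if "permit" in ln)
# Constructed sample packets as (protocol, source, destination).
SAMPLES = {
    "ospf_hello": ("ospf", "10.62.1.1", "224.0.0.5"),      # hello from Gi0/0/1 to AllSPFRouters
    "tunnel_host": ("ip", "10.255.255.10", "10.62.50.20"),  # Tunnel01 host to an assumed R2-side host
}

def _parse_addr(tokens):
    # One address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.ip_address(tokens[1]))
    netmask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))  # invert the wildcard mask
    return ipaddress.ip_network((tokens[0], netmask), strict=False), tokens[2:]

def parse_acl(text):
    # Turn '40 permit ip 10.255.255.0 0.0.0.255 any' style lines into rule dicts.
    rules = []
    for line in text.strip().splitlines():
        seq, action, proto, *rest = line.split()
        src, rest = _parse_addr(rest)
        dst, _ = _parse_addr(rest)
        rules.append({"seq": int(seq), "action": action, "proto": proto, "src": src, "dst": dst})
    return rules

def evaluate(rules, proto, src, dst):
    # First match wins; ('deny', None) models the implicit deny that ends every IOS ACL.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] in ("ip", proto) and s in r["src"] and d in r["dst"]:
            return r["action"], r["seq"]
    return "deny", None

def check(acl_text):
    # Map each sample packet name to the (action, seq) it hits in the given ACL.
    return {name: evaluate(parse_acl(acl_text), *pkt) for name, pkt in SAMPLES.items()}
```

With the ACL as posted the hello from 10.62.1.1 hits seq 20, with Giuseppe's seq 10 it hits seq 10, and with only the permit entries it falls through to the implicit deny; in every case the hello is not a translation candidate, which is consistent with Paul's observation that no OSPF exclusion is needed for the adjacency itself.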