2728 Views · 10 Helpful · 58 Replies

NAT over OSPF interface (CISCO ROUTER C8500L-8S4X)

penguinunix (Level 1)

Hi,

I just want to know how I can apply ip nat outside on an interface with OSPF enabled:

interface GigabitEthernet0/0/1
description P2P_to_R2
ip address 10.62.1.1 255.255.255.252
ip ospf 10 area 0
negotiation auto
!

--------------- OSPF config ---------------

router ospf 10
redistribute connected
redistribute static route-map PERMIT
!

I want to perform NAT on interface GigabitEthernet0/0/1 with OSPF enabled on it. I tried this config:

interface GigabitEthernet0/0/1
description P2P_to_RouterX
ip address 10.62.1.1 255.255.255.252
ip ospf 10 area 0
+++ ip nat outside
negotiation auto
!

But the OSPF status turns to DEAD.

My goal is to perform NAT from the Tunnel interface: 10.255.255.0/24 needs to be translated to 10.62.1.1 when accessing the local IP addresses on the interface with OSPF enabled.

Just for info, I also have ip nat outside enabled on the interface that is connected to the INTERNET:

interface GigabitEthernet0/0/0
description to INTERNET
ip flow monitor LOCAL input
ip flow monitor LOCAL output
ip address X.X.X.X 255.255.255.248
ip nat outside
negotiation auto
!

My Tunnel configuration:

interface Tunnel01
description GRE-TUNNEL
ip address 172.16.20.2 255.255.255.252
tunnel source GigabitEthernet0/0/0
tunnel destination X.X.Y.Y
!

---------------------------------------

ip route 10.255.255.0 255.255.255.0 Tunnel01

---------------------------------------

10.255.255.0/24 is an outside network that is routed through Tunnel01.

This is the simple diagram that I can give:

INTERNET (PUBLIC IP: X.X.X.X)  ---------------->| GigabitEthernet0/0/0     Router1    GigabitEthernet0/0/1 |  ---> OSPF (R2)

TUNNEL (GRE TUNNEL 10.255.255.0/24) -------->| Tunnel01                       Router1     |


Scenario: ALL ACCESS FROM 10.255.255.0/24 to Local IP on the OSPF network need to be translated using ip 10.62.1.1

NOTE: I have no access to change any configuration on R2

The reason I want to apply the new configuration is that the network 10.255.255.0/24 needs to access the local IPs on the R2 network, I can't change any configuration on R2, and I need to use the existing IP on R1 (10.62.1.1) so that 10.255.255.0/24 can access the local IPs over the R2 network.

10.255.255.0/24 is a prefix that is not allowed to be distributed over the OSPF network, so it needs to be NATed using an IP that is allowed (10.62.1.1).

Any help would be appreciated, since I have tried different configs but with no success.


58 Replies

Configure the OSPF router-id to be any loopback IP.

MHM

Hello @penguinunix ,

Actually your scenario calls for something different: you have a static route using the p2p GRE tunnel for destination network 10.255.255.0/24. So interface gi1/0/1 is not the right place to apply NAT.

So both commands referring to ge1/0/1 are not good for you, and they should be removed.

I apologize for having created confusion.

Hope to help

Giuseppe


Hello


@penguinunix wrote:

10.255.255.0/24 is an ip that is not allowed to be distributed over the OSPF network, so it need to be NATed using ip that is allowed (10.62.1.1)


So from the R2/R3 perspective they should not even be aware of the 10.255.255.0/24 subnet, as this will be hidden by NAT; what they need to be aware of is the 10.62.1.x subnet, which needs to be reachable over the R3 tunnel, as this is where the IP packets will be sourced from to reach 192.168.10.200.

So based on your topology diagram, you'll need the following applied to R1 and R3:

R1
int tun x
description tunnel to R3
ip nat outside

int x/x
description interface facing 10.255.x.x
ip nat inside

access-list 100 permit ip 10.255.255.0 0.0.0.255 any

! single-address pool: start and end address must be the same (IOS rejects an end address lower than the start)
ip nat pool NAT 10.62.1.1 10.62.1.1 prefix-length 24
ip nat inside source list 100 pool NAT overload
ip route 192.168.10.200 255.255.255.255 Tunnel x 172.16.20.2


R3
! this static needs to be advertised to R2 over OSPF
ip route 10.62.1.0 255.255.255.0 Tunnel x 172.16.20.1 tag 1
route-map TAG
match tag 1

router ospf x
redistribute static subnets route-map TAG


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi,

Thanks for the solutions; just a reminder that I have no access to R2, so I can only configure the R1 router to achieve this scenario.

Will try and let you know as soon as I have applied the rule, because I can only try this configuration on Sunday (this is a production router, so to avoid problems I can only apply changes on Sunday).

Regards,

Cahyo 

Tried this, and the same thing happened: the OSPF state turned to INIT.

Not sure what is wrong, but running NAT on an OSPF-enabled interface is not working; on MikroTik you have to disable OSPF connection tracking to make things work normally. Still figuring out how to make it work on Cisco routers.

Hello


@penguinunix wrote:Thanks for the solutions, just need to remind that I have no access to R2, so I'm only can configure R1 router to achieve this scenario.

You do not need to touch R2 based on your topology: the NAT config is applied to R1, and a static route on R3 for 10.62.x.x points towards R1; then, for R2 to also be aware of that 10.62.x.x, you need to advertise that static into OSPF from R3 so R2 receives it.



Kind Regards
Paul

I'm assuming that R3 is the Tunnel01 router, CMIIW.

Will try this on Sunday.

Hello
Not sure what you are doing here: what interface on R1 has OSPF enabled? Is it the tunnel interface connecting to R3?
Even so, it should not drop any peering. Enabling NAT domains on the tunnel and the LAN interface of R1, and even applying a static route on R3 for that 10.62.x.x pointing to R1 and then making sure that static is advertised in OSPF so R2 sees it, should not cause OSPF to drop, unless there is missing information that we are not aware of.

Also note: based on your posted topology you should not need any ACL to deny any traffic anywhere just to get NAT working, unless you have NAT enabled elsewhere other than the R1 tunnel and LAN interface?



Kind Regards
Paul

what interface on R1 has OSPF enabled - is it the tunnel interface connecting to R3?

Answer: the interface on R1 that has OSPF enabled is GigabitEthernet0/0/1, the direct interface to R2.

R1:

GigabitEthernet0/0/0 - INTERNET interface - with ip nat outside and an ACL for the IPs that are permitted to access the INTERNET

GigabitEthernet0/0/1 - direct interface connecting to R2, with OSPF enabled

Tunnel01 - GRE tunnel to cloud server via GigabitEthernet0/0/0.

The problem is, every time I apply ip nat outside on GigabitEthernet0/0/1, with an ACL or not, the OSPF state turns to INIT.

Router#debug ip ospf adj
OSPF adjacency debugging is on
Router#
*Aug 11 08:07:46.902: OSPF-10 ADJ Gi0/0/1: Cannot see ourself in hello from 10.246.9.122, state INIT
*Aug 11 08:07:46.902: OSPF-10 ADJ Gi0/0/1: Neighbor change event
*Aug 11 08:07:46.902: OSPF-10 ADJ Gi0/0/1: DR/BDR election
*Aug 11 08:07:46.902: OSPF-10 ADJ Gi0/0/1: Elect BDR 0.0.0.0
*Aug 11 08:07:46.902: OSPF-10 ADJ Gi0/0/1: Elect DR 192.168.100.1
*Aug 11 08:07:46.902: OSPF-10 ADJ Gi0/0/1: DR: 192.168.100.1 (Id)
*Aug 11 08:07:46.902: OSPF-10 ADJ Gi0/0/1: BDR: none
Router#

GOAL: to perform NAT for 10.255.255.0/24 (routed via Tunnel01 from the cloud server to R1), so every time it needs to connect to the R2 network (OSPF), it is NATed using 10.62.1.1 (the IP which is allowed to pass through the OSPF network on R2, since 10.255.255.0/24 is not on the permitted list on R2).
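An added example, not part of the thread: a small Python parser that summarises `debug ip ospf adj` output per interface and neighbor, so an adjacency that keeps reporting `state INIT` stands out when the debug is left running for a while. The log lines embedded in it are constructed to mirror the ones pasted above; the extra `Tu1` line is invented to show a healthy neighbor for contrast.

```python
"""Added example (not from the thread): summarise 'debug ip ospf adj' output so a
neighbor whose hellos keep leaving us in INIT is flagged.  SAMPLE is constructed
to mirror the lines pasted in the thread; the Tu1 line is invented as a healthy contrast."""
import re
from typing import Dict, List, Tuple

# Shape of one IOS-XE debug line: '*Aug 11 08:07:46.902: OSPF-10 ADJ Gi0/0/1: <message>'
LINE_RE = re.compile(
    r"^\*?(?P<ts>.+?\d\d:\d\d:\d\d\.\d+): OSPF-(?P<pid>\d+) ADJ (?P<intf>\S+): (?P<msg>.*)$"
)
# Messages that carry a neighbor address and the resulting state, e.g.
# 'Cannot see ourself in hello from 10.246.9.122, state INIT'
STATE_RE = re.compile(r"(?P<nbr>\d+(?:\.\d+){3}), state (?P<state>\w+)")


def parse_adj_debug(lines: List[str]) -> Dict[Tuple[str, str], str]:
    """Map (interface, neighbor address) to the last state reported for it."""
    states: Dict[Tuple[str, str], str] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # election / DR-BDR lines carry no neighbor state
        s = STATE_RE.search(m.group("msg"))
        if s:
            states[(m.group("intf"), s.group("nbr"))] = s.group("state")
    return states


def stuck_in_init(lines: List[str]) -> List[Tuple[str, str]]:
    """Neighbors whose latest event left us in INIT: their hello does not list our
    router-id, i.e. the neighbor is not hearing (or not accepting) our hellos."""
    return sorted(k for k, v in parse_adj_debug(lines).items() if v == "INIT")


# Constructed sample: the Gi0/0/1 lines mirror the thread, the Tu1 line is invented.
SAMPLE = """\
*Aug 11 08:07:46.902: OSPF-10 ADJ Gi0/0/1: Cannot see ourself in hello from 10.246.9.122, state INIT
*Aug 11 08:07:46.902: OSPF-10 ADJ Gi0/0/1: Neighbor change event
*Aug 11 08:07:46.902: OSPF-10 ADJ Gi0/0/1: DR/BDR election
*Aug 11 08:07:46.902: OSPF-10 ADJ Gi0/0/1: Elect BDR 0.0.0.0
*Aug 11 08:07:46.902: OSPF-10 ADJ Gi0/0/1: Elect DR 192.168.100.1
*Aug 11 08:07:56.902: OSPF-10 ADJ Gi0/0/1: Cannot see ourself in hello from 10.246.9.122, state INIT
*Aug 11 08:07:57.100: OSPF-10 ADJ Tu1: 2 Way Communication to 172.16.20.1, state 2WAY
""".splitlines()

if __name__ == "__main__":
    for key, state in parse_adj_debug(SAMPLE).items():
        print(f"{key[0]:<10} {key[1]:<16} {state}")
    print("stuck in INIT:", stuck_in_init(SAMPLE))
```

A neighbor that stays in INIT means the remote side's hello never lists our router-id, so the first thing to compare against this output is what R2 is actually receiving on its side (which here is not possible, given no access to R2), and whether our own hellos still leave Gi0/0/1 unmodified.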

Hello @penguinunix ,

I try to recap your thread in this post:

>>

R1:

GigabitEthernet0/0/0 - INTERNET interface - with ip nat outside and an ACL for the IPs that are permitted to access the INTERNET

GigabitEthernet0/0/1 - direct interface connecting to R2, with OSPF enabled

Tunnel01 - GRE tunnel to cloud server via GigabitEthernet0/0/0.

Now, the subnet to be NATed is learned via a static route pointing to Tunnel01, from your initial post.

Tunnel01 is a GRE p2p tunnel sourced from gi0/0/0.

So the first note is that the right L3 interface on which to apply the NAT commands should be tunnel01; gi0/0/0 is the physical interface used as source by tunnel01, but it does not see the tunneled traffic. Interface gi0/0/1, where OSPF is enabled, is out of context as long as the subnet 10.255.255.0/24 is not allowed to be injected into the OSPF domain.

You already have NAT commands on R1 to allow internet access via gi0/0/0.

So I assume that the internal interface(s) have ip nat inside configured and gi0/0/0 has ip nat outside configured.

You should add:

access-list 110 remark NAT remote subnet
access-list 110 permit ip 10.255.255.0 0.0.0.255 10.10.0.0 0.0.255.255
! I do not know what your internal network is; the extended ACL allows you to specify it as the destination
!
interface tunnel01
 ip nat outside
exit
!
! in global config
ip nat pool NAT 10.62.1.1 10.62.1.1 prefix-length 24
ip nat outside source list 110 pool NAT overload

Note: if the extended ACL is not directly supported on the NAT command, you would need to use a route-map invoking it with a match ip address command instead.

Hope to help

Giuseppe


I think you misunderstood the GOAL. [image: Simple-network-sami.jpg]

The GOAL is: 10.255.255.0/24 is an "outside" network that needs to be able to access 192.168.10.200, and the only IP that is permitted to access the network behind R2 is 10.62.1.1.

That's why I need to NAT 10.255.255.0/24 as it passes through Gigabit0/0/1 (to R2), so every time 10.255.255.0/24 accesses 192.168.10.200, it only sees 10.62.1.1 accessing it (not 10.255.255.0/24).

Every time I try to apply ip nat outside on Gigabit0/0/1, OSPF turns to the INIT state.
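An added example, not from the thread and not a fix the thread reached. Before touching the NAT placement, one check a practitioner would want is whether the NAT ACL already configured for Gi0/0/0 is broad enough to also match R1's own OSPF hellos once Gi0/0/1 is marked `ip nat outside`; the assumption made here (and not established by the thread) is that the `ip nat inside source` rule is evaluated against router-generated traffic leaving any outside interface, so a `permit ip any any` would catch the hellos as well as transit traffic. The script below models IOS first-match ACL semantics over constructed ACLs and constructed packets; the ACL lines and addresses are illustrative, since the thread never shows the actual NAT rule on R1.

```python
"""Added example (not from the thread): model IOS first-match ACL semantics as
used by 'ip nat inside source list <acl> ...', and show which constructed
packets each ACL would hand to NAT.  Port qualifiers (eq/range) are not modeled."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# IOS protocol keywords to IP protocol numbers; 'ip' matches any protocol.
PROTO_NAMES = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "ospf": 89}


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    note: str  # label used in the result list


@dataclass(frozen=True)
class AclEntry:
    permit: bool
    proto: Optional[int]  # None == 'ip' (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # ipaddress accepts hostmask (wildcard) notation; assumes a contiguous wildcard.
    return ipaddress.ip_network(f"{tok}/{wildcard}", strict=False)


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'access-list N permit|deny PROTO SRC DST' lines; remarks are skipped."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        rest = tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        entries.append(AclEntry(action == "permit", PROTO_NAMES[proto], src, dst))
    return entries


def acl_permits(entries: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry wins; IOS appends an implicit 'deny any'."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in entries:
        if e.proto is not None and e.proto != pkt.proto:
            continue
        if src in e.src and dst in e.dst:
            return e.permit
    return False


def translated_packets(acl_lines: List[str], packets: List[Packet]) -> List[str]:
    """Labels of the packets the NAT rule would translate under this ACL."""
    entries = parse_acl(acl_lines)
    return [p.note for p in packets if acl_permits(entries, p)]


# Constructed packets: R1's own hello leaving Gi0/0/1 (10.62.1.1 -> AllSPFRouters),
# a transit flow from the tunnel side to the host behind R2, and a router-sourced TCP flow.
PACKETS = [
    Packet(89, "10.62.1.1", "224.0.0.5", "ospf-hello"),
    Packet(6, "10.255.255.10", "192.168.10.200", "tunnel-to-r2-lan"),
    Packet(6, "10.62.1.1", "192.168.10.200", "router-own-tcp"),
]

# Constructed 'permit everything' ACL: the hello is matched too.
BROAD_ACL = [
    "access-list 100 remark constructed: too broad",
    "access-list 100 permit ip any any",
]

# Constructed scoped ACL: routing protocol and the router's own address excluded first.
SCOPED_ACL = [
    "access-list 110 remark constructed: keep OSPF and the interface address out of NAT",
    "access-list 110 deny ospf any any",
    "access-list 110 deny ip host 10.62.1.1 any",
    "access-list 110 permit ip 10.255.255.0 0.0.0.255 192.168.10.0 0.0.0.255",
]

if __name__ == "__main__":
    for name, acl in (("broad", BROAD_ACL), ("scoped", SCOPED_ACL)):
        print(f"{name}: {translated_packets(acl, PACKETS)}")
```

On the router itself the equivalent check is to read the ACL referenced by `show ip nat statistics` and see whether anything in it could match protocol 89 sourced from the Gi0/0/1 address; putting an explicit `deny ospf any any` ahead of the permit is the usual way to keep routing-protocol traffic out of a NAT rule regardless of which interfaces end up marked outside.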

Hello @penguinunix ,

Respectfully, can we agree that traffic sourced by 10.255.255.0/24 is received on the tunnel01 interface of router R1?

For me the right place to put an ip nat outside should be the tunnel interface tunnel01.

I would apply ip nat outside to interface tunnel01.

For NAT to work you need traffic to make a transition from an ip nat outside interface to an ip nat inside interface.

Do you have any interface configured with ip nat inside on R1? You say that you have ip nat outside on R1 gi0/0/0; can you confirm this?

Applying NAT to interface gi0/0/1 can also be a solution, but you have noticed that OSPF goes down on it when you apply the ip nat commands, and this is the main reason you opened this thread.

The easier change to perform to fix the network would be to advertise the static route for 10.255.255.0/24 in OSPF and so avoid using NAT.

But you have written that you are not allowed to inject the prefix 10.255.255.0/24 into the OSPF routing domain on R1 and that you cannot access R2.

May I ask if this is a real network, or are you doing an exercise for a network academy or similar?

Hope to help

Giuseppe


Hi,

I have explained everything in my last post; this is a real network, not an exercise for a network academy nor a simulation. Can you please read my last post so I don't need to clarify again? Thank you.

bbb bbb (Level 1)

Dear @penguinunix 


If OSPF is removed, that means you may need to add a static route to the destination network 192.168.x.x pointing to 10.62.1.2 (R2).

Hopefully NAT to destination still works after that.


HtH : ]

Best regards

This would be great if OSPF were not mandatory; I would switch to this solution, but apparently I can't, because the R2 network requires R1 to run OSPF to distribute their networks automatically.
