08-07-2024 01:05 AM - edited 08-07-2024 02:55 AM
Hi,
I just want to know how I can apply ip nat outside on an interface with OSPF enabled:
interface GigabitEthernet0/0/1
description P2P_to_R2
ip address 10.62.1.1 255.255.255.252
ip ospf 10 area 0
negotiation auto
!
--------------- OSPF config ---------------
router ospf 10
redistribute connected
redistribute static route-map PERMIT
!
I want to perform NAT on interface GigabitEthernet0/0/1 with OSPF enabled on it. Tried this config:
interface GigabitEthernet0/0/1
description P2P_to_RouterX
ip address 10.62.1.1 255.255.255.252
ip ospf 10 area 0
+++ ip nat outside
negotiation auto
!
But the OSPF status turned to DEAD.
My goal is to perform NAT from interface Tunnel that has ip 10.255.255.0/24 need to be translated to 10.62.1.1 when accessing the local IP address on interface with OSPF enabled.
Just for info, I also have ip nat outside enabled for Interface that is connected to INTERNET:
interface GigabitEthernet0/0/0
description to INTERNET
ip flow monitor LOCAL input
ip flow monitor LOCAL output
ip address X.X.X.X 255.255.255.248
ip nat outside
negotiation auto
!
My Tunnel configuration:
This is my Tunnel Config:
interface Tunnel01
description GRE-TUNNEL
ip address 172.16.20.2 255.255.255.252
tunnel source GigabitEthernet0/0/0
tunnel destination X.X.Y.Y
!
---------------------------------------
ip route 10.255.255.0 255.255.255.0 Tunnel01
---------------------------------------
IP 10.255.255.0/24 is from outside network that is routed through the Tunnel01.
This is the simple diagram that I can give:
INTERNET (PUBLIC IP: X.X.X.X) ---------------->| GigabitEthernet0/0/0 Router1 GigabitEthernet0/0/1 | ---> OSPF (R2)
TUNNEL (GRE TUNNEL 10.255.255.0/24) -------->| Tunnel01 Router1 |
Scenario: ALL ACCESS FROM 10.255.255.0/24 to Local IP on the OSPF network need to be translated using ip 10.62.1.1
NOTE: I have no access to change any configuration on R2
The reason that I want to apply the new configuration since the network 10.255.255.0/24 need to access the local ip on the other R2 network, I can't change any configuration on the R2, and I need to use the existing IP on the R1 (10.62.1.1) so the network 10.255.255.0/24 can access the local ip over the R2 network.
10.255.255.0/24 is an ip that is not allowed to be distributed over the OSPF network, so it need to be NATed using ip that is allowed (10.62.1.1)
Any help would be appreciated, since I have been trying different configs with no success.
08-07-2024 01:47 AM
Dear @penguinunix,
@penguinunix wrote: "My goal is to perform NAT from interface Tunnel that has ip 10.255.255.0/24 need to be translated to 10.62.1.1 when accessing the local IP address on interface with OSPF enabled."
How about creating a VLAN sub-interface for network 10.255.255.0/24 (or a separate physical interface or a loopback interface for this network within R1)? Then a static route in R1 for destinations in the 10.62.x.x subnet will point to G0/0/1. From there, test and try the NAT configuration as per your requirement.
Please also check this link, which might help as a reference.
HtH : ]
Best regards,
08-07-2024 02:05 AM
Hi,
This is my Tunnel Config:
interface Tunnel01
description GRE-TUNNEL
ip address 172.16.20.2 255.255.255.252
tunnel source GigabitEthernet0/0/0
tunnel destination X.X.Y.Y
!
---------------------------------------
ip route 10.255.255.0 255.255.255.0 Tunnel01
I'm not sure that creating VLAN for Tunnel01 would help, but your solution on creating a loopback interface maybe can help, but in this case, I have no access to change the configuration on the R2 (other OSPF router), so I have to stick with the current OSPF configuration.
Also, the reference to the solution from the link you sent is apparently no longer working; I got Access Denied when visiting the link in the Accepted Solution from the link you sent.
08-07-2024 04:56 AM
Dear @penguinunix ,
Just wondering: in the tunnel interface configuration, it is using G0/0/0 as the tunnel source. What if it's replaced with G0/0/1?
Best regards
08-07-2024 06:28 AM
Hi,
Tunnel is created over internet connected to other public server address, interface gi0/0/1 is direct interface to other local network with OSPF enabled.
08-07-2024 07:08 AM
Can I see your topology, please?
MHM
08-07-2024 07:13 PM - edited 08-08-2024 06:33 PM
This is the simple topology I can give to you, Tunnel01 via Gigabit0/0/0, the network 10.255.255.0/24 need to access 192.168.10.200, because the only permitted address to access 192.168.10.200 is 10.62.1.1, I need to NAT 10.255.255.0/24 address so the address 10.255.255.0/24 NAT to 10.62.1.1.
10.255.255.0/24 route via Tunnel01 interface from R1.
NOTE: I have no access to R2, and there is not possible to add any configuration on the Tunnel01(Tunnel Server) except to add routing table.
08-09-2024 01:55 AM
I don't see anything wrong.
Did you try using deny in the NAT ACL?
If yes and the same issue appears, please share
debug ip ospf adj
MHM
08-09-2024 06:22 AM
Will try your solution as well, it crossed my mind but haven't applied it before.
08-07-2024 02:15 AM - edited 08-07-2024 02:20 AM
Hello @penguinunix ,
have you created an appropriate ACL to be used with NAT
>> 10.255.255.0/24 to Local IP on the OSPF network need to be translated using ip 10.62.1.1
access-list 10 remark NAT for OSPF network
access-list 10 permit 10.255.255.0 0.0.0.255
ip nat inside source list 10 interface gi1/0/1 overload
! Edit
reading again your requirements you want to do the opposite 10.255.255.0/24 is on the remote end
you should use this line instead
ip nat outside source list 10 interface gi1/0/1 overload
You need to flag internal network with ip nat inside.
Edit 2:
The network 10.255.255.0/24 is learned over a GRE p2p tunnel. To be honest, I don't see any need for NAT here. The tunnel can be used to fix this.
Hope to help
Giuseppe
08-07-2024 02:18 AM - edited 08-07-2024 02:56 AM
Hi, I have applied the same configuration you've sent on your reply:
interface GigabitEthernet0/0/1
description P2P_to_RouterGIS
ip address 10.62.1.1 255.255.255.252
ip nat outside
ip ospf 10 area 0
negotiation auto
!
ip nat inside source list S interface GigabitEthernet0/0/1 overload
ip access-list extended S
10 permit ip 10.255.255.0 0.0.0.255 any
But as soon as I applied ip nat outside on the Gig0/0/1 the OSPF state turned to INIT.
The reason that I want to apply the new configuration since the network 10.255.255.0/24 need to access the local ip on the other R2, I can't change any configuration on the R2, and I need to use the existing IP on the R1 (10.62.1.1) so the network 10.255.255.0/24 can access the local ip over the R2 network.
10.255.255.0/24 is an ip that is not allowed to be distributed over the OSPF network, so it need to be NATed using ip that is allowed (10.62.1.1)
08-07-2024 02:52 AM
Hi @Giuseppe Larosa ,
Reading your edited reply:
ip nat outside source list 10 interface gi1/0/1 overload
I will try to apply this. I still need the rule ip nat inside source list 10 interface gi1/0/1 overload, right?
08-07-2024 03:26 AM
Friend, I don't see how NAT affects OSPF, but anyway, to solve this use
Ip access-list extended ospf
Deny ospf any any <- exclude ospf from NAT acl
Deny gre any any <- exclude gre from NAT acl
Permit ip <subnet> any <<- subnet you want to NATing
Then
Ip nat inside source list ospf interface x/x overload
MHM
08-07-2024 03:34 AM
Will try this and update soon
08-11-2024 01:26 AM
Tried today:
sh ip access-lists S
Extended IP access list S
10 permit ip 10.255.254.0 0.0.0.255 any
20 permit ip 10.255.255.0 0.0.0.255 any
30 deny ospf any any
40 deny gre any any
50 permit ip any any
ip nat inside source list S interface GigabitEthernet0/0/1 overload
ip nat outside (on Gi0/0/1)
When I applied IP NAT Outside on Gi0/0/1, the OSPF state became INIT
Here's log debug on ospf interface:
Router#debug ip ospf adj
OSPF adjacency debugging is on
Router#
*Aug 11 08:07:46.902: OSPF-10 ADJ Gi0/0/1: Cannot see ourself in hello from 10.246.9.122, state INIT
*Aug 11 08:07:46.902: OSPF-10 ADJ Gi0/0/1: Neighbor change event
*Aug 11 08:07:46.902: OSPF-10 ADJ Gi0/0/1: DR/BDR election
*Aug 11 08:07:46.902: OSPF-10 ADJ Gi0/0/1: Elect BDR 0.0.0.0
*Aug 11 08:07:46.902: OSPF-10 ADJ Gi0/0/1: Elect DR 192.168.100.1
*Aug 11 08:07:46.902: OSPF-10 ADJ Gi0/0/1: DR: 192.168.100.1 (Id)
*Aug 11 08:07:46.902: OSPF-10 ADJ Gi0/0/1: BDR: none
Router#
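Added example (not part of any post in this thread): a small Python model of first-match ACL evaluation, run over access list S as shown in the last post, to see which packets the list selects for NAT. The sample packets and the deny-first list (the ordering suggested earlier in the thread, with the subnet filled in) are constructed; the model covers only ACL matching with destination `any`, not IOS NAT or OSPF processing.

```python
import ipaddress

# ACL "S" as shown in the `sh ip access-lists S` output above.
ACL_S = """\
10 permit ip 10.255.254.0 0.0.0.255 any
20 permit ip 10.255.255.0 0.0.0.255 any
30 deny ospf any any
40 deny gre any any
50 permit ip any any
"""

# Constructed: the deny-first ordering suggested in the thread.
ACL_DENY_FIRST = """\
10 deny ospf any any
20 deny gre any any
30 permit ip 10.255.255.0 0.0.0.255 any
"""

def parse_acl(text):
    """Parse 'seq action proto src [wildcard] any' lines (destination 'any' only)."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        # An IOS wildcard mask is a host mask, which ip_network() accepts.
        src = None if tok[3] == "any" else ipaddress.ip_network(f"{tok[3]}/{tok[4]}")
        entries.append((seq, action, proto, src))
    return entries

def nat_match(entries, proto, src_ip):
    """Return (seq, action) of the first entry that matches; ACLs are first-match."""
    addr = ipaddress.ip_address(src_ip)
    for seq, action, acl_proto, src in entries:
        if acl_proto not in ("ip", proto):   # 'ip' matches every IP protocol
            continue
        if src is not None and addr not in src:
            continue
        return seq, action
    return None, "deny"                      # implicit deny at the end of the list

if __name__ == "__main__":
    # Constructed sample packets: (protocol, source address).
    packets = [("ospf", "10.62.1.1"), ("ospf", "10.255.255.10"),
               ("gre", "10.62.1.1"), ("tcp", "10.255.255.10"),
               ("tcp", "192.168.10.200")]
    for name, text in (("S", ACL_S), ("deny-first", ACL_DENY_FIRST)):
        acl = parse_acl(text)
        for proto, src in packets:
            print(name, proto, src, nat_match(acl, proto, src))
```

In list S, OSPF sourced from 10.62.1.1 falls through to sequence 30 and is not selected for translation, while sequence 50 selects every other IP packet; the deny-first list selects only 10.255.255.0/24.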