3986 Views | 5 Helpful | 18 Replies

nat overload on interface of Router

Amafsha1
Level 2

EDIT: I was using IOSvL2 on CML2 and NAT does not work on it, so I just changed it to IOSv and it worked right away.

Hello folks,

I have setup a simple topology in CML2 lab with 3 nodes.

inside--->FW---static route--->RTR1---BGP--->RTR2

The inside uses the FW as default GW, then firewall has static route to RTR1 edge router, then edge router RTR2 is the ISP that gives us a default route.

So all the routing works, but I'm having an issue with NAT on the edge router RTR1. I want all traffic that comes in with the source address of the firewall outside interface to be NAT'd (overload) to the outside interface of edge RTR1.

So ASA firewall outside interface ip is 172.28.28.100, I put a NAT statement on the ASA firewall:

ASA# nat (inside,outside) dynamic interface

So anything that leaves the firewall will automatically get NAT'd to the outside interface of the FW, and I have verified this part works by checking pcaps and seeing that it does indeed NAT all the traffic to the firewall outside interface when coming from the inside and going to RTR1.

Next up,

I put the following configs in for RTR1 NAT

RTR1#

access-list 100 permit ip 172.28.28.100 

ip nat inside source list 100 interface g0/1 overload

g0/0 is the inside interface that goes to the firewall (ip nat inside)

g0/1 is outside interface that goes to RTR2 (ip nat outside)

I do "sho ip nat trans" and I see nothing. The traffic never gets NAT'd. I don't know what else to do.

18 Replies

Hello,

in theory, your setup should work. Can you post the full running configuration (show run) from R1?

RTR1#
!
!
interface GigabitEthernet0/0
 description to FW and RTR2
 no switchport
 ip nat inside
 ip address 172.28.28.128 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/1
 no switchport
 ip address 63.1.1.234 255.255.255.248
 no negotiation auto
 ip nat outside
!
interface GigabitEthernet0/2
 no switchport
 ip address 209.1.1.68 255.255.255.240
 no negotiation auto
!
interface GigabitEthernet0/3
 negotiation auto
!
router bgp 10
 bgp log-neighbor-changes
 network 63.1.13.16 mask 255.255.255.248
 network 64.1.16.112 mask 255.255.255.248
 network 192.1.1.0
 neighbor local peer-group
 neighbor local remote-as 10
 neighbor local description Local peer-group
 neighbor local version 4
 neighbor local timers 10 30
 neighbor local next-hop-self
 neighbor local send-community
 neighbor isp1 peer-group
 neighbor isp1 remote-as 209
 neighbor isp1 description isp1 peer-group
 neighbor isp1 version 4
 neighbor isp1 timers 20 60
 neighbor isp1 send-community
 neighbor isp1 prefix-list default-route in
 neighbor isp1 route-map isp1_pref_in in
 neighbor isp1 route-map isp1_pref_out out
 neighbor isp2 peer-group
 neighbor isp2 remote-as 7385
 neighbor isp2 description isp2 peer-group
 neighbor isp2 version 4
 neighbor isp2 timers 10 30
 neighbor isp2 send-community
 neighbor isp2 prefix-list default-route in
 neighbor isp2 route-map isp2_backup_out out
 neighbor 63.1.1.233 peer-group isp1-se
 neighbor 63.1.1.233 description isp1-se-pe
 neighbor 63.1.1.233 soft-reconfiguration inbound
 neighbor 172.28.28.129 peer-group local
 neighbor 172.28.28.129 description RTR2
 neighbor 172.28.28.129 soft-reconfiguration inbound
 neighbor 209.1.1.65 peer-group isp2-se
 neighbor 209.1.1.65 description isp2-pe1
!
ip nat inside source list 100 interface GigabitEthernet0/1 overload
ip forward-protocol nd
!
ip bgp-community new-format
ip http server
ip http secure-server
!
ip route 192.1.1.0 255.255.255.0 172.28.28.100
access-list 100 permit 172.28.28.100
!
!
ip prefix-list isp1_29_B seq 5 permit 63.1.13.16/29
!
ip prefix-list default-route seq 10 permit 0.0.0.0/0
!
ip prefix-list deny-all seq 5 deny 0.0.0.0/0 le 32
!
ip prefix-list isp2_29_B seq 5 permit 64.1.16.112/29
!
ip prefix-list w_24 seq 5 permit 192.1.1.0/24
!
!
!
route-map isp2_backup_out permit 10
 match ip address prefix-list w_24
 set as-path prepend 10 10
!
route-map isp1_pref_in permit 10
 match ip address prefix-list default-route
 set local-preference 200
!
route-map isp1_backup_out permit 10
 match ip address prefix-list w_24
 set community 209:70
!
route-map isp1-nat permit 10
 match interface GigabitEthernet0/1
!
route-map isp2-nat permit 10
 match interface GigabitEthernet0/2
!
route-map isp2_preferred_out permit 10
 match ip address prefix-list w_24
 set community 7385:110
!
route-map isp2_preferred_out permit 20
 match ip address prefix-list isp2_29_B
!
route-map isp1_preferred_out permit 10
 match ip address prefix-list w_24
 set as-path prepend 10 10
!
route-map isp1_preferred_out permit 20
 match ip address prefix-list isp1_29_B
 set community 209:999
!
!
!
control-plane

There might be extra junk in there, but there is a little more to the topology than I originally mentioned. There is also an iBGP peering internally to RTR2 that is on the same network as the FW outside network 172.28.28.0/24, and also one more peering to ISP2. I don't think these things should affect the NAT on RTR1, but I'm telling you just in case.

Hi @Amafsha1,

Open a session to both RTR1 and RTR2 simultaneously. Arrange the session windows side by side.

While traffic is ongoing (let's say a ping test), gather show ip nat translations from both Routers.

Do you see in that output the NAT translations on any of the Routers?

To dig even deeper, run debug ip nat on both of your Routers while that traffic is still ongoing.

You can expect outputs like these (with different IP addresses, of course):

router-19# show ip nat translation
Pro  Inside global Inside local Outside local Outside global
icmp 10.2.2.2:3    10.1.1.1:3   10.2.2.3:3    10.2.2.3:3
icmp 10.2.2.2:4    10.1.1.1:4   10.2.2.3:4    10.2.2.3:4
icmp 10.2.2.2:5    10.1.1.1:5   10.2.2.3:5    10.2.2.3:5

router-6# debug ip nat
router-6# show log
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: level debugging, 39 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 39 messages logged
    Trap logging: level informational, 33 message lines logged
Log Buffer (4096 bytes):
05:32:23: NAT: s=10.10.50.4->172.16.11.70, d=172.16.11.7 [70]
05:32:23: NAT*: s=172.16.11.7, d=172.16.11.70->10.10.50.4 [70]
05:32:25: NAT*: s=10.10.50.4->172.16.11.70, d=172.16.11.7 [71]
05:32:25: NAT*: s=172.16.11.7, d=172.16.11.70->10.10.50.4 [71]
05:32:27: NAT*: s=10.10.50.4->172.16.11.70, d=172.16.11.7 [72]
05:32:27: NAT*: s=172.16.11.7, d=172.16.11.70->10.10.50.4 [72]
05:32:29: NAT*: s=10.10.50.4->172.16.11.70, d=172.16.11.7 [73]
05:32:29: NAT*: s=172.16.11.7, d=172.16.11.70->10.10.50.4 [73]
05:32:31: NAT*: s=10.10.50.4->172.16.11.70, d=172.16.11.7 [74]
05:32:31: NAT*: s=172.16.11.7, d=172.16.11.70->10.10.50.4 [74]

A good resource:

Verifying NAT Operation and Basic NAT Troubleshooting

PS: I understand this is a lab environment and not production. It is always advised to proceed with caution when running debugs on production devices.

HTHs
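A small checker for the two outputs in the reply above, added here as an example and not part of the reply or of any Cisco tool: it parses the rows of "show ip nat translations" and the "debug ip nat" lines, then reports whether a given inside-local address is really being rewritten to the expected inside-global address (the symptom in this thread is exactly an empty table and a silent debug). The sample output is constructed in the same format as the reply's, with 10.1.1.1 as inside local and 10.2.2.2 as inside global; the function names are this example's own.

```python
# Added example (not from the thread or from Cisco): verify NAT from 'show ip nat
# translations' and 'debug ip nat' output. SAMPLE_XLATE / SAMPLE_DEBUG are constructed.
import re

# One table row: Pro, Inside global, Inside local, Outside local, Outside global (':port' suffix).
XLATE_RE = re.compile(r"^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# 'NAT: s=A->B, d=C [id]'  : outbound packet, source rewritten inside-local -> inside-global
# 'NAT*: s=C, d=B->A [id]' : return packet, destination rewritten inside-global -> inside-local
DEBUG_RE = re.compile(
    r"NAT\*?: s=(?P<s>[\d.]+)(?:->(?P<s2>[\d.]+))?, d=(?P<d>[\d.]+)(?:->(?P<d2>[\d.]+))? \[(?P<id>\d+)\]"
)


def _ip(field):
    """Drop the ':port' part of a table cell ('---' for static entries is returned unchanged)."""
    return field.split(":")[0]


def parse_translations(text):
    """Rows of 'show ip nat translations' as dicts; the header line does not match XLATE_RE."""
    rows = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            proto, ig, il, ol, og = m.groups()
            rows.append({"proto": proto, "inside_global": _ip(ig), "inside_local": _ip(il),
                         "outside_local": _ip(ol), "outside_global": _ip(og)})
    return rows


def parse_debug(text):
    """'debug ip nat' lines -> list of (direction, inside_local, inside_global, outside, ip_id)."""
    events = []
    for line in text.splitlines():
        m = DEBUG_RE.search(line)
        if m and m.group("s2"):
            events.append(("out", m.group("s"), m.group("s2"), m.group("d"), int(m.group("id"))))
        elif m and m.group("d2"):
            events.append(("in", m.group("d2"), m.group("d"), m.group("s"), int(m.group("id"))))
    return events


def check_translation(inside_local, inside_global, xlate_text, debug_text):
    """Problems found for inside_local; [] means its packets really leave as inside_global."""
    problems = []
    mine = [r for r in parse_translations(xlate_text) if r["inside_local"] == inside_local]
    if not mine:
        problems.append(f"no translation-table entry for inside local {inside_local}")
    wrong = [r["inside_global"] for r in mine if r["inside_global"] != inside_global]
    if wrong:
        problems.append(f"{inside_local} is translated to {sorted(set(wrong))}, not {inside_global}")
    events = parse_debug(debug_text)
    out = [e for e in events if e[0] == "out" and e[1] == inside_local]
    if not out:
        problems.append(f"debug ip nat never shows a packet from {inside_local} being rewritten")
    elif any(e[2] != inside_global for e in out):
        problems.append(f"debug ip nat shows {inside_local} rewritten to an unexpected global address")
    # a return packet translated back proves the entry is used in both directions
    if out and not any(e[0] == "in" and e[1] == inside_local for e in events):
        problems.append(f"no return traffic was translated back to {inside_local}")
    return problems


# Constructed sample output in the formats shown in the reply (not captured from a real router).
SAMPLE_XLATE = """\
Pro  Inside global Inside local Outside local Outside global
icmp 10.2.2.2:3    10.1.1.1:3   10.2.2.3:3    10.2.2.3:3
icmp 10.2.2.2:4    10.1.1.1:4   10.2.2.3:4    10.2.2.3:4
icmp 10.2.2.2:5    10.1.1.1:5   10.2.2.3:5    10.2.2.3:5
"""
SAMPLE_DEBUG = """\
05:32:23: NAT: s=10.1.1.1->10.2.2.2, d=10.2.2.3 [70]
05:32:23: NAT*: s=10.2.2.3, d=10.2.2.2->10.1.1.1 [70]
05:32:25: NAT*: s=10.1.1.1->10.2.2.2, d=10.2.2.3 [71]
05:32:25: NAT*: s=10.2.2.3, d=10.2.2.2->10.1.1.1 [71]
"""

if __name__ == "__main__":
    print(check_translation("10.1.1.1", "10.2.2.2", SAMPLE_XLATE, SAMPLE_DEBUG) or "NAT OK")
    print(check_translation("172.28.28.100", "63.1.1.234", "", ""))  # the empty case from this thread
```

Paste the real outputs into the two strings and call check_translation with the FW outside address as inside local and the RTR1 g0/1 address as inside global. Three separate checks matter because they fail differently: an empty table with debug output means the entries are timing out or being cleared, debug output with the wrong global address means the wrong NAT rule matched, and nothing in either means the packet never hit the NAT path at all, which is what this thread is about.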

I did a ping test and I can see that RTR1 is sending to RTR2 with the same IP as the FW outside interface, so it is not NATting on RTR1. Debug ip nat shows nothing. Show ip nat trans shows nothing as well. I'm sure at this point this is a bug in CML2.

Hello,

make the changes marked with --> below:

RTR1#
!
interface GigabitEthernet0/0
description to FW and RTR2
no switchport
ip nat inside
ip address 172.28.28.128 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/1
no switchport
ip address 63.1.1.234 255.255.255.248
no negotiation auto
ip nat outside
!
interface GigabitEthernet0/2
no switchport
ip address 209.1.1.68 255.255.255.240
no negotiation auto
!
interface GigabitEthernet0/3
negotiation auto
!
router bgp 10
bgp log-neighbor-changes
network 63.1.13.16 mask 255.255.255.248
network 64.1.16.112 mask 255.255.255.248
network 192.1.1.0
neighbor local peer-group
neighbor local remote-as 10
neighbor local description Local peer-group
neighbor local version 4
neighbor local timers 10 30
neighbor local next-hop-self
neighbor local send-community
neighbor isp1 peer-group
neighbor isp1 remote-as 209
neighbor isp1 description isp1 peer-group
neighbor isp1 version 4
neighbor isp1 timers 20 60
neighbor isp1 send-community
neighbor isp1 prefix-list default-route in
neighbor isp1 route-map isp1_pref_in in
neighbor isp1 route-map isp1_pref_out out
neighbor isp2 peer-group
neighbor isp2 remote-as 7385
neighbor isp2 description isp2 peer-group
neighbor isp2 version 4
neighbor isp2 timers 10 30
neighbor isp2 send-community
neighbor isp2 prefix-list default-route in
neighbor isp2 route-map isp2_backup_out out
neighbor 63.1.1.233 peer-group isp1-se
neighbor 63.1.1.233 description isp1-se-pe
neighbor 63.1.1.233 soft-reconfiguration inbound
neighbor 172.28.28.129 peer-group local
neighbor 172.28.28.129 description RTR2
neighbor 172.28.28.129 soft-reconfiguration inbound
neighbor 209.1.1.65 peer-group isp2-se
neighbor 209.1.1.65 description isp2-pe1
!
--> ip nat inside source list 1 interface GigabitEthernet0/1 overload

ip forward-protocol nd
!
ip bgp-community new-format
ip http server
ip http secure-server
!
ip route 192.1.1.0 255.255.255.0 172.28.28.100

--> access-list 1 permit 172.28.28.0 0.0.0.255
!
ip prefix-list isp1_29_B seq 5 permit 63.1.13.16/29
!
ip prefix-list default-route seq 10 permit 0.0.0.0/0
!
ip prefix-list deny-all seq 5 deny 0.0.0.0/0 le 32
!
ip prefix-list isp2_29_B seq 5 permit 64.1.16.112/29
!
ip prefix-list w_24 seq 5 permit 192.1.1.0/24
!
route-map isp2_backup_out permit 10
match ip address prefix-list w_24
set as-path prepend 10 10
!
route-map isp1_pref_in permit 10
match ip address prefix-list default-route
set local-preference 200
!
route-map isp1_backup_out permit 10
match ip address prefix-list w_24
set community 209:70
!
route-map isp1-nat permit 10
match interface GigabitEthernet0/1
!
route-map isp2-nat permit 10
match interface GigabitEthernet0/2
!
route-map isp2_preferred_out permit 10
match ip address prefix-list w_24
set community 7385:110
!
route-map isp2_preferred_out permit 20
match ip address prefix-list isp2_29_B
!
route-map isp1_preferred_out permit 10
match ip address prefix-list w_24
set as-path prepend 10 10
!
route-map isp1_preferred_out permit 20
match ip address prefix-list isp1_29_B
set community 209:999
!
control-plane

Hello

Basically you are double natting from fw to rtr1 to rtr2?

But it looks like you're NATting the wrong host address. This address shouldn't be 172.28.28.100; it should be the RTR1 LAN-facing IP address subnet, not the FW-specific outside IP address. Change your ACL to accommodate the FW outside/RTR1 inside subnet and test again.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I just pasted in the correct configs. I had to go back and edit the configs again. Can you tell me if that's still the case?

The packets are coming into RTR1 with source address of 172.28.28.100

so are you saying, my config should look like this:

access-list 100 permit 172.28.28.0 0.0.0.255 log

ip nat inside source list 100 interface GigabitEthernet0/1 overload

Hello

Possible, but without any logging appended, as NAT doesn't like it. What is the whole IP address of your RTR1 inside interface?
If it is a /24 subnet then yes, the ACL is okay (apart from the log); if it isn't, the ACL needs to relate to the RTR1 inside interface subnet address.

example:
access-list 100 permit ip 172.28.28.0 0.0.0.255 any



Kind Regards
Paul
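To make the ACL points from the replies above checkable before pasting anything into a router, here is an added example (not from the thread or from Cisco): a Python linter for an IOS "ip nat inside source list ... interface ... overload" setup. It encodes what was raised in this thread: a numbered ACL in the 100-199 range is extended, so each entry needs a protocol, a source with a wildcard mask (or "host"/"any") and a destination; "log" is not supported on an ACL used by NAT; the interfaces must carry "ip nat inside" and "ip nat outside", and the overload interface must be the outside one; and the expected inside source must actually hit a permit entry under IOS wildcard-mask matching. The sample configs are constructed from the addresses in the thread; the function names are this example's own.

```python
# Added example (not from the thread or from Cisco): lint an IOS NAT-overload config
# for the mistakes discussed above. The sample configs at the bottom are constructed.
import ipaddress
import re

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is don't-care (the inverse of a netmask)."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care

def _addr_spec(tokens, standard):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, wildcard, rest) or None."""
    if tokens and tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if len(tokens) > 1 and tokens[0] == "host" and IPV4_RE.match(tokens[1]):
        return tokens[1], "0.0.0.0", tokens[2:]
    if len(tokens) > 1 and IPV4_RE.match(tokens[0]) and IPV4_RE.match(tokens[1]):
        return tokens[0], tokens[1], tokens[2:]
    if standard and tokens and IPV4_RE.match(tokens[0]):
        return tokens[0], "0.0.0.0", tokens[1:]  # standard ACL: a bare address is one host
    return None  # an extended ACL requires the wildcard mask (or 'host'/'any')

def parse_acl_entry(line):
    """Dict for a valid numbered 'access-list' line, or a string saying why IOS rejects it."""
    m = re.match(r"access-list\s+(\d+)\s+(permit|deny)\s+(.*)", line.strip())
    if not m:
        return "not a permit/deny access-list line"
    number, action, rest = int(m.group(1)), m.group(2), m.group(3).split()
    standard = number <= 99  # 1-99 standard (source only); 100-199 extended
    if not standard:
        if not rest or rest[0] not in ("ip", "tcp", "udp", "icmp"):
            return f"ACL {number} is extended: entry needs a protocol (ip/tcp/udp/icmp)"
        rest = rest[1:]
    src = _addr_spec(rest, standard)
    if src is None:
        return f"ACL {number}: source must be 'A.B.C.D WILDCARD', 'host A.B.C.D' or 'any'"
    net, wc, rest = src
    if not standard:
        dst = _addr_spec(rest, False)
        if dst is None:
            return f"ACL {number}: extended entry needs a destination ('any' matches everything)"
        rest = dst[2]
    return {"number": number, "action": action, "src": net, "src_wc": wc, "log": "log" in rest}

def acl_permits(entries, addr):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in entries:
        if wildcard_match(addr, e["src"], e["src_wc"]):
            return e["action"] == "permit"
    return False

def lint_nat_config(config, expected_source):
    """Findings for an 'ip nat inside source list ... overload' setup; [] means it looks sane."""
    findings, nat_role, acls, current = [], {}, {}, None
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    for l in lines:
        if l.startswith("interface "):
            current = l.split(None, 1)[1]
        elif l == "!":
            current = None
        elif current and l in ("ip nat inside", "ip nat outside"):
            nat_role[current] = l.split()[-1]
        elif l.startswith("access-list "):
            e = parse_acl_entry(l)
            if isinstance(e, str):
                findings.append(f"{l!r}: {e}")
            else:
                acls.setdefault(str(e["number"]), []).append(e)
                if e["log"]:
                    findings.append(f"ACL {e['number']}: 'log' is not supported on an ACL used by NAT")
    for role in ("inside", "outside"):
        if role not in nat_role.values():
            findings.append(f"no interface is marked 'ip nat {role}'")
    rule_re = re.compile(r"ip nat inside source list (\S+) interface (\S+) overload$")
    for m in filter(None, map(rule_re.match, lines)):
        acl, egress = m.groups()
        if nat_role.get(egress) != "outside":
            findings.append(f"overload interface {egress} is not marked 'ip nat outside'")
        if acl not in acls:
            findings.append(f"NAT rule references ACL {acl}, which has no usable entries")
        elif not acl_permits(acls[acl], expected_source):
            findings.append(f"ACL {acl} never permits the expected inside source {expected_source}")
    return findings

# Constructed configs modelled on the thread: the original ACL and the corrected one.
BASE = """
interface GigabitEthernet0/0
 ip nat inside
!
interface GigabitEthernet0/1
 ip nat outside
!
ip nat inside source list 100 interface GigabitEthernet0/1 overload
"""
BROKEN_CONFIG = BASE + "access-list 100 permit ip 172.28.28.100\n"
FIXED_CONFIG = BASE + "access-list 100 permit ip 172.28.28.0 0.0.0.255 any\n"
```

Run lint_nat_config(BROKEN_CONFIG, "172.28.28.100") and it reports an incomplete source on the original ACL line and that the NAT rule points at an ACL with no usable entries; the corrected "access-list 100 permit ip 172.28.28.0 0.0.0.255 any" comes back clean. Interface names are matched literally, so write them as "show run" prints them (GigabitEthernet0/1, not g0/1). What a config linter cannot tell you is whether the image implements NAT at all, which is what finally mattered in this thread (IOSvL2 versus IOSv), so a clean lint plus an empty translation table points at the platform, not the config.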

ip nat inside source list 100 interface GigabitEthernet0/1 overload
access-list 100 permit ip 172.28.28.0 0.0.0.255 any

Still nothing. I'm starting to think this is a bug in the CML2 lab.

Hello

So you're using VIRL ver 2.0? TBH, I would say in all honesty it may well be. I have had nothing but trouble since migrating to this version: features not working, unexpected testing results. I'm getting to a stage of having no confidence in it as proof-of-concept simulation software.

In any case your issue may not be VIRL, if you are using this, but I definitely would not rule it out.



Kind Regards
Paul

Yes, I agree on that.

I have posted my whole running config of RTR1 above in the thread.

I paid $200 for CML2

Hello

What router VM are you using, IOSv or CSR1000v?

Also, to confirm: are you initiating traffic from the FW?



Kind Regards
Paul

I'm using IOSvL2

I'm initiating traffic from behind the firewall (inside).

That traffic is being NAT'd at the firewall to the firewall outside interface...so it's coming into RTR1 with source address of 172.28.28.100
