NATTING

virendra pathak
Level 1

Dear Expert,

I have created a LAB in EVE-NG, and the design is attached herewith.

I have done all the configuration using an MPLS WAN solution on the design.

The private NW is done successfully, and now I want to allow all DC servers, HQ users and branch users to access the INTERNET without using routing, because the private NW cannot be advertised on the INTERNET WORLD; so NATTING is the option that remains. And here is my query: how should I allow all users to access the INTERNET using the NATTING solution?

Could you please view the design and suggest accordingly.

HQ users LAN range: 10.22.2.0/24, 10.22.4.0/24 CAN ACCESS internet

DC subnet range: 172.16.111.0/24, 172.16.112.0/24 CAN ACCESS internet

BR users range: 10.22.22.0/24, 10.22.23.0/24 CAN ACCESS internet

A prompt response would be highly appreciated.

Thanks a lot

Regards

Virendra P

Accepted Solution

Dear MHM,

I am happy now, and thanks a ton. Once more, your support has really helped me a lot. My next goal is to do GRE tunnel, mGRE tunnel, DMVPN and IPsec DMVPN.

Hoping this design will help me to achieve my task. It is really an honour to meet a Cisco TECH Expert.

regards

Virendra P

37 Replies

virendra pathak
Level 1

Dear Expert,

Can anyone suggest on my query?

regards

Virendra P

Hello Virendra,

Do you need configuration suggestions? Which devices do you have?

A simple config would be as follows:

# Access Control List (ACL) to identify traffic to be translated
ip access-list extended NAT_ACL
 permit ip 10.22.2.0 0.0.0.255 any
 permit ip 10.22.4.0 0.0.0.255 any
# Define the translation pool
ip nat pool NAT_POOL OUTSIDE-IP OUTSIDE-IP netmask 255.255.255.0
# Apply NAT to the outbound interface
interface OUT-INT
 ip nat outside
# Apply NAT to the inbound interface
interface INSIDE-INT
 ip nat inside
# Apply the ACL and translation to the outbound interface
ip nat inside source list NAT_ACL pool NAT_POOL overload

BR
****Kindly rate all useful posts*****

Great, Daniel,

Why am I confused? If you see the attached topology, where I have separated the INTERNET network, it is connected to the Layer 3 switches SW22 and SW23. The INTERNET LAN pool address is 102.1.1.0/24. Both INTERNET routers 35 and 36 are configured with HSRP, and each router has a DUAL MULTIHOMED NETWORK, with BGP being used.

On both Internet routers, the INSIDE interface is configured with the PUBLIC POOL IP ADDRESS, and the PUBLIC WAN IP is configured.

As you suggested, I can still use NAT to meet the goal of accessing the internet.

Thanks a lot for your help.

regards

Virendra P


Hello!

Sorry, I didn't see the topology attached. As far as I can gather from your description, NAT would be the correct way to go, and it should be configured on routers R35 and R36 to access the internet.

BR

****Kindly rate all useful posts*****

Hello Daniel,

These are the CONFIGURATION details:

CUSINTRTR2#sh running-config int e0/3.10
Building configuration...

Current configuration : 187 bytes
!
interface Ethernet0/3.10
description PUBLIC POOL LAN
encapsulation dot1Q 10
ip address 102.1.1.3 255.255.255.0
ip nat inside
ip virtual-reassembly in
standby 10 ip 102.1.1.1
end

CUSINTRTR2#sh running-config int e0/2
Building configuration...

Current configuration : 145 bytes
!
interface Ethernet0/2
description PUBWANPOOL
ip address 35.1.1.1 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
end

CUSINTRTR2#sh running-config int e0/0
Building configuration...

Current configuration : 145 bytes
!
interface Ethernet0/0
description PUBWANPOOL
ip address 35.1.1.5 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
end

CUSINTRTR2#sh ru
CUSINTRTR2#sh run
CUSINTRTR2#sh running-config | sec acc
access-list 101 permit ip 10.22.0.0 0.0.255.255 any
access-list 101 permit ip 172.16.0.0 0.0.255.255 any
CUSINTRTR2#sh running-config | sec nat
ip nat outside
ip nat inside
ip nat outside
ip nat outside
ip nat inside
ip nat inside source list 101 pool 101 overload
nat64 v4 pool 101 102.1.1.0 102.1.1.255

virendra pathak
Level 1

Do you need traffic to hairpin from MPLS to the internet?

If yes, include all branch subnets in the NAT ACL.

Note: make the MPLS interface ip nat inside.

That's it.

Hello MHM,

Thanks for your response, but I would like to tell you that I took the range 10.22.0.0/16, which is the SUBNET RANGE OF BRANCHES PLUS HQ, and on the other side I took the SUBNET RANGE OF DC, which is 172.16.0.0/16.

I hope you can view my attached topology. Can you explain to me now how I shall achieve it without doing routing, BECAUSE I DO NOT WANT TO ADD A PUBLIC IP ADDRESS INTO THE CUSTOMER MPLS SETUP.

regards

Virendra P

No need. DC connects to BR via MPLS; make DC inject a default route to all BRs.

The traffic to any public IP will flow via MPLS to DC, then from DC to the internet after NATing.

Dear MHM,

Please find my ISPPE2 configuration:

ISPPE2#
ISPPE2#sh run
ISPPE2#sh running-config | sec ospf
router ospf 135 vrf sbi
redistribute bgp 1000 metric 1 subnets
network 172.16.1.8 0.0.0.3 area 1
network 172.16.1.16 0.0.0.3 area 1
network 172.16.1.20 0.0.0.3 area 1
network 172.16.1.28 0.0.0.3 area 1
router ospf 1
router-id 2.2.2.2
network 2.2.2.2 0.0.0.0 area 0
network 13.1.1.4 0.0.0.3 area 0
redistribute ospf 135 metric 1 match internal external 1 external 2
ISPPE2#sh running-config | sec bgp
redistribute bgp 1000 metric 1 subnets
router bgp 1000
bgp router-id 2.2.2.2
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 1000
neighbor 1.1.1.1 update-source Loopback0
neighbor 3.3.3.3 remote-as 1000
neighbor 3.3.3.3 update-source Loopback0
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
exit-address-family
!
address-family ipv4 vrf sbi
redistribute ospf 135 metric 1 match internal external 1 external 2
exit-address-family
ISPPE2#

AND DC CE RTR15

DCCE1#sh running-config int ser1/0
Building configuration...

Current configuration : 91 bytes
!
interface Serial1/0
ip address 172.16.1.26 255.255.255.252
serial restart-delay 0
end

DCCE1#sh running-config int e0/2
Building configuration...

Current configuration : 82 bytes
!
interface Ethernet0/2
ip address 172.16.1.22 255.255.255.252
duplex auto
end

DCCE1#sh running-config | sec ospf
router ospf 135
router-id 110.1.1.3
redistribute static subnets
network 172.16.1.20 0.0.0.3 area 1
network 172.16.1.24 0.0.0.3 area 1
network 172.16.110.0 0.0.0.255 area 1
DCCE1#sh ip os ne

Neighbor ID Pri State Dead Time Address Interface
110.1.1.14 1 FULL/DR 00:00:33 172.16.110.3 Ethernet0/0.110
172.16.1.37 0 FULL/ - 00:00:31 172.16.1.25 Serial1/0
172.16.1.29 1 FULL/DR 00:00:38 172.16.1.21 Ethernet0/2
DCCE1#

Where and what am I supposed to do? Your way is very difficult for me to understand, and WHY do we inject a default route on the CE router towards all BRs when the CUS is happy using OSPF with the MPLS WAN setup?

Please help me to understand this.

regards

Virendra P

router ospf 135

(this OSPF connects CE to PE, which must be in vrf sbi in the ISP)

Under this OSPF process in DC:

default-information originate

This makes DC OSPF inject a default to all CEs (BR) and makes them use DC to send traffic to public.

Dear MHM,

I understood the OSPF VRF SBI configuration part; where I am confused is what to use for DC to send traffic to public.

ISPPE2#sh running-config | sec ospf
router ospf 135 vrf sbi
redistribute bgp 1000 metric 1 subnets
network 172.16.1.8 0.0.0.3 area 1
network 172.16.1.16 0.0.0.3 area 1
network 172.16.1.20 0.0.0.3 area 1
network 172.16.1.28 0.0.0.3 area 1
default-information originate always

Do I need to allow this on all PE routers?

Are the red lines the traffic from branch to DC?
In DC OSPF you need to inject default information toward the MPLS SP.
Which step are you confused about?

Dear MHM,

Thanks for your detailed explanation. I just need a little more of your valuable time to make this configuration clear to me.

I advertised it as you suggested into the DC CE OSPF, and when I checked all the BRANCH OSPF routing tables, I got the output below:

CUSBRRTR1#sh ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 172.16.1.2 to network 0.0.0.0

O*E2 0.0.0.0/0 [110/1] via 172.16.1.2, 00:11:29, Serial1/0
THIS IS TRIGGERED IN THE OSPF DATABASE.

Do I need to do NATTING on INTERNET routers 35 and 36? If yes, then which NATTING is required to achieve the goal?

regards

Virendra P
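The following is an added illustration of the end-to-end path MHM describes (DC CE originating the default, the Internet routers doing the PAT), written for the interface names and LAN ranges given in this thread; it is not config from the original posts, and the route-map names, the static default next hop and the pool values are placeholders.

```cisco
! --- Internet router CUSINTRTR2 (repeat on its HSRP peer) ---
! ACL lists the exact LAN ranges from the question, so only those
! users are translated, not the whole 10.22.0.0/16 and 172.16.0.0/16.
ip access-list extended NAT_ACL
 permit ip 10.22.2.0 0.0.0.255 any
 permit ip 10.22.4.0 0.0.0.255 any
 permit ip 10.22.22.0 0.0.0.255 any
 permit ip 10.22.23.0 0.0.0.255 any
 permit ip 172.16.111.0 0.0.0.255 any
 permit ip 172.16.112.0 0.0.0.255 any
!
! LAN side toward SW22/SW23 (and through DC to HQ and the MPLS branches)
interface Ethernet0/3.10
 ip nat inside
!
! Both WAN uplinks are outside; PAT onto each uplink's own address, so no
! separate public pool is needed
interface Ethernet0/2
 ip nat outside
interface Ethernet0/0
 ip nat outside
!
! One PAT rule per uplink; "match interface" ties the translation to the
! link the packet actually exits (route-map names are placeholders)
route-map VIA_E0_2 permit 10
 match ip address NAT_ACL
 match interface Ethernet0/2
route-map VIA_E0_0 permit 10
 match ip address NAT_ACL
 match interface Ethernet0/0
ip nat inside source route-map VIA_E0_2 interface Ethernet0/2 overload
ip nat inside source route-map VIA_E0_0 interface Ethernet0/0 overload
!
! If a pool is preferred instead, it must be an "ip nat pool" with public
! addresses not used on any interface or HSRP group (placeholder values);
! the pasted config only has a "nat64 v4 pool 101", which
! "ip nat inside source list 101 pool 101" cannot use.
! ip nat pool PUB_POOL <public-start> <public-end> netmask <mask>
!
! Return traffic: this router needs routes to 10.22.0.0/16 and
! 172.16.0.0/16 via the L3 switches (assumed present, not shown on the page).
!
! --- DC CE router DCCE1: hand every branch a default over the MPLS VRF ---
! Static default toward the DC core / Internet HSRP VIP (placeholder);
! without "always", OSPF only originates the default while this route exists.
ip route 0.0.0.0 0.0.0.0 <dc-core-next-hop>
router ospf 135
 default-information originate
```

Translations are per router and are not shared between the HSRP pair, so sessions in progress when the active router fails are re-translated by the peer.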
