Non-working NAT on Catalyst 9410R

kz-support · ‎07-26-2024

Hello

We have a problem with NAT translation on the Catalyst 9410R (IOS-XE 17.6.4) - NAT not working but pings do.

Part of config is below:

ip nat inside source list 1 interface Vlan1111 vrf MMM overload

interface Vlan1111

ip vrf forwarding MMM

ip address dhcp

ip nat outside

interface Vlan666

description *** MMM ***

ip vrf forwarding MMM

ip address 172.25.0.1 255.255.255.0

ip nat inside

Standard IP access list 1

10 permit 172.25.0.0, wildcard bits 0.0.0.255 (19072 matches)

We tryed to configure static IP on the outside interface, but problem remains the same.

===========================================================================

Jul 10 14:58:26.255 MSK: NAT: New Inside Entry: couldn't allocate port 50353 for 172.16.20.72 Protocol: 17

Jul 10 14:58:26.255 MSK: NAT: translation failed (A), dropping packet s=172.25.4.77 d=185.128.196.254

Jul 10 14:58:26.255 MSK: NAT: New Inside Entry: couldn't allocate port 49165 for 172.16.20.72 Protocol: 17

Jul 10 14:58:26.255 MSK: NAT: translation failed (A), dropping packet s=172.25.4.77 d=185.128.196.254

Jul 10 14:58:26.350 MSK: NAT: New Inside Entry: couldn't allocate port 50935 for 172.16.20.72 Protocol: 17

Jul 10 14:58:26.350 MSK: NAT: translation failed (A), dropping packet s=172.25.4.11 d=8.8.8.8

Jul 10 14:58:27.105 MSK: NAT: New Inside Entry: couldn't allocate port 51554 for 172.16.20.72 Protocol: 17

Jul 10 14:58:27.105 MSK: NAT: translation failed (A), dropping packet s=172.25.4.143 d=8.8.8.8

Jul 10 14:58:27.186 MSK: NAT: New Inside Entry: couldn't allocate port 56192 for 172.16.20.72 Protocol: 17

paul driver · ‎07-26-2024

Hello
Can you elaborate a little on the current topology, inter-vrf nat on XE can also be accomplished using VASI network translation depending if those 9400s support it.

When you sate static routing, is this within the VRF rib towards the global route table (GRT), Maybe post a diagram on your current setup?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

MHM Cisco World · ‎07-26-2024

Add to your NAT

Match-in-vrf

And check again

MHM

kz-support · ‎07-26-2024

there's no such option

MHM Cisco World · ‎07-26-2024

ip nat inside source list access-list-number pool pool-name [vrf vrf-name [match-in-vrf]] <<- this only for ASR run IOS XE not for car9K

MHM

MHM Cisco World · ‎07-26-2024

VRF-aware NAT supports only VRF to Global translation of IP addresses. VRF to Global translation is between a NAT inside interface that is associated with a specific VRF and a NAT outside interface that is associated with the global VRF. Intra-VRF NAT translation (which involves the NAT-inside and NAT-outside interfaces of the same specific VRF) and Inter-VRF NAT translation (which involves NAT-inside and NAT-outside interfaces that are associated with different VRFs) are not formally supported. NAT behavior is undefined in such unsupported scenarios. We recommend that you deploy only the VRF to Global NAT translation in your network.

it not support in cat9000 platform

sorry for this bad news

you need to change one side to global to work

MHM

paul driver · ‎07-26-2024

Hello

@kz-support wrote:

Hello

Post a topology diagram and maybe the run cfg of the rtr please

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Giuseppe Larosa · ‎07-26-2024

Hello @kz-support ,

given your ACL definition :

>>

Standard IP access list 1

10 permit 172.25.0.0, wildcard bits 0.0.0.255 (19072 matches)

your interface Vlan 666

configuration

>> ip address 172.25.0.1 255.255.255.0

in the logs we see that the source IP address is out of 172.25.0.0/24

>> Jul 10 14:58:26.255 MSK: NAT: translation failed (A), dropping packet s=172.25.4.77 d=185.128.196.254

if you have other subnets downstream the switch that need to be NATTed you have to change your ACL 1 used in the NAT to accomodate for their translation to happen.

Hope to help

Giuseppe