06-05-2019 12:11 PM
I have a Cisco 1921 Router. This router is a Transit router between my internal network and a client's network. I have a BGP partnership on both sides. My network is on GE 0/0 and my client's network is on GE 0/1.
I need a 1 to 1 NAT across this router into my client's network. On my internal side I have a local IP of 192.168.90.11. I need to NAT that IP to a Public IP of 100.XXX.XXX.XXX. The BGP partnership is up. But I am not advertising my NAT address of 100.XXX.XXX.XXX to my client. Thus I cannot get past his router, as he is only allowing that NAT IP address. Below is my current config. Any help is greatly appreciated!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 10.20.30.42 255.255.255.252
ip nat inside
ip virtual-reassembly in
duplex full
speed 100
!
interface GigabitEthernet0/1
description MPLS SiriusXM
ip address 10.255.90.1 255.255.255.252
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
!
router bgp 64517
bgp router-id 10.255.90.1
bgp log-neighbor-changes
neighbor 10.20.30.41 remote-as 65500
neighbor 10.255.90.2 remote-as 64536
!
address-family ipv4
network 10.20.30.40 mask 255.255.255.252
network 10.255.90.0 mask 255.255.255.252
network 100.XXX.XXX.XXX mask 255.255.255.255
network 172.65.84.0 mask 255.255.255.252
network 192.168.90.11 mask 255.255.255.255
redistribute connected
neighbor 10.20.30.41 activate
neighbor 10.255.90.2 activate
neighbor 10.255.90.2 soft-reconfiguration inbound
exit-address-family
!
ip default-gateway 10.255.90.2
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source static 192.168.90.11 100.XXX.XXX.XXX
ip nat outside source static 100.XXX.XXX.XXX 192.168.90.11
06-05-2019 12:50 PM
06-05-2019 02:02 PM
Hello Tyler,
The 100.xxx.xxx.xxx/32 has to be in the IP routing table for BGP to advertise it.
Use a loopback interface like:
conf t
interface loopback 100
ip address 100.xxx.xxx.xxx 255.255.255.255
description Public IP address
!
Being a /32 host route, a static route to Null0 is less preferred.
Hope to help
Giuseppe
06-05-2019 02:37 PM - edited 06-05-2019 02:39 PM
Thank you both for the quick response.
This router will only ever have this one job. So I'm ok with using Null0 at this time. I have configured Null0 as the route on the router, but I'm still getting blocked at the client router. Here are my interface / BGP details:
#show ip route 100.xxx.xxx.xxx 255.255.255.255
Routing entry for 100.xxx.xxx.xxx/32
Known via "static", distance 1, metric 0 (connected)
Advertised by bgp 64517
Routing Descriptor Blocks:
* directly connected, via Null0
Route metric is 0, traffic share count is 1
Looking in the BGP routing table I'm able to find:
100.xxx.xxx.xxx/32 0.0.0.0 0 32768 i
Still not sure if the issue is on my end or his end at this point in time.
06-05-2019 03:00 PM
I'd like to help you and I need more details for that.
- How are you testing?
- Is it with a traceroute?
- Are you originating this traceroute from 192.168.90.11?
- What IP are you trying to traceroute to?
06-05-2019 03:11 PM
Via traceroute.
The traceroute does originate from 192.168.90.11.
Tracing route to 209.196.210.224 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.90.1
2 <1 ms <1 ms <1 ms 10.20.30.42
3 <1 ms <1 ms <1 ms 10.255.90.2
4 * * * Request timed out.
5 * * * Request timed out.
The IP I'm trying to reach is one of 210 different subnets on his end.
06-05-2019 03:22 PM - edited 06-05-2019 07:35 PM
Could you please remove ip nat outside source static 100.XXX.XXX.XXX 192.168.90.11?
Now, when doing the traceroute again, capture its result and the output of show ip nat translations | include 192.168.90.11|Pro from the Router.
Regards.
06-06-2019 07:05 AM
Hello Hector, please see below for the output:
#show ip nat translations | include 192.168.90.11 | pro
--- 100.xxx.xxx.xxx 192.168.90.11 --- ---
06-06-2019 07:08 AM
06-06-2019 08:51 AM
Hi @TylerLuce6545,
1. Is 209.196.210.224 the exact IP address you are trying to reach as seen in your last traceroute output?
The last traceroute shared looks good all the way to the ISP and we see it die after your Router (ISP is the last reply we receive)
Let's make sure that NAT translations are happening.
2. Capture the traceroute output and at the same time the complete output of show ip nat translations | include 192.168.90.11|Pro from the Router which should show additional translations being created just after you execute the traceroute.
You can sanitize your IP addresses.
With traffic generated from a host behind your ip nat inside, you do not need that ip nat outside source static 100.XXX.XXX.XXX 192.168.90.11.
You can use ip nat outside source static when you are also looking to translate the destination IP before and after the traffic passes through the Router.
Cheers.
06-06-2019 09:42 AM
1. Yes, that is one of a few different addresses I'm trying to reach, but as long as we hit this one, the rest should follow suit. No ISP is involved with this connection; it's all private to private peering. The last hop on the traceroute is my client's edge router - 10.255.90.2. He is only allowing the NAT IP of 100.XXX.XXX.XXX to enter his environment. I only have one device that needs to enter his environment - 192.168.90.11, but I must mask my address of 192.168.90.11 to a public address so as to not cause an IP conflict on his end. Also, when any device on his end needs to talk to my device, they will be contacting that 100.xxx.xxx.xxx public IP.
2. I have not yet removed the NAT outside at this time, but here is the output you're looking for:
C:\Users\Administrator>tracert 209.196.210.224
Tracing route to 209.196.210.224 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.90.1
2 <1 ms <1 ms <1 ms 10.20.30.42
3 <1 ms <1 ms <1 ms 10.255.90.2
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.
Trace complete.
#show ip nat translations | include 192.168.90.11|Pro
Pro Inside global Inside local Outside local Outside global
--- --- --- 192.168.90.11 100.xxx.xxx.xxx
--- 100.xxx.xxx.xxx 192.168.90.11 --- ---
06-06-2019 11:34 AM - edited 06-06-2019 11:37 AM
Thank you @TylerLuce6545,
Take into consideration that when you start the traceroute (or any traffic) from 192.168.90.11 to reach 209.196.210.224, your client (when he receives such traffic) will see the traffic as follows:
IP_SRC: 100.XXX.XXX.XXX
IP_DST: 209.196.210.224
Advertising 100.XXX.XXX.XXX via BGP to your client is perfectly fine but that does not guarantee that your client is redistributing (or similar) that 100.XXX.XXX.XXX into the rest of his network. Your client's network must know how to reach 100.XXX.XXX.XXX which is back to you in order to send traffic or reply to you.
When your customer wants to originate traffic to your 192.168.90.11, he should target 100.XXX.XXX.XXX.
Now, you do not need ip nat outside source static 100.XXX.XXX.XXX 192.168.90.11 for that.
Perhaps you think you need it to allow your customer to communicate with you but that is not accurate.
All you need is ip nat inside source static 192.168.90.11 100.XXX.XXX.XXX
Finally, why do you have network 192.168.90.11 mask 255.255.255.255 under the BGP configuration? Do you really need to advertise 192.168.90.11/32 to your client? I believe you are probably not advertising it unless show ip route 192.168.90.11 255.255.255.255 shows the exact /32 in its output and show ip bgp shows the 192.168.90.11/32 in the BGP table.
I think the Router is translating (NATting) correctly, because:
a) Traceroute shows 10.255.90.2 as the last hop.
and
b) You are not really advertising 192.168.90.11/32 via BGP to your client and still the traceroute you shared shows 10.255.90.2 replies to you.
In that scenario, you are all good here but your client needs to make sure that their Routing infrastructure knows how to reach 100.XXX.XXX.XXX which is back to your Router.
Please let me know if you have any concerns.
Cheers.
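Pulling the thread's advice together as one added IOS configuration example (not from any poster; the /32, AS number and peer addresses come from the thread, the prefix-list and route-map names are my own): the public /32 is anchored on a loopback as Giuseppe suggested so BGP will originate it, only the inside static NAT is kept as Hector advised, and an outbound prefix-list keeps the private /32 and the redistributed connected links from being advertised to the client.

```cisco
! Anchor the public /32 in the RIB so the BGP network statement can originate it
interface Loopback100
 description Public IP presented to client (1:1 NAT for 192.168.90.11)
 ip address 100.XXX.XXX.XXX 255.255.255.255
!
! One static translation is enough: inside->outside rewrites the source to
! 100.XXX.XXX.XXX, and replies addressed to 100.XXX.XXX.XXX are rewritten back
no ip nat outside source static 100.XXX.XXX.XXX 192.168.90.11
ip nat inside source static 192.168.90.11 100.XXX.XXX.XXX
!
! Only the public /32 goes to the client; the private /32 and the
! redistributed connected /30s are dropped (explicit catch-all deny)
ip prefix-list TO-CLIENT seq 10 permit 100.XXX.XXX.XXX/32
ip prefix-list TO-CLIENT seq 100 deny 0.0.0.0/0 le 32
!
route-map CLIENT-OUT permit 10
 match ip address prefix-list TO-CLIENT
!
router bgp 64517
 address-family ipv4
  no network 192.168.90.11 mask 255.255.255.255
  network 100.XXX.XXX.XXX mask 255.255.255.255
  neighbor 10.255.90.2 route-map CLIENT-OUT out
 exit-address-family
!
! Apply the new outbound policy without tearing down the session, then check:
!   clear ip bgp 10.255.90.2 soft out
!   show ip bgp neighbors 10.255.90.2 advertised-routes  (expect only 100.XXX.XXX.XXX/32)
!   show ip nat translations                            (icmp/tcp rows with inside global 100.XXX.XXX.XXX
!                                                        appear while a test from 192.168.90.11 runs)
```

If the advertised-routes output is correct and translations appear during the test, the remaining work is on the client side: their network must carry a route for 100.XXX.XXX.XXX/32 back to 10.255.90.1.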
06-05-2019 03:02 PM
Hello,
Where on the inside is 192.168.90.11? I do not see that subnet/host anywhere in the configuration you have posted.
06-05-2019 03:16 PM
06-06-2019 07:57 AM
Hi Georg,
After looking a bit deeper into your statement, I think you're onto something. I have another router in a different environment that has an almost identical setup. Looking through the IPv4 address family on that side, it does list my internal network, while the one I'm working on does not, even though it is learning my network via BGP. How would I go about adding my 192.168.90.0/24 network into that address family?