11-27-2021 02:49 AM
Hello,
I'm running C8000v 17.6.1a and found that PAT to connected addresses works, but inside addresses visible over OSPF from the L3 switch are not working. NAT to outside networks from the same network works fine. Any ideas how to make PAT to non-connected networks work? Here is my config:
ip nat inside source static tcp 100.123.0.1 25 1.1.1.1 25 extendable ! connected
ip nat inside source static udp 10.255.255.2 22 1.1.1.1 2222 extendable ! known via ospf
!
COBALT-RTR#sh ip route 100.123.0.1
Routing entry for 100.123.0.0/25
Known via "connected", distance 0, metric 0 (connected, via interface)
Redistributing via bgp 65123
Advertised by bgp 65123 route-map RD-OUT
Routing Descriptor Blocks:
* directly connected, via GigabitEthernet2
Route metric is 0, traffic share count is 1
COBALT-RTR#sh ip route 10.255.255.2
Routing entry for 10.255.255.0/27
Known via "ospf 65123", distance 110, metric 2, type inter area
Redistributing via bgp 65123
Advertised by bgp 65123 route-map RD-OUT
Last update from 100.123.0.253 on GigabitEthernet4, 1w0d ago
Routing Descriptor Blocks:
* 100.123.0.253, from 100.123.15.11, 1w0d ago, via GigabitEthernet4
Route metric is 2, traffic share count is 1
Regards,
Maxim
11-27-2021 05:02 AM
Hello,
Odd. Does dynamic NAT/PAT work with these remote hosts?
11-27-2021 05:14 AM
You mean this?
ip nat inside source list NAT interface BDI1 overload
Yes, NAT from inside to outside works.
11-27-2021 05:39 AM
Hello,
Post your running config, maybe we can spot something...
11-27-2021 05:49 AM
Here is the NAT-related config; 1.1.1.1 is the IP on BDI1 assigned by DHCP.
COBALT-RTR#sh run int bdi1
Building configuration...
Current configuration : 183 bytes
!
interface BDI1
description #-- WAN L3
mac-address 0050.56a0.d9d7
ip address dhcp
ip nbar protocol-discovery
ip nat outside
load-interval 30
no mop enabled
no mop sysid
end
COBALT-RTR#sh run int g4
Building configuration...
Current configuration : 314 bytes
!
interface GigabitEthernet4
description #-- COBALT Interconnect
mtu 9000
ip address 100.123.0.254 255.255.255.248
ip nbar protocol-discovery
ip nat inside
load-interval 30
negotiation auto
cdp enable
no mop enabled
no mop sysid
service-policy output SHAPE-LAN
end
COBALT-RTR#sh run int g2
Building configuration...
Current configuration : 310 bytes
!
interface GigabitEthernet2
description #-- Internal
ip address 100.123.0.126 255.255.255.128
ip nbar protocol-discovery
ip nat inside
load-interval 30
negotiation auto
cdp enable
no mop enabled
no mop sysid
service-policy output SHAPE-LAN
end
COBALT-RTR#sh run | i ip nat
ip nat inside
ip nat inside
ip nat outside
no ip nat service all-algs
ip nat inside source static tcp 100.123.0.1 25 1.1.1.1 25 extendable
ip nat inside source static tcp 100.123.0.1 53 1.1.1.1 53 extendable
ip nat inside source static udp 100.123.0.1 53 1.1.1.1 53 extendable
ip nat inside source static tcp 100.123.0.5 80 1.1.1.1 80 extendable
ip nat inside source static udp 10.255.255.2 22 1.1.1.1 2222 extendable
ip nat inside source static tcp 10.255.255.25 32400 1.1.1.1 32400 extendable
ip nat inside source static udp 10.255.255.2 51402 1.1.1.1 51402 extendable
ip nat inside source static udp 10.255.255.3 51403 1.1.1.1 51403 extendable
ip nat inside source list NAT interface BDI1 overload
COBALT-RTR#sh access-l NAT
Extended IP access list NAT
10 deny ip any 10.0.0.0 0.255.255.255
20 deny ip any 172.16.0.0 0.15.255.255
30 deny ip any 192.168.0.0 0.0.255.255
40 deny ip any 100.123.0.0 0.0.15.255
50 deny ip host 100.123.0.16 any log
60 permit ip 100.123.0.0 0.0.15.255 any
70 permit ip 10.255.255.0 0.0.0.255 any
80 permit ip 172.31.254.0 0.0.0.255 any
COBALT-RTR#
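As an added check (my own script, not from the thread or the device), a small Python audit over the static entries and ACL NAT posted above: it flags static-NAT hosts that the overload ACL still permits, which is the overlap the later replies raise, and static entries whose protocol does not match the standard service on that inside port. The outside address 203.0.113.10 and the tcp-only service table are assumptions.

```python
import ipaddress, re
# Constructed from the "sh run | i ip nat" and "sh access-l NAT" output posted above (not a live device).
NAT_STATICS = """
ip nat inside source static tcp 100.123.0.1 25 1.1.1.1 25 extendable
ip nat inside source static tcp 100.123.0.1 53 1.1.1.1 53 extendable
ip nat inside source static udp 100.123.0.1 53 1.1.1.1 53 extendable
ip nat inside source static tcp 100.123.0.5 80 1.1.1.1 80 extendable
ip nat inside source static udp 10.255.255.2 22 1.1.1.1 2222 extendable
ip nat inside source static tcp 10.255.255.25 32400 1.1.1.1 32400 extendable
ip nat inside source static udp 10.255.255.2 51402 1.1.1.1 51402 extendable
ip nat inside source static udp 10.255.255.3 51403 1.1.1.1 51403 extendable
"""
NAT_ACL = """
10 deny ip any 10.0.0.0 0.255.255.255
20 deny ip any 172.16.0.0 0.15.255.255
30 deny ip any 192.168.0.0 0.0.255.255
40 deny ip any 100.123.0.0 0.0.15.255
50 deny ip host 100.123.0.16 any log
60 permit ip 100.123.0.0 0.0.15.255 any
70 permit ip 10.255.255.0 0.0.0.255 any
80 permit ip 172.31.254.0 0.0.0.255 any
"""
STATIC_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
TCP_SERVICES = {22: "ssh", 25: "smtp", 80: "http"}  # tcp-only services; assumes inside hosts run the standard service
def parse_addr(tok):  # any | host X | X WILDCARD (contiguous wildcard assumed) -> (network, tokens used)
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), 2
    prefix = 32 - int(ipaddress.ip_address(tok[1])).bit_length()
    return ipaddress.ip_network(f"{tok[0]}/{prefix}", strict=False), 2
def acl_permits(acl_text, src, dst, proto):
    # First match in sequence order decides, implicit deny at the end; "eq PORT" qualifiers are skipped
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for t in sorted((l.split() for l in acl_text.splitlines() if l.strip()), key=lambda t: int(t[0])):
        action, ace_proto, rest = t[1], t[2], t[3:]
        snet, n = parse_addr(rest)
        rest = rest[n + 2:] if rest[n:n + 1] == ["eq"] else rest[n:]
        if ace_proto in ("ip", proto) and src in snet and dst in parse_addr(rest)[0]:
            return action == "permit"
    return False
def audit(statics_text, acl_text, outside="203.0.113.10"):
    # Two checks: static proto vs. the standard service on that port, and static-NAT hosts still matched by ACL NAT
    findings = []
    for proto, inside, iport, _gip, _gport in STATIC_RE.findall(statics_text):
        if proto == "udp" and int(iport) in TCP_SERVICES:
            findings.append(f"{inside}:{iport} is a udp static but {TCP_SERVICES[int(iport)]} runs over tcp")
        if acl_permits(acl_text, inside, outside, proto):
            findings.append(f"{inside} has a static entry but ACL NAT still permits it for {proto}")
    return list(dict.fromkeys(findings))  # de-duplicate, keep order
```

Prepending a line such as `5 deny tcp host 10.255.255.2 eq 22 any` to `NAT_ACL` shows the deny only affects tcp from that host; udp from it still hits sequence 70.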
11-27-2021 05:18 AM
Hello
Is the internal host 10.255.255.2 open for port 2222?
From within your internal network, are you able to connect to it with
telnet 10.255.255.2 2222
11-27-2021 05:39 AM
Sure, it listens for SSH but on port 22. If I connect to the WAN IP from outside I don't see attempts in the NAT debug.
11-27-2021 06:01 AM - edited 11-27-2021 06:03 AM
Hello
Okay, if you can externally SSH to 1.1.1.1 2222 and you obtain a connection to that specific internal host, I would say it's working.
Lastly, I don't see this internal host being denied in the NAT ACL, which I would expect it to be, as it has its own static NAT entry so it doesn't need to be allowed.
11-27-2021 06:10 AM
That is the problem: with debug ip nat 1 detailed I don't see any events when trying to telnet to the router IP on port 2222. The IP from which I am trying to connect is permitted in ACL 1.
Do you mean I need to put deny tcp 10.255.255.2 22 any into acl NAT?
11-27-2021 07:36 AM - edited 11-27-2021 07:40 AM
Hello
Do you see anything in the nat translation table?
sh ip nat translations
Also, regarding the NAT ACL: yes, I would deny that host within that ACL, as you have a static NAT statement so NAT doesn't need to call upon the ACL for it, unless, that is, you want that host to initiate other dynamic PAT connections; if so, leave it allowed.
11-27-2021 08:24 AM - edited 11-27-2021 08:29 AM
Of course there are translations: users and servers connect to the Internet through this router. I see translation rules for working and not working translations but don't see active not working translations:
COBALT-RTR#sh ip nat translations | i :25
tcp 1.1.1.1:25 100.123.0.1:25 --- ---
tcp 1.1.1.1:25 100.123.0.1:25 193.163.125.7:39915 193.163.125.7:39915
udp 1.1.1.1:51402 10.255.255.2:51402 93.81.216.198:25717 93.81.216.198:25717
COBALT-RTR#sh ip nat translations | i :22
udp 1.1.1.1:2222 10.255.255.2:22 --- ---
I put deny rule 5 deny tcp host 10.255.255.2 eq 22 any, but there are no changes.
11-27-2021 09:02 AM
Hello
@Maxim Denisov wrote:
but don't see active not working translations:
You will not see any "active not working translations" if nothing is initiated for them, as they are dynamically created. The only "active not working translations" you will see are static ones.
11-27-2021 09:05 AM
I know, I started telnet to port 2222 a second before issuing sh ip nat translations.