Route NAT and non-NAT over same interface

AdeyC
Level 1

Hi there,

Hope someone can point me in the right direction on this one.

We are moving some AD servers to Azure and the on-prem servers need to access these without being NAT’d at our current NAT boundary router. Our access to Azure/Internet etc. is via a private network and is supplied by a third party telco. They have given us a large (/22) IP range (10.10.0.0/22 for argument's sake) of which we use very little. 10.10.0.1/22 is the telco router and our ‘outside’ interface/NAT boundary is on 10.10.0.2/22 and most outbound traffic is overloaded to this address. There are some static 1:1 NATs in the first 254 addresses which we need to keep for now.

I now need to create a new subinterface on the ‘inside’ for some AD servers that can’t be NAT’d to prevent latency to the Azure servers.  My plan was to use 10.10.3.0/26 for this subnet and change the subnet mask of the outside interface to a /24 to encompass all the current 1:1 NATs. 

Extract of the relevant parts of the config:

!
interface GigabitEthernet0/0
 no ip address
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 description Client1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.2
 description Voice
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.8   <----add new subinterface for servers that shouldn't be NAT'd----
 description non-NATd SERVERS
 encapsulation dot1Q 8
 ip address 10.10.3.1 255.255.255.192   <----10.10.3.0 is the subnet address itself and IOS will reject it; use a host address from 10.10.3.0/26 such as 10.10.3.1----
!
interface GigabitEthernet0/1
 description 100Mbps OUTSIDE
 ip address 10.10.0.2 255.255.252.0 <----Change this to 10.10.0.2 255.255.255.0-----
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0
 description 100Mb to DATACENTRE
 ip address 192.168.250.5 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
 duplex full
 speed 100
 service-policy output qos-policy
!
ip nat inside source list 99 interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.222.5 10.10.0.5
.
.
ip nat inside source static 192.168.1.80 10.10.0.80
ip route 0.0.0.0 0.0.0.0 10.10.0.1

access-list 99 permit 192.168.0.0 0.0.255.255

However, I’ve since found the nugget of information below and guess this isn’t going to help my case with trying to reduce latency.  Therefore, can anyone tell me what my other options are?  I know it mentions PBR below but how would that be used in this scenario?

"When you configure Network Address Translation (NAT) on an interface, that interface becomes optimized for NAT packet flow. Any nontranslated packet that flows through the NAT interface goes through a series of checks to determine whether the packet must be translated or not. These checks result in increased latency for nontranslated packet flows and thus negatively impact the packet processing latency of all packet flows through the NAT interface. We highly recommend that a NAT interface must be used only for NAT-only traffic. Any non-NAT packets must be separated and these packets must go through an interface that does not have NAT configured on it. You can use Policy-Based Routing (PBR) for separating non-NAT traffic."

And one more thing – I do have a spare 2GE NIM for the router if using a physically different interface somewhere will help.

Many thanks in advance,

AC
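To show how the PBR separation in the quoted Cisco note would look in this setup, here is an added configuration example (not part of the original post and not the poster's config). Note that with the posted access-list 99, packets sourced from 10.10.3.0/26 are never translated anyway; the only reason for steering them elsewhere is that they would otherwise still traverse the NAT-optimised Gi0/1 and pay the per-packet check the note describes. The example assumes a second, NAT-free link to the telco on subinterface Gi0/1.8 (VLAN 8 on the telco side), addressed from a hypothetical 10.10.3.64/30 (10.10.3.65 telco, 10.10.3.66 this router); the interface, VLAN, ACL and route-map names are all assumptions.

```cisco
! Added example, not the original poster's configuration.
! Assumed: Gi0/1.8 / VLAN 8 toward the telco, 10.10.3.64/30 as the link
! subnet (10.10.3.65 = telco, 10.10.3.66 = this router).
!
! Inside subinterface for the servers: a host address (not the subnet
! address) and deliberately no "ip nat inside". The policy is applied
! here because PBR acts on packets entering an interface.
interface GigabitEthernet0/0.8
 description non-NATd SERVERS
 encapsulation dot1Q 8
 ip address 10.10.3.1 255.255.255.192
 ip policy route-map NONAT-TO-TELCO
!
! Second outside subinterface, also without any NAT statement, so the
! servers' packets never cross a NAT interface in either direction.
interface GigabitEthernet0/1.8
 description NAT-free link to telco (assumed VLAN 8)
 encapsulation dot1Q 8
 ip address 10.10.3.66 255.255.255.252
!
! Only the server subnet is policy-routed, and only for destinations
! that are not on the internal 192.168.0.0/16 LANs; without the deny
! line, server-to-LAN traffic would be pushed out to the telco as well.
ip access-list extended NONAT-SERVERS
 remark keep intra-site traffic on normal routing
 deny   ip 10.10.3.0 0.0.0.63 192.168.0.0 0.0.255.255
 permit ip 10.10.3.0 0.0.0.63 any
!
route-map NONAT-TO-TELCO permit 10
 match ip address NONAT-SERVERS
 set ip next-hop 10.10.3.65
!
! Everything else (192.168.x sources) is untouched by the route-map and
! keeps using the global default route via 10.10.0.1 with NAT on Gi0/1.
```

Return traffic is the other half: the telco must route 10.10.3.0/26 toward 10.10.3.66 on the new link, which is a request to them rather than anything this router can configure. To confirm the policy is actually being hit, `show route-map NONAT-TO-TELCO` reports the policy-routing match counters and `show ip nat translations` should never list a 10.10.3.x inside address.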

2 Accepted Solutions

pigallo
Cisco Employee

Hello,

To avoid NAT completely, and thus reduce latency as much as possible, you could do the following:

Create another subif on the OUTSIDE Gig0/1 port (like Gi0/1.x).

You won't configure NAT on this subif, nor on GigabitEthernet0/0.8 (the inside port that you already created).
Once configuration is terminated, you should change routing on your 'unNatted' servers, which will now point to the new inside interface Gi0/0.8 IP address as GW.
And return routing from the TELCO going to those 'unNatted' addresses should point to the new address assigned to outside port Gi0/1.x which was previously created.

If such new interfaces (Gi0/1.x + Gi0/0.8) belong to a common VRF, you won't need PBR as traffic will be forced to ingress/egress only via VRF interfaces. Of course you'll need another static default within the VRF to ensure proper routing to the TELCO GW and proper returning routes as said earlier.

p.s. you could also use the 2G NIM to achieve this setup and have physical separation as well. However, this depends on architecture requirements (bandwidth guaranteed, throughput, etc.).

Best regards,

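The VRF-lite variant described in the reply above, written out as an added example (it is not pigallo's or the poster's configuration). It assumes a VRF named NONAT, a telco-facing subinterface Gi0/1.8 (VLAN 8) addressed from a hypothetical 10.10.3.64/30 (10.10.3.65 telco, 10.10.3.66 this router), and a host address of 10.10.3.1 on the existing Gi0/0.8; all of those names and numbers are assumptions. The same outside stanza applies unchanged to a physical NIM port (the p.s. above), minus the encapsulation line.

```cisco
! Added example, not the reply author's configuration.
! Assumed: VRF "NONAT", Gi0/1.8 / VLAN 8 toward the telco,
! link subnet 10.10.3.64/30 (10.10.3.65 = telco, 10.10.3.66 = router).
!
vrf definition NONAT
 address-family ipv4
 exit-address-family
!
! Inside side: the server subnet. Putting an interface into a VRF clears
! its IP address, so the address is applied after "vrf forwarding".
! No "ip nat inside" here.
interface GigabitEthernet0/0.8
 description non-NATd SERVERS
 encapsulation dot1Q 8
 vrf forwarding NONAT
 ip address 10.10.3.1 255.255.255.192
!
! Outside side: second subif on the same physical port, no "ip nat
! outside". On a NIM port the stanza is identical without the
! encapsulation line.
interface GigabitEthernet0/1.8
 description NAT-free link to telco (assumed VLAN 8)
 encapsulation dot1Q 8
 vrf forwarding NONAT
 ip address 10.10.3.66 255.255.255.252
!
! The VRF has its own routing table: the global
! "ip route 0.0.0.0 0.0.0.0 10.10.0.1" is not visible inside NONAT,
! so it needs its own default toward the telco.
ip route vrf NONAT 0.0.0.0 0.0.0.0 10.10.3.65
!
! No PBR is needed: a packet arriving on Gi0/0.8 is looked up in NONAT,
! whose only exit is Gi0/1.8, and neither interface is a NAT interface.
! The telco must still route 10.10.3.0/26 back toward 10.10.3.66.
```

Useful checks once applied: `show ip route vrf NONAT` should show the connected 10.10.3.0/26 and the static default via 10.10.3.65, `ping vrf NONAT 10.10.3.65` confirms the link, and `show ip nat translations` should never contain a 10.10.3.x address. One caveat the reply does not cover: a VRF isolates the servers from the global table, so if they must also talk to the 192.168.x LANs (typical for AD), routes have to be leaked between the VRF and the global table in both directions, which is a separate piece of design.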

Thanks pigallo,

I'm going along these lines.  I've contacted the telco who are going to create a separate interface on their router and will route all traffic to the non-NAT server range to this.  I'm going to add the spare NIM and connect to this new interface (without NAT) and put a static route in for the Azure range to exit via this new connection.

Many thanks

Adey


3 Replies

Hello,

'latency' in this case is relative. Depending on what applications you are using, you might not even notice the difference between translated and non-translated traffic. And then of course there is always QoS, which lets you prioritize non-translated traffic, if that is required.
