Static NAT

wasiimcisco
Level 1

I am facing a problem with NAT on a Cisco router.

I am running BGP with one of my customers that has a server (195.1.x.1). I am getting the BGP routes, but I don't want to route the 195.x.x.x subnet in my network.

My LAN is 192.168.0.0/16

Remote LAN server: 195.1.x.1

I want to NAT 195.1.x.1 to 172.16.15.8 so that I can avoid routing public IP addresses in my network and users can still access the web server located at 195.1.x.1.

I have tried static NAT but it is not working for me. I can't telnet to port 80 from the client machine 192.168.80.89 to the NATted IP address 172.16.15.8.

I have also attached the configuration for your information.

!
!
interface FastEthernet0
description ***CONNECTED TO WAN******
ip address 10.15.1.101 255.255.255.252
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Vlan200
description **CONNECTED TO LAN****
ip address 172.16.15.7 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
!
router bgp 1100
no synchronization
bgp log-neighbor-changes
network 172.16.15.8 mask 255.255.255.255
neighbor 10.15.1.102 remote-as 11517
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.15.1


!
ip nat outside source static 195.1.100.53 172.16.15.8
!
!
ip access-list extended ACL_AD
permit ip any host 172.16.15.8
!
end

AD_R01#show ip bgp summary
BGP router identifier 172.16.15.7, local AS number 1100
BGP table version is 24, main routing table version 24
22 network entries using 2640 bytes of memory
22 path entries using 1144 bytes of memory
4/3 BGP path/bestpath attribute entries using 496 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
1 BGP extended community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 4352 total bytes of memory
BGP activity 45/23 prefixes, 45/23 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.15.1.102     4 11517    1860    1858       24    0    0 15:18:20       22


AD_R01#show ip route bgp
B    192.168.242.0/24 [20/0] via 10.15.1.102, 15:17:52
B    192.168.240.0/24 [20/0] via 10.15.1.102, 15:17:52
B    192.168.229.0/24 [20/0] via 10.15.1.102, 15:17:52
     10.0.0.0/8 is variably subnetted, 18 subnets, 2 masks
B       10.15.1.12/30 [20/0] via 10.15.1.102, 15:17:52
B       10.15.1.8/30 [20/0] via 10.15.1.102, 15:17:52
B       10.15.1.20/30 [20/0] via 10.15.1.102, 15:17:52
B       10.15.1.16/30 [20/0] via 10.15.1.102, 15:17:52
B       10.1.29.0/24 [20/0] via 10.15.1.102, 15:17:52
B       10.15.1.28/30 [20/0] via 10.15.1.102, 15:17:52
B       10.15.1.24/30 [20/0] via 10.15.1.102, 15:17:52
B       10.15.1.32/30 [20/0] via 10.15.1.102, 15:17:52
B       10.15.1.48/30 [20/0] via 10.15.1.102, 15:17:52
B       10.15.1.60/30 [20/0] via 10.15.1.102, 15:17:52
B       10.15.1.56/30 [20/0] via 10.15.1.102, 15:17:52
B       10.15.1.64/30 [20/0] via 10.15.1.102, 15:17:52
B       10.15.1.84/30 [20/0] via 10.15.1.102, 15:17:52
B       10.15.1.88/30 [20/0] via 10.15.1.102, 15:17:52
B       10.15.1.108/30 [20/0] via 10.15.1.102, 15:17:52
B       10.15.1.112/30 [20/0] via 10.15.1.102, 15:17:52
B       10.200.30.0/24 [20/0] via 10.15.1.102, 15:17:52
     195.1.100.0/24 is variably subnetted, 2 subnets, 2 masks
B       195.1.100.0/24 [20/0] via 10.15.1.102, 15:17:52

AD_R01#show run | in static

ip nat outside source static 195.1.100.53 172.16.15.8

AD_R01#show ip nat translations

Pro Inside global         Inside local          Outside local         Outside global
--- ---                   ---                   172.16.15.8           195.1.100.53

Please let me know what I am missing and why I can't reach the destination.

8 Replies

Jon Marshall
Hall of Fame

Okay, the only way I could get this to work was to use an address that was not part of the subnet used on the router interface. When I used an address from the router interface subnet, the router simply responded on behalf of the remote address but the packet didn't get sent any further than the router.

You say your LAN is 192.168.0.0/16. So does the LAN device that does the routing have a default route pointing to your BGP router? If so, then choose an address from a subnet that is not used in your LAN, e.g. 172.16.6.1 (which is still private).

Then modify your config -

ip nat outside source static 195.1.100.53 172.16.6.1

Because of the order of NAT you also need a route for 172.16.6.1, i.e. -

ip route 172.16.6.1 255.255.255.255 10.15.1.102

That should do it. If your LAN router/L3 switch does not have a default route pointing to your BGP router then you would need to advertise the 172.16.6.1 address into your LAN from the BGP router.

Jon

Thanks for the reply.

LAN (192.168.0.0/16)   ===>Firewall (172.16.15.1) ========>(172.16.15.7)WAN Router with BGP  ==========>Remote Site with BGP (195.x.x)
                                                            |
                                                            |
                                                            |
                                                            Internet

The LAN has a default route towards the firewall.

The WAN router has a default route back towards the firewall.

I am getting the BGP route from the branch router:

*> 172.16.15.0/24   0.0.0.0                  0         32768 i
*> 195.1.100.0      10.15.1.102                            0 62217 62217 i

BGP router NAT configuration:

ip nat outside source static 195.1.100.53 172.16.6.7

ip route 0.0.0.0 0.0.0.0 172.16.15.1

-----------------------------------------------------------------------------------------------

The firewall has a static route for the BGP router:

route partners 172.16.6.7 255.255.255.255 172.16.15.7

---------------------------------------------------------------------------------------------------

After changing the NAT configuration I now can't even ping the NATted IP address of 195.x.x.x (172.16.6.7). Earlier, when I was using 195.1.100.53 172.16.6.7, I was able to ping, but now I can't.

Please let me know how to solve this problem.

One more question: why do I need this static route in the configuration?

ip route 172.16.6.7 255.255.255.255 10.15.1.102

I am doing static NAT

ip nat outside source static 195.1.100.53 172.16.6.7 and I am learning the destination 195.1.100.53 from BGP.

Then why do I need the static route, because 172.16.6.7 doesn't exist anywhere, and the router, when it translates the request for 172.16.6.7 into 195.1.100.52, forwards it to the BGP peer 10.15.1.102?

Can you please clear up my confusion on this.

Mar 29 22:16:19.165: NAT: s=172.16.15.254, d=172.16.6.7->195.1.100.53 [61651]
*Mar 29 22:16:25.665: NAT: s=172.16.15.254, d=172.16.6.7->195.1.100.53 [61879]
*Mar 29 22:16:32.165: NAT: s=172.16.15.254, d=172.16.6.7->195.1.100.53 [62098]
*Mar 29 22:16:38.665: NAT: s=172.16.15.254, d=172.16.6.7->195.1.100.53 [62317]
*Mar 29 22:16:45.165: NAT: s=172.16.15.254, d=172.16.6.7->195.1.100.53 [62539]
*Mar 29 22:16:51.669: NAT: s=172.16.15.254, d=172.16.6.7->195.1.100.53 [62822]
*Mar 29 22:16:58.165: NAT: s=172.16.15.254, d=172.16.6.7->195.1.100.53 [63103]
*Mar 29 22:17:04.665: NAT: s=172.16.15.254, d=172.16.6.7->195.1.100.53 [63324]
*Mar 29 22:17:11.173: NAT: s=172.16.15.254, d=172.16.6.7->195.1.100.53 [63553]
*Mar 29 22:17:17.681: NAT: s=172.16.15.254, d=172.16.6.7->195.1.100.53 [63737]
*Mar 29 22:17:24.165: NAT: s=172.16.15.254, d=172.16.6.7->195.1.100.53 [63944]
*Mar 29 22:17:30.665: NAT: s=172.16.15.254, d=172.16.6.7->195.1.100.53 [64155]
*Mar 29 22:17:37.165: NAT: s=172.16.15.254, d=172.16.6.7->195.1.100.53 [64348]
*Mar 29 22:17:43.665: NAT: s=172.16.15.254, d=172.16.6.7->195.1.100.53 [64608]
*Mar 29 22:17:50.165: NAT: s=172.16.15.254, d=172.16.6.7->195.1.100.53 [64850]
*Mar 29 22:17:56.661: NAT: s=172.16.15.254, d=172.16.6.7->195.1.100.53 [65039]
*Mar 29 22:18:03.161: NAT: s=172.16.15.254, d=172.16.6.7->195.1.100.53 [65264]
*Mar 29 22:18:09.661: NAT: s=172.16.15.254, d=172.16.6.7->195.1.100.53 [65482]
*Mar 29 22:18:16.177: NAT: s=172.16.15.254, d=172.16.6.7->195.1.100.53 [308]

One more question: why do I need this static route in the configuration?

ip route 172.16.6.7 255.255.255.255 10.15.1.102

Because with NAT, inside to outside, routing happens before NAT, whereas outside to inside, NAT takes place before routing.

So if routing takes place before NAT you need that route to send the packet to the outside interface, which has the corresponding "ip nat outside" under the interface configuration.

Without that route it will not work.

Are you saying that it is still not working even with that route? If so, can you make sure that a packet sent from your LAN to 172.16.6.7 is -

a) allowed through the firewall

b) gets to the BGP router

By the way, you said with the old config you could at least ping. You could ping, as I found out in my lab, but it was your BGP router responding on behalf of your 172.16.15.8 address and not the actual server on the other side of the WAN.

Jon

Hi,

Thanks for the reply and explanation.

We can also do it this way:

ip nat outside source static 195.1.100.53 172.16.6.7 add-route

instead of adding the static route (ip route 172.16.6.7 255.255.255.255 10.15.1.102).

Now when I am using the add-route command my routing table looks like

S       172.16.6.7/32 [1/0] via 195.1.100.53

Before it was like this:

ip route 172.16.6.7 255.255.255.255 10.15.1.102

=====================================================================================================

Secondly, I don't need to advertise 172.16.6.7 in BGP and there is also no need to redistribute static into BGP, because I have a default route for my network and I am getting all the remote networks through BGP.

router bgp 1600
no synchronization
bgp log-neighbor-changes
network 172.16.6.7 mask 255.255.255.255
network 172.16.15.0 mask 255.255.255.0
redistribute static
neighbor 10.15.1.102 remote-as 64517
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.15.1
ip route 172.16.6.7 255.255.255.255 10.15.1.102

R01#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.16.15.1 to network 0.0.0.0

B    192.168.242.0/24 [20/0] via 10.15.1.102, 00:26:56
B    192.168.240.0/24 [20/0] via 10.15.1.102, 00:26:56
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       172.16.15.0/24 is directly connected, Vlan200
S       172.16.6.7/32 [1/0] via 10.15.1.102
B    192.168.229.0/24 [20/0] via 10.15.1.102, 00:26:56
     10.0.0.0/8 is variably subnetted, 18 subnets, 2 masks
B       10.15.1.12/30 [20/0] via 10.15.1.102, 00:26:56
B       10.15.1.8/30 [20/0] via 10.15.1.102, 00:26:56
B       10.15.1.20/30 [20/0] via 10.15.1.102, 00:26:56
B       10.15.1.16/30 [20/0] via 10.15.1.102, 00:26:56
B       10.1.29.0/24 [20/0] via 10.15.1.102, 00:26:56
B       10.15.1.28/30 [20/0] via 10.15.1.102, 00:26:56
B       10.15.1.24/30 [20/0] via 10.15.1.102, 00:26:56
B       10.15.1.32/30 [20/0] via 10.15.1.102, 00:26:56
B       10.15.1.48/30 [20/0] via 10.15.1.102, 00:26:56
B       10.15.1.60/30 [20/0] via 10.15.1.102, 00:26:56
B       10.15.1.56/30 [20/0] via 10.15.1.102, 00:26:56
B       10.15.1.64/30 [20/0] via 10.15.1.102, 00:26:56
B       10.15.1.84/30 [20/0] via 10.15.1.102, 00:26:56
B       10.15.1.88/30 [20/0] via 10.15.1.102, 00:26:56
C       10.15.1.100/30 is directly connected, FastEthernet0
B       10.15.1.108/30 [20/0] via 10.15.1.102, 00:26:56
B       10.15.1.112/30 [20/0] via 10.15.1.102, 00:26:56
B       10.200.30.0/24 [20/0] via 10.15.1.102, 00:26:56
B    195.1.100.0/24 [20/0] via 10.15.1.102, 00:26:56
S*   0.0.0.0/0 [1/0] via 172.16.15.1

D_P_R01#show ip route bgp
B    192.168.242.0/24 [20/0] via 10.15.1.102, 00:27:00
B    192.168.240.0/24 [20/0] via 10.15.1.102, 00:27:00
B    192.168.229.0/24 [20/0] via 10.15.1.102, 00:27:00
     10.0.0.0/8 is variably subnetted, 18 subnets, 2 masks
B       10.15.1.12/30 [20/0] via 10.15.1.102, 00:27:00
B       10.15.1.8/30 [20/0] via 10.15.1.102, 00:27:00
B       10.15.1.20/30 [20/0] via 10.15.1.102, 00:27:00
B       10.15.1.16/30 [20/0] via 10.15.1.102, 00:27:00
B       10.1.29.0/24 [20/0] via 10.15.1.102, 00:27:00
B       10.15.1.28/30 [20/0] via 10.15.1.102, 00:27:00
B       10.15.1.24/30 [20/0] via 10.15.1.102, 00:27:00
B       10.15.1.32/30 [20/0] via 10.15.1.102, 00:27:00
B       10.15.1.48/30 [20/0] via 10.15.1.102, 00:27:00
B       10.15.1.60/30 [20/0] via 10.15.1.102, 00:27:00
B       10.15.1.56/30 [20/0] via 10.15.1.102, 00:27:00
B       10.15.1.64/30 [20/0] via 10.15.1.102, 00:27:00
B       10.15.1.84/30 [20/0] via 10.15.1.102, 00:27:00
B       10.15.1.88/30 [20/0] via 10.15.1.102, 00:27:00
B       10.15.1.108/30 [20/0] via 10.15.1.102, 00:27:00
B       10.15.1.112/30 [20/0] via 10.15.1.102, 00:27:00
B       10.200.30.0/24 [20/0] via 10.15.1.102, 00:27:00
B    195.1.100.0/24 [20/0] via 10.15.1.102, 00:27:00

Waiting for your expert opinion.

Yes, you can use the "add-route" option, sorry, wasn't thinking.

Agree that you don't need to advertise 172.16.6.7 via BGP because it is only internal to you. As long as packets for 172.16.6.7 from anywhere in your network arrive at the inside interface (ip nat inside) of your BGP router then it should work fine.

Jon

Thanks for the reply,

Will add-route serve the same purpose? Because when I use add-route the next hop comes out different:

S       172.16.6.7/32 [1/0] via 195.1.100.53

Before, with the static route, it was like this:

ip route 172.16.6.7 255.255.255.255 10.15.1.102

Why am I getting a different next hop this time? I have also removed advertising 172.16.6.7 in BGP.

Waiting for your reply.

wasiimcisco wrote:

Thanks for the reply,

Will add-route serve the same purpose? Because when I use add-route the next hop comes out different:

S       172.16.6.7/32 [1/0] via 195.1.100.53

Before, with the static route, it was like this:

ip route 172.16.6.7 255.255.255.255 10.15.1.102

Why am I getting a different next hop this time? I have also removed advertising 172.16.6.7 in BGP.

Waiting for your reply.

It adds a different route but it serves the same purpose - I tested it in my lab and it works fine. It simply solves the problem of routing before NAT in a different way.

You absolutely do not need to advertise this address in BGP. You only need to make sure it is reachable to the rest of your LAN.

Jon
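The three points Jon makes in this thread (routing happens before NAT for inside-to-outside traffic and after it for outside-to-inside; an outside-local address taken from the interface subnet only gets the router itself to answer; and "add-route" works as well as the explicit static route because the /32 via 195.1.100.53 resolves recursively through the BGP route) can be walked through in a small model. This is an added example, not code from the thread or from Cisco; the route/NAT logic is a deliberate simplification of IOS behaviour, and the interface names, prefixes and addresses are the ones from the configs and show output posted above.

```python
# Added example (not from the thread): a toy model of the IOS NAT order of operations
# for an "ip nat outside source static" rule. It shows why the outside-local address
# needs a route pointing out the "ip nat outside" interface. The model is an
# assumption/simplification; addresses and interface names come from the posted configs.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: str                       # e.g. "172.16.6.7/32"
    interface: Optional[str] = None   # set for connected routes
    next_hop: Optional[str] = None    # set for static/BGP routes


@dataclass
class Router:
    routes: list
    outside_static: dict              # outside-global -> outside-local, e.g. {"195.1.100.53": "172.16.6.7"}
    nat_outside_if: str = "FastEthernet0"

    def resolve(self, dst, depth=0):
        """Longest-prefix match, following recursive next hops until a connected interface is found."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in ipaddress.ip_network(r.prefix)]
        if not matches or depth > 8:
            return None
        best = max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)
        if best.interface:            # connected route: egress interface found
            return best.interface
        return self.resolve(best.next_hop, depth + 1)

    def inside_to_outside(self, src, dst):
        """Inside -> outside: route lookup first, then the destination rewrite (outside-local -> outside-global)."""
        egress = self.resolve(dst)
        if egress is None:
            return {"action": "drop", "reason": "no route"}
        if egress != self.nat_outside_if:
            # Not heading for the "ip nat outside" interface, so the rule never fires:
            # the router treats dst as a local/LAN address and never rewrites it.
            return {"action": "forward", "egress": egress, "dst": dst, "translated": False}
        local_to_global = {loc: glob for glob, loc in self.outside_static.items()}
        return {"action": "forward", "egress": egress,
                "dst": local_to_global.get(dst, dst), "translated": dst in local_to_global}

    def outside_to_inside(self, src, dst):
        """Outside -> inside: the source rewrite (outside-global -> outside-local) happens before the route lookup."""
        new_src = self.outside_static.get(src, src)
        egress = self.resolve(dst)
        if egress is None:
            return {"action": "drop", "reason": "no route"}
        return {"action": "forward", "egress": egress, "src": new_src, "translated": new_src != src}


# Routes common to every variant, as seen in the posted "show ip route".
BASE_ROUTES = [
    Route("172.16.15.0/24", interface="Vlan200"),        # ip nat inside
    Route("10.15.1.100/30", interface="FastEthernet0"),  # ip nat outside
    Route("195.1.100.0/24", next_hop="10.15.1.102"),     # learned via BGP
    Route("0.0.0.0/0", next_hop="172.16.15.1"),          # default back to the firewall
]


def scenario(mapped_local, extra_route=None):
    """Router with the outside-source rule for 195.1.100.53 and an optional extra route."""
    routes = BASE_ROUTES + ([extra_route] if extra_route else [])
    return Router(routes, {"195.1.100.53": mapped_local})


def run_all():
    """Result of each configuration variant discussed in the thread."""
    via_peer = Route("172.16.6.7/32", next_hop="10.15.1.102")      # Jon's static route
    add_route = Route("172.16.6.7/32", next_hop="195.1.100.53")    # what "add-route" installs
    return {
        # 1. original post: mapped address inside the Vlan200 subnet, no route
        "in_interface_subnet": scenario("172.16.15.8").inside_to_outside("192.168.80.89", "172.16.15.8"),
        # 2. new address but no route: the default route sends it back toward the firewall
        "no_route": scenario("172.16.6.7").inside_to_outside("172.16.15.254", "172.16.6.7"),
        # 3. explicit static route toward the BGP peer
        "static_route": scenario("172.16.6.7", via_peer).inside_to_outside("172.16.15.254", "172.16.6.7"),
        # 4. add-route: /32 via 195.1.100.53, resolved recursively through the BGP route
        "add_route": scenario("172.16.6.7", add_route).inside_to_outside("172.16.15.254", "172.16.6.7"),
        # 5. reply from the server: source is rewritten before the route lookup
        "return_path": scenario("172.16.6.7", add_route).outside_to_inside("195.1.100.53", "172.16.15.254"),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:20s} {result}")
```

Variants 1 and 2 never reach the outside interface, so the destination is never rewritten; variants 3 and 4 both end up on FastEthernet0 with the destination rewritten to 195.1.100.53, which is why the two routes are interchangeable for this purpose.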
