
Sub interface NAT problem

rasoftware
Level 1

I have the following on an 1841.

PPPoE on Fast0/0 works fine and picks up ISP address.

I have assigned on the /29 address to fast0/1.2 and created a LAN on fast0/1.1 using the native VLAN.

I can ping the /29 address from the internet and also ping the internal address from the LAN.

I added a NAT statement (inside and outside to each sub interface).

I cannot connect from the 192.168.199.0/24 network out via NAT.  Is this possible with subinterfaces?

vpdn enable

!

interface FastEthernet0/0

description PPPOE WAN

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

no cdp enable

!

interface FastEthernet0/1

no ip address

duplex auto

speed auto

!

interface FastEthernet0/1.1

encapsulation dot1Q 1 native

ip address 192.168.199.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface FastEthernet0/1.2

encapsulation dot1Q 2

ip address 81.143.105.77 255.255.255.248

ip nat outside

ip virtual-reassembly

!

!

interface Dialer1

ip address negotiated

no ip unreachables

ip mtu 1492

encapsulation ppp

ip tcp adjust-mss 1452

no ip mroute-cache

dialer pool 1

dialer-group 1

no cdp enable

ppp chap hostname ******

ppp chap password 0 *****

!

ip route 0.0.0.0 0.0.0.0 Dialer1 2

ip nat inside source list 10 interface FastEthernet0/1.2 overload

!

access-list 10 permit 192.168.199.0 0.0.0.255

dialer-list 1 protocol ip permit

!


Bilal Nawaz
VIP Alumni

Hello, it is possible.

I noticed that you have a default route here:

rasoftware wrote:


ip route 0.0.0.0 0.0.0.0 Dialer1 2

It may not be working because all the traffic being generated is heading towards the Dialer1 interface, I think?

What happens when you replace this with ip route 0.0.0.0 0.0.0.0 FastEthernet0/1.2?

or the ip route 0.0.0.0 0.0.0.0 x.x.x.x (your gateway on this network for your router - which is better)

Hope this helps

Please rate useful posts and remember to mark any solved questions as answered. Thank you.


I've set as PPP assigned default route now but I still can't get out via NAT.

Show nat translations is empty.

Gateway of last resort is 81.139.64.1 to network 0.0.0.0

     81.0.0.0/8 is variably subnetted, 3 subnets, 2 masks

C       81.139.64.1/32 is directly connected, Dialer1

C       81.139.64.34/32 is directly connected, Dialer1

C       81.143.105.72/29 is directly connected, FastEthernet0/1.2

C    192.168.199.0/24 is directly connected, FastEthernet0/1.1

S*   0.0.0.0/0 [1/0] via 81.139.64.1

Interface                  IP-Address      OK? Method Status                Protocol

FastEthernet0/0            unassigned      YES NVRAM  up                    up

FastEthernet0/1            unassigned      YES NVRAM  up                    up

FastEthernet0/1.1          192.168.199.1   YES NVRAM  up                    up

FastEthernet0/1.2          81.143.105.77   YES NVRAM  up                    up

ATM0/0/0                   unassigned      YES NVRAM  administratively down down

NVI0                       unassigned      NO  unset  up                    up

Virtual-Access1            unassigned      YES unset  up                    up

Virtual-Access2            unassigned      YES unset  up                    up

Virtual-Access3            unassigned      YES unset  up                    up

Dialer1                    81.139.64.34    YES IPCP   up                    up

Do you want to route traffic out of dialer 1 interface? Or do you want to route out of the sub interface?


fast0/0 with PPP on dialer 1 is a dynamic IP assigned. I have a subnet of /29 which I want to assign to the sub interface. I want my traffic to appear to come from this interface.

I've tried this now with NVI but no better.  What is going on here?

I see

A-ADSL#show ip nat nvi tran

Pro Source global      Source local       Destin  local      Destin  global

udp 81.143.105.77:137  192.168.199.3:137  192.168.199.255:137 192.168.199.255:137

So you want to route out of dialer 1 but make it seem like it came from FastEthernet0/1.2?

Hmm I'm not too sure... Won't we need a NAT address within the same range? How would the return traffic come back?

If you want to NAT out of dialer 1
Add the 'ip nat outside' command on this interface. It won't NAT so that it seems like it's come from fa0/1.2 though.

Do you want an asymmetric routing effect so the return traffic comes through another way?

I.e. goes out of dialer 1 and comes back to fa0/1.2?

If this is the case, NAT statement might be different, but I'll have to test it myself first.


rasoftware
Level 1

Yes I can NAT out of fe00. But why can I reach the public sub interface /29 from internet and even telnet on? ISP routes this via dynamic.


If you or the service provider are advertising out this prefix then it explains how you are able to ping and telnet etc..

The advertisement says, if you want to get to x.x.x.x then go to y.y.y.y being the next hop towards your sub interface.

How are you testing this? Have we achieved what we wanted to achieve?


No. What I would normally do is put a second router in. One dynamic ip on the outside and the gateway of the /29 on the inside then assign one of the /29 to this.

What I want to achieve is the same thing using a single router. I want the wan interface nearly to provide the routing to the isp and connection.

I am wondering if I use a loop back rather than a sub interface this would work? I would assign the /29 gateway to this...

I can reach any address in the /29 I assign to the sub interface so these addresses are definitely routable, what I can't do is nat out as one of them.

I need a static ip for VPN so I can't use the pppoe assigned ip.







I have the following:

I think this is what you want to do? Anything from inside - Client_Inside will be translated to 2.2.2.1 when I try to ping R2 which has a loopback of 1.1.1.1.

So all packets that are generated from the inside will be translated with a source address of 2.2.2.1. I have added a route of 2.2.2.1 back to R1 where the loopback exists.

Here are the configs:

CLIENT_INSDIE#show run

Building configuration...

Current configuration : 827 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname CLIENT_INSDIE

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

ip cef

!

no ip domain lookup

ip domain name lab.local

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

interface FastEthernet0/0

ip address dhcp

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

ip forward-protocol nd

!

!

no ip http server

no ip http secure-server

!

!

control-plane

!

!

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

login

!

!

end      

CLIENT_INSDIE#

CLIENT_INSDIE#show ip int brie

Interface                  IP-Address      OK? Method Status                Protocol

FastEthernet0/0            20.0.0.101      YES DHCP   up                    up     

FastEthernet0/1            unassigned      YES unset  administratively down down   

=======================================================================

R1#show run

Building configuration...

*Mar  1 00:41:27.515: %SYS-5-CONFIG_I: Configured from console by console

Current configuration : 1323 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R1

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 20.0.0.0 20.0.0.100

!

ip dhcp pool 1

   network 20.0.0.0 255.255.255.0

   default-router 20.0.0.1

!

!

no ip domain lookup

ip domain name lab.local

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

!

interface Loopback0

ip address 2.2.2.1 255.255.255.255

!

interface FastEthernet0/0

ip address 10.0.0.1 255.255.255.252

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 20.0.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 10.0.0.2

!

!

no ip http server

no ip http secure-server

ip nat pool test 2.2.2.1 2.2.2.1 netmask 255.255.255.252

ip nat inside source list 100 pool test overload

!

access-list 100 permit ip 20.0.0.0 0.0.0.255 any

!

!

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

login

!

!

end

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.0.0.2 to network 0.0.0.0

     2.0.0.0/32 is subnetted, 1 subnets

C       2.2.2.1 is directly connected, Loopback0

     20.0.0.0/24 is subnetted, 1 subnets

C       20.0.0.0 is directly connected, FastEthernet0/1

     10.0.0.0/30 is subnetted, 1 subnets

C       10.0.0.0 is directly connected, FastEthernet0/0

S*   0.0.0.0/0 [1/0] via 10.0.0.2

=======================================================================

R2#show run

Building configuration...

Current configuration : 934 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R2

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

ip cef

!

!

no ip domain lookup

ip domain name lab.local

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

!

interface Loopback1

ip address 1.1.1.1 255.255.255.0

!

interface FastEthernet0/0

ip address 10.0.0.2 255.255.255.252

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

ip forward-protocol nd

ip route 2.2.2.1 255.255.255.255 10.0.0.1

!

!

no ip http server

no ip http secure-server

!

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

login

!

!

end

Now I will ping 1.1.1.1 from client router:

CLIENT_INSDIE#ping 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/48/64 ms

=======================================================

R1#

*Mar  1 00:45:51.783: NAT*: s=20.0.0.101->2.2.2.1, d=1.1.1.1 [75]

*Mar  1 00:45:51.811: NAT*: s=1.1.1.1, d=2.2.2.1->20.0.0.101 [75]

*Mar  1 00:45:51.847: NAT*: s=20.0.0.101->2.2.2.1, d=1.1.1.1 [76]

*Mar  1 00:45:51.867: NAT*: s=1.1.1.1, d=2.2.2.1->20.0.0.101 [76]

*Mar  1 00:45:51.887: NAT*: s=20.0.0.101->2.2.2.1, d=1.1.1.1 [77]

*Mar  1 00:45:51.911: NAT*: s=1.1.1.1, d=2.2.2.1->20.0.0.101 [77]

*Mar  1 00:45:51.931: NAT*: s=20.0.0.101->2.2.2.1, d=1.1.1.1 [78]

*Mar  1 00:45:51.947: NAT*: s=1.1.1.1, d=2.2.2.1->20.0.0.101 [78]

*Mar  1 00:45:51.975: NAT*: s=20.0.0.101->2.2.2.1, d=1.1.1.1 [79]

*Mar  1 00:45:51.995: NAT*: s=1.1.1.1, d=2.2.2.1->20.0.0.101 [79]

R1#

*Mar  1 00:46:19.939: NAT: expiring 2.2.2.1 (20.0.0.101) icmp 14 (14)

R1#show ip nat translations

Pro Inside global      Inside local       Outside local      Outside global

icmp 2.2.2.1:13        20.0.0.101:13      1.1.1.1:13         1.1.1.1:13

=======================================================

R2#

*Mar  1 00:45:24.731: IP: tableid=0, s=2.2.2.1 (FastEthernet0/0), d=1.1.1.1 (Loopback1), routed via RIB

*Mar  1 00:45:24.735: IP: s=2.2.2.1 (FastEthernet0/0), d=1.1.1.1, len 100, rcvd 4

*Mar  1 00:45:24.735: IP: tableid=0, s=1.1.1.1 (local), d=2.2.2.1 (FastEthernet0/0), routed via FIB

*Mar  1 00:45:24.735: IP: s=1.1.1.1 (local), d=2.2.2.1 (FastEthernet0/0), len 100, sending

*Mar  1 00:45:24.799: IP: tableid=0, s=2.2.2.1 (FastEthernet0/0), d=1.1.1.1 (Loopback1), routed via RIB

*Mar  1 00:45:24.799: IP: s=2.2.2.1 (FastEthernet0/0), d=1.1.1.1, len 100, rcvd 4

*Mar  1 00:45:24.799: IP: tableid=0, s=1.1.1.1 (local), d=2.2.2.1 (FastEthernet0/0), routed via FIB

*Mar  1 00:45:24.799: IP: s=1.1.1.1 (local), d=2.2.2.1 (FastEthernet0/0), len 100, sending

*Mar  1 00:45:24.855: IP: tableid=0, s=2.2.2.1 (FastEthernet0/0), d=1.1.1.1 (Loopback1), routed via RIB

*Mar  1 00:45:24.855: IP: s=2.2.2.1 (FastEthernet0/0), d=1.1.1.1, len 100, rcvd 4

*Mar  1 00:45:24.855: IP: tableid=0, s=1.1.1.1 (local), d=2.2.2.1 (FastEthernet0/0), routed via FIB

*Mar  1 00:45:24.855: IP: s=1.1.1.1 (local), d=2.2.2.1 (FastEthernet0/0), len 100, sending

*Mar  1 00:45:24.895: IP: tableid=0, s=2.2.2.1 (FastEthernet0/0), d=1.1.1.1 (Loopback1), routed via RIB

*Mar  1 00:45:24.895: IP: s=2.2.2.1 (FastEthernet0/0), d=1.1.1.1, len 100, rcvd 4

*Mar  1 00:45:24.895: IP: tableid=0, s=1.1.1.1 (local), d=2.2.2.1 (FastEthernet0/0), routed via FIB

*Mar  1 00:45:24.895: IP: s=1.1.1.1 (local), d=2.2.2.1 (FastEthernet0/0), len 100, sending

*Mar  1 00:45:24.939: IP: tableid=0, s=2.2.2.1 (FastEthernet0/0), d=1.1.1.1 (Loopback1), routed via RIB

*Mar  1 00:45:24.939: IP: s=2.2.2.1 (FastEthernet0/0), d=1.1.1.1, len 100, rcvd 4

*Mar  1 00:45:24.939: IP: tableid=0, s=1.1.1.1 (local), d=2.2.2.1 (FastEthernet0/0), routed via FIB

*Mar  1 00:45:24.939: IP: s=1.1.1.1 (local), d=2.2.2.1 (FastEthernet0/0), len 100, sending

So we are NATing the source to 2.2.2.1 which is not on the physical interface. You can also do this for sub interface.

Is this what you were trying to do?

Hope this helps


I think all this is doing is translating the 192.168.199.3 address to 81.143.105.78 in my instance.

What I need is to be able to terminate an IPSEC on one of the /29 addresses

Normally

(ISP Dynamic ---- 81.143.105.73 (GW) ---- (2nd device 81.143.105.74 - NAT and IPSEC Termination).

But I have now -

Dialer1 - IPCP

Loopback - 81.143.105.78

FE0/0 - 192.168.199.1

I don't see it trying to make a NAT translation in this configuration, but I can ping 81.143.105.78 from internet.

Perhaps it's not possible and I need the second device?

I did get this working of sorts using this - IP appeared to come from outside IP and I was able to terminate an IPSEC inbound but not outbound. I'm not sure it's possible to appear from interface without NAT so we opted for a firewall with a router in front.

This is a similar scenario to the DrayTek 2nd routed IP and both seem to have issues initiating an IPSEC outbound in this configuration.

Thanks for the help.
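
The empty translation table reported in this thread follows from how IOS inside-source NAT triggers: a translation is only created when traffic enters an `ip nat inside` interface and is routed out an `ip nat outside` interface. The following is an added example, not code from any poster; it audits the NAT-relevant lines of the two configs posted above, and the function names (`parse_config`, `egress_interface`, `audit_nat`) are hypothetical.

```python
import ipaddress
import re

# NAT-relevant lines taken from the configs posted in the thread:
# OP_CONFIG is the question's 1841, R1_CONFIG is lab router R1 from the accepted answer.
OP_CONFIG = """
interface FastEthernet0/1.1
 ip address 192.168.199.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1.2
 ip address 81.143.105.77 255.255.255.248
 ip nat outside
interface Dialer1
 ip address negotiated
!
ip route 0.0.0.0 0.0.0.0 Dialer1 2
ip nat inside source list 10 interface FastEthernet0/1.2 overload
"""
R1_CONFIG = """
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 ip nat outside
interface FastEthernet0/1
 ip address 20.0.0.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 10.0.0.2
ip nat inside source list 100 pool test overload
"""


def parse_config(text):
    """Collect per-interface NAT role and subnet, default-route targets, NAT rules."""
    ifaces, defaults, rules, cur = {}, [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "!":
            cur = None  # end of an interface section
        elif m := re.fullmatch(r"interface (\S+)", line):
            cur = m.group(1)
            ifaces[cur] = {"nat": None, "net": None}
        elif cur and (m := re.fullmatch(r"ip nat (inside|outside)", line)):
            ifaces[cur]["nat"] = m.group(1)
        elif cur and (m := re.fullmatch(r"ip address (\d\S+) (\d\S+)", line)):
            ifaces[cur]["net"] = ipaddress.ip_network("/".join(m.groups()), strict=False)
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            defaults.append(m.group(1))
        elif line.startswith("ip nat inside source "):
            rules.append(line)
    return ifaces, defaults, rules


def egress_interface(target, ifaces):
    """Map a default-route target (interface name or next-hop IP) to an interface."""
    if target in ifaces:
        return target
    try:
        hop = ipaddress.ip_address(target)
    except ValueError:
        return None
    return next((n for n, i in ifaces.items() if i["net"] and hop in i["net"]), None)


def audit_nat(text):
    """Return findings explaining why a configured source NAT rule would never fire."""
    ifaces, defaults, rules = parse_config(text)
    findings = []
    if rules and not any(i["nat"] == "inside" for i in ifaces.values()):
        findings.append("no interface is marked 'ip nat inside'")
    for target in (defaults if rules else []):
        egress = egress_interface(target, ifaces)
        if egress is None:
            findings.append(f"default route via {target}: egress interface not resolvable")
        elif ifaces[egress]["nat"] != "outside":
            findings.append(f"default route leaves via {egress}, which lacks 'ip nat outside'")
    return findings
```

`audit_nat(OP_CONFIG)` reports that the default route leaves via Dialer1 without an outside role, while `audit_nat(R1_CONFIG)` returns no findings because R1's next hop sits on its `ip nat outside` interface.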