
what is the inside interface for branch using MPLS?

Herman2018
Level 3

Hi, we have our own private MPLS network; all branches are connected to HQ via MPLS. Now one branch has a local external line which is connected to a client. Now the client needs to access the web server which is located in HQ via this line. We don't have a firewall, and will use the core switch to do port forwarding to achieve this goal. For a port forwarding solution on a Cisco device, we need to specify the NAT inside interface. As we are using MPLS, I don't know which interface should be the inside interface for NAT. Can anyone please advise? Thanks in advance!

client router--->interface g0/1 of our branch core switch (layer3, MPLS PE router), interface g0/0 --> mpls link (lease line to HQ and other branches). 

Core switch interface G0/1 is under vrf "Red", we import the routes for vrf "Red" from HQ via MPLS. 

some vlans are configured on core switch, they are under vrf "Red". 

 


Many to one

If the branch has many interfaces that connect to hosts and one interface that connects to MPLS,

then configure all interfaces except the MPLS interface as inside and configure the MPLS interface as outside.

You also need to include all host subnets in the ACL of the NAT overload.

MHM

Thanks @MHM Cisco World for your advice. MPLS is our internal side; the external side is the interface g0/1, which is connected to our local client, but the server is located in HQ, which is connected via our private MPLS. Our branch client will access this server via a private line, to 

Can you draw the topology?

Thanks 

MHM

Herman2018_0-1701425967014.png

 

HQ knows the prefix of the link connecting the branch to the MPLS core; it doesn't know the prefix connecting the branch to the client.

So, as I mentioned, you need to make client to branch IN

and branch to MPLS core OUT.

MHM

HQ knows the client IP; the branch advertises the client prefix to HQ. The NAT will be like this.

The client accesses one IP, 1.1.1.1 (example), with the source IP 192.168.0.1, then the branch core switch does destination NAT and forwards the traffic to the web server 2.2.2.2 with the original source 192.168.0.1.

If that is the case and you want to NAT the server IP,

you need to NAT using ip nat outside and keep, as I mentioned above, MPLS as OUT and client to branch as IN.

MHM

Sorry, I don't understand your solution. Below is an example of inbound access to an internal server from outside. But I don't know how to configure it if the internal side is an MPLS layer 3 VPN network.

 

How to Configure Port Forwarding on Cisco Router (With Examples) (networkstraining.com)

Another question: can I put the command "ip nat outside" under the MPLS interface? With layer 3 MPLS VPN, can it NAT IP addresses like a normal interface?

Friend,

You have a client with IP 192.168.0.x that needs to access server 1.1.1.1, but we need to NAT the server IP to 2.2.2.2.

The traffic source will be 192.168.0.x and the destination is 1.1.1.1.

ip nat inside source: NATing the source

ip nat outside source: NATing the destination

Here your ip nat inside is the interface connecting your branch to the client,

and ip nat outside is the interface connecting your branch to MPLS.

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13773-2.html

Can an MPLS interface be configured with NAT?

Sure, yes.

MHM

Herman2018
Level 3

Thanks @MHM Cisco World. However, I am trying to configure destination NAT, not source NAT. I already figured out a solution. Thanks again for your advice.

You are so welcome 

Have a nice weekend 

MHM

Hello


@Herman2018 wrote:
We don't have a firewall, and will use the core switch to do port forwarding to achieve this goal

Does your core switch even support NAT? Also, is it DNAT you really require here?

Based on your OP and if the switch does indeed support nat then interface g0/1 will be your nat outside domain, and your nat inside domain interface should be g0/0.

ip nat outside source static <outside global ip> <outside local ip>

Example destination static nat

Outside global=100.100.100.1 (public src ip)
Outside-local-ip =11.1.11.101 (natted ip)
Inside local ip 10.1.12.101 (local server)

ip nat outside source static 100.100.100.1 11.1.11.101

interface g0/1
ip nat outside

interface g0/0
ip nat inside

ping -S 100.100.100.1 10.1.12.101

*Mar 1 00:16:43.099: NAT: s=100.100.100.1->11.1.11.101, d=10.1.12.101
*Mar 1 00:16:43.103: NAT: s=10.1.12.101, d=11.1.11.101->100.100.100.1

In the above, the client traffic ingressing into your own network with a source IP of 100.100.100.1 will be translated by the NAT router/switch to 11.1.11.101, which means this IP will be accessible locally within your own network.

Any inside host replying to the 11.1.11.101 will be translated to the 100.100.100.1

Is this what you are looking for, or is it, as @MHM Cisco World suggested, a basic 1-to-1 static NAT you require?

ip nat inside source static 10.1.12.101 11.1.11.101


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
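
Added example, not posted by anyone in this thread: a small Python model of how IOS static NAT rewrites a packet depending on which side it arrives on, checked against the debug lines quoted above and then applied to the 192.168.0.1 -> 1.1.1.1 -> 2.2.2.2 flow under both interface-role layouts discussed. The `Rule` class, the `translate` function and layouts A/B are constructed for illustration; VRF and MPLS label handling, and whether a given platform supports NAT on these interfaces, are not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    kind: str     # "inside" / "outside": ip nat <kind> source static
    local: str    # address as it appears on the inside network
    global_: str  # address as it appears on the outside network

def translate(rules, ingress, src, dst):
    """Rewrite a packet arriving on an 'inside' or 'outside' interface.
    Returns (src, dst, route_dst); route_dst is what the routing lookup sees,
    since IOS routes before NAT inside->outside and after NAT outside->inside."""
    if ingress not in ("inside", "outside"):
        raise ValueError("ingress must be 'inside' or 'outside'")
    new_src, new_dst = src, dst
    for r in rules:
        if ingress == "inside":
            if r.kind == "inside" and src == r.local:
                new_src = r.global_
            elif r.kind == "outside" and dst == r.local:
                new_dst = r.global_
        else:
            if r.kind == "inside" and dst == r.global_:
                new_dst = r.local
            elif r.kind == "outside" and src == r.global_:
                new_src = r.local
    return new_src, new_dst, (dst if ingress == "inside" else new_dst)

# Rule from the thread: ip nat outside source static 100.100.100.1 11.1.11.101
THREAD_RULE = [Rule("outside", local="11.1.11.101", global_="100.100.100.1")]
# Thread's flow (client 192.168.0.1 -> 1.1.1.1, server 2.2.2.2), two constructed layouts:
# A: client link outside, MPLS link inside: ip nat inside source static 2.2.2.2 1.1.1.1
LAYOUT_A = [Rule("inside", local="2.2.2.2", global_="1.1.1.1")]
# B: client link inside, MPLS link outside: ip nat outside source static 2.2.2.2 1.1.1.1
LAYOUT_B = [Rule("outside", local="1.1.1.1", global_="2.2.2.2")]

def demo():
    return {
        "thread_request": translate(THREAD_RULE, "outside", "100.100.100.1", "10.1.12.101"),
        "thread_reply": translate(THREAD_RULE, "inside", "10.1.12.101", "11.1.11.101"),
        "A_request": translate(LAYOUT_A, "outside", "192.168.0.1", "1.1.1.1"),
        "B_request": translate(LAYOUT_B, "inside", "192.168.0.1", "1.1.1.1"),
        "A_reply": translate(LAYOUT_A, "inside", "2.2.2.2", "192.168.0.1"),
        "B_reply": translate(LAYOUT_B, "outside", "2.2.2.2", "192.168.0.1"),
    }

if __name__ == "__main__":
    print(demo())
```

Both layouts deliver the same rewritten packet to the server; the difference is the third value. In layout B the route lookup happens on 1.1.1.1 before translation, so the switch needs a route for 1.1.1.1 pointing at the outside interface.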