enabling NAT on WAN interface - interfere with OSPF - help please

shlomim
Level 1

Hi,

I'm running SD-WAN LAB 20.9.3.1.

I have 2 Viptela vEdge routers that are connected via OSPF on WAN interfaces.

When I enable NAT on the WAN interface, even though there is no NAT configuration other than the nat on the interface, the vEdge router interferes with the OSPF packets.

I've tried to specifically allow OSPF on the tunnel interface, but it did not help:

When I disable NAT, OSPF comes back up, and after a while dies again.

here is the show run:

vEdge2# show run
system
host-name vEdge2
system-ip 172.17.1.222
site-id 1
admin-tech-on-failure
no route-consistency-check
no vrrp-advt-with-phymac
sp-organization-name or2.sys.cisco
organization-name or2.sys.cisco
console-baud-rate 9600
vbond 150.1.1.103
aaa
auth-order local radius tacacs
usergroup basic
task system read write
task interface read write
!
usergroup netadmin
!
usergroup operator
task system read
task interface read
task policy read
task routing read
task security read
!
user admin
password $6$5adfbd0f5fea9400$roQOvt.AyTiHpG.OvQEe1gISHLudwc/qVD92iX4KMoZthgVx64EmRUzos4w5ST6fMvWVBxsHGGwtBfnGgc/W21
!
ciscotacro-user true
ciscotacrw-user true
!
logging
disk
enable
!
!
ntp
parent
no enable
stratum 5
exit
!
!
omp
no shutdown
graceful-restart
advertise connected
advertise static
!
vpn 0
router
ospf
router-id 172.17.1.222
auto-cost reference-bandwidth 10000
timers spf 200 1000 10000
area 0
interface ge0/0
network point-to-point
exit
interface ge0/1
network point-to-point
exit
exit
!
!
interface ge0/0
ip address 150.11.2.0/31
nat
!
tunnel-interface
encapsulation ipsec
color custom1
allow-service all
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
no allow-service sshd
no allow-service netconf
no allow-service ntp
allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
interface ge0/1
ip address 150.22.2.0/31
nat
!
tunnel-interface
encapsulation ipsec
color custom2
allow-service all
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
no allow-service sshd
no allow-service netconf
no allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
interface ge0/2
no shutdown
!
!
vpn 1
router
ospf
router-id 172.17.1.222
timers spf 200 1000 10000
redistribute omp
area 67372036
interface ge0/2.10
exit
exit
!
bgp 12345
best-path
as-path multipath-relax
!
address-family ipv4-unicast
maximum-paths paths 4
!
neighbor 10.9.9.9
no shutdown
remote-as 999
!
!
!
interface ge0/2.10
ip address 10.10.10.2/24
mtu 1496
no shutdown
!
interface ge0/2.999
ip address 10.9.9.2/24
mtu 1496
no shutdown
!
omp
advertise bgp
advertise ospf external
advertise connected
!
!
vpn 512
name "Management VPN"
interface eth0
shutdown
!
!


Here is the show ospf neighbor output:

vEdge2# show ospf neighbor
DBsmL -> Database Summary List
RqstL -> Link State Request List
RXmtl -> Link State Retransmission List

     SOURCE                                                   DEAD
VPN  IP ADDRESS   INTERFACE  ROUTER ID    STATE    PRIORITY  TIMER  DBsmL  RqstL  RXmtL
-----------------------------------------------------------------------------------------
0    150.11.2.1   ge0/0      150.255.1.1  exstart  1         34     0      0      0
0    150.22.2.1   ge0/1      150.255.1.2  exstart  1         34     0      0      0

When I disable NAT on the interfaces, OSPF works perfectly.

For testing, I've allowed the OSPF service on one interface and not on the other, to verify whether it works.

It does not.

Any suggestions?
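As an added illustration for this thread (not Cisco or Viptela code, and not something the poster ran), the script below cross-checks a flattened vEdge show run the way the post does by hand: it walks the block structure with a small stack, records per VPN which interfaces are OSPF area members, which have nat enabled and how allow-service ospf is set on the tunnel-interface, and then lists show ospf neighbor rows that are not in the full state. The CONTAINERS keyword list, the dict layout and both sample texts are this example's own assumptions; it reports the OSPF-plus-NAT combination seen in the post, it does not decide whether that combination is the cause.

```python
# Added audit example (not Cisco/Viptela code): flag interfaces that are OSPF
# area members while `nat` is enabled, and list non-full OSPF adjacencies.
# CONTAINERS, the dict layout and the sample texts are this example's assumptions.
from collections import defaultdict

# Keywords that open a nested block in the vEdge CLI; "!" or "exit" closes one.
CONTAINERS = {"system", "aaa", "usergroup", "user", "logging", "disk", "ntp", "parent", "omp",
              "vpn", "router", "ospf", "area", "interface", "nat", "tunnel-interface",
              "bgp", "best-path", "address-family", "neighbor"}

# Constructed excerpt mirroring the thread's VPN 0 config, flattened as pasted.
SAMPLE_SHOW_RUN = """\
vpn 0
router
ospf
area 0
interface ge0/0
exit
interface ge0/1
exit
exit
!
!
interface ge0/0
nat
!
tunnel-interface
allow-service ospf
!
!
interface ge0/1
nat
!
tunnel-interface
no allow-service ospf
!
!
!
"""

# Constructed rows in the shape of the thread's `show ospf neighbor` table.
SAMPLE_NEIGHBORS = """\
0 150.11.2.1 ge0/0 150.255.1.1 exstart 1 34 0 0 0
0 150.22.2.1 ge0/1 150.255.1.2 exstart 1 34 0 0 0
"""


def parse_show_run(text):
    """Per-VPN facts: OSPF member interfaces, NAT interfaces, allow-service ospf."""
    vpns = defaultdict(lambda: {"ospf_ifaces": set(), "nat_ifaces": set(),
                                "allow_ospf": {}})
    stack = []  # (keyword, argument) per open block, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("!", "exit"):           # both close the innermost block
            if stack:
                stack.pop()
            continue
        kw, _, arg = line.partition(" ")
        kws = [k for k, _ in stack]
        vpn = stack[0][1] if kws and kws[0] == "vpn" else None
        iface = stack[1][1] if len(kws) > 1 and kws[1] == "interface" else None
        if kw in CONTAINERS:
            stack.append((kw, arg))
            if kw == "interface" and "area" in kws:   # interface inside ospf/area
                vpns[vpn]["ospf_ifaces"].add(arg)
            elif kw == "nat" and iface:               # `nat` under a VPN interface
                vpns[vpn]["nat_ifaces"].add(iface)
        elif kws and kws[-1] == "tunnel-interface" and line.endswith("allow-service ospf"):
            vpns[vpn]["allow_ospf"][iface] = not line.startswith("no ")
    return dict(vpns)


def audit(vpns):
    """Flag interfaces that are OSPF area members while `nat` is enabled."""
    findings = []
    for vpn, f in sorted(vpns.items()):
        for iface in sorted(f["ospf_ifaces"] & f["nat_ifaces"]):
            findings.append({"vpn": vpn, "interface": iface,
                             "allow_service_ospf": f["allow_ospf"].get(iface)})
    return findings


def stuck_neighbors(text):
    """Return (vpn, interface, neighbor_ip, state) for adjacencies not in full."""
    stuck = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 10 or not parts[0].isdigit():
            continue                        # header, legend or separator rows
        vpn, ip, iface, _router_id, state = parts[:5]
        if state.lower() != "full":
            stuck.append((int(vpn), iface, ip, state))
    return stuck


if __name__ == "__main__":
    for f in audit(parse_show_run(SAMPLE_SHOW_RUN)):
        print("VPN %(vpn)s %(interface)s: OSPF member with nat, "
              "allow-service ospf=%(allow_service_ospf)s" % f)
    for vpn, iface, ip, state in stuck_neighbors(SAMPLE_NEIGHBORS):
        print("VPN %d %s: neighbor %s stuck in %s" % (vpn, iface, ip, state))
```

Run against the sample it prints both VPN 0 interfaces as OSPF members with nat (one with the OSPF service allowed, one denied) and both neighbors stuck in exstart, which matches the post: the allow-service toggle alone does not separate the working from the non-working case. Pasting a real show run in place of SAMPLE_SHOW_RUN works as long as every block keyword in it is listed in CONTAINERS, since an unlisted block would desynchronise the stack.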

2 Replies

balaji.bandi
Hall of Fame

Why do you need NAT?

Check the NAT config:

https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/220311-configure-service-side-static-nat-on-a-c.html

Enable debug and check.

BB


Thank you for your help!

The issue I'm facing is with vEdge Cloud 20.9.3; the configuration guide you've referred me to is for IOS XE, so I'm not sure I'm on the right track.

Anyway, I need NAT for DIA. Since I do DIA with a Data Policy, there isn't any NAT configuration other than NAT on the interface.

Any suggestions for debugs I should run? When I check show policy service-path from the source IP of the neighbor with destination IP 224.0.0.5, it shows that it is being blackholed.