Multiple NAT DIA bug or something else

dijix1990
VIP Alumni

I found that Multiple NAT DIA stops working after reloading

My config is very simple

  • Vpn 10 - 172.25.10.0/24 via nat dia overload (isp1 and isp2 round robin)
  • Vpn 16 - 172.25.16.0/24 via nat dia pool overload (isp1 and isp2 round robin)

Service side

interface GigabitEthernet0/0/0.10
  encapsulation dot1Q 10
  ip address 172.25.10.1 255.255.255.0
  vrf forwarding 10
  no ip redirects
  no ip proxy-arp
end

interface GigabitEthernet0/0/0.16
  encapsulation dot1Q 16
  ip address 172.25.16.1 255.255.255.0
  vrf forwarding 16
  no ip redirects
  no ip proxy-arp
end

Transport side

interface GigabitEthernet0/0/1.100
  encapsulation dot1Q 100
  ip address 10.10.10.1 255.255.255.0
  no ip redirects
  no ip proxy-arp
  ip nat outside
end

interface GigabitEthernet0/0/1.200
  encapsulation dot1Q 200
  ip address 20.20.20.1 255.255.255.0
  no ip redirects
  no ip proxy-arp
  ip nat outside
end
ip route 0.0.0.0 0.0.0.0 10.10.10.254
ip route 0.0.0.0 0.0.0.0 20.20.20.254

For VPN 10 I configured interface NAT overload as the default method. This simple configuration works perfectly. VPN 10 goes to the internet via 10.10.10.254 or 20.20.20.254

ip nat route vrf 10 0.0.0.0 0.0.0.0 global

For VPN 16 I configured a NAT pool with central policy and it works correctly; users go to the internet via 10.10.10.10 or 20.20.20.20. But after reloading my devices (isr1111X-8P or c8200), users from VPN 16 can't go to the internet. If I delete the NAT pool and configure it again, it starts working again.

ip nat pool natpool1 10.10.10.10 10.10.10.10 prefix-length 24 
ip nat pool natpool1 20.20.20.20 20.20.20.20 prefix-length 24 
ip nat inside source list dia-list pool natpool1 overload match-interface GigabitEthernet0/0/1.100
ip nat inside source list dia-list pool natpool1 overload match-interface GigabitEthernet0/0/1.200

vpn-list VPN16
sequence 1
match
source-data-prefix-list wifi_prefixes
action accept
count wifi_nat_724726910
nat use-vpn 0
no nat fallback
nat source-dia-pool 1 2
no nat bypass

Torbjørn
VIP

This should "just work" reliably. I would create a TAC case for this.

I can't seem to find any existing bugs for this issue in the BST. Which IOS-XE version are you running?

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

17.15.3a/17.5.4. I thought that maybe my config was wrong

I can't see any matching bugs listed for those releases. Thank you for sharing!

Please do report back with what TAC figures out/which solution you end up using.
