03-27-2023 04:53 AM - edited 03-27-2023 04:54 AM
I did this config for NAT overload in the service VPN:
interface GigabitEthernet0/0/1.10
encapsulation dot1Q 10
ip address 11.11.11.11 255.255.255.224 secondary
ip address 11.11.11.10 255.255.255.224
no ip redirects
ip nat outside
ip nat pool natpool1 11.11.11.11 11.11.11.11 prefix-length 27
ip nat inside source list global-list pool natpool1 vrf 17 match-in-vrf overload
and the central policy for matching the traffic:
from-vsmart data-policy _VPN-17_nat-for-vpn17
direction from-service
vpn-list VPN-17
sequence 1
match
source-ip 192.168.200.0/24
action accept
nat pool 1
default-action accept
When I run an ICMP check it isn't successful, but I can see the NAT session:
east-gw# ping vrf 17 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.
Success rate is 0 percent (0/1)
east-gw#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 11.11.11.11:22 192.168.200.1:22 8.8.8.8:22 8.8.8.8:22
Total number of translations: 1
What's the problem with my config?
03-28-2023 02:08 AM
Hm.. I wanted to bring my config from legacy to SD-WAN. At first I tried to do it via DIA NAT, and you've answered me that it doesn't work because DIA NAT in SD-WAN has a restriction (https://community.cisco.com/t5/sd-wan-and-cloud-networking/nat-via-secondary-ip-on-sdwan-edge-or-service-side-nat/m-p/4802480#M5580),
and after that I tried to do it via "Service Side NAT overload", but it is used for overlay traffic only; for internet traffic (underlay) you need DIA.
I think we will stay in the non-SD-WAN environment, because for us it is a requirement to use a different IP for NAT on one interface.
03-27-2023 02:02 PM
Hi,
ensure that the remote site receives the NAT pool as a route (maybe you have a centralized policy which filters it).
11.11.11.11 11.11.11.11 prefix-length 27 >> this matches 11.11.11.0/27; check in vSmart for the route with: sh omp routes 11.11.11.0/27
and check the routes on the remote side.
Without a proper return route, the remote site cannot know how to forward traffic destined to 11.11.11.11 (the return traffic).
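As an added example (not part of the thread and not a Cisco tool), the check this reply recommends, automated in Python: it derives the subnet covered by the pool's prefix-length, parses the "show ip nat translations" rows the original post shows, and reports inside-global addresses that no learned prefix covers. REMOTE_OMP_PREFIXES is a constructed, hypothetical list standing in for what a remote site shows in "sh omp routes".

```python
import ipaddress
import re

# Constructed inputs modelled on the thread's config and output.
POOL_LINE = "ip nat pool natpool1 11.11.11.11 11.11.11.11 prefix-length 27"
NAT_TRANSLATIONS = """\
Pro Inside global Inside local Outside local Outside global
icmp 11.11.11.11:22 192.168.200.1:22 8.8.8.8:22 8.8.8.8:22
Total number of translations: 1
"""
# Hypothetical prefixes a remote site learned via OMP; the pool's /27 is deliberately absent.
REMOTE_OMP_PREFIXES = ["192.168.200.0/24", "10.0.0.0/8"]

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) prefix-length (\d+)$")
XLATE_RE = re.compile(r"^(\w+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)$")


def pool_prefix(line):
    """Return (pool name, network) the pool's prefix-length covers.
    '11.11.11.11 ... prefix-length 27' means 11.11.11.0/27 must be routable back."""
    m = POOL_RE.match(line.strip())
    if not m:
        raise ValueError("not an 'ip nat pool ... prefix-length' line: %r" % line)
    name, start, _end, plen = m.groups()
    return name, ipaddress.ip_network("%s/%s" % (start, plen), strict=False)


def parse_translations(text):
    """Parse 'show ip nat translations' rows into dicts; header and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            proto, ig, _igp, il, _ilp, ol, _olp, og, _ogp = m.groups()
            rows.append({"proto": proto, "inside_global": ig, "inside_local": il,
                         "outside_local": ol, "outside_global": og})
    return rows


def unrouted_inside_globals(translations, omp_prefixes):
    """Inside-global addresses of active translations that no learned prefix covers.
    Return traffic to such an address has no path back: a translation exists, yet the ping fails."""
    nets = [ipaddress.ip_network(p) for p in omp_prefixes]
    missing = []
    for t in translations:
        addr = ipaddress.ip_address(t["inside_global"])
        if not any(addr in n for n in nets) and t["inside_global"] not in missing:
            missing.append(t["inside_global"])
    return missing


if __name__ == "__main__":
    name, net = pool_prefix(POOL_LINE)
    print("pool %s covers %s; verify with: sh omp routes %s" % (name, net, net))
    print("unrouted inside-global:", unrouted_inside_globals(parse_translations(NAT_TRANSLATIONS), REMOTE_OMP_PREFIXES))
```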
03-27-2023 09:03 PM
Hm, maybe that's the problem: vSmart is behind NAT (PAT) and it can't reach the secondary IP on SD-WAN devices, I have no idea why.. vSmart can reach any legacy devices with a secondary IP, but not when the devices work as part of the SD-WAN fabric.
In my test lab I can see NAT translations, for example:
vSmart is pinging the main IP address 11.11.11.10 and it looks normal:
vSmart1# ping 11.11.11.10
Ping in VPN 0
PING 11.11.11.10 (11.11.11.10) 56(84) bytes of data.
64 bytes from 11.11.11.10: icmp_seq=1 ttl=250 time=2.03 ms
64 bytes from 11.11.11.10: icmp_seq=2 ttl=250 time=1.77 ms
On my NAT device for the vSmarts:
asr#sh ip nat translations | i 11.11.11.10
icmp 10.10.10.10:6 192.168.1.220:6 11.11.11.10:6 11.11.11.10:6
On my SD-WAN device with IP 11.11.11.10 I shouldn't see NAT for this IP, but I do (is it normal for SD-WAN???):
east-gw#sh ip nat translations | i 10.10.10.10
icmp 11.11.11.10:6 11.11.11.10:6 10.10.10.10:6 10.10.10.10:6
vSmart is pinging the main IP address 11.11.11.11.
On my NAT device for the vSmarts:
asr#sh ip nat translations | i 11.11.11.11
icmp 10.10.10.10:7 192.168.1.220:7 11.11.11.11:7 11.11.11.11:7
On my SD-WAN device with IP 11.11.11.11, which is set as the secondary IP, I can see the NAT translation through the main IP 11.11.11.10:
east-gw#sh ip nat translations | i 10.10.10.10
icmp 11.11.11.10:7 11.11.11.11:7 10.10.10.10:7 10.10.10.10:7
03-27-2023 09:18 PM
Yes, when I disable "ip nat outside" on the uplink interface which has the secondary IP, vSmart can reach the secondary IP, and after enabling NAT vSmart can reach only the main IP.....
03-28-2023 01:12 AM
Yes, it can be due to NAT, when the self-generated packet passes through NAT.
To fix your problem, could you explain what you want to achieve (better with a topology picture)? Is it DIA NAT you want to configure or service-side NAT (don't confuse the service-side NAT keyword; it is used for overlay traffic only, for internet traffic (underlay) you need DIA)?