Service Side NAT overload doesn't work

dijix1990

I did this config for NAT overload in the service VPN:

interface GigabitEthernet0/0/1.10
encapsulation dot1Q 10
ip address 11.11.11.11 255.255.255.224 secondary
ip address 11.11.11.10 255.255.255.224
no ip redirects
ip nat outside

ip nat pool natpool1 11.11.11.11 11.11.11.11 prefix-length 27
ip nat inside source list global-list pool natpool1 vrf 17 match-in-vrf overload

and a centralized policy for matching the traffic:

from-vsmart data-policy _VPN-17_nat-for-vpn17
direction from-service
vpn-list VPN-17
sequence 1
match
source-ip 192.168.200.0/24
action accept
nat pool 1
default-action accept

When I run an ICMP check it isn't successful, but I can see the NAT session:

east-gw# ping vrf 17 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.
Success rate is 0 percent (0/1)

east-gw#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 11.11.11.11:22 192.168.200.1:22 8.8.8.8:22 8.8.8.8:22
Total number of translations: 1

What's the problem with my config?

Accepted Solution

Hm.. I wanted to bring my config from legacy to SD-WAN. At first I tried to do it via DIA NAT and you answered me that it doesn't work because NAT DIA in SD-WAN has a restriction (https://community.cisco.com/t5/sd-wan-and-cloud-networking/nat-via-secondary-ip-on-sdwan-edge-or-service-side-nat/m-p/4802480#M5580)

and after that I tried to do it via "Service Side NAT overload", but it is used for overlay traffic only; for internet traffic (underlay) you need DIA.

I think we will stay in the non-SD-WAN environment because for us it is a requirement to use a different IP for NAT on one interface.

5 Replies

Hi,

ensure that the remote site receives the NAT pool as a route (maybe you have a centralized policy which filters it).

11.11.11.11 11.11.11.11 prefix-length 27 >> this matches 11.11.11.0/27; check in vSmart for the route: sh omp routes 11.11.11.0/27

and check the remote routes.

Without a proper return route, the remote site cannot know how to forward traffic destined to 11.11.11.11 (the return traffic).

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Hm, maybe it's the problem: vSmart is behind NAT (PAT) and it can't reach the secondary IP on SD-WAN devices, I have no idea why.. vSmart can reach any legacy devices with a secondary IP, but not when the devices work as part of the SD-WAN fabric.

In my test lab I can see NAT translations, for example:

vSmart is pinging the main IP address 11.11.11.10 and it looks normal:

vSmart1# ping 11.11.11.10
Ping in VPN 0
PING 11.11.11.10 (11.11.11.10) 56(84) bytes of data.
64 bytes from 11.11.11.10: icmp_seq=1 ttl=250 time=2.03 ms
64 bytes from 11.11.11.10: icmp_seq=2 ttl=250 time=1.77 ms

On my NAT device for the vSmarts:

asr#sh ip nat translations | i 11.11.11.10
icmp 10.10.10.10:6 192.168.1.220:6 11.11.11.10:6 11.11.11.10:6


On my SD-WAN device with IP 11.11.11.10 I shouldn't see NAT for this IP, but I do (is it normal for SD-WAN???):

east-gw#sh ip nat translations | i 10.10.10.10
icmp 11.11.11.10:6 11.11.11.10:6 10.10.10.10:6 10.10.10.10:6


vSmart is pinging the main IP address 11.11.11.11:

On my NAT device for the vSmarts:

asr#sh ip nat translations | i 11.11.11.11
icmp 10.10.10.10:7 192.168.1.220:7 11.11.11.11:7 11.11.11.11:7


On my SD-WAN device with IP 11.11.11.11, which is set as the secondary IP, I can see the NAT translation through the main IP 11.11.11.10:

east-gw#sh ip nat translations | i 10.10.10.10
icmp 11.11.11.10:7 11.11.11.11:7 10.10.10.10:7 10.10.10.10:7
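A small diagnostic, added here as an example and not part of either poster's configuration, that puts the two checks from this thread into code: it derives from the ip nat pool line the prefix the remote site must receive as a route (the 11.11.11.0/27 mentioned above), and it scans show ip nat translations output for entries whose inside local address is one of the router's own interface addresses, i.e. the self-generated packets being translated that make the secondary IP unreachable. The pool line, interface addresses and translation rows are constructed samples modelled on the outputs in this thread.

```python
import ipaddress
import re

# Constructed samples, modelled on the config and show output in this thread.
NAT_POOL_LINE = "ip nat pool natpool1 11.11.11.11 11.11.11.11 prefix-length 27"
INTERFACE_IPS = ["11.11.11.10", "11.11.11.11"]  # primary and secondary on Gi0/0/1.10
TRANSLATIONS = """\
Pro Inside global Inside local Outside local Outside global
icmp 11.11.11.11:22 192.168.200.1:22 8.8.8.8:22 8.8.8.8:22
icmp 11.11.11.10:7 11.11.11.11:7 10.10.10.10:7 10.10.10.10:7
Total number of translations: 2
"""

POOL_RE = re.compile(r"ip nat pool (\S+) (\S+) (\S+) prefix-length (\d+)")


def pool_route(pool_line):
    """Prefix the remote site needs a route for, e.g. '11.11.11.0/27'."""
    m = POOL_RE.match(pool_line.strip())
    if not m:
        raise ValueError("not an 'ip nat pool' line")
    _name, start, end, plen = m.groups()
    net = ipaddress.ip_network(f"{start}/{plen}", strict=False)
    if ipaddress.ip_address(end) not in net:
        raise ValueError("pool end address is outside the prefix")
    return str(net)


def _addr(token):
    # Strip the ':port' / ':icmp-id' suffix; raises ValueError for non-address tokens.
    return ipaddress.ip_address(token.rsplit(":", 1)[0])


def parse_translations(text):
    """Rows of 'show ip nat translations'; header, footer and '---' entries are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ig, il, ol, og = (_addr(t) for t in parts[1:])
        except ValueError:
            continue
        rows.append({"proto": parts[0], "inside_global": ig, "inside_local": il,
                     "outside_local": ol, "outside_global": og})
    return rows


def self_translations(rows, interface_ips):
    """Entries whose inside-local address is the router's own: its self-generated
    packets are being translated, the symptom seen for the secondary IP above."""
    own = {ipaddress.ip_address(a) for a in interface_ips}
    return [r for r in rows if r["inside_local"] in own]
```

Running it over the sample rows flags only the second entry (11.11.11.11 translated to 11.11.11.10), while the first row is an ordinary host translation and is left alone.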


dijix1990

Yes, when I disable "ip nat outside" on the uplink interface which has the secondary IP, vSmart can reach the secondary IP, and after enabling NAT vSmart can reach only the main IP.....

Yes, it can be due to NAT when a self-generated packet passes through NAT.

To fix your problem, could you explain what you want to achieve (better with a topology picture)? Is it DIA NAT you want to configure or service-side NAT (don't confuse the service-side NAT keyword; it is used for overlay traffic only, for internet traffic (underlay) you need DIA).

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
