Static 1:1 NAT cEdge - Post 17.3.1a

swilke318
Level 1

It appears Cisco has changed how basic 1:1 Static NAT works post 17.3.1a. I have a working setup based on another community discussion > Static 1to1 NAT on cEdge - Cisco Community.  The working cEdge is on 17.3.1a with externally accessible services with 1:1 NAT enabled and ZBFW rules.  With that same configuration on any version 17.3.4a (suggested release) or later I cannot get any open ports to respond externally.

Has anyone else configured a successful basic 1:1 NAT on the new releases? This wouldn't be a problem but the router on 17.3.1a is hitting a bug and I can't push ANY changes to it. I can't upgrade because I lose working static NAT.

I tried to follow the Cisco SD-WAN NAT Configuration Guide, Cisco IOS XE Release 17.x - Configure NAT [Cisco SD-WAN] - Cisco but I'm not sure what I'm doing wrong here.  From everything I'm reading a simple static NAT on the Cisco VPN Ethernet Interface now requires configuration on the Cisco VPN service side template with NAT Pool, Static NAT, and properly configured central policy?

Working Site
ip nat inside source static 192.168.205.250 11.11.11.33 vrf 10 egress-interface GigabitEthernet0/0/0
ip nat inside source static 192.168.206.7 11.11.11.34 vrf 10 egress-interface GigabitEthernet0/0/0
ip nat inside source static 192.168.206.4 11.11.11.35 vrf 10 egress-interface GigabitEthernet0/0/0
ip nat inside source list nat-dia-vpn-hop-access-list interface GigabitEthernet0/0/0 overload
ip nat route vrf 10 0.0.0.0 0.0.0.0 global

I appreciate any help on this one as I'm stumped.


1 Reply

swilke318
Level 1

In case anyone else runs into this, the functionality was brought back in 17.6.2 (possibly 17.6.1a). It requires a ZBFW rule with an Outside > Service VPN zone pair as well as the Static NAT config on the VPN 0 (Outside) Cisco VPN Interface Ethernet.

Previous to that, in 17.2.1-17.3.1a, this required a ZBFW of Service to Service VPN with your outside to inside rule. It was an odd setup but I can confirm it worked. From 17.3.1a-17.6, NAT worked but traffic was knocked down somewhere in the ZBFW. This was confirmed with Cisco TAC.
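To make the combination the reply describes concrete, here is an added example (not the thread author's configuration and not vManage-generated output): the thread's three static NAT entries on VPN 0, plus an IOS XE ZBFW zone pair from the outside zone to the service-VPN zone that admits only the published services and drops everything else inbound. The zone and ACL names, the `vpn <id>` zone-membership form, and the ports 443 and 3389 are assumptions for this example; on a vManage-managed cEdge the equivalent is built in the security policy (zone-pair) template rather than typed as CLI.

```cisco
! Static 1:1 NAT on the VPN 0 (outside) interface, as posted in the thread
ip nat inside source static 192.168.205.250 11.11.11.33 vrf 10 egress-interface GigabitEthernet0/0/0
ip nat inside source static 192.168.206.7 11.11.11.34 vrf 10 egress-interface GigabitEthernet0/0/0
ip nat inside source static 192.168.206.4 11.11.11.35 vrf 10 egress-interface GigabitEthernet0/0/0
ip nat inside source list nat-dia-vpn-hop-access-list interface GigabitEthernet0/0/0 overload
ip nat route vrf 10 0.0.0.0 0.0.0.0 global
!
! Zones: VPN 0 is the outside (transport) zone, VPN 10 is the service-side zone.
! The "vpn <id>" membership form is assumed here (cEdge style).
zone security OUTSIDE
 vpn 0
zone security SERVICE
 vpn 10
!
! Only the published services are permitted inbound. The ACL references the
! inside (private) addresses because static NAT untranslates inbound packets
! before ZBFW inspection. Ports 443/3389 are placeholders for this example.
ip access-list extended ACL_INBOUND_PUBLISHED
 permit tcp any host 192.168.205.250 eq 443
 permit tcp any host 192.168.206.7 eq 443
 permit tcp any host 192.168.206.4 eq 3389
!
class-map type inspect match-all CM_INBOUND_PUBLISHED
 match access-group name ACL_INBOUND_PUBLISHED
!
! Inspect the published flows (return traffic is allowed statefully);
! everything else arriving from the outside zone is dropped and logged.
policy-map type inspect PM_OUTSIDE_TO_SERVICE
 class type inspect CM_INBOUND_PUBLISHED
  inspect
 class class-default
  drop log
!
! The zone pair the reply refers to: Outside -> Service VPN
zone-pair security ZP_OUTSIDE_SERVICE source OUTSIDE destination SERVICE
 service-policy type inspect PM_OUTSIDE_TO_SERVICE
```

After the config is applied, `show ip nat translations vrf 10` should list the three static entries, and `show policy-firewall sessions` should show inbound sessions being created on the Outside-to-Service zone pair when a published port is reached from outside.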