
Static 1to1 NAT on cEdge

I've had a ticket open with Cisco for the past month and they've been beating around the bush on this matter. 

I simply want a Service side server to be accessible from the outside using an IP from the block the ISP assigned to me. I won’t be using any type of Port translation, just a basic 1 to 1 static NAT that is commonly used on a router. 

Goal #1
INBOUND: Third Party Vendor needs access to Branch server from outside, no s2s VPN. Branch Server will be reachable via ISP1 at 11.11.11.33 from outside. cEdge will translate those Destination packets from 11.11.11.33 to 192.168.1.1.

Goal #2
OUTBOUND: The cEdge will respond back and translate the Source IP from 192.168.1.1 to 11.11.11.33. I haven't tested anything yet but would like to know if anyone out there has got this up and going.

See attached diagram for better understanding. 


brselzer
Cisco Employee

Hello,

Make sure you are running 17.2.1 or later. If so, try this:

ip nat inside source list nat-dia-vpn-hop-access-list interface [WAN Interface] overload <----Required

ip nat inside source static 192.168.1.1 11.11.11.33 vrf [vrf server is in] egress-interface [WAN Interface] <----Static nat statement

You will need a route in the vrf pointing back to global:

ip nat route vrf [vrf of server] 11.11.11.33 255.255.255.255 global  <---Route in VRF routing traffic back to the global VRF for egress traffic

You will also need NAT enabled on your interface:

interface [wan interface]
ip nat outside

This is working for me in my lab. You can also do this in vManage under the interface if you prefer to use a template. Hope that helps!

-Bradley Selzer
CCIE# 60833

I understand how to NAT, especially with CLI. I'm looking for a vManage walkthrough, since all my appliances are vManaged.

Thanks.

Hello,


There are two ways you can do it in vManage:

1) cEdges have a "CLI addon" template that you can use and just copy/paste the config from above into.

2) Under the interface template, there is a NAT section you would use.

 

Attached a screenshot of both if it helps. Just take the values from the CLI and enter them in this section of the template.

Hope that helps!

-Bradley Selzer
CCIE# 60833

Hi,

It only works for us with CLI Addon Template.

With vManage the configuration is always deployed wrong, e.g.:

ip nat inside source static 172.16.1.20 45.67.12.3 egress-interface GigabitEthernet0/0/0

but it has to be:
ip nat inside source static 172.16.1.20 45.67.12.3 vrf 10 egress-interface GigabitEthernet0/0/0

Yeah, I figured this was the case. Thanks

I also just got word back from Cisco that this is STILL not supported and that they do not have an ETA. 
I think this is a bit ridiculous since SD-WAN is supposed to be an AIO solution and this is a basic config request.

Disappointed by this. 

In Interface template of interface in VPN 0, change VPN for static NAT route to Service VPN. That will give you
ip nat inside source static 172.16.1.20 45.67.12.3 vrf 10 egress-interface GigabitEthernet0/0/0

Then in Service VPN template, configure IPv4 static route with Gateway set to VPN and Enable VPN to On

ip nat route vrf 10 45.67.12.3 255.255.255.255 global

Hi Hasham,

Thanks, that is right - it works. I first thought it only works in the direction VPN0-in.

But anyway, for Port Translation or to use the "extendable" keyword you still need the CLI Addon Template, which is annoying, as those are all basics.
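
A lint for the failure mode reported in this thread, added here as an example (it is not part of any post and is not Cisco code): it reads a saved running-config and flags static NAT statements that lack the `vrf` keyword, the matching `ip nat route vrf ... global`, `ip nat outside` on the egress interface, or the overload statement. The function name `audit_static_nat` is hypothetical, and the sample configs are constructed from the addresses quoted in the replies.

```python
import re

STATIC = re.compile(
    r"ip nat inside source static (\S+) (\S+)(?: vrf (\S+))? egress-interface (\S+)")
ROUTE = re.compile(r"ip nat route vrf (\S+) (\S+) 255\.255\.255\.255 global")
OVERLOAD = re.compile(r"ip nat inside source list \S+ interface (\S+) overload")

def audit_static_nat(config):
    """Return (public_ip, problem) findings for each static NAT in a config."""
    routes, overload, outside, statics, current = set(), set(), set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]      # remember the open stanza
        elif line == "ip nat outside" and current:
            outside.add(current)
        elif m := ROUTE.match(line):
            routes.add((m.group(1), m.group(2)))  # (vrf, public ip)
        elif m := OVERLOAD.match(line):
            overload.add(m.group(1))
        elif m := STATIC.match(line):
            statics.append(m.groups())
    findings = []
    for _inside, public, vrf, intf in statics:
        if vrf is None:
            findings.append((public, "static NAT has no vrf keyword"))
        elif (vrf, public) not in routes:
            findings.append((public, f"no ip nat route vrf {vrf} to global"))
        if intf not in outside:
            findings.append((public, f"ip nat outside missing on {intf}"))
        if intf not in overload:
            findings.append((public, f"no overload statement on {intf}"))
    return findings

# Constructed sample: the statement as the thread says the template deployed it.
DEPLOYED_BY_TEMPLATE = """\
ip nat inside source list nat-dia-vpn-hop-access-list interface GigabitEthernet0/0/0 overload
ip nat inside source static 172.16.1.20 45.67.12.3 egress-interface GigabitEthernet0/0/0
interface GigabitEthernet0/0/0
 ip nat outside
"""
# Constructed sample: the same config with the vrf keyword and the NAT route.
WORKING = DEPLOYED_BY_TEMPLATE.replace(
    "45.67.12.3 egress", "45.67.12.3 vrf 10 egress"
) + "ip nat route vrf 10 45.67.12.3 255.255.255.255 global\n"

if __name__ == "__main__":
    for name, cfg in (("template", DEPLOYED_BY_TEMPLATE), ("working", WORKING)):
        print(name, audit_static_nat(cfg) or "ok")
```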