Support for Port Forwarding with NAT DIA from 20.9.1

dijix1990
According to the instructions:

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/nat/nat-book-xe-sdwan/configure-nat.html#port-forwarding-nat-dia

Before You Begin

  1. Configure and apply a data policy.
  2. Configure a Cisco VPN Interface Ethernet template or edit an existing Cisco VPN Interface Ethernet template.
  3. Configure interface overload mode. Interface overload mode is enabled by default.
  4. Configure a NAT pool.

And where do I have to configure NAT overload and the NAT pool? Can I maybe do it via a CLI template?

 


Hi,

NAT itself should be enabled on the outside interface (in the interface template). When you enable it there are 3 options (interface, pool, loopback) with overload (for pool you may have overload "off", which results in normal dynamic NAT, not PAT).

NAT pool is also created within interface template when you choose "pool" option.

[image: KananHuseynli_0-1680718495056.png]

But for service-side NAT, you do the configuration in the respective service-side VPN template (in the VPN0 template, no NAT config is supported).

[image: KananHuseynli_1-1680718526413.png]

Basically, use the service-side VPN template for the service-side NAT feature; use the VPN0 interface template for the DIA feature.

To forward traffic through VPN0 NAT (DIA) you can configure a centralized data policy (match; set NAT VPN0) OR you can have a NAT DIA route in your service-side VPN.

Note: if you manage devices via vManage, there is no configuration done via CLI. Everything is through vManage.

 

 

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Yes, I did it before, but refer to the new instructions (only from vManage 20.9.1 and edge 17.9.1):

  1. Configure a data policy (but it doesn't say which action to set, NAT pool or VPN 0)
  2. You should enable the NAT interface (only overload) on VPN0
  3. Configure a NAT pool (as we configured overload on VPN 0, we can't perform it on VPN 0), so it's on the service VPN
  4. Configure port forwarding on VPN0 (because, if we refer to the instructions, only there do we have the option "Source VPN ID")

And we have a CLI example of how we can perform it via the CLI feature:

Configure Port Forwarding with NAT DIA Using a CLI Template

Minimum supported releases: Cisco IOS XE Release 17.9.1a, Cisco vManage Release 20.9.1

For more information on using CLI templates, see CLI Templates and CLI Add-On Feature Templates.

Configure ip nat outside on the WAN interface.

interface interface-type-number
 ip address dhcp
 ip nat outside
 negotiation auto
 no mop enabled
 no mop sysid
end

Configure interface overload mode on the WAN interface.

ip nat inside source list nat-acl interface interface-type-number overload

Configure NAT DIA port forwarding using an egress interface.

ip nat inside source static tcp ip-address port ip-address port vrf number egress-interface interface-type-number
ip nat inside source static tcp ip-address port interface interface-type-number port vrf number

The ip nat inside source static tcp ip-address port interface interface-type-number port vrf number command is an example of interface port forwarding, because you use an interface rather than an IP address in the port-forwarding rule.

Note 

Configure interface port forwarding using a CLI template only. You cannot configure interface port forwarding using a Cisco vManage feature template.

Here is a complete configuration example for configuring port forwarding with NAT DIA.

! WAN (outside) interface
interface GigabitEthernet1
 ip address 10.1.2.1 255.255.255.0
 ip nat outside
 negotiation auto
 no mop enabled
 no mop sysid
end

! interface overload: PAT to the GigabitEthernet1 address
ip nat inside source list nat-dia-vpn-hop-access-list interface GigabitEthernet1 overload
! interface port forwarding: <Gi1 address>:8443 (outside) -> 192.168.1.100:443 in VRF 1
ip nat inside source static tcp 192.168.1.100 443 interface GigabitEthernet1 8443 vrf 1
! port forwarding to explicit outside addresses, egressing via GigabitEthernet1
ip nat inside source static tcp 192.168.1.100 80 10.1.2.10 80 vrf 1 egress-interface GigabitEthernet1
ip nat inside source static tcp 192.168.1.100 22 10.1.2.20 2020 vrf 1 egress-interface GigabitEthernet1
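Taking the documented steps through to a complete, deployable setup, as an added example that is not the thread's or Cisco's own configuration: one CLI add-on template body with the interface-overload line, the interface-form port forward, a route-based NAT DIA for VRF 1, and an inbound filter on the WAN interface so the exposed port answers only to one admin prefix. Assumptions: GigabitEthernet1 is the VPN0/WAN interface at 10.1.2.1/24, the server is 192.168.1.100 in VRF 1, 203.0.113.0/24 is the admin prefix, the names WAN-IN and ISP are mine, and `ip access-group` on a VPN0 interface is accepted by the add-on template (it is the normal IOS XE command, but check it against the qualified CLI reference before relying on it).

```cisco
! Added example; not from the thread or the Cisco NAT guide.
! Assumed topology: Gi1 = WAN (VPN0) 10.1.2.1/24, server 192.168.1.100 in VRF 1,
! admin source 203.0.113.0/24. ACL name WAN-IN and pool name ISP are mine.

! 1. WAN (outside) interface. "ip access-group" is assumed to be accepted by
!    the CLI add-on template; it is the standard IOS XE command.
interface GigabitEthernet1
 ip address 10.1.2.1 255.255.255.0
 ip nat outside
 ip access-group WAN-IN in
 negotiation auto
 no mop enabled
 no mop sysid
!
! 2. Interface overload (PAT) for DIA. The list name is the one vManage
!    generates for interface NAT, as in the guide's example above.
ip nat inside source list nat-dia-vpn-hop-access-list interface GigabitEthernet1 overload
!
! Alternative to step 2: PAT to a pool address instead of the interface
! address (this form can also be built from the interface template).
! ip nat pool ISP 10.1.2.11 10.1.2.11 prefix-length 24
! ip nat inside source list nat-dia-vpn-hop-access-list pool ISP overload egress-interface GigabitEthernet1
!
! 3. Interface port forwarding: 10.1.2.1:8443 (outside) -> 192.168.1.100:443 (VRF 1).
!    This form needs the CLI template; the feature template only takes an outside IP.
ip nat inside source static tcp 192.168.1.100 443 interface GigabitEthernet1 8443 vrf 1
!
! 4. Route-based NAT DIA: VRF 1 default traffic goes to the VPN0 NAT.
!    Use this OR a centralized data policy with "nat use-vpn 0", not both.
ip nat route vrf 1 0.0.0.0 0.0.0.0 global
!
! 5. Inbound filter, checked on the outside address before NAT translates it:
!    only the admin prefix may reach the forwarded port; everything else is
!    permitted so control connections and NAT return traffic are unaffected.
ip access-list extended WAN-IN
 10 permit tcp 203.0.113.0 0.0.0.255 host 10.1.2.1 eq 8443
 20 deny   tcp any host 10.1.2.1 eq 8443
 30 permit ip any any
!
! Verification from the edge after an outside client connects to 10.1.2.1:8443:
!   show ip nat translations | include 8443
!   show ip nat statistics
```

The inbound ACL is the piece the NAT rules themselves do not give you: a static port forward makes 192.168.1.100:443 reachable from any address that can route to the WAN interface, so restrict the source before turning it on. If the edge is reached through a provider NAT or load balancer, match on that device's address rather than the end client's.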

Accepted solution:

Hi,

Sorry, I missed that the topic is about port forwarding. You can configure it if you specify the outside IP address. If you want NAT configuration with an interface (NAT to interface), then yes, you need a CLI template, because the interface template has no such option:

[image: KananHuseynli_3-1680755062431.png]

 

Below is from my lab. VPN0 interface template:

[image: KananHuseynli_0-1680754902923.png]

NAT verification and the actual NAT entry after telnetting.

[image: KananHuseynli_2-1680754965064.png]

From your last configuration, only the line below requires a CLI template; the rest can be configured on the interface template:

ip nat inside source static tcp 192.168.1.100 443 interface GigabitEthernet1 8443 vrf 1

Again, from my lab:

Interface template configured as normal (NAT enabled, dynamic NAT to pool with overload, port forwarding with a different IP) and an interface template which contains only:

[image: KananHuseynli_4-1680755651249.png]

Below are the NAT entry and the actual NAT entry when doing telnet to 8080 (forwarded to 80):

[image: KananHuseynli_5-1680755664271.png]

 

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Yeah, I checked too; maybe in the future we can send our traffic from different VPNs to the internet via different pools...

dijix1990

Interesting: when I do this config I notice that the ACL doesn't work.

 

 

! WAN sub-interface (outside). The original post gave no mask; /27 is assumed
! here from the pool's prefix-length 27.
interface GigabitEthernet0/0/1.10
 encapsulation dot1Q 10
 ip address 11.11.11.1 255.255.255.224
 no ip redirects
 ip nat outside
!
! ACL intended to limit DIA to 192.168.200.0/24 only
ip access-list extended nat
 1 permit ip 192.168.200.0 0.0.0.255 any
 10 deny ip any any
!
! single-address pool, PAT (overload) out of the sub-interface
ip nat pool ISP 11.11.11.11 11.11.11.11 prefix-length 27
ip nat inside source list nat pool ISP overload egress-interface GigabitEthernet0/0/1.10

 

 

Very strange SD-WAN logic: it allows every network to go to the internet despite the ACL.

Based on the documentation, it seems that you can use different ACLs, but this is not the case:

  1. Configure interface overload mode on the WAN interface.

    ip nat inside source list nat-acl interface interface-type-number overload

Hi,

there is no access-list in SD-WAN. If you want to selectively choose service-side user subnets, you should use a centralized data policy (match/action). In SD-WAN the NAT configuration logic is a bit different. There is no access-list that we configure. If traffic is forwarded through a transport (VPN0) underlay interface with NAT enabled, then the traffic is evaluated through the NAT configuration.

Traffic can be forwarded via VPN0 NAT in 2 ways:

a) via centralized data policy pushed by vSmart (selectively)

b) via NAT DIA route (all are routed)

Regarding the line below: as I remember, it was supported on one of the releases or something else (I have never seen it when I pushed config from vManage; even the qualified CLI commands don't have it).

ip nat inside source list nat-acl interface interface-type-number overload

The true command for NAT overload over an interface is:

ip nat inside source list nat-dia-vpn-hop-access-list interface GigabitEthernet1 overload

For example, when I push a change of the interface config from pool to physical interface NAT, the true configuration is as below (at least the 20.9.1 version works with it):

[image: KananHuseynli_0-1680779270839.png]

Hence, the CLI command for NAT interface overload is:

 ip nat inside source list nat-dia-vpn-hop-access-list interface GigabitEthernet1 overload

Based on the qualified CLI commands, it is supported in CLI.

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/command/iosxe/qualified-cli-command-reference-guide/m-appendix.html

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
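A centralized data policy that does what the `nat` ACL in the earlier post was meant to do, as an added example that is not from this thread or from Cisco documentation. It is written in vSmart policy CLI and assumes site-id 100 for the branch, VPN 1 as the service VPN, and 192.168.200.0/24 as the only subnet allowed to use DIA; the list and policy names (branch, vpn1, dia-subnets, vpn1-dia) are mine.

```cisco
! Added example (vSmart centralized policy); not the thread's or Cisco's own config.
! Assumptions: branch site-id 100, service VPN 1, DIA only for 192.168.200.0/24.
policy
 lists
  site-list branch
   site-id 100
  !
  vpn-list vpn1
   vpn 1
  !
  data-prefix-list dia-subnets
   ip-prefix 192.168.200.0/24
  !
 !
 data-policy vpn1-dia
  vpn-list vpn1
   ! Only the listed subnet is sent to the VPN0 NAT (DIA). "nat fallback"
   ! returns that traffic to the overlay if the DIA path is down.
   sequence 10
    match
     source-data-prefix-list dia-subnets
    !
    action accept
     nat use-vpn 0
     nat fallback
    !
   !
   ! Every other VPN 1 source stays on the overlay (no NAT action).
   default-action accept
  !
 !
!
apply-policy
 site-list branch
  ! from-service: evaluated on traffic entering the edge from the LAN side
  data-policy vpn1-dia from-service
 !
!
```

For this to be selective, the edge must not also carry a NAT DIA route for VRF 1 (`ip nat route vrf 1 0.0.0.0 0.0.0.0 global`): that route sends all VRF 1 default traffic to the VPN0 NAT regardless of the policy. The policy is activated on vSmart and pushed to the matching sites, and the edge still needs NAT enabled on its VPN0 interface (interface, pool or loopback) for the `nat use-vpn 0` action to have anywhere to go.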

Yes, in this command the source list nat-dia-vpn-hop-access-list is fake; we can use any ACL, but it doesn't matter, the ACL isn't checked in SD-WAN for NAT:

ip nat inside source list nat-dia-vpn-hop-access-list interface GigabitEthernet1 overload

 

On SD-WAN, NAT is not as flexible as on a legacy device. Of course, we can use a centralized data policy, where we can define a network prefix list and set the action "VPN 0", but we cannot send traffic from the service VPN via different pool IP addresses.

I mean we can't divide our 100.100.100.1/24 between different clients:

! WAN (outside) interface with one primary and two secondary addresses
interface GigabitEthernet1
 ip nat outside
 ip address 100.100.100.1 255.255.255.0
 ip address 100.100.100.2 255.255.255.0 secondary
 ip address 100.100.100.3 255.255.255.0 secondary
!
! one single-address pool per client
ip nat pool ONE 100.100.100.1 100.100.100.1 prefix-length 24
ip nat pool TWO 100.100.100.2 100.100.100.2 prefix-length 24
ip nat pool THREE 100.100.100.3 100.100.100.3 prefix-length 24
!
! each client's source ACL (LIST-ONE/TWO/THREE, defined elsewhere) mapped to its own pool
ip nat inside source list LIST-ONE pool ONE egress-interface GigabitEthernet1 overload
ip nat inside source list LIST-TWO pool TWO egress-interface GigabitEthernet1 overload
ip nat inside source list LIST-THREE pool THREE egress-interface GigabitEthernet1 overload

this is not suitable for the service provider

Hi,

exactly, it is not so flexible right now. From time to time Cisco adds possibilities. Right now, for one transport interface you have one of three choices; you can't have two or more (interface; pool; loopback). Multiple pools for the same interface are also not supported, and so on.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Yeah, and via PBR it doesn't work either.

Hi, seems so. I made the tests myself. I suspect that PBR and ePBR only work for true SD-WAN overlay traffic (VPN0), not for the underlay [physical] interface traffic.

To reproduce:
I pinged the plain IP address on my physical interface which is peering with our transit provider, so theoretically interface vpn0/transport. Even the integrated Packet Capture feature delivers empty pcaps. With no tunnels active whatsoever, the vpn0 capture stays silent.
