01-04-2013 11:34 PM - edited 03-07-2019 10:54 AM
Hi all,
Please can anyone help me understand this concept...
Let me show you the scenario:
One MPLS connection from the ISP comes to my router, and from my router to the DMZ servers.
I have to connect the remote server to my DMZ server.
The ISP gave me the BGP details to configure.
Now what do I have to do to route my private network to the remote servers...
I performed NAT on my router to go through the ISP connection..... Now I can ping the ISP gateway and can see all the routes in #sh bgp table.
Is it correct, or do I have to directly forward the traffic of the internal network to the ISP through BGP................ or
Do I have to create tunnels? If tunnels are required, then what do I have to know from the remote office?
Many, many thanks in advance.
01-08-2013 04:51 AM
Null0 gives you a static route to advertise. BGP needs an existing route to be in the routing table before it can advertise it to other peers. The purpose for it in this scenario is that you're natting to an address that is nowhere on your router. The static route allows for the route to be put into the table and let bgp use it. When bgp advertises it, it will show that the 10.16.21.206 comes from your AS and will let everyone upstream know how to get to this address. Technically, I guess you could create a loopback with the ip on there and nat out as that address but I'd have to lab that up.
I attached the diagram for you to review...
R3 192.168.1.1 is natted out as 10.10.10.10. R1 has natting configured, but doesn't hold that ip anywhere:
R1:
ip nat inside source static tcp 192.168.1.2 80 10.10.10.10 80 extendable
R1#sh ip route 10.10.10.10
% Network not in table
R1#
On R2, it doesn't exist either:
R2#sh ip route 10.10.10.10
% Network not in table
R2#
I'll add the null route:
R1(config)#do sh run | inc ip route
ip route 10.10.10.10 255.255.255.255 Null0
R1(config)#
Is it in the routing table now?
R1(config)#do sh ip route 10.10.10.10
Routing entry for 10.10.10.10/32
Known via "static", distance 1, metric 0 (connected)
Routing Descriptor Blocks:
* directly connected, via Null0
Route metric is 0, traffic share count is 1
So far so good...now let's advertise it in bgp:
R1#sh run | inc router bgp|10.10.10.10
router bgp 10
network 10.10.10.10 mask 255.255.255.255
It's showing in the bgp table:
R1#sh ip bgp regex ^$
BGP table version is 8, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.0/24 0.0.0.0 0 32768 i
*> 10.10.10.10/32 0.0.0.0 0 32768 i
*> 172.20.20.0/30 0.0.0.0 0 32768 i
*> 192.168.1.0/30 0.0.0.0 0 32768 i
R1#
What about R2?
R2#sh ip route 10.10.10.10
Routing entry for 10.10.10.10/32
Known via "bgp 200", distance 20, metric 0
Tag 10, type external
Last update from 172.20.20.1 00:01:53 ago
Routing Descriptor Blocks:
* 172.20.20.1, from 172.20.20.1, 00:01:53 ago
Route metric is 0, traffic share count is 1
AS Hops 1
Route tag 10
Okay, so we have the 10.10.10.10/32 route over at R2. Can it get to 10.10.10.10:80?
R2#telnet 10.10.10.10 80
Trying 10.10.10.10, 80 ... Open
Get / http/1.0
HTTP/1.1 401 Unauthorized
Date: Fri, 01 Mar 2002 00:20:54 GMT
Server: cisco-IOS
Accept-Ranges: none
WWW-Authenticate: Basic realm="level_15_access"
401 Unauthorized
[Connection to 10.10.10.10 closed by foreign host]
Yes it can....so your null route allows for you to basically advertise a route into bgp. There are other uses for null0 like summaries, but this is just to be able to get a route to advertise.
I also labbed up the loopback question and you should be able to do that as well:
R1(config-if)#do sh run int lo1
Building configuration...
Current configuration : 106 bytes
!
interface Loopback1
ip address 10.10.10.10 255.255.255.255
ip nat outside
ip virtual-reassembly
end
Same configuration for everything else, but you wouldn't have a static route to null0. Notice how I have "ip nat outside" on the loopback interface. That's because I want traffic to use this ip as outgoing. I still have the nat configuration on the router though:
R1#sh run | i ip nat inside source
ip nat inside source static tcp 192.168.1.2 80 interface Loopback1 80
R1#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
tcp 10.10.10.10:80 192.168.1.2:80 --- ---
R1#
On R2:
R2#telnet 10.10.10.10 80
Trying 10.10.10.10, 80 ... Open
Sorry for such a long post. In conclusion, you can use either one you wish; both seem to work fine.
HTH,
John
*** Please rate all useful posts ***
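The rule John's lab demonstrates, that `network` only puts a prefix into the BGP table when the routing table already holds an exactly matching prefix and mask, modelled in a small Python script. This is an added example, not code from the thread or from Cisco; the RIB contents follow R1's output above and the interface names are assumed.

```python
# Added example (not from the thread): model the IOS rule that a `network`
# statement is advertised only when the RIB holds an exactly matching route.
# RIB entries are constructed from R1's lab output; interface names assumed.
import ipaddress


def classful_prefix(addr):
    """Mask IOS applies when `network` is given without the `mask` keyword."""
    first = int(addr.split(".")[0])
    bits = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)


def network_statement_prefix(stmt):
    """Turn 'network 10.10.10.10 mask 255.255.255.255' into an IPv4Network."""
    parts = stmt.split()
    if len(parts) >= 4 and parts[2] == "mask":
        return ipaddress.ip_network(f"{parts[1]}/{parts[3]}", strict=False)
    return classful_prefix(parts[1])


def add_static_route(rib, line):
    """Install an 'ip route <net> <mask> <next hop or Null0>' line into the RIB."""
    _, _, net, mask, nexthop = line.split()
    rib[ipaddress.ip_network(f"{net}/{mask}")] = ("static", nexthop)


def advertised(rib, statements):
    """Statements BGP would advertise: prefix AND mask must match a RIB entry
    exactly; a covering route (a /24 for a /32 statement) is not enough."""
    return [s for s in statements if network_statement_prefix(s) in rib]


def demo():
    # Constructed RIB matching R1's connected routes before the null route.
    rib = {
        ipaddress.ip_network("1.1.1.0/24"): ("connected", "Loopback0"),
        ipaddress.ip_network("172.20.20.0/30"): ("connected", "Serial0/0"),
        ipaddress.ip_network("192.168.1.0/30"): ("connected", "FastEthernet0/0"),
    }
    stmts = ["network 10.10.10.10 mask 255.255.255.255",
             "network 172.20.20.0 mask 255.255.255.252"]
    before = advertised(rib, stmts)          # the NAT address has no route yet
    add_static_route(rib, "ip route 10.10.10.10 255.255.255.255 Null0")
    after = advertised(rib, stmts)           # now the /32 can be advertised
    return before, after


if __name__ == "__main__":
    print(demo())
```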
01-05-2013 05:56 AM
Do you have 1 site that has an mpls circuit and the other does not, or do they go into the same provider and mpls on both sides? If you have mpls on both sides through the same provider, it should be as easy as peering with the provider with bgp on both sides and then advertising your internal subnets. If you have the public internet between you, you'll need to create lan-to-lan tunnels between the two routers. Here's a guide to help you do that:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
HTH,
John
*** Please rate all useful posts ***
01-05-2013 06:17 AM
Thank you, John.....
I don't know about the other side.. as it is a govt organization server, I think they are connected to the same ISP...
I think they are connected to hundreds of organizations like us... so they don't want to create tunnels..
Now they gave the source and destination IP addresses to NAT to be able to connect to their server.
Now my problem is:
1) I configured BGP and removed NAT,
so how can I forward my private network to the other side (static routes or internal routing)?
2) They gave me source and destination IP addresses to NAT.
Now I am confused as to which IP I should NAT as inside to outside and outside to inside.
Source IP Address | Destination IP Address | Service | Action
10.11.19.43 | 10.16.21.206 | 5775/tcp | allow
Now I don't know what I have to do with this IP address.... how to NAT.
01-05-2013 07:30 AM
You need to check if you have a route in your routing table for 10.16.21.x (show ip route | i 10.16.21.) If you don't, you'll need a tunnel or a route. There's no way around that.
If you have a route in your routing table already, I'm assuming that your address that they want to see you coming in as is 10.11.19.43? Is the server that you're coming from on 10.10.10.28? If so, you'll configure nat in this way:
ip nat pool Nat 10.11.19.43 10.11.19.43 netmask 255.255.255.0
ip nat inside source route-map NatToOtherSide pool Nat
access-list 100 permit ip host 10.10.10.28 host 10.16.21.206
route-map NatToOtherSide permit 10
match ip address 100
When your server (10.10.10.28) sends traffic to host 10.16.21.206 (based off of destination address above), it will nat to that address. You can further tie this down to the port as well:
access-list 100 permit tcp host 10.10.10.28 host 10.16.21.206 eq 5775
HTH,
John
*** Please rate all useful posts ***
01-05-2013 08:35 AM
Thank you, John.
As you said, I don't find any route for 10.16.21.206,
but I found the route for 10.11.19.43.
Even though I configured the route map, I am unable to ping......
Does the above route-map need a "set" statement...
01-05-2013 04:44 PM
This route map doesn't need a set statement because it's being used for natting. I'm unclear as to what ip address they're using on the other side. Is the destination address that you're supposed to go to 10.16.21.206? Again, if they're not on the same mpls network, you'll probably need to use tunnels to get your two subnets to talk to each other. You should get in touch with them to find out if you'll need a tunnel.
HTH,
John
*** Please rate all useful posts ***
01-05-2013 09:55 PM
Thank you very much, John...
I am sure they are using the same ISP as we are... and the IP 10.16.21.206 is their test server IP address. We spoke to them but they are reluctant to create tunnels...
Source IP Address | Destination IP Address | Service | Action
10.11.19.43 | 10.16.21.206 | 5775/tcp | allow
What they have given is the above details.
The diagram is like below.
Please guide me to configure this.....
01-06-2013 05:35 AM
I'm not understanding who is who. You said that you have a route for 10.11.49.x. Can you post "show ip route 10.11.19.43"? Also, do they own the 10.16.21.206 address or is that one yours? Let's assume that they are in the same ISP; it doesn't mean that they're in the same vrf, which would require the isp to configure interaction between your companies (import/export of routes between vrfs).
HTH,
John
*** Please rate all useful posts ***
01-06-2013 06:04 AM
Hi John.....
Thanks for your reply.
The information I got was wrong; now I have to reconfigure the whole thing....
The actual scenario is:
We are hosting the server 10.10.10.28 and the remote org is connecting to our server from 10.11.19.51,
and they are forwarding the traffic from 10.11.19.51 to 10.16.21.206. I created a loopback interface 10.16.21.206 on my router, advertised it through BGP and created NAT for that on port 5775.
I can reach the loopback and ISP from my server 10.10.10.28,
but how can I know that the remote servers are forwarding the routes to my loopback and I am getting the traffic on my server 10.10.10.28?
It is like this: 10.11.19.51 --------------> 10.16.21.206 (loopback) ----(NAT)------------> 10.10.10.28
Please guide me.
01-07-2013 03:55 AM
You can see if they can ping the address 10.16.21.206. If you're advertising it and they're on the same mpls network, they should have the 10.16.21.x subnet in their table (pending vrf import/export that the ISP may be doing). If they can ping it, then I would remove the address from the loopback and then static nat to that address:
ip nat inside source static tcp 10.10.10.28 5775 10.16.21.206 5775
Create a route to null0 and advertise that via BGP. They should still be able to get to it.
HTH,
John
*** Please rate all useful posts ***
01-07-2013 04:20 AM
Thank you, John. I already have the static NAT.
How do I create a route to null0?
Pro Inside global Inside local Outside local Outside global
tcp 10.16.21.206:5775 10.10.10.28:5775 --- ---
--- 10.16.21.206 10.10.10.28 --- ---
But I am not able to ping the remote server 10.11.19.51. How can I know that the traffic they are sending for 10.16.21.226 is NATted and forwarded to my server 10.10.10.28?
My router is a 1941; does it support both incoming and outgoing traffic?
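The translation table the poster pasted above shows two static entries: the port-specific 5775/tcp one, and an address-only static (the row whose protocol column is "---") that maps every port of 10.10.10.28, which is wider than the single service the remote side was granted and than the port-restricted ACL John suggested earlier. The following Python audit, an added example that is not code from the thread or from Cisco, parses a "show ip nat translations" listing (the sample is constructed from the post) and reports whether the inside host is reachable only on the allowed protocol/port pairs.

```python
# Added example, not from the thread: audit 'show ip nat translations' output
# for static entries that expose more of the inside host than the one agreed
# service (5775/tcp here). Sample table constructed from the poster's output;
# the protocol-less row is an address-wide static mapping every port.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 10.16.21.206:5775  10.10.10.28:5775   ---                ---
--- 10.16.21.206       10.10.10.28        ---                ---
"""


def parse_translations(text):
    """Return one dict per data row; the header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] == "Pro":
            continue
        pro, ig, il, ol, og = cols
        rows.append({"pro": pro, "inside_global": ig, "inside_local": il,
                     "outside_local": ol, "outside_global": og})
    return rows


def split_host_port(field):
    """'10.10.10.28:5775' -> ('10.10.10.28', 5775); '10.10.10.28' -> (host, None)."""
    host, _, port = field.partition(":")
    return host, (int(port) if port else None)


def static_exposure(rows, inside_local):
    """(proto, port) pairs of inside_local reachable through *static* entries
    (both outside columns '---'); the string 'all' marks an address-only static."""
    exposed = set()
    for r in rows:
        if r["outside_local"] != "---" or r["outside_global"] != "---":
            continue                    # dynamic/session entry, not a static
        host, port = split_host_port(r["inside_local"])
        if host != inside_local:
            continue
        exposed.add("all" if r["pro"] == "---" and port is None
                    else (r["pro"], port))
    return exposed


def only_allowed(rows, inside_local, allowed):
    """True when inside_local is reachable solely on the allowed (proto, port)s."""
    return static_exposure(rows, inside_local) <= set(allowed)
```

Run against the sample, `only_allowed(parse_translations(SAMPLE), "10.10.10.28", [("tcp", 5775)])` is False because of the address-wide row; removing that row and keeping only the port-specific static makes it True.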
01-07-2013 04:29 AM
Again, you need to see if they can get to your address that you're advertising. You could be doing this all for nothing and need to create vpn tunnels instead. Your router will work fine...
HTH,
John
*** Please rate all useful posts ***
01-07-2013 04:38 AM
Hi John,
Thank you very much for your quick reply.
Yeah, the remote server is a govt org's, so we cannot force them to create tunnels. We already asked them for tunnels but they are reluctant to create them, so now we have to do this.....
How do I create a route to null0?
01-07-2013 06:54 AM
A null route is:
ip route <network> <mask> Null0
So, in your case it would be:
ip route 10.16.21.206 255.255.255.255 null0
Then, in bgp:
router bgp 100
network 10.16.21.206 mask 255.255.255.255
HTH,
John
*** Please rate all useful posts ***