Hi David. I should have included the interfaces. Here they are.

interface VirtualPortGroup0
no ip address
ip nat inside
no mop enabled
no mop sysid
!
interface GigabitEthernet1
ip address dhcp
ip nat outside
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
ip address dhcp
no ip redirects
no ip unreachables
ip nat inside
negotiation auto
no mop enabled
no mop sysid

There are aspects of your environment that I do not understand, and perhaps the solution is in one of those things. But it seems to me that your ip nat outside is assigned to GigabitEthernet1. That is the source address for the tunnel. But it is not the exit point for the tunnel. So it never recognizes that the traffic needs to be translated.

Hi Richard. Thank you for taking a look. Is there a log or configuration I can put in place to verify the traffic is or is not exiting the tunnel?

you need to NAT traffic to tunnel IP but the IP I see in NAT pool is not Tunnel IP 

also you dont config tunnel as ip nat outside 

MHM

I believe you need to configure the outside interface on the tunnel as traffic is encapsulated before it exits the physical interface. Same applies with QoS as there is a command to apply interface QoS config to a tunnel interface using it as a source.

That and make sure your NAT POOL is suing a pool of addresses reachable from the other side.

-David.

 

Hi Harold. I was using an example https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/118977-config-ebgp-00.html where the route map is used to change the next hop to the interface rather than the tunnel. Removing the route map from both tunnels does get me into a state where the chosen route is being written to the ip table. So I do think what you propose is the correct configuration. I’m still unable to get to the host on the other side of the tunnel. Any advice on how to troubleshoot the flow and get the darn thing NAT’d is greatly appreciated.

UUSERCNCSR03#sho ip bgp
BGP table version is 5, local router ID is 169.254.40.235

Network Next Hop Metric LocPrf Weight Path
*> 100.80.115.32/30 0.0.0.0 0 32768 i
* 167.16.0.0/25 169.254.40.234 0 27160 4200017340 4200017342 65355 4200005845 4200005850 i
*> 169.254.9.42 0 27160 4200017140 4200017142 65355 4200005845 4200005850 i
* 204.194.133.0 169.254.40.234 0 27160 4200017340 4200017342 65355 4200005845 4200005850 i
*> 169.254.9.42 0 27160 4200017140 4200017142 65355 4200005845 4200005850 i
* 204.194.134.0 169.254.40.234 0 27160 4200017340 4200017342 65355 4200006839 4200006850 i
*> 169.254.9.42 0 27160 4200017140 4200017142 65355 4200006839 4200006850 i

UUSERCNCSR03#sho ip route
Gateway of last resort is 10.28.133.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.28.133.1
10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
C 10.28.132.128/25 is directly connected, GigabitEthernet3
L 10.28.132.134/32 is directly connected, GigabitEthernet3
C 10.28.133.0/24 is directly connected, GigabitEthernet1
L 10.28.133.6/32 is directly connected, GigabitEthernet1
100.0.0.0/30 is subnetted, 1 subnets
S 100.80.115.32 is directly connected, Null0
167.16.0.0/25 is subnetted, 1 subnets
B 167.16.0.0 [20/0] via 169.254.9.42, 00:09:36
168.63.0.0/32 is subnetted, 1 subnets
S 168.63.129.16 [254/0] via 10.28.133.1
169.254.0.0/16 is variably subnetted, 5 subnets, 2 masks
C 169.254.9.42/31 is directly connected, Tunnel500
L 169.254.9.43/32 is directly connected, Tunnel500
C 169.254.40.234/31 is directly connected, Tunnel600
L 169.254.40.235/32 is directly connected, Tunnel600
S 169.254.169.254/32 [254/0] via 10.28.133.1
B 204.194.133.0/24 [20/0] via 169.254.9.42, 00:09:36
B 204.194.134.0/24 [20/0] via 169.254.9.42, 00:09:36


UUSERCNCSR03#sho ip route 167.16.0.125
Routing entry for 167.16.0.0/25
Known via "bgp 4200009690", distance 20, metric 0
Tag 27160, type external
Last update from 169.254.9.42 00:02:08 ago
Routing Descriptor Blocks:
* 169.254.9.42, from 169.254.9.42, 00:02:08 ago
opaque_ptr 0x744EF0F55A30
Route metric is 0, traffic share count is 1
AS Hops 6
Route tag 27160
MPLS label: none

UUSERCNCSR03#sho ip bgp 167.16.0.0
BGP routing table entry for 167.16.0.0/25, version 2
Paths: (2 available, best #2, table default)
Advertised to update-groups:
7
Refresh Epoch 1
27160 4200017340 4200017342 65355 4200005845 4200005850, (received & used)
169.254.40.234 from 169.254.40.234 (10.100.10.1)
Origin IGP, localpref 100, valid, external
Community: 4227860054 4227860055 4227860059 4227865101 4227881032 4227882642 4227919442 4227920652
Extended Community: SoO:65355:55 RT:65355:9
rx pathid: 0, tx pathid: 0
Updated on May 28 2024 16:12:58 EDT
Refresh Epoch 1
27160 4200017140 4200017142 65355 4200005845 4200005850, (received & used)
169.254.9.42 from 169.254.9.42 (10.100.10.1)
Origin IGP, localpref 100, valid, external, best
Community: 4227860054 4227860055 4227860059 4227865101 4227879632 4227881032 4227919442 4227920652
Extended Community: SoO:65355:55 RT:65355:9
rx pathid: 0, tx pathid: 0x0
Updated on May 28 2024 16:12:58 EDT

Hi @mark-rodgers ,

As others have suggested, you need to apply the "ip nat inside" and "ip nat outside" to the right interfaces.

The "ip nat inside" needs to be configured on the ingress L3 interface, not on VirtualPortGroup0, which has no ip address.

  The "ip nat outside" needs to be applied to the tunnel interfaces (tu500 and tu600), not the physical interfaces (gig1 and gig3). 

Regards,

Thank you Harold. You mention L3.  I don't have a loopback configured.  Do I need one?  And theVirtualPortGroup0 was a holdover from something else.  I removed it.

Hi @mark-rodgers ,

> I don't have a loopback configured.  Do I need one?

No, you don't. The ingress L3 interface I am referring to is the interface through which the IP traffic destined to the test host will arrive. This is the interface that requires the "ip nat inside".

Regards,