05-23-2024 03:25 PM
I've been tasked with setting up a new Catalyst 8000 to connect to a vendor through a VPN tunnel. We will have two tunnels configured with BGP and using NAT'd IPs to connect to his network. Vendor confirms both tunnels are up and he sees our advertised route (the NAT) and I see his routes added to my side and the "best" route added to my IP route table. I'm able to ping his side of the tunnel, but I'm unable to ping the test host. Looking at the NAT translations table I never see the host added as I would expect.
UUSERCNCSR03#sho ip route
Gateway of last resort is 10.28.133.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.28.133.1
10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
C 10.28.132.128/25 is directly connected, GigabitEthernet3
L 10.28.132.134/32 is directly connected, GigabitEthernet3
C 10.28.133.0/24 is directly connected, GigabitEthernet1
L 10.28.133.6/32 is directly connected, GigabitEthernet1
100.0.0.0/30 is subnetted, 1 subnets
S 100.80.115.32 is directly connected, Null0
167.16.0.0/25 is subnetted, 1 subnets
B 167.16.0.0 [20/0] via 169.254.9.42, 02:30:09
168.63.0.0/32 is subnetted, 1 subnets
S 168.63.129.16 [254/0] via 10.28.133.1
169.254.0.0/16 is variably subnetted, 5 subnets, 2 masks
C 169.254.9.42/31 is directly connected, Tunnel500
L 169.254.9.43/32 is directly connected, Tunnel500
C 169.254.40.234/31 is directly connected, Tunnel600
L 169.254.40.235/32 is directly connected, Tunnel600
S 169.254.169.254/32 [254/0] via 10.28.133.1
UUSERCNCSR03#sho ip bgp
Network Next Hop Metric LocPrf Weight Path
*> 100.80.115.32/30 0.0.0.0 0 32768 i
*> 167.16.0.0/25 169.254.9.42 0 27160 4200017140 4200017142 65355 4200005845 4200005850 i
* 170.186.194.23 0 27160 4200017340 4200017342 65355 4200005845 4200005850 i
I've added what I think is the pertinent configuration below.
Vendor has two endpoints that I've setup with Tunnel500 and Tunnel600
05-23-2024 04:44 PM
Hello,
Have you configured a NAT inside and a NAT outside interface so the device knows where to make the translations? I didn't see it in the config.
ip nat inside/outside
-David
05-23-2024 04:46 PM
05-23-2024 05:50 PM
There are aspects of your environment that I do not understand, and perhaps the solution is in one of those things. But it seems to me that your ip nat outside is assigned to GigabitEthernet1. That is the source address for the tunnel. But it is not the exit point for the tunnel. So it never recognizes that the traffic needs to be translated.
05-24-2024 03:57 PM
Hi Richard. Thank you for taking a look. Is there a log or configuration I can put in place to verify the traffic is or is not exiting the tunnel?
05-24-2024 04:04 PM
You need to NAT traffic to the tunnel IP, but the IP I see in the NAT pool is not the tunnel IP.
Also, you don't configure the tunnel as ip nat outside.
MHM
05-24-2024 04:33 PM
I believe you need to configure the outside interface on the tunnel as traffic is encapsulated before it exits the physical interface. Same applies with QoS as there is a command to apply interface QoS config to a tunnel interface using it as a source.
That, and make sure your NAT pool is using a pool of addresses reachable from the other side.
-David.
05-24-2024 06:35 PM - edited 05-24-2024 07:10 PM
Hi @mark-rodgers ,
In addition to all the excellent suggestions that have been made so far, I would add that you should use the default next hop address (eBGP peering address) for the BGP updates received from Dallas and Chicago as you want the traffic to traverse the tunnels. There is no need to explicitly set it like you do for Chicago, as it is the default anyway. You should remove the inbound route-map for both Chicago and Dallas.
Regards,
05-28-2024 01:28 PM
05-28-2024 05:14 PM - edited 05-28-2024 05:17 PM
Hi @mark-rodgers ,
As others have suggested, you need to apply the "ip nat inside" and "ip nat outside" to the right interfaces.
The "ip nat inside" needs to be configured on the ingress L3 interface, not on VirtualPortGroup0, which has no ip address.
The "ip nat outside" needs to be applied to the tunnel interfaces (tu500 and tu600), not the physical interfaces (gig1 and gig3).
Regards,
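A minimal configuration matching the advice above, written as an added example and not taken from the thread. It assumes GigabitEthernet3 (10.28.132.128/25 in the posted routing table) is the LAN-facing interface where traffic for the vendor's test host arrives, that the NAT pool is the 100.80.115.32/30 prefix already advertised to the vendor over BGP, and that the vendor's prefix is 167.16.0.0/25 as shown; the ACL and pool names are invented.

```cisco
! Added example, not the poster's configuration.
! Assumption: GigabitEthernet3 is the ingress L3 interface for LAN traffic.
interface GigabitEthernet3
 ip nat inside
!
! The outside side is the tunnels, not the physical interfaces:
! translation happens before GRE/IPsec encapsulation.
interface Tunnel500
 ip nat outside
!
interface Tunnel600
 ip nat outside
!
! Usable hosts of the advertised 100.80.115.32/30 (.33 and .34).
ip nat pool VENDOR-POOL 100.80.115.33 100.80.115.34 netmask 255.255.255.252
!
! Only translate LAN traffic destined for the vendor's prefix,
! so the rest of the LAN traffic leaves untranslated.
ip access-list extended VENDOR-NAT
 permit ip 10.28.132.128 0.0.0.127 167.16.0.0 0.0.0.127
!
ip nat inside source list VENDOR-NAT pool VENDOR-POOL overload
```

After applying this, `show ip nat statistics` lists which interfaces are marked inside and outside, and `show ip nat translations` should show an entry with a 100.80.115.33 inside-global address once a ping to the test host is sourced from the LAN.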
05-28-2024 06:08 PM
Thank you Harold. You mention L3. I don't have a loopback configured. Do I need one? And the VirtualPortGroup0 was a holdover from something else. I removed it.
05-28-2024 08:22 PM - edited 05-29-2024 04:32 AM
Hi @mark-rodgers ,
> I don't have a loopback configured. Do I need one?
No, you don't. The ingress L3 interface I am referring to is the interface through which the IP traffic destined to the test host will arrive. This is the interface that requires the "ip nat inside".
Regards,
05-29-2024 04:49 AM
Do I need an LO? This question is important here.
As I understand it, you get one public IP from the SP and you must use it for all your network behind the tunnel?
If that is correct, then
configure an LO with the public IP and NAT the traffic to this LO.
You also need PBR to redirect traffic to the LO for NAT, so it will go through the tunnel.
If you can use this public IP as the tunnel IP, that is better and you don't need the LO interface.
MHM