NAT on Nexus 9K

mehtaamitm1 · ‎12-01-2023

Hi,

I have 2 nexus 9K in vpc. I want to nat traffic originating from vlan 192.168.254.0/24 toward 192.168.5.22 and 192.168.5.23

192.168.5.22 and 192.168.5.23 IP's are behind 192.168.8.193

Any traffic going towards 192.168.5.22 and 192.168.5.23 IP's should get natted via 192.168.8.194.

192.168.8.194 is directly connected to 192.168.8.193 via leased line

The vlan configs are given below.

interface Vlan47
description "Farm 1"
no shutdown
no ip redirects
ip address 192.168.254.252/24
no ipv6 redirects
hsrp 19
preempt
priority 200
ip 192.168.254.254

interface Vlan1120
description CH_VLAN
no shutdown
no ip redirects
ip address 192.168.8.196/24
no ipv6 redirects
hsrp version 2
hsrp 1120
priority 200
ip 192.168.8.194

I want suggestion on whether below config is optimal or the config can be improved.

ip nat outside source static 192.168.5.22 192.168.8.194 add-route

ip nat outside source static 192.168.5.23 192.168.8.194 add-route

Any suggestions or examples will be highly appreciated.

Regards..

balaji.bandi · ‎12-01-2023

If they are running vPC and you are using HSRP on 2 nexus VLAN

The question here is we understand source traffic from vlan 47 ?

but destination traffic what VLAN ? is this VLAN inside Nexus ? that picture is not clear here.

you can refer below guide :

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/93x/interfaces/configuration/guide/b-cisco-nexus-9000-nx-os-interfaces-configuration-guide-93x/b-cisco-nexus-9000-nx-os-interfaces-configuration-guide-93x_chapter_01011.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

mehtaamitm1 · ‎12-01-2023

Hi Balaji,

Thank you for the revert. To answer your question.

The source traffic will be generated from VLAN 47 192.168.254.0/24

The other vlan 1120 with IP address 192.168.8.192/28 ---> Subnet is given by ISP

192.168.8.194 is my end IP address on nexus and 192.168.8.193 is far end IP address which is connected to nexus via leased line.

The IP 192.168.5.22 and 192.168.5.23 are at far end behind 192.168.8.193.

The motive is, when traffic is generate from 192.168.254.0/24 vlan towards 192.168.5.22 or 23 it should get natted via 192.168.8.194 HSRP IP of vlan 1120. Hope i am making senses.

balaji.bandi · ‎12-02-2023

Never tested this to be honest

you need to change the interface inside and outside on the interface to test it (or do testing in Lab before you roleout in real environment)

the document has some steps which should work.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

paul driver · ‎12-03-2023

Hello

@mehtaamitm1 wrote:

I have 2 nexus 9K in vpc. I want to nat traffic originating from vlan 192.168.254.0/24 toward 192.168.5.22 and 192.168.5.23
192.168.5.22 and 192.168.5.23 IP's are behind 192.168.8.193
Any traffic going towards 192.168.5.22 and 192.168.5.23 IP's should get natted via 192.168.8.194.

Allow based on your OP, you should be able to utilise an extended access-list to accomplish this with Statefull NAT (or now called box-to-box nat) however it seems the N9k does not support it (Stateful NAT is not supported. However, NAT and Hot Standby Router Protocol (HSRP) can coexist)

Can you try the following for your nat, So traffic from that specific subnet towards those to hosts should be translated and any other traffic to any other hosts will route untranslated

example:
access-list 100 permit ip 192.168.254.0 0.0.0.255 host 192.168.5.22
access-list 100 permit ip 192.168.254.0 0.0.0.255 host 192.168.5.23
ip nat inside source list 100 interface Vlan1120 overload

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul