Solved: NAT on Nexus 9k

LakshmiYarra14649 · ‎02-19-2020

Hi,

I am trying to get NAT to work on Nexus9000 C9336C-FX2. Below is the config I have.

ip access-list NAT_ADDRS
10 permit ip 192.168.30.0/24 any ( tried this command with icmp instead of ip)

!

ip nat pool NAT_POOL 10.0.0.1 10.0.0.63 prefix-length 24
ip nat inside source list NAT_ADDRS pool NAT_POOL

!

interface Vlan3
no shutdown
ip address 192.168.30.1/24
ip nat inside

!

interface Ethernet1/33/1
lldp tlv-set vlan 1
ip address 192.168.5.1/24
ip policy route-map MAP_PREFIXES_TO_BLOCK
ip nat outside
no shutdown

I have a default route:

leaf-0(config)# show ip route
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

0.0.0.0/0, ubest/mbest: 1/0
*via 192.168.5.2, Eth1/33/1, [1/0], 19:46:23, static

I am generating NAT traffic using ping:

leaf-0(config)# ping 72.30.35.9 source 192.168.30.1
PING 72.30.35.9 (72.30.35.9) from 192.168.30.1: 56 data bytes
64 bytes from 72.30.35.9: icmp_seq=0 ttl=48 time=71.042 ms
64 bytes from 72.30.35.9: icmp_seq=1 ttl=48 time=70.947 ms

packets captured out of the leaf-0 are not NATed:

17:43:35.876401 IP (tos 0x0, ttl 255, id 63792, offset 0, flags [none], proto ICMP (1), length 84)
192.168.30.1 > media-router-fp1.prod1.media.vip.bf1.yahoo.com: ICMP echo request, id 10000, seq 768, length 64
17:43:35.946592 IP (tos 0x0, ttl 49, id 55723, offset 0, flags [none], proto ICMP (1), length 84)
media-router-fp1.prod1.media.vip.bf1.yahoo.com > 192.168.30.1: ICMP echo reply, id 10000, seq 768, length 64

Any ideas why NAT is not working?

thanks

paul driver · ‎02-20-2020

Hello

What is the policy route perfoming?
If you are PBR to anohter interface other than the nat outside domain interface it wont work, also you need to generate traffic from a host inside the network for nat to work and not from the switch itself.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

marce1000 · ‎02-20-2020

- Have a look at the overview document below ; make sure for instance feature nat is enabled :

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/interfaces/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide_7x_chapter_0110...

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

paul driver · ‎02-20-2020

Hello

What is the policy route perfoming?
If you are PBR to anohter interface other than the nat outside domain interface it wont work, also you need to generate traffic from a host inside the network for nat to work and not from the switch itself.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

LakshmiYarra14649 · ‎02-20-2020

Thanks for the response Paul.

It turns out that traffic has to be from external host into the switch for NAT to happen.

PBR is blocking some other traffic, not the traffic matching NAT.

I am noticing problem on the reverse direction i.e traffic NAT-ed traffic (ICMP echo reply) coming into switch. For some reason, reply messages are getting punted up the CPU and getting dropped. THey should have been reverse NAT-ed and routed in the ASIC itself. And the stats indicate that sw is dropping packets.

leaf-0# show ip nat statistics

IP NAT Statistics

====================================================

----------------------------------------------------

Total Hits: 51 Total Misses: 0

In-Out Hits: 0 In-Out Misses: 0

Out-In Hits: 51 Out-In Misses: 0

----------------------------------------------------

Total SW Translated Packets: 0

In-Out SW Translated: 0

Out-In SW Translated: 0

----------------------------------------------------

Total SW Dropped Packets: 51

In-Out SW Dropped: 0

Out-In SW Dropped: 51

Any ideas how to debug this?

TCP dump on the outside interface:

[admin@guestshell ~]$ sudo tcpdump -vv -i Eth1-33-1 icmp

tcpdump: listening on Eth1-33-1, link-type EN10MB (Ethernet), capture size 65535 bytes

08:47:15.083524 IP (tos 0x0, ttl 50, id 567, offset 0, flags [DF], proto ICMP (1), length 84)

98.138.219.231 > 30.0.0.15: ICMP echo reply, id 17310, seq 48, length 64

08:47:16.107546 IP (tos 0x0, ttl 50, id 22589, offset 0, flags [DF], proto ICMP (1), length 84)

98.138.219.231 > 30.0.0.15: ICMP echo reply, id 17310, seq 49, length 64

08:47:17.131526 IP (tos 0x0, ttl 50, id 45123, offset 0, flags [DF], proto ICMP (1), length 84)