NATing via a loopback interface...

jonmo2578
Level 1

Hi guys,

I would appreciate any hints or tips for a NAT set up I am trying to create.

I have been using the following doc (NAT on a stick) as reference: http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml

We currently have the following basic NAT setup on our VPN router to allow internal to get outside..

int f0/0
 nat inside
int f0/1
 nat outside

with a standard NAT statement (below) to match internal addresses and push them out of f0/1 (which has an 81.x.x.x external IP).

ip nat inside source list 102 interface FastEthernet0/1 overload

I am trying to set up an additional NAT translation on this box which will pick up internal addresses and NAT overload them to a 172.27.200.6/32 address before pushing them down an IPsec tunnel to a remote client network.

My thinking is... Create an access list to match our internal addresses going to remote network x.x.x.x

ip access-list extended Source_to_Destination
 permit ip 10.0.0.0 0.255.255.255 host x.x.x.x

Then create a route-map to match the addresses to be NATed

route-map Tobe_NAT permit 10
 match ip address Source_to_Destination

Apply this to the NAT statement.

ip nat inside source route-map Tobe_NAT interface Loopback1 overload

** As we are NATing behind a /32, we can't seem to be able to point to a NAT pool in the statement above, so we created a Loopback1 interface and referenced that..

interface Loopback1
 ip address 172.27.200.6 255.255.255.255
 ip nat outside

So we have... sh ip nat stat

Outside interfaces:
  FastEthernet0/1, Loopback1
Inside interfaces:
  FastEthernet0/0
[Id: 1] access-list 102 interface FastEthernet0/1 refcount 3
[Id: 2] route-map SKYEPG_NAT interface Loopback1 refcount 0

Will the above config successfully match our internal addresses and NAT overload them to 172.27.200.6 before sending them to the IPsec crypto map to be picked up, or am I going about this wrong?

Any tips or alternative methods would be much appreciated.

Many thanks.

Jon.


Jon Marshall
Hall of Fame

Jon

From memory, because I can't test at the moment, you should be able to do -

ip nat pool NAT_POOL 172.27.200.6 172.27.200.6 netmask 255.255.255.252

The netmask is just a check for the range of addresses you use, i.e. it makes sure you aren't using the subnet itself and that the address(es) you have entered are in the range.

So you shouldn't need to use a loopback, just configure it with the above ip nat pool.

Jon

Hi Jon..

Many thanks for your reply..

I have just tried re-entering it with a NAT pool as you suggested above (and removed the lo1).. Whilst it has taken the statement, as seen below..

VPN-1#sh ip nat statistics
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Outside interfaces:
  FastEthernet0/1
Inside interfaces:
  FastEthernet0/0
[Id: 1] access-list 102 interface FastEthernet0/1 refcount 3
[Id: 3] route-map Tobe_NAT pool NAT_POOL refcount 0
 pool NAT_POOL: netmask 255.255.255.252
    start 172.27.200.6 end 172.27.200.6
    type generic, total addresses 1, allocated 0 (0%), misses 0

I still don't seem to be seeing anything in... sh ip nat translations... relating to the 172.27.200.6 translation being applied.. Have I missed anything else out?

Regards

Jon.

Jon

Try this config instead of route-map -

access-list 101 permit ip 10.0.0.0 0.255.255.255 host x.x.x.x

ip nat inside source list 101 pool NAT_POOL overload

Jon

Hi Jon,

Thanks again for your latest config recommendation above..

I have set up an access list as suggested, to match internal addresses going to the remote host and then NAT overload them to the required 172.27.200.6 address..

access-list 103 permit ip 10.0.0.0 0.255.255.255 host 80.238.14.160
ip nat inside source list 103 pool NAT_POOL overload
ip nat pool NAT_POOL 172.27.200.6 172.27.200.6 netmask 255.255.255.252

Again, like the original route-map idea, this all seems logical in terms of how it should match and then NAT to the desired 172 address. However, I am still not seeing any translations taking place despite "ip nat stat" showing that it's there (see Id: 5 below).

VPN-1#sh ip nat statistics
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Outside interfaces:
  FastEthernet0/1
Inside interfaces:
  FastEthernet0/0
Hits: 1235315  Misses: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 102 interface FastEthernet0/1 refcount 3
[Id: 5] access-list 103 pool NAT_POOL refcount 0
 pool NAT_POOL: netmask 255.255.255.252
    start 172.27.200.6 end 172.27.200.6
    type generic, total addresses 1, allocated 0 (0%), misses 0

Pinging the remote host does not show any entries in "sh ip nat translations" or even create any entries in the logs when I enable "debug ip nat".. So it seems that the NAT translation is still not working at all..

As seen above, we have an existing internal-to-external NAT setup (Id: 1) which goes out of f0/1.. Could this be causing any issues?

Can you post the full NAT config + any related access-lists/route-maps.

Jon

Hi Jon,

Here are the two configs I have tried so far below.. Neither seems to produce any translations, as discussed above..

I appreciate your help..

Regards

Jon....

************ ATTEMPT 1 ******************

Matching to access list 103, then NAT overloading to Loopback interface 1...

interface Loopback1
 ip address 172.27.200.6 255.255.255.255
 ip nat outside
!
interface FastEthernet0/0
 ip address 10.73.11.235 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 81.20.48.92 255.255.255.224
 ip nat outside
!
ip nat source list 103 interface Loopback1 overload
ip nat inside source list 102 interface FastEthernet0/1 overload
!
access-list 102 permit ip 10.0.0.0 0.255.255.255 host 193.36.81.53
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 permit ip 10.0.0.0 0.255.255.255 host 80.238.14.160

*********** ATTEMPT 2 ******************

Again, matching to access list 103, then NATing to a pool

interface FastEthernet0/0
 ip address 10.73.11.235 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 81.20.48.92 255.255.255.224
 ip nat outside
!
ip nat pool NAT_POOL 172.27.200.6 172.27.200.6 netmask 255.255.255.252
!
ip nat inside source list 102 interface FastEthernet0/1 overload
ip nat source list 103 pool NAT_POOL overload
!
access-list 102 permit ip 10.0.0.0 0.255.255.255 host 193.36.81.53
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 permit ip 10.0.0.0 0.255.255.255 host 80.238.14.160

Can you change -

ip nat source list 103 pool NAT_POOL overload

to

ip nat inside source list 103 pool NAT_POOL overload

Also - can you do a "sh ip route 80.238.14.160"?

Finally, does the remote end where the 80.238.14.160 device is know how to route back to 172.27.200.6?

Jon

Oops.. sorry, that was a typo on my part last night as I couldn't get copy/paste to work! I can confirm that the entry in my router config is actually

ip nat inside source list 103 pool NAT_POOL overload

and not what I typed earlier (sorry for any confusion)..

sh ip ro 80.238.14.160 provides the following details...

As mentioned briefly in my original post, this is going over an IPsec tunnel to the remote peer, which is 80.238.1.190, and has been redistributed back into OSPF..

VPN-1#sh ip ro 80.238.14.160
Routing entry for 80.238.14.160/32
  Known via "static", distance 1, metric 0
  Redistributing via ospf 100
  Advertised by ospf 100 metric 100 subnets tag 7381 route-map STAT-INTO-OSPF100
  Routing Descriptor Blocks:
  * 80.238.1.190
      Route metric is 0, traffic share count is 1

The remote peer has confirmed that they have configured their end of the VPN to point back to our 172 address via our peer address.. This tunnel obviously isn't working at the moment, but I'm trying to resolve the NATing issue first before looking at that..

If the tunnel isn't working then I don't think it will NAT, because it needs to go past the outside interface.

When you say it's not working, what exactly do you mean? I.e. because of the NAT, or because it is not set up correctly?

Can you confirm that to get to the remote end of the tunnel you need to go via fa0/1?

Jon
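An added example, not from this thread or from Cisco: a small Python model of the three points the replies above turn on, namely the pool netmask check from the first reply, the NAT statement that was posted without the "inside" keyword, and the requirement that the route to the destination leaves via an "ip nat outside" interface. The ACLs, pool, addresses and routes are taken from attempt 2 above; the "first matching statement wins" rule and the route-then-match order are assumptions made for the model, not a description of IOS internals.

```python
import ipaddress
# Constructed from the thread's "attempt 2" (a model, not a real router): ACL
# entries as (src, src_wildcard, dst, dst_wildcard), pools as (start, end, netmask).
ACL = {102: [("10.0.0.0", "0.255.255.255", "193.36.81.53", "0.0.0.0"),
             ("192.168.0.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")],
       103: [("10.0.0.0", "0.255.255.255", "80.238.14.160", "0.0.0.0")]}
POOLS = {"NAT_POOL": ("172.27.200.6", "172.27.200.6", "255.255.255.252")}
IFACE_ADDR = {"FastEthernet0/1": "81.20.48.92"}
OUTSIDE = {"FastEthernet0/1"}                      # interfaces configured "ip nat outside"
ROUTES = {"80.238.14.160/32": "FastEthernet0/1",   # static /32 towards the IPsec peer
          "0.0.0.0/0": "FastEthernet0/1"}

def wildcard_match(addr, base, wildcard):
    # IOS wildcard mask: a 0 bit must match, a 1 bit is "don't care".
    mask = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & mask) == (int(ipaddress.ip_address(base)) & mask)

def acl_permits(acl_id, src, dst):
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in ACL[acl_id])

def pool_ok(name):
    # The netmask only bounds the range: start/end must fall inside it and must
    # not be the subnet or broadcast address (the check described in the first reply).
    start, end, netmask = POOLS[name]
    net = ipaddress.ip_network(f"{start}/{netmask}", strict=False)
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return s <= e and e in net and s != net.network_address and e != net.broadcast_address

def parse_nat_rule(line):
    # Accepts "ip nat inside source list N (pool NAME|interface IF) [overload]".
    # The thread's typo "ip nat source list ..." names no direction and is rejected.
    t = line.split()
    if t[:5] != ["ip", "nat", "inside", "source", "list"] or len(t) < 8:
        return None
    return {"acl": int(t[5]), "via": t[6], "target": t[7], "overload": "overload" in t[8:]}

def egress_iface(dst):
    hits = [ipaddress.ip_network(p) for p in ROUTES if ipaddress.ip_address(dst) in ipaddress.ip_network(p)]
    return ROUTES[str(max(hits, key=lambda n: n.prefixlen))] if hits else None

def nat_decision(src, dst, rule_lines):
    # Translated source for an inside-to-outside packet, or None (first match wins: a simplification).
    if egress_iface(dst) not in OUTSIDE:   # must be routed out an "ip nat outside" interface
        return None
    for rule in filter(None, map(parse_nat_rule, rule_lines)):
        if acl_permits(rule["acl"], src, dst):
            if rule["via"] == "pool":
                return POOLS[rule["target"]][0] if pool_ok(rule["target"]) else None
            return IFACE_ADDR.get(rule["target"])
    return None
```

Running nat_decision with the two corrected statements shows a 10.x host reaching 80.238.14.160 translated to 172.27.200.6, while the same packet with the "ip nat source list 103 ..." typo in place gets no translation, which is the symptom the thread describes.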

Ah ha.. following your "tunnel affecting the NAT" comment above, I have revisited (retyped) my crypto isakmp config and this has now come up!

So I can now ping across to the remote address..

Many thanks for all your suggestions.. I've got a feeling your original access-list config line was the correct answer, as I was trying to use a loopback address instead..

Regards

Jon.

Hi, I am facing the same issue now in the same scenario on my CSR 1000v router.

I want to translate all my traffic to my remote server via loopback0.

Can I get some help on this, please?

Your hint and help would be much appreciated.

 

Thank you,

Arul