I am at a crossroads after reading everything about NAT, and wondering why once I enable source NAT overload to my egress (also my BGP peer) interface on my ISR router the BGP adjacency breaks. I thought only traffic sourced from my NAT 'inside interface' would be NAT'd. Granted, the fix was to change the NAT ACL from permit any any to permit 10.0.0.0/8, but I was still curious as to why my outside interface, which is also my EBGP peer interface, was NAT'ing traffic received/sent from my EBGP peer. Also, any other fix would be insightful; thinking maybe a deny on port 179 or something of the sort would have worked?
Anyway, here's the breakdown.
LAN -> R1 'inside' Gi0/1 | R1 'outside' Gi0/0 -> ISP
ip access-list standard NAT-ACL
permit any any
ip nat inside source list NAT-ACL interface GigabitEthernet0/0 overload
NAT translations with the permit ip any any ACL:
R1#show ip nat translations   (IPs changed for security)
Pro Inside global Inside local Outside local Outside global
tcp 188.8.131.52:545 184.108.40.206:179 220.127.116.11:60904 18.104.22.168:60904
tcp 22.214.171.124:545 126.96.36.199:179 188.8.131.52:65178 184.108.40.206:65178
tcp 220.127.116.11:545 18.104.22.168:179 22.214.171.124:54721 126.96.36.199:54721
tcp 188.8.131.52:545 184.108.40.206:179 220.127.116.11:62592 18.104.22.168:62592
tcp 22.214.171.124:545 126.96.36.199:179 188.8.131.52:49902 184.108.40.206:49902
tcp 220.127.116.11:545 18.104.22.168:179 22.214.171.124:56026 126.96.36.199:56026
tcp 188.8.131.52:4501 184.108.40.206:51946 220.127.116.11:179 18.104.22.168:179
tcp 22.214.171.124:545 126.96.36.199:179 188.8.131.52:61178 184.108.40.206:61178
tcp 220.127.116.11:4502 18.104.22.168:54371 22.214.171.124:179 126.96.36.199:179
BGP state cycles between idle and active.
The fix was to change my ACL to permit 10.0.0.0 0.0.0.255 and clear my NAT translations; I no longer see NAT occurring for the egress interface, and BGP also established.
My main misunderstanding seems to be why it would NAT the outside interface Gi0/0 traffic. I thought it only NATs traffic sourced from the inside interfaces, but clearly I am mistaken? Thank you in advance!
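To make the two things this post turns on concrete, here is an added Python example (not from the original post, and not a Cisco tool): it parses the show ip nat translations rows quoted above, flags every entry that carries TCP/179, and applies standard-ACL wildcard matching to the inside-local address of each entry, first with permit any and then with a 10.0.0.0 0.255.255.255 entry (that wildcard is my assumption, taken from the /8 mentioned in the first paragraph). The ACL evaluation is a simplified model of how a standard ACL selects addresses for inside source translation, not a reproduction of the IOS NAT pipeline.

```python
# Added example (not from the original post or from Cisco IOS): parse the
# 'show ip nat translations' output quoted above, flag the entries that carry
# BGP (TCP/179), and check which inside-local addresses a standard NAT ACL
# would still match once it is narrowed from "permit any" to a 10.0.0.0 range.
import ipaddress
from dataclasses import dataclass

BGP_PORT = 179

# Sample input: the translation rows from the post (the poster had already
# altered the addresses), plus the prompt and header lines a parser must skip.
SAMPLE_OUTPUT = """\
R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 188.8.131.52:545 184.108.40.206:179 220.127.116.11:60904 18.104.22.168:60904
tcp 22.214.171.124:545 126.96.36.199:179 188.8.131.52:65178 184.108.40.206:65178
tcp 220.127.116.11:545 18.104.22.168:179 22.214.171.124:54721 126.96.36.199:54721
tcp 188.8.131.52:545 184.108.40.206:179 220.127.116.11:62592 18.104.22.168:62592
tcp 22.214.171.124:545 126.96.36.199:179 188.8.131.52:49902 184.108.40.206:49902
tcp 220.127.116.11:545 18.104.22.168:179 22.214.171.124:56026 126.96.36.199:56026
tcp 188.8.131.52:4501 184.108.40.206:51946 220.127.116.11:179 18.104.22.168:179
tcp 22.214.171.124:545 126.96.36.199:179 188.8.131.52:61178 184.108.40.206:61178
tcp 220.127.116.11:4502 18.104.22.168:54371 22.214.171.124:179 126.96.36.199:179
"""


@dataclass(frozen=True)
class Translation:
    proto: str
    inside_global: tuple   # (address, port)
    inside_local: tuple
    outside_local: tuple
    outside_global: tuple


def _socket(field):
    """Split 'a.b.c.d:port' into (address, port)."""
    host, port = field.rsplit(":", 1)
    return host, int(port)


def parse_translations(text):
    """Return one Translation per data row; prompt and header lines are ignored."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("tcp", "udp", "icmp"):
            continue
        rows.append(Translation(parts[0], *(_socket(p) for p in parts[1:])))
    return rows


def bgp_translations(rows):
    """Entries where the router's own listening port (inside local) or the
    peer's listening port (outside global) is TCP/179, i.e. control-plane
    traffic that has been pulled into the NAT table."""
    return [r for r in rows
            if r.proto == "tcp" and BGP_PORT in (r.inside_local[1], r.outside_global[1])]


def _wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: 1-bits in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(acl, addr):
    """Evaluate a standard ACL given as [(action, network, wildcard), ...]
    top-down; 'any' matches everything, a missing wildcard means a host
    entry, and an address matching nothing hits the implicit deny."""
    for action, network, wildcard in acl:
        if network == "any":
            network, wildcard = "0.0.0.0", "255.255.255.255"
        if _wildcard_match(addr, network, wildcard or "0.0.0.0"):
            return action == "permit"
    return False


def translations_permitted(rows, acl):
    """Entries whose inside-local address the NAT ACL would select."""
    return [r for r in rows if acl_permits(acl, r.inside_local[0])]


# The two ACLs under discussion; the /8 wildcard is an assumption.
BROAD_ACL = [("permit", "any", None)]
SCOPED_ACL = [("permit", "10.0.0.0", "0.255.255.255")]

if __name__ == "__main__":
    rows = parse_translations(SAMPLE_OUTPUT)
    print(f"{len(rows)} translations, {len(bgp_translations(rows))} carry TCP/179")
    for name, acl in (("permit any", BROAD_ACL),
                      ("permit 10.0.0.0 0.255.255.255", SCOPED_ACL)):
        hits = translations_permitted(rows, acl)
        print(f"{name}: {len(hits)} inside-local addresses would be selected")
```

Run against the rows above, it reports that all nine entries involve port 179 and that none of the inside-local addresses fall under the narrowed ACL, which is consistent with the translations disappearing and the peering recovering once the ACL was scoped. Any translation that shows the router's own peering port is a sign that control-plane traffic is being caught by the NAT rule, and is worth checking whenever a NAT ACL uses permit any.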
As per the NAT order of operations, packets on the NAT outside are first translated and then routed. It could be that your problems were not related to the inside interface, but the outside. Everything that was coming in (as you had permit ip any any) was translated, and therefore BGP couldn't establish peer connectivity.
Thanks for the reply. I thought about that as well; however, I was still under the impression that the source list specifying the inside interfaces would have only permitted the NAT for ANY ANY for traffic traversing the inside interfaces only.