PAT breaks BGP

Hello All,

I am at a crossroads after reading everything about NAT, and wondering why, once I enable source NAT overload on my egress (also my BGP peer) interface on my ISR router, the BGP adjacency breaks. I thought only traffic sourced from my NAT 'inside' interface would be NAT'd. Granted, the fix was to change the NAT ACL from permit any any to permit 10.0.0.0/8, but I was still curious as to why my outside interface, which is also my EBGP peer interface, was NAT'ing traffic received/sent from my EBGP peer. Also, any other fix would be insightful; thinking maybe a deny on port 179 or something of the sort would have worked?

 

Anyways, here's the breakdown.

LAN -> R1 'inside' Gi0/1 ... R1 'outside' Gi0/0 -> ISP

 

NAT configs (a standard ACL takes only a source; "permit any" is the form IOS accepts)
!
ip access-list standard NAT-ACL
 permit any
ip nat inside source list NAT-ACL interface GigabitEthernet0/0 overload
!

NAT translations with permit ip any any ACL. 

!
R1#show ip nat translations   (IPs changed for security)
Pro  Inside global       Inside local        Outside local       Outside global
tcp  55.55.55.225:545    55.55.55.225:179    55.55.55.224:60904  55.55.55.224:60904
tcp  55.55.55.225:545    55.55.55.225:179    55.55.55.224:65178  55.55.55.224:65178
tcp  55.55.55.225:545    55.55.55.225:179    55.55.55.224:54721  55.55.55.224:54721
tcp  55.55.55.225:545    55.55.55.225:179    55.55.55.224:62592  55.55.55.224:62592
tcp  55.55.55.225:545    55.55.55.225:179    55.55.55.224:49902  55.55.55.224:49902
tcp  55.55.55.225:545    55.55.55.225:179    55.55.55.224:56026  55.55.55.224:56026
tcp  55.55.55.225:4501   55.55.55.225:51946  55.55.55.224:179    55.55.55.224:179
tcp  55.55.55.225:545    55.55.55.225:179    55.55.55.224:61178  55.55.55.224:61178
tcp  55.55.55.225:4502   55.55.55.225:54371  55.55.55.224:179    55.55.55.224:179
!

 

BGP state cycles between idle and active. 

 

The fix was to change my ACL to permit 10.0.0.0 0.0.0.255 and clear my NAT translations; I no longer see NAT occurring for the egress interface, and BGP is also established.

My main misunderstanding seems to be why it would NAT the outside interface Gi0/0 traffic. I thought it only NATs traffic sourced from the inside interfaces, but clearly I am mistaken? Thank you in advance!

3 REPLIES


Hi, 

 

As per the NAT order of operations, packets on the NAT outside are first translated and then routed. It could be that your problems were not related to the inside interface, but the outside. Everything that was coming in (as you had permit ip any any) was translated, and therefore BGP couldn't establish peer connectivity.

 

regards, 

mg


Thanks for the reply. I thought about that as well; however, I was still under the impression that the source list specifying the inside interfaces would have only permitted the NAT for ANY ANY for traffic traversing the inside interfaces only.


I believe it is the ip nat outside command on the outside interface that is coming into play and not the ip nat inside source list command; as far as the interface is concerned, on ingress the NAT operation will occur. At least that's my theory anyhow.
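The thread above turns on which packets a NAT source ACL selects. The translation table in the original post shows R1's own BGP packets (inside local 55.55.55.225:179 and 55.55.55.225:51946, the Gi0/0 address) being translated, so the ACL was evaluated against router-originated traffic leaving the nat-outside interface, not only against traffic arriving on Gi0/1. The following Python script is an added example, not code from the thread or from Cisco: it models IOS wildcard-mask ACL matching (first match wins, implicit deny) and runs the three candidate NAT ACLs, the original "permit any", the posted 10.0.0.0/8 fix, and the port-179 exclusion the original poster asked about, against the two BGP rows from the posted table and a constructed LAN flow. The assumption that router-originated packets are run through the same ACL is drawn from the posted table; the 10.0.0.0/8 fix is written with the wildcard 0.255.255.255, and the LAN host and web server addresses are constructed sample values.

```python
"""Added example (not from the thread): which flows does an IOS NAT
'inside source list' ACL select?  Assumption, not from the page: ACLs are
first-match with an implicit deny, using IOS wildcard masks, and
router-originated packets leaving the nat-outside interface are evaluated
against the same ACL (this is what the posted translation table shows)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

R1_OUTSIDE = "55.55.55.225"  # R1 Gi0/0: nat outside and EBGP source (from the post)
ISP_PEER = "55.55.55.224"    # EBGP neighbour (from the post)
BGP = 179


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class ACE:
    action: str
    proto: str
    src: str
    src_wc: str
    sport: Optional[int]
    dst: str
    dst_wc: str
    dport: Optional[int]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def _addr(toks: list) -> tuple:
    """Consume 'any', 'host A.B.C.D', or 'A.B.C.D [wildcard]' from the token list."""
    t = toks.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return toks.pop(0), "0.0.0.0"
    wc = toks.pop(0) if toks and toks[0][0].isdigit() else "0.0.0.0"
    return t, wc


def _port(toks: list) -> Optional[int]:
    """Consume an optional 'eq <port>' qualifier."""
    if toks and toks[0] == "eq":
        toks.pop(0)
        return int(toks.pop(0))
    return None


def parse_ace(line: str, standard: bool) -> ACE:
    """Parse one permit/deny line of a standard or extended IOS ACL."""
    toks = line.split()
    action = toks.pop(0)
    if standard:  # standard ACLs match on source address only
        src, wc = _addr(toks)
        return ACE(action, "ip", src, wc, None, "0.0.0.0", "255.255.255.255", None)
    proto = toks.pop(0)
    src, src_wc = _addr(toks)
    sport = _port(toks)
    dst, dst_wc = _addr(toks)
    return ACE(action, proto, src, src_wc, sport, dst, dst_wc, _port(toks))


def nat_selects(acl: list, flow: Flow) -> bool:
    """True if the first matching ACE permits the flow, i.e. NAT would translate it."""
    for ace in acl:
        if ace.proto not in ("ip", flow.proto):
            continue
        if not wildcard_match(flow.src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(flow.dst, ace.dst, ace.dst_wc):
            continue
        if ace.sport is not None and ace.sport != flow.sport:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action == "permit"
    return False  # implicit deny: the packet is not translated


# Candidate NAT ACLs: the original, the fix from the thread, and a port-179 exclusion.
ORIGINAL = [parse_ace("permit any", standard=True)]
FIX_POSTED = [parse_ace("permit 10.0.0.0 0.255.255.255", standard=True)]
FIX_DENY_BGP = [parse_ace(l, standard=False) for l in (
    "deny tcp any eq 179 any",  # R1 answering a peer-initiated session
    "deny tcp any any eq 179",  # R1 opening the session itself
    "permit ip any any",
)]

FLOWS = {
    "lan host to web": Flow("10.20.30.40", 51000, "203.0.113.10", 443),  # constructed
    "bgp R1-initiated": Flow(R1_OUTSIDE, 51946, ISP_PEER, BGP),          # posted table row
    "bgp peer-initiated": Flow(R1_OUTSIDE, BGP, ISP_PEER, 60904),        # posted table row
}


def translated(acl: list) -> dict:
    """Map each sample flow to whether the given NAT ACL would translate it."""
    return {name: nat_selects(acl, f) for name, f in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("permit any", ORIGINAL), ("permit 10/8", FIX_POSTED),
                       ("deny tcp 179", FIX_DENY_BGP)):
        print(f"{label:14} {translated(acl)}")
```

With "permit any" all three flows are selected, including both BGP flows sourced from Gi0/0's own address, which is exactly what the posted translation table shows (source port 179 rewritten to 545, the ephemeral ports to 4501/4502). Both fixes leave the LAN flow translated and the BGP flows alone. The port-based exclusion only protects BGP; a deny on the outside interface's own address ("deny ip host 55.55.55.225 any" ahead of the permit) would keep any router-originated session, not just TCP/179, out of the translation table.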