01-29-2018 07:08 PM - edited 03-08-2019 01:36 PM
Hello All,
I am at a crossroads after reading everything about NAT, and wondering why, once I enable source NAT overload to my egress (also my BGP peer) interface on my ISR router, the BGP adjacency breaks. I thought only traffic sourced from my NAT 'inside interface' would be NAT'd. Granted, the fix was to change the NAT ACL from permit any any to permit 10.0.0.0/8, but I was still curious as to why my outside interface, which is also my eBGP peer interface, was NAT'ing traffic received/sent from my eBGP peer. Also, any other fix would be insightful; thinking maybe a deny on port 179 or something of the sort would have worked?
Anyway, here's the breakdown.
LAN -> R1 'inside' Gi0/1 | R1 'outside' Gi0/0 -> ISP
NAT configs
!
! standard ACLs match on source only, so the catch-all is written as a single "any"
ip access-list standard NAT-ACL
 permit any
!
ip nat inside source list NAT-ACL interface GigabitEthernet0/0 overload
!
NAT translations with permit ip any any ACL.
!
R1#show ip nat translations    ! IPs changed for security
Pro Inside global        Inside local         Outside local        Outside global
tcp 55.55.55.225:545     55.55.55.225:179     55.55.55.224:60904   55.55.55.224:60904
tcp 55.55.55.225:545     55.55.55.225:179     55.55.55.224:65178   55.55.55.224:65178
tcp 55.55.55.225:545     55.55.55.225:179     55.55.55.224:54721   55.55.55.224:54721
tcp 55.55.55.225:545     55.55.55.225:179     55.55.55.224:62592   55.55.55.224:62592
tcp 55.55.55.225:545     55.55.55.225:179     55.55.55.224:49902   55.55.55.224:49902
tcp 55.55.55.225:545     55.55.55.225:179     55.55.55.224:56026   55.55.55.224:56026
tcp 55.55.55.225:4501    55.55.55.225:51946   55.55.55.224:179     55.55.55.224:179
tcp 55.55.55.225:545     55.55.55.225:179     55.55.55.224:61178   55.55.55.224:61178
tcp 55.55.55.225:4502    55.55.55.225:54371   55.55.55.224:179     55.55.55.224:179
BGP state cycles between idle and active.
The fix was to change my ACL to permit 10.0.0.0 0.0.0.255 and clear my NAT translations; I no longer see NAT occurring for the egress interface, and BGP is also established.
My main misunderstanding seems to be why it would NAT the outside interface Gi0/0 traffic. I thought it only NATs traffic sourced from the inside interfaces, but clearly I am mistaken? Thank you in advance!
01-29-2018 08:56 PM
Hi,
As per the NAT order of operations, packets on the NAT outside are first translated and then routed. It could be that your problems were not related to the inside interface, but the outside. Everything that was coming in (as you had permit ip any any) was translated, and therefore BGP couldn't establish peer connectivity.
regards,
mg
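An added example, not taken from either post above: two ways to keep R1's own BGP session out of the inside-source overload pool, written against the addresses the original poster showed (55.55.55.225 as R1's Gi0/0 and 55.55.55.224 as the ISP peer, both stated to be altered, and 10.0.0.0/8 as the LAN). The translation table in the first post shows the router-sourced BGP packets (inside local 55.55.55.225:179) being rewritten to port 545, which is what breaks the session. Variant A answers the "deny on port 179" question: a deny in a NAT list simply exempts matching packets from translation (it does not drop them). Variant B is the scoped list the poster settled on, written as a /8 wildcard. The ACL names, the remark text and the interface assignments are assumptions for illustration; pick one of the two `ip nat inside source` lines, not both.

```cisco
! --- Variant A: keep the catch-all permit but exempt R1's BGP session ---
! Packets the router itself sends out a NAT outside interface are still
! evaluated against the inside-source list, so the peer must be named here.
ip access-list extended NAT-BGP-EXEMPT
 remark eBGP to the ISP peer; either side may own TCP 179 after a reset
 deny   tcp host 55.55.55.225 host 55.55.55.224 eq bgp
 deny   tcp host 55.55.55.225 eq bgp host 55.55.55.224
 remark everything else is still overloaded onto Gi0/0
 permit ip any any
!
! --- Variant B: only translate sources inside the LAN range ---
! 55.55.55.225 never matches, so router-sourced traffic is left untouched.
ip access-list extended NAT-LAN-ONLY
 permit ip 10.0.0.0 0.255.255.255 any
!
interface GigabitEthernet0/1
 ip nat inside
!
interface GigabitEthernet0/0
 ip nat outside
!
! Use exactly one of the following (assumed names from above):
ip nat inside source list NAT-BGP-EXEMPT interface GigabitEthernet0/0 overload
! ip nat inside source list NAT-LAN-ONLY interface GigabitEthernet0/0 overload
```

Existing entries are not re-evaluated against a changed list, so after applying either variant run `clear ip nat translation *`, then confirm with `show ip nat translations | include :179` (should be empty) and `show ip bgp summary` (the peer should show a prefix count rather than Idle or Active). Variant B is the safer default: it also stops any other router-originated session (management, routing protocols, tunnels) from being overloaded onto the WAN address.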
02-02-2018 07:15 AM
Thanks for the reply. I thought about that as well; however, I was still under the impression that the source list specifying the inside interfaces would have only permitted NAT for ANY ANY on traffic traversing the inside interfaces only.
02-03-2018 01:40 AM