
Problems with Twice-NAT on Cisco 3548

kpeterson413
Level 1

Good afternoon - 

I'm trying to get Twice-NAT working on a Cisco 3548 switch. I have a VRF set up with 2 L3 ports on it -

  • Eth1/33 has IP address 20.20.255.250/16 and is nat inside
  • Eth1/34 has IP address 10.10.1.211/24 and is nat outside

Full config of the interfaces:

switch1# show running-config int eth1/33-34

!Command: show running-config interface Ethernet1/33-34
!Running configuration last done at: Fri Jan  5 18:23:25 2024
!Time: Fri Jan  5 18:41:06 2024

version 9.3(9) Bios:version 5.5.0 

interface Ethernet1/33
  description TO_INSIDE
  no cdp enable
  no switchport
  speed 1000
  vrf member VRF_A
  ip address 20.20.255.250/16
  ip proxy-arp
  ip nat inside 

interface Ethernet1/34
  description TO_OUTSIDE
  no cdp enable
  no switchport
  speed 1000
  vrf member VRF_A
  ip address 10.10.1.211/24
  ip nat outside 

Connected directly to Eth1/33 is a device with the IP 20.20.255.253 (the "inside" device)

Connected directly to Eth1/34 is a device with the IP 10.10.1.111 (the "outside" device)

For this experiment I want to verify that I can establish a connection from the outside to the inside. Since I only need to support a single IP on each side, I'm attempting static twice-nat.

Here are the commands I used to attempt to get this working:

ip nat inside source static 20.20.255.253 20.20.11.111 vrf VRF_A group 4 
ip nat outside source static 10.10.1.111 20.20.11.123 vrf VRF_A group 4 add-route 

The routing for the vrf now looks like:

switch1# show ip route vrf VRF_A
IP Route Table for VRF "VRF_A"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

10.10.1.0/24, ubest/mbest: 1/0, attached
    *via 10.10.1.211, Eth1/34, [0/0], 00:17:47, direct
10.10.1.211/32, ubest/mbest: 1/0, attached
    *via 10.10.1.211, Eth1/34, [0/0], 00:17:47, local
20.20.0.0/16, ubest/mbest: 1/0, attached
    *via 20.20.255.250, Eth1/33, [0/0], 00:17:12, direct
20.20.11.123/32, ubest/mbest: 1/0
    *via 10.10.1.111%default, [1/0], 00:08:08, nat
20.20.255.250/32, ubest/mbest: 1/0, attached
    *via 20.20.255.250, Eth1/33, [0/0], 00:17:12, local

I'm now attempting to ping from the outside device with the IP 10.10.1.111 to the global IP of the inside device, 20.20.11.111. I would expect the packet to come in on eth1/34 with source IP 10.10.1.111 and destination IP 20.20.11.111, be translated to source IP 20.20.11.123 and destination 20.20.255.253, and be sent out Eth1/33.

With debug ip nat-packet and term mon it looks like the translation is happening, but nothing at all is egressing from eth1/33 (using tcpdump on the inside device and viewing the port counters on the switch.) The debug ip nat-packet output is below:

2024 Jan  5 18:20:59.371153 netstack: (ipnat_translate_before_routing): ipnat_get_ipaddr_and_port succeeded,                          src 10.10.1.111, sp 45438, dst 20.20.11.111, dp 0, prot1u 
2024 Jan  5 18:20:59.371204 netstack: (ipnat_translate_before_routing): Got table_id vrf(VRF_A) ctx_id: 3, tbl_id: 3, input_iod(44) need to xlate 
2024 Jan  5 18:20:59.371268 netstack: (ipnat_translate_before_routing):  ipnat_find_xlate_addr succeeded, entry: 0 20.20.11.123:0 20.20.255.253:0 0 0 0 0
2024 Jan  5 18:20:59.371289 netstack: (ipnat_translate_before_routing): ipnat_find_xlate_addr succeeded,                              nsrc 20.20.11.123, nsp 0, ndst 20.20.255.253, ndp 0, xs: 0, id: 0, ident: 58592 tcp_aware: 0
2024 Jan  5 18:20:59.371304 netstack: (ipnat_translate_before_routing): NAT fill rt_info for NetStack to route.
2024 Jan  5 18:20:59.371343 netstack: (ipnat_translate_before_routing): rt_info nh: 0.0.0.0, iod: 43, tid: 3                             local_route: FALSE attached_route: FALSE
2024 Jan  5 18:20:59.371430 netstack: (ipnat_translate_before_routing):  Packet (ident:58592) successfully translated 

Interestingly, if I remove the ip nat outside source static translation, the NATting appears to work. The destination IP is translated and the packet routed to the inside device. Debug output for the working translation is below:

2024 Jan  5 18:23:30.782098 netstack: (ipnat_translate_before_routing): ipnat_get_ipaddr_and_port succeeded,                          src 10.10.1.111, sp 12545, dst 20.20.11.111, dp 0, prot1u 
2024 Jan  5 18:23:30.782140 netstack: (ipnat_translate_before_routing): Got table_id vrf(VRF_A) ctx_id: 3, tbl_id: 3, input_iod(44) need to xlate 
2024 Jan  5 18:23:30.782180 netstack: (ipnat_translate_before_routing):  ipnat_find_xlate_addr failed, entry not found.. Finding half entry 
2024 Jan  5 18:23:30.782223 netstack: (ipnat_translate_before_routing): It's a half_entry 
2024 Jan  5 18:23:30.782243 netstack: (ipnat_translate_before_routing): ipnat_find_xlate_addr succeeded,                              nsrc 0.0.0.0, nsp 0, ndst 20.20.255.253, ndp 0, xs: 0, id: 0, ident: 59872 tcp_aware: 0
2024 Jan  5 18:23:30.782256 netstack: (ipnat_translate_before_routing): NAT don't fill rt_info for NetStack to route.
2024 Jan  5 18:23:30.782305 netstack: (ipnat_translate_before_routing): route exists for prefix: 20.20.255.253,iod:43
2024 Jan  5 18:23:30.782342 netstack: (ipnat_translate_before_routing):  updated new iod to PTREE
2024 Jan  5 18:23:30.782410 netstack: (ipnat_translate_before_routing):  Packet (ident:59872) successfully translated

Unfortunately this means that the source IP of the outside device isn't translated, which we will need for the final setup we're working towards (the inside device isn't configurable so we won't be able to tell it how to route to addresses on the outside network.)

Is there any reason the ip nat inside source static would be working, but not when I try to do twice-NAT?

show version output below:

Software
  BIOS: version 5.5.0
  NXOS: version 9.3(9)
  BIOS compile time:  12/07/2021
  NXOS image file is: bootflash:///n3500-compact.9.3.9.bin

Thank you for any help, I feel like I'm missing something very obvious.


2 Replies

Hello
Just to confirm, I'm not sure you require twice NAT here; just NVI NAT should be relevant.

Meaning having no NAT domains (inside/outside):

int eth1/33
no ip nat inside 
ip nat enable
int eth1/34
no ip nat outside
ip nat enable
ip nat source static 20.20.255.253 10.10.1.111


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

@paul driver Thank you, it would be nice if we could use NVI, unfortunately it is not available on this switch / OS version and upgrading is not an option at this point.