
ISM with NAT44 - Need help with configuration

Renato Reis

Hello everyone,

I'm trying to set up NAT44 in the following scenario below and I'm having a hard time figuring out how to redirect the traffic. As you can see, the big problem is that I have one single interface that connects to the internal network (10.0.0.0/8) and also to the tunnel destinations, all in the same VRF. Can you guys give me a hand? The traffic comes from network 10.0.0.0/8 and enters interface bundle-ether 2 (now it needs to be translated); once it is translated, it needs to reach the destination known via GRE tunnel.

CGN Topology.png

Configurations

-----------------------------------------------

!

vrf NAT_IN

address-family ipv4 unicast

!

!

vrf BLUE

address-family ipv4 unicast

!

!

hw-module service cgn location 0/3/CPU0

!

interface Bundle-Ether2

description UPLINK TO METRO ETHERNET

!

interface Bundle-Ether2.2 l2transport

encapsulation dot1q 2

rewrite ingress tag pop 1 symmetric

!

interface GigabitEthernet200/0/0/43

description LINK TO METRO ETHERNET

bundle id 2 mode active

interface GigabitEthernet300/0/0/43

description LINK TO METRO ETHERNET

bundle id 2 mode active

interface BVI2

description METRO

vrf BLUE

ipv4 address 100.0.0.10/24

!

interface tunnel-ip 101

description GRE_TUNNEL

vrf BLUE

ipv4 address 1.1.1.1/32

tunnel mode gre ipv4

tunnel source interface bvi 2

tunnel destination 200.0.0.1

!

!

interface BVI 100

vrf BLUE

ipv4 address [GATEWAY_100] [MASK_100]

!

interface BVI 200

vrf BLUE

ipv4 address [GATEWAY_200] [MASK_200]

!

interface BVI 300

vrf BLUE

ipv4 address [GATEWAY_300] [MASK_300]

!

!

interface ServiceApp1

vrf NAT_IN

ipv4 address 10.0.2.1 255.255.255.252

service cgn CGN service-type nat44

!

interface ServiceApp2

vrf BLUE

ipv4 address 10.0.2.2 255.255.255.252

service cgn CGN service-type nat44

!

interface ServiceInfra1

ipv4 address 10.0.3.1 255.255.255.0

service-location 0/3/CPU0

!

!

router static

address-family ipv4 unicast

!

vrf NAT_IN

address-family ipv4 unicast

0.0.0.0/0 ServiceApp1

10.0.0.0/8 vrf BLUE bvI 2 <NEXT HOP>

!

!

vrf BLUE

address-family ipv4 unicast

172.16.0.0/24 ServiceApp2

!

!

router ospf METRO

vrf BLUE

router-id [ROUTER_ID]

redistribute bgp 65500 metric 100

area 0

interface bvi 2

!

router ospf BLUE

vrf BLUE

router-id [ROUTER ID]

redistribute bgp 65500 metric 100

area 10

interface BVI100

!

interface BVI200

!

interface BVI200

!

!

!

router bgp 65500

address-family ipv4 unicast

!

address-family vpnv4 unicast

!

!

vrf BLUE

rd 65500:2

address-family ipv4 unicast

redistribute static

redistribute ospf BLUE

!

neighbor 1.1.1.2

remote-as 64512

ebgp-multihop 5

address-family ipv4 unicast

route-policy PASS in

route-policy PASS out

!

!

!

service cgn CGN

service-location preferred-active 0/3/CPU0

service-type nat44 nat44

portlimit 20000

inside-vrf NAT_IN

map outside-vrf BLUE address-pool 172.16.0.0/24

!

!

!

Thanks in advance,

Renato


Hi Renato,

SAM modules can be physically removed from the ISM card.

As it is in IN-RESET state, the "show platform summary location 0/3/CPU0" is not able to get App-side version number.

But, as I see the following msg:

"LC/0/3/CPU0:Nov 1 17:24:54.959 : apiv_srvr[115]: %PLATFORM-APIV-5-API_INCOMPATIBLE : Message 24 in APIV module APIV_SI is incompatible (reason: Not supported on the remote side) "

I'm suspecting that the install-kit is not updated properly.

You may need to follow the instructions under http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.3/cg_nat/configuration/guide/cgnat43cgn.html#wp1015556.

(I'm assuming Services pie is already installed and only Linux install-kit needs to be installed)

Step 1:

RP/0/RSP0/CPU0(admin)# hw-module location reload

Step 2:

RP/0/RSP0/CPU0(admin)#debug sim reload-disable location

Step 3:
(Assuming install-kit is already copied to RP)

RP/0/RSP0/CPU0(admin)# download install-image from

to

regards,

Somnath.

Hi Somnath,

Thank you for your attention. Actually, the FPDs of the new ISM were out of date so that the ISM couldn't boot up. What I did was shut down the fib manager process on the card and it no longer reloaded the ISM due to the version incompatibility and then I could upgrade the FPDs and reload the module.

proc mandatory OFF fib_mgr location 0/3/CPU0

proc SHUTDOWN fib_mgr location 0/3/CPU0


RP/0/RSP0/CPU0:router#admin show platform

Mon Nov  4 07:41:48.669 UTC

Node            Type                      State            Config State

-----------------------------------------------------------------------------

0/RSP0/CPU0     A9K-RSP440-TR(Active)     IOS XR RUN       PWR,NSHUT,MON

0/RSP1/CPU0     A9K-RSP440-TR(Standby)    IOS XR RUN       PWR,NSHUT,MON

0/FT0/SP        FAN TRAY                  READY           

0/FT1/SP        FAN TRAY                  READY           

0/0/CPU0        A9K-MOD160-TR             IOS XR RUN       PWR,NSHUT,MON

0/0/0           A9K-MPA-8X10GE            OK               PWR,NSHUT,MON

0/0/1           A9K-MPA-8X10GE            OK               PWR,NSHUT,MON

0/1/CPU0        A9K-MOD160-TR             IOS XR RUN       PWR,NSHUT,MON

0/1/0           A9K-MPA-8X10GE            OK               PWR,NSHUT,MON

0/1/1           A9K-MPA-8X10GE            OK               PWR,NSHUT,MON

0/3/CPU0        A9K-ISM-100(LCP)          IOS XR RUN       PWR,NSHUT,MON

0/3/CPU1        A9K-ISM-100(SE)           APP-READY      

0/PM0/SP        PWR-3KW-AC-V2             READY            PWR,NSHUT,MON

0/PM1/SP        PWR-3KW-AC-V2             READY            PWR,NSHUT,MON

0/PM2/SP        PWR-3KW-AC-V2             READY            PWR,NSHUT,MON

RP/0/RSP0/CPU0:router#

Thank you so much,

Renato

Hi Renato,

That's good to hear !  So, you're all set then, I would assume.

regards,

Somnath.

Hi Somnath,

I just wanna ask if you have any extra material about the SAM modules? How can I use them?

Thanks,

Renato Reis

Hi Renato,

SAM module is already EOLed (http://www.cisco.com/en/US/prod/collateral/routers/ps9853/end_of_life_notice_c51-721386.html).

You do not need those for running CGv6 application - those are not used by CGv6 application software.

Details about how to handle / OIR SAM module are available at http://www.cisco.com/en/US/docs/routers/asr9000/hardware/ism_line_card/installation/guide/ismiginstalling.html#wp865031.

regards,

Somnath.

Renato Reis

Hi Somnath,

Let's see if you can help with this new scenario. I want to extend this NAT configuration to a new site (BO1), but instead of using this entire setup with ASR9K, etc., I just want to use the ASR9000v module and have this ASR9K + ISM as the host. The first problem I see in this scenario is that I have the same 10.0.0.0/8 network in both sites, a network which will access the same resources as the devices in the 10.0.0.0/8 in the main site.

1) Do you think if I create a new inside VRF [NAT_IN1] would address this issue?

2) Can I use the same outside VRF?

Here are the configurations.

!! IOS XR Configuration 4.3.1

!

vrf NAT_IN

address-family ipv4 unicast

  import route-target

   65500:2

   65500:3

  !

  export route-target

   65500:3

  !

!

!

vrf RED

address-family ipv4 unicast

  import route-target

   65500:1

  !

  export route-target

   65500:1

  !

!

!

vrf NAT_OUT

address-family ipv4 unicast

  import route-target

   65500:4

  !

  export route-target

   65500:4

  !

!

!

vrf SATELLITE

!

vrf BLUE

address-family ipv4 unicast

  import route-target

   65500:2

  !

  export route-target

   65500:2

  !

!

!

hw-module service cgn location 0/3/CPU0

!

ipv4 access-list ABF

5 permit ospf any any

10 permit ipv4 any 10.200.0.0 0.0.255.255 nexthop1 vrf NAT_IN ipv4 10.0.2.2

20 permit icmp any any

!

interface Bundle-Ether3

description Uplink (BE3 - VRF NAT_IN) - VLAN 20

vrf NAT_IN

ipv4 address 1.1.1.1 255.255.255.0

ipv4 access-group ABF ingress

!

!

interface Bundle-Ether22

description LOOPBACK CABLE NAT_OUT

vrf NAT_OUT

ipv4 address 10.0.1.1 255.255.255.0

!

!

interface Bundle-Ether23

description LOOPBACK CABLE BLUE

vrf BLUE

ipv4 address 10.0.1.2 255.255.255.0

!

!

interface 6

description Uplink  (BE6 - Global) - VLAN 20,51,80-82

!

!

interface 6.2

ipv4 address 1.1.1.2 255.255.255.0

encapsulation dot1q 2

!

interface 6.51 l2transport

description EFP - BE6 - VLAN 51

encapsulation dot1q 51

rewrite ingress tag pop 1 symmetric

!

interface 6.80 l2transport

description EFP - BE6 - VLAN 80

encapsulation dot1q 80

rewrite ingress tag pop 1 symmetric

!

interface 6.81 l2transport

description EFP - BE6 - VLAN 81

encapsulation dot1q 81

rewrite ingress tag pop 1 symmetric

!

interface 6.82 l2transport

description EFP - BE6 - VLAN 82

encapsulation dot1q 82

rewrite ingress tag pop 1 symmetric

!

interface Bundle-Ether100

description Bundle to Satellite 100

vrf SATELLITE

ipv4 point-to-point

ipv4 unnumbered Loopback0

nv

  satellite-fabric-link satellite 100

   remote-ports GigabitEthernet 0/0/0-43

  !

!

!

interface Bundle-Ether200

description Bundle to Satellite 200

vrf SATELLITE

ipv4 point-to-point

ipv4 unnumbered Loopback0

nv

  satellite-fabric-link satellite 200

   remote-ports GigabitEthernet 0/0/0-43

  !

!

!

interface Bundle-Ether300

description Bundle to Satellite 300

vrf SATELLITE

ipv4 point-to-point

ipv4 unnumbered Loopback0

nv

  satellite-fabric-link satellite 300

   remote-ports GigabitEthernet 0/0/0-35

  !

!

!

interface Loopback0

description MGMT SATELLITE

vrf SATELLITE

ipv4 address 10.0.0.254 255.255.255.0

!

interface tunnel-ip31101

description BLUE-TUNNEL01

vrf BLUE

ipv4 address 10.200.253.90 255.255.255.252

tunnel mode gre ipv4

tunnel source 6.2

tunnel destination 13.13.13.13

!

interface tunnel-ip31102

description BLUE-TUNNEL02

vrf BLUE

ipv4 address 10.200.253.94 255.255.255.252

tunnel mode gre ipv4

tunnel source 6.2

tunnel destination 14.14.14.14

!

interface tunnel-ip31103

description RED-TUNNEL03

vrf RED

ipv4 address 10.200.253.90 255.255.255.252

tunnel mode gre ipv4

tunnel source 6.2

tunnel destination 13.13.13.13

!

interface tunnel-ip31104

description RED-TUNNEL04

vrf RED

ipv4 address 10.200.253.94 255.255.255.252

tunnel mode gre ipv4

tunnel source 6.2

tunnel destination 14.14.14.14

!

!

interface TenGigE0/0/0/0

description LINK TO SATELLITE 100

bundle id 100 mode on

!

interface TenGigE0/0/0/1

description LINK TO SATELLITE 100

bundle id 100 mode on

!

interface TenGigE0/0/0/2

description LINK TO SATELLITE 200

bundle id 200 mode on

!

interface TenGigE0/0/0/3

description LINK TO SATELLITE 200

bundle id 200 mode on

!

interface TenGigE0/0/0/4

description LINK TO SATELLITE 300

vrf SATELLITE

ipv4 point-to-point

ipv4 unnumbered Loopback0

nv

  satellite-fabric-link satellite 300

   remote-ports GigabitEthernet 0/0/36-43

  !

!

!

interface TenGigE0/0/0/5

description LINK TO SATELLITE 300

bundle id 300 mode on

!

!

interface TenGigE0/0/0/16

description UPLINK  (BE6 - GLOBAL) - VLAN 20,51,80-82

bundle id 6 mode active

!

interface TenGigE0/1/0/16

description UPLINK  (BE6 - GLOBAL) - VLAN 20,51,80-82

bundle id 6 mode active

!

!

interface TenGigE0/0/0/17

description UPLINK  (BE3 - VRF NAT_IN) - VLAN 20

bundle id 3 mode active

!

!

interface TenGigE0/1/0/17

description UPLINK  (BE3 - VRF NAT_IN) - VLAN 20

bundle id 3 mode active

!

!

interface TenGigE0/0/0/22

description LOOPBACK CABLE TE0/1/0/22

bundle id 22 mode on

!

interface TenGigE0/0/0/23

description LOOPBACK CABLE TE0/1/0/23

bundle id 22 mode on

!

interface TenGigE0/1/0/0

description LINK TO SATELLITE 100

bundle id 100 mode on

!

interface TenGigE0/1/0/1

description LINK TO SATELLITE 100

bundle id 100 mode on

!

interface TenGigE0/1/0/2

description LINK TO SATELLITE 200

bundle id 200 mode on

!

interface TenGigE0/1/0/3

description LINK TO SATELLITE 200

bundle id 200 mode on

!

interface TenGigE0/1/0/4

description LINK TO SATELLITE 300

bundle id 300 mode on

!

interface TenGigE0/1/0/5

description LINK TO SATELLITE 300

bundle id 300 mode on

!

!

!

interface TenGigE0/1/0/22

description LOOPBACK CABLE TE0/0/0/22

bundle id 23 mode on

!

interface TenGigE0/1/0/23

description LOOPBACK CABLE TE0/0/0/23

bundle id 23 mode on

!

interface BVI30

vrf RED

ipv4 address 10.200.25.193 255.255.255.192

!

interface BVI31

vrf BLUE

ipv4 address 10.200.1.1 255.255.255.248

!

interface BVI32

vrf BLUE

ipv4 address 10.200.25.129 255.255.255.224

!

interface BVI33

vrf BLUE

ipv4 address 10.200.25.1 255.255.255.128

!

interface BVI36

vrf BLUE

ipv4 address 10.200.237.145 255.255.255.240

!

interface BVI51

vrf RED

ipv4 address 192.168.7.12 255.255.255.0

!

interface BVI80

vrf RED

ipv4 address 10.200.26.169 255.255.255.224

!

interface BVI81

vrf BLUE

ipv4 address 10.200.25.164 255.255.255.240

!

interface BVI82

vrf BLUE

ipv4 address 10.200.25.180 255.255.255.240

!

!

interface ServiceApp1

description NAT_IN

vrf NAT_IN

ipv4 address 10.0.2.1 255.255.255.252

service cgn CGN service-type nat44

!

interface ServiceApp2

description NAT_OUT

vrf NAT_OUT

ipv4 address 10.0.2.5 255.255.255.252

service cgn CGN service-type nat44

!

interface ServiceInfra1

description ISM

ipv4 address 10.0.3.1 255.255.255.0

service-location 0/3/CPU0

!

!

prefix-set PS_ROUTES

  10.200.0.8,

  10.200.5.40/29,

  10.200.1.0/29,

  10.200.5.32/29,

  10.200.0.144/28,

  10.200.106.0/28,

  10.200.106.16/28

end-set

!

prefix-set PS_BGP_BLUE_OUT

  10.200.24.192/26,

  10.200.5.40/29,

  10.200.240.0/25,

  10.200.1.0/29,

  10.200.25.128/27,

  10.200.25.0/25,

  10.200.5.32/29,

  10.200.26.0/25,

  10.200.0.144/28,

  10.200.27.128/27,

  10.200.27.0/25,

  10.200.106.0/28,

  10.200.106.128/25,

  10.200.106.16/28,

  10.200.107.128/25

end-set

!

route-policy RP_DENY_ALL

  drop

end-policy

!

route-policy RP_PASS_ALL

  pass

end-policy

!

route-policy RP_BGP_BLUE_OUT

  if destination in PS_BGP_BLUE_OUT then

    pass

  endif

end-policy

!

route-policy RP_PASS_ROUTES

  if destination in PS_ROUTES then

    pass

  endif

end-policy

!

!

router static

address-family ipv4 unicast

  0.0.0.0/0 1.1.1.20

!

vrf NAT_IN

  address-family ipv4 unicast

   0.0.0.0/0 ServiceApp1

  !

!

vrf RED

!

vrf NAT_OUT

  address-family ipv4 unicast

   0.0.0.0/0 10.0.1.2

   10.200.24.192/26 ServiceApp2

  !

!

vrf BLUE

  address-family ipv4 unicast

   10.200.24.192/26 10.0.1.1

  !

!

!

router ospf

log adjacency changes

vrf NAT_IN

  router-id 1.1.1.1

  disable-dn-bit-check

  redistribute bgp 65500 metric 5 metric-type 2 route-policy RP_PASS_ROUTES

  !

  area 7

   interface Bundle-Ether3

   !

  !

!

!

router ospf RED

log adjacency changes

vrf RED

  router-id 10.200.26.169

  disable-dn-bit-check

  redistribute bgp 65500 metric 10 metric-type 2

  area 11

   interface BVI30

   !

   interface BVI80

   !

  !

!

!

router ospf BLUE

log adjacency changes

vrf BLUE

  router-id 10.200.25.164

  disable-dn-bit-check

  redistribute static

  redistribute bgp 65500 metric 10 metric-type 2

  area 0

   interface BVI81

   !

   interface BVI82

   !

  !

  area 2

   interface BVI31

   !

   interface BVI32

   !

   interface BVI33

   !

   interface BVI36

   !

  !

!

!

router bgp 65500

address-family ipv4 unicast

!

address-family vpnv4 unicast

!

vrf NAT_IN

  rd 65500:3

  bgp router-id 1.1.1.1

  address-family ipv4 unicast

   route-target download

  !

!

vrf RED

  rd 65500:1

  bgp router-id 10.200.253.90

  address-family ipv4 unicast

   network 10.200.25.192/26

   network 10.200.26.128/27

   network 10.200.26.192/27

   network 10.200.27.192/26

   network 10.200.104.128/27

   network 10.200.104.160/27

  !

  neighbor 10.200.253.89

   remote-as 64512

   ebgp-multihop 5

   update-source tunnel-ip31103

   address-family ipv4 unicast

    route-policy RP_PASS_ALL in

    route-policy RP_PASS_ALL out

    soft-reconfiguration inbound

   !

  !

  neighbor 10.200.253.93

   remote-as 64512

   ebgp-multihop 5

   update-source tunnel-ip31104

   address-family ipv4 unicast

    route-policy RP_PASS_ALL in

    route-policy RP_PASS_ALL out

    soft-reconfiguration inbound

   !

  !

!

vrf BLUE

  rd 65500:2

  bgp router-id 10.200.253.90

  address-family ipv4 unicast

   network 10.200.0.144/28

   network 10.200.1.0/29

   network 10.200.5.32/29

   network 10.200.5.40/29

   network 10.200.24.192/26

   network 10.200.25.0/25

   network 10.200.25.128/27

   network 10.200.26.0/25

   network 10.200.27.0/25

   network 10.200.27.128/27

   network 10.200.106.0/28

   network 10.200.106.16/28

   network 10.200.106.128/25

   network 10.200.107.128/25

   network 10.200.240.0/25

  !

  neighbor 10.200.253.89

   remote-as 64512

   ebgp-multihop 5

   update-source tunnel-ip31101

   address-family ipv4 unicast

    route-policy RP_PASS_ALL in

    route-policy RP_BGP_BLUE_OUT out

    soft-reconfiguration inbound

   !

  !

  neighbor 10.200.253.93

   remote-as 64512

   ebgp-multihop 5

   update-source tunnel-ip31102

   address-family ipv4 unicast

    route-policy RP_PASS_ALL in

    route-policy RP_BGP_BLUE_OUT out

    soft-reconfiguration inbound

   !

  !

!

!

l2vpn

load-balancing flow src-dst-ip

bridge group VLAN30

  bridge-domain VLAN30

   !

   !

   routed interface BVI30

  !

!

bridge group VLAN31

  bridge-domain VLAN31

   !

   !

   routed interface BVI31

  !

!

bridge group VLAN32

  bridge-domain VLAN32

   routed interface BVI32

  !

!

bridge group VLAN33

  bridge-domain VLAN33

   !

   routed interface BVI33

  !

!

bridge group VLAN36

  bridge-domain VLAN36

   !

   routed interface BVI36

  !

!

bridge group VLAN51

  bridge-domain VLAN51

   !

   routed interface BVI51

  !

!

bridge group VLAN80

  bridge-domain VLAN80

   interface 6.80

   !

   routed interface BVI80

  !

!

bridge group VLAN81

  bridge-domain VLAN81

   interface 6.81

   !

   routed interface BVI81

  !

!

bridge group VLAN82

  bridge-domain VLAN82

   interface 6.82

   !

   routed interface BVI82

  !

!

!

nv

satellite 100

  type asr9000v

  ipv4 address 10.0.0.1

!

satellite 200

  type asr9000v

  ipv4 address 10.0.0.2

!

satellite 300

  type asr9000v

  ipv4 address 10.0.0.3

!

!

!

service cgn CGN

service-location preferred-active 0/3/CPU0

service-type nat44 nat44

  portlimit 20000

  inside-vrf NAT_IN

   map outside-vrf NAT_OUT address-pool 10.200.24.192/26

  !

!

!

Thanks in advance,

Renato
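
Added example (not part of the thread and not Cisco code): a small Python check of the NAT44 wiring pattern that both configurations above follow, where the inside VRF has a static route to its ServiceApp and the outside VRF routes the address pool to the other ServiceApp. `parse` and `check` are hypothetical helper names, the sample is constructed from the NAT44 stanzas of the second configuration, and the keyword-based parsing assumes stanzas appear in the order shown in the posts.

```python
import ipaddress
# Constructed sample: NAT44-related stanzas trimmed from the thread's second configuration.
SAMPLE = """\
interface ServiceApp1
 vrf NAT_IN
interface ServiceApp2
 vrf NAT_OUT
router static
 vrf NAT_IN
  address-family ipv4 unicast
   0.0.0.0/0 ServiceApp1
 vrf NAT_OUT
  address-family ipv4 unicast
   0.0.0.0/0 10.0.1.2
   10.200.24.192/26 ServiceApp2
!
service cgn CGN
 service-type nat44 nat44
  inside-vrf NAT_IN
   map outside-vrf NAT_OUT address-pool 10.200.24.192/26
"""

def parse(cfg):
    """Collect ServiceApp->VRF bindings, static routes via a ServiceApp, and NAT44 maps."""
    app_vrf, statics, maps = {}, [], []
    section, vrf, inside = "", None, None
    for tok in (l.split() for l in cfg.splitlines() if l.strip()):
        if tok[0] in ("interface", "router") or (tok[:2] == ["service", "cgn"] and len(tok) == 3):
            section, vrf = " ".join(tok), None           # a new stanza begins
        elif tok[0] == "vrf" and len(tok) == 2:
            vrf = tok[1]
            if section.startswith("interface ServiceApp"):
                app_vrf.setdefault(section.split()[1], vrf)
        elif section == "router static" and len(tok) == 2 and tok[1].startswith("ServiceApp"):
            statics.append((vrf, ipaddress.ip_network(tok[0], strict=False), tok[1]))
        elif tok[0] == "inside-vrf":
            inside = tok[1]
        elif tok[:2] == ["map", "outside-vrf"] and tok[3:4] == ["address-pool"]:
            maps.append((inside, tok[2], ipaddress.ip_network(tok[4], strict=False)))
    return app_vrf, statics, maps

def check(cfg):
    """Return wiring problems; an empty list means every map has both legs routed."""
    app_vrf, statics, maps = parse(cfg)
    problems = []
    for inside, outside, pool in maps:
        # Inside leg: a route in the inside VRF must hand traffic to that VRF's ServiceApp.
        if not any(v == inside and app_vrf.get(a) == inside for v, _, a in statics):
            problems.append(f"{inside}: no static route to an inside ServiceApp")
        # Outside leg: return traffic for the pool must reach the outside VRF's ServiceApp.
        if not any(v == outside and app_vrf.get(a) == outside and pool.subnet_of(n)
                   for v, n, a in statics):
            problems.append(f"{outside}: pool {pool} not routed to an outside ServiceApp")
    return problems
```

Running `check` on a full saved configuration works the same way, since lines outside the three stanza types are ignored.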
