308 Views, 0 Helpful, 8 Replies

NAT from WAN to (Default VRF) Mgmt-Intf interface In CISCO IOS-XE

piwale7827 (Beginner)

Hi,

I am looking to expose my internal web server to the internet by configuring the Cisco above it with a WAN interface.

Some details:

I'm using a Cisco ISR4331/K9 running IOS-XE.

Its interfaces:

1.

interface GigabitEthernet0/0/0
 description To-Firewall
 ip address 201.125.34.125 255.255.255.252
 negotiation auto

2. Default management interface for IOS-XE

interface GigabitEthernet0
 description MGMT
 vrf forwarding Mgmt-intf
 ip address 192.168.100.200 255.255.255.0
 negotiation auto

3. I don't know how important it is, but this is the interface that connects to the ISP and is the Cisco's default gateway.

interface GigabitEthernet0/0/1
 description To_pppoe
 no ip address
 negotiation auto
 pppoe enable group global
 pppoe-client dial-pool-number 1

Diagram: Attached as network.png

CISCO's Config: Attached as config.txt

Routing tables:

1. GRT

Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S*    0.0.0.0/0 is directly connected, Dialer1 (ISP)
C     71.45.225.12 is directly connected, Dialer1 (ISP)
C     96.111.35.46 is directly connected, Dialer1 (ISP)
C     201.125.34.125/30 is directly connected, GigabitEthernet0/0/0
L     201.125.34.125/32 is directly connected, GigabitEthernet0/0/0

2. Mgmt-intf (VRF)

Routing Table: Mgmt-intf
Gateway of last resort is not set
C        192.168.100.0/24 is directly connected, GigabitEthernet0
L        192.168.100.200/32 is directly connected, GigabitEthernet0

Things I've tried:

1. A simple VRF-aware NAT rule like this:

ip nat inside source static tcp 192.168.100.10 80 201.125.34.125 45621 vrf Mgmt-intf

To debug the issue I ran "sh ip nat statistics" and, to my surprise, it showed 0 hits and 0 misses on my NAT rule... weird...

2. The VASI method. You can see in this post that I already asked, and someone suggested the VASI method and was very helpful on how to apply it to my scenario, but still to no avail. In that post you can see that my base estimate was that the problem is NATing between the GRT and the VRF, but as I said it never got any hits or misses, so I'm slowly starting to think that this was not the issue, and this is why I'm creating this post.

Things I've tried to debug:

1. When trying to access the high port on the WAN interface after applying the NAT rule, I was capturing packets on that interface and I indeed saw the packet reach the WAN interface; the Cisco responded with a normal RST.

2. As I said, I tried to see if "sh ip nat statistics" showed anything other than 0. No.

Thank you very much if you got to this point; it was long.

- Feel free to ask me some more questions about the situation

8 Replies

DanielP211 (Enthusiast)

Hello!

Firstly, I don't see you having ip nat inside and ip nat outside defined on Gig0 and Gig0/0/0. You definitely need that. I'll check the other configuration. Just give me a few moments.

BR

****Kindly rate all useful posts*****

Yes, this configuration has everything that came from my attempts removed; cleaner for you guys.

M02@rt37 (Advocate)

Hello @piwale7827,

concerning your Gi0/0/0 interface:

interface GigabitEthernet0/0/0
description To-Firewall
ip address 123.123.123.123 255.255.255.252
negotiation auto

This IP with this mask is a broadcast address... please change this IP!

Best regards
******* If This Helps, Please Rate *******
Ben

No no, I know, this is a fake IP... I just didn't want to put my real public IP address here.

Hello,
It's a bit unclear which host you are trying to port-forward to and from where.

gi0/0/0 <> firewall <> HIS-ISP
gi0   <> vrf forwarding Mgmt-in > LAN
gi0/0/1<>  default route <> pppoe ISP


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

piwale7827 (Beginner)

Hi there!

First of all thank you for replying.

Because of the misunderstanding, let me be a bit clearer: I need to be able to port-forward a HIGH PORT from the WAN interface on my router (201.125.34.125:45621) to my internal web server (192.168.100.10:80).

I changed the configs and the routing tables in the original post; please feel free to download them and take a look!

Again, thank you so much for helping. I've been stuck on this for several weeks now, and to be honest it doesn't look like a task that should take that long!

piwale7827 (Beginner)

Also, let me add this:

I just noticed that the primary WAN address is pointing to a different interface with actually no IP... I tried to move the ip nat outside to that interface, but to no avail.

I attached a picture to show you what I mean in the GUI configuration.

Hello,
thanks for the clarification, however you still show 2 WAN links; is that correct?
The global NAT interface you say you want to be used isn't the WAN interface that your static default route or the PPPoE ISP router resides on.

Also, your RIP process is advertising all connected interfaces plus redistributing connected at the same time, which isn't correct.



Kind Regards
Paul
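The replies above boil down to three checks on the running-config: the VRF-side interface that carries the web server must be marked ip nat inside, the interface that owns the public address in the static rule must be marked ip nat outside, and replies leaving the VRF need a route that leaks back into the global table, otherwise "sh ip nat statistics" keeps showing 0 hits. The script below is an added example for this thread, not code from the original post or from Cisco. It parses an IOS-XE config and reports those findings for a VRF-aware static port-forward. The sample config is constructed from the interface snippets and the NAT line shown in the post (config.txt was an attachment and is not on the page); the Dialer1 block, the firewall-side next hop 201.125.34.126 and the "corrected" variant are assumptions. It also keeps Paul's observation as a warning: the global default route exits Dialer1, not the interface that owns the NAT address. One caveat the thread never reaches, to verify against the ISR 4000 software configuration guide for your release: GigabitEthernet0 on these platforms is an out-of-band management port attached to the route processor, and Cisco documents it as not usable for transit traffic, so a rule that is syntactically complete may still never get hits on that port.

```python
"""Lint an IOS-XE config for a VRF-aware static NAT port-forward.

Added example, not the poster's or Cisco's code. Sample configs below are
CONSTRUCTED from the snippets in the thread; Dialer1, the next hop
201.125.34.126 and the corrected variant are assumptions.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str]  # ("error" | "warning", message)

# Only the port-forward form is handled: ip nat inside source static tcp|udp ...
STATIC_NAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)(?: vrf (\S+))?\s*$"
)

# Constructed: roughly the state the poster describes.
AS_POSTED = """\
interface GigabitEthernet0/0/0
 description To-Firewall
 ip address 201.125.34.125 255.255.255.252
 negotiation auto
!
interface GigabitEthernet0
 description MGMT
 vrf forwarding Mgmt-intf
 ip address 192.168.100.200 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/0/1
 description To_pppoe
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip nat inside source static tcp 192.168.100.10 80 201.125.34.125 45621 vrf Mgmt-intf
"""

# Constructed: same config plus ip nat inside/outside and a VRF default route
# leaking into the global table (assumed firewall-side next hop 201.125.34.126).
CORRECTED = AS_POSTED.replace(
    " ip address 201.125.34.125 255.255.255.252\n",
    " ip address 201.125.34.125 255.255.255.252\n ip nat outside\n",
).replace(
    " ip address 192.168.100.200 255.255.255.0\n",
    " ip address 192.168.100.200 255.255.255.0\n ip nat inside\n",
) + "ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 201.125.34.126 global\n"


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map interface name -> its indented sub-commands ('!' or a global line ends a block)."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def iface_network(cmds: List[str]) -> Optional[ipaddress.IPv4Interface]:
    """Address/mask of an interface; None for 'no ip address' or 'negotiated'."""
    for c in cmds:
        m = re.match(r"ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$", c)
        if m:
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return None


def iface_vrf(cmds: List[str]) -> Optional[str]:
    for c in cmds:
        m = re.match(r"(?:ip )?vrf forwarding (\S+)$", c)
        if m:
            return m.group(1)
    return None  # global routing table


def lint(config: str) -> List[Finding]:
    findings: List[Finding] = []
    ifaces = parse_interfaces(config)
    routes = [l.strip() for l in config.splitlines() if l.startswith("ip route ")]
    for line in config.splitlines():
        m = STATIC_NAT_RE.match(line)
        if not m:
            continue
        _proto, local_ip, _lport, global_ip, _gport, vrf = m.groups()
        local, glob = ipaddress.ip_address(local_ip), ipaddress.ip_address(global_ip)

        # 1. inside interface: in the rule's VRF and on the inside host's subnet
        inside = [n for n, c in ifaces.items()
                  if iface_vrf(c) == vrf and (net := iface_network(c)) and local in net.network]
        if not inside:
            findings.append(("error", f"no interface in VRF {vrf or 'global'} covers inside host {local}"))
        for n in inside:
            if "ip nat inside" not in ifaces[n]:
                findings.append(("error", f"{n} carries {local} but lacks 'ip nat inside'"))

        # 2. outside interface: owns the subnet of the public (global) address
        outside = [n for n, c in ifaces.items()
                   if (net := iface_network(c)) and glob in net.network]
        if not outside:
            findings.append(("error", f"no interface owns {glob}; NAT never sees this traffic"))
        for n in outside:
            if "ip nat outside" not in ifaces[n]:
                findings.append(("error", f"{n} owns {glob} but lacks 'ip nat outside'"))

        # 3. return path: server replies leave the VRF and must reach the global table
        if vrf and inside and outside and all(iface_vrf(ifaces[n]) is None for n in outside):
            if not any(r.startswith(f"ip route vrf {vrf} ") and r.endswith(" global") for r in routes):
                findings.append(("error", f"VRF {vrf} has no 'ip route vrf {vrf} ... global'; replies are dropped"))

        # 4. asymmetry hint: global default route vs. the interface owning the NAT address
        for r in routes:
            if r.startswith("ip route 0.0.0.0 0.0.0.0 ") and not re.match(r"\d", r.split()[4]):
                exit_if = r.split()[4]
                if exit_if not in outside:
                    findings.append(("warning", f"global default route exits {exit_if}, not {outside}; "
                                                f"confirm inbound traffic for {glob} arrives on {outside}"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"--- {name}")
        for sev, msg in lint(cfg):
            print(f"{sev:8} {msg}")
```

Run it as-is to see the as-posted config produce three errors (no ip nat inside, no ip nat outside, no VRF route to global) and the corrected one only the Dialer1 warning. After applying the missing lines on the router, the hit counter under "sh ip nat statistics" is the check that the rule is finally matched; a capture on the outside interface showing an RST from the router, as in the original post, is what you see while the counter is still 0.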