10-01-2024 01:58 PM
Hi all - TIA for any feedback.
I would think this would be a fairly common requirement, and I've done this easily on ASA and other platforms, but it took me some time to get this working today. Wondering if there's a better way to accomplish this?
Use Case:
Too many concurrent sessions to use a single public IP address. NAT groups of internal IPs to their own specific public IP address.
- Caveat: Internet/Public/"NAT outside" interface is in a VRF (INET); others are GRT.
- Test Platform: 8300 series, IOS-XE 17.6
Team A = 2000 users: Map to IP address 6.6.6.6
Team B = 2000 users: Map to IP address 6.6.6.7
Team C = 2000 users: Map to IP address 6.6.6.8
Others Map to public IP of router 6.6.6.2 - (interface overload)
interface TenGigabitEthernet0/0/0
! BIA: cc6a.1234.abcd !
description <<<INTERNET>>>
vrf forwarding INET
ip address 6.6.6.2 255.255.255.240
ip nat outside
...
! This is for default NAT - fall through for those not in teams A - C !
Standard IP access list NAT
    5 deny   10.6.0.0, wildcard bits 0.0.255.255
    6 deny   10.7.0.0, wildcard bits 0.0.255.255
    7 deny   10.8.0.0, wildcard bits 0.0.255.255
    8 permit 10.0.0.0, wildcard bits 0.255.255.255
    9 permit 192.168.0.0, wildcard bits 0.0.255.255
    10 permit 172.16.0.0, wildcard bits 0.15.255.255
! TEAM A !
ip nat pool nat-pool-test-6 6.6.6.6 6.6.6.6 netmask 255.255.255.240
ip access-list extended acl-nat-test-6
10 permit ip 10.6.0.0 0.0.255.255 any
route-map rm-nat-test-6 permit 10
match ip address acl-nat-test-6
ip nat inside source route-map rm-nat-test-6 pool nat-pool-test-6 overload
! TEAM B !
ip nat pool nat-pool-test-7 6.6.6.7 6.6.6.7 netmask 255.255.255.240
ip access-list extended acl-nat-test-7
10 permit ip 10.7.0.0 0.0.255.255 any
route-map rm-nat-test-7 permit 10
match ip address acl-nat-test-7
ip nat inside source route-map rm-nat-test-7 pool nat-pool-test-7 overload
! TEAM C !
ip nat pool nat-pool-test-8 6.6.6.8 6.6.6.8 netmask 255.255.255.240
ip access-list extended acl-nat-test-8
10 permit ip 10.8.0.0 0.0.255.255 any
route-map rm-nat-test-8 permit 10
match ip address acl-nat-test-8
ip nat inside source route-map rm-nat-test-8 pool nat-pool-test-8 overload
! DEFAULT !
ip nat inside source list NAT interface TenGigabitEthernet0/0/0 overload
! Need this - adding secondary IP on interface t0/0/0 didn't work !
arp vrf INET 6.6.6.6 cc6a.1234.abcd ARPA alias
arp vrf INET 6.6.6.7 cc6a.1234.abcd ARPA alias
arp vrf INET 6.6.6.8 cc6a.1234.abcd ARPA alias
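The design above relies on the default "list NAT" rule denying the team ranges before its permits, so that a 10.6.x.x host is only ever matched by its team rule. The following is an added example, not code from the original post, that models each "ip nat inside source" rule as its ordered ACL and reports inside sources that more than one rule would translate. It does not model which rule IOS picks when two match (that is not something this thread establishes); it only finds the ambiguity. The rule names, the "Te0/0/0 (6.6.6.2)" label and the helper names are mine.

```python
"""Added example, not code from the original post: find inside sources that
more than one 'ip nat inside source' rule would translate.

Each rule is modelled as its ordered ACL (for route-map NAT, the ACL behind
'match ip address'). IOS ACLs are first-match with an implicit deny at the
end, which is what the post's default 'list NAT' rule leans on with its
explicit denies for the team ranges. This check does not model which rule
IOS would pick when two match; it only reports that an ambiguity exists.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Sequence, Set, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    network: IPv4Network


@dataclass(frozen=True)
class NatRule:
    name: str                   # route-map or access-list name from the config
    inside_global: str          # what the rule translates to (informational)
    acl: Tuple[AclEntry, ...]   # ordered, first match wins


def wildcard_net(addr: str, wildcard: str) -> IPv4Network:
    """IOS 'addr wildcard' -> network. Wildcard bits are the inverted mask;
    a non-contiguous wildcard raises, as it has no single-prefix equivalent."""
    mask = IPv4Address(0xFFFFFFFF ^ int(IPv4Address(wildcard)))
    return IPv4Network(f"{addr}/{mask}", strict=False)


def acl_permits(acl: Sequence[AclEntry], src: IPv4Address) -> bool:
    for entry in acl:
        if src in entry.network:
            return entry.action == "permit"
    return False                # implicit deny at the end of every IOS ACL


def matching_rules(rules: Sequence[NatRule], src: str) -> List[str]:
    """Names of every rule whose ACL permits this inside source."""
    ip = IPv4Address(src)
    return [r.name for r in rules if acl_permits(r.acl, ip)]


def _candidates(rules: Sequence[NatRule]) -> Set[IPv4Address]:
    """Every region an ACL permits is bounded by prefix edges, so each region
    contains the first or last address of some entry's prefix, or the address
    just before or just after one. Testing those points covers every region,
    including any region two rules share."""
    points: Set[IPv4Address] = set()
    for rule in rules:
        for entry in rule.acl:
            lo, hi = int(entry.network[0]), int(entry.network[-1])
            for n in (lo, hi, lo - 1, hi + 1):
                if 0 <= n <= 0xFFFFFFFF:
                    points.add(IPv4Address(n))
    return points


def ambiguous_sources(rules: Sequence[NatRule]) -> Dict[str, List[str]]:
    """Representative sources that hit more than one rule, with the rules hit."""
    found: Dict[str, List[str]] = {}
    for src in sorted(_candidates(rules)):
        hits = [r.name for r in rules if acl_permits(r.acl, src)]
        if len(hits) > 1:
            found[str(src)] = hits
    return found


def _team(name: str, glob: str, net: str) -> NatRule:
    return NatRule(name, glob, (AclEntry("permit", wildcard_net(net, "0.0.255.255")),))


def op_rules(with_denies: bool = True) -> Tuple[NatRule, ...]:
    """The post's three team rules plus its default 'list NAT' rule.
    with_denies=False drops the deny lines from the default list to show
    what they prevent."""
    denies = tuple(AclEntry("deny", wildcard_net(n, "0.0.255.255"))
                   for n in ("10.6.0.0", "10.7.0.0", "10.8.0.0")) if with_denies else ()
    default = NatRule("NAT", "Te0/0/0 (6.6.6.2)", denies + (
        AclEntry("permit", wildcard_net("10.0.0.0", "0.255.255.255")),
        AclEntry("permit", wildcard_net("192.168.0.0", "0.0.255.255")),
        AclEntry("permit", wildcard_net("172.16.0.0", "0.15.255.255")),
    ))
    return (_team("rm-nat-test-6", "6.6.6.6", "10.6.0.0"),
            _team("rm-nat-test-7", "6.6.6.7", "10.7.0.0"),
            _team("rm-nat-test-8", "6.6.6.8", "10.8.0.0"),
            default)


if __name__ == "__main__":
    print("as posted:", ambiguous_sources(op_rules()))
    print("without the denies:", ambiguous_sources(op_rules(with_denies=False)))
```

With the denies in place the check returns nothing; without them it reports 10.6.0.0, 10.7.0.0 and 10.8.0.0 (and the other prefix edges of those /16s) as matched by both a team rule and the default rule. The same function can be pointed at any other set of rules, for example after adding a fourth team, before the change goes on the box.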
10-02-2024 01:26 AM
Hello
You could consolidate the teams' NAT addressing to use a single dynamic NAT pool with those 3 public IPs, meaning they can use any address in that pool, not a specific one of the individual pools you have at present,
then have a catch-all single PAT statement for any other local users requesting translation, and if the NAT pool becomes exhausted the teams' users will default to the single PAT overload.
example:
ip access-list extended Teams
 permit ip 10.6.0.0 0.0.255.255 any
 permit ip 10.7.0.0 0.0.255.255 any
 permit ip 10.8.0.0 0.0.255.255 any
ip access-list extended Other
 permit ip 10.0.0.0 0.255.255.255 any
!
ip nat pool TEAM-NAT 6.6.6.6 6.6.6.8 prefix-length 28
ip nat pool PAT 6.6.6.10 6.6.6.10 prefix-length 28
! VRF name as in the original post (INET). Dynamic NAT without "overload":
! each active inside host holds one of the three pool addresses until it times out.
ip nat inside source list Teams pool TEAM-NAT vrf INET match-in-vrf
! "ip nat source" with no inside/outside keyword is the NVI form of the command.
ip nat source list Other pool PAT vrf INET overload
10-02-2024 07:52 AM
Hmmm... Some of your syntax is different than what I expected, I will have to play with that. Have you had issues with the router responding to ARP requests for the NAT pool - and if so - is the "alias" the best way to address that?
Yes, a single pool with several IPs will certainly work, good catch. In the past I've found it useful to map a team, department, business unit, whatever to their own IP. If we're doing tech charge-backs, it's easy to pull reports on utilization that way. Similarly, if there is a bandwidth hog I can narrow it down pretty quick.
Thanks for the response!
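The per-team public address makes attribution and capacity reporting a matter of reading the translation table. The following is an added example, not from the thread, that parses "show ip nat translations" output, counts sessions per public address and per team, and flags the two conditions the per-team layout is meant to expose: a team host leaving through the wrong public address (policy not applied as intended), and a public address approaching PAT port exhaustion (the "too many concurrent sessions" problem from the first post). Assumptions of mine: the column layout in the sample, the team names, the team-to-address mapping as stated in the original post, and a usable PAT source-port count of about 64511 per protocol per address, which IOS does not document exactly. The sample output is constructed, not captured from a router.

```python
"""Added example, not from the thread: summarise IOS 'show ip nat translations'
output per public address and per team, and flag a team host that left via
the wrong public address or a public address near PAT port exhaustion.
"""
import re
from collections import Counter, defaultdict
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

TEAMS = {                       # ranges from the original post; names are mine
    "Team A": IPv4Network("10.6.0.0/16"),
    "Team B": IPv4Network("10.7.0.0/16"),
    "Team C": IPv4Network("10.8.0.0/16"),
}
TEAM_GLOBAL = {"Team A": "6.6.6.6", "Team B": "6.6.6.7",
               "Team C": "6.6.6.8", "Other": "6.6.6.2"}
PORTS_PER_PROTO = 65535 - 1024  # assumed usable PAT ports per address and protocol

# Assumed column layout: Pro  Inside global  Inside local  Outside local  Outside global
_ROW = re.compile(r"^(tcp|udp|icmp|---)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample in that layout; not real router output.
SAMPLE = """\
Pro  Inside global         Inside local          Outside local         Outside global
tcp  6.6.6.6:1024          10.6.1.10:49152       203.0.113.5:443       203.0.113.5:443
tcp  6.6.6.6:1025          10.6.1.11:49200       203.0.113.5:443       203.0.113.5:443
udp  6.6.6.7:5000          10.7.2.3:5000         198.51.100.9:53       198.51.100.9:53
tcp  6.6.6.8:1024          10.8.9.9:51000        203.0.113.7:22        203.0.113.7:22
tcp  6.6.6.2:1024          192.168.0.10:50000    203.0.113.5:80        203.0.113.5:80
tcp  6.6.6.2:1025          10.6.5.5:50001        203.0.113.5:80        203.0.113.5:80
---  6.6.6.6               10.6.1.10             ---                   ---
Total number of translations: 7
"""


def _split(endpoint: str) -> Tuple[str, Optional[int]]:
    """'6.6.6.6:1024' -> ('6.6.6.6', 1024); '---' or a bare address -> (x, None)."""
    if ":" in endpoint:
        addr, port = endpoint.rsplit(":", 1)
        return addr, int(port)
    return endpoint, None


def parse_translations(text: str) -> List[Dict]:
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:                   # header, blank lines, totals
            continue
        proto, ig, il, _ol, og = m.groups()
        ig_addr, ig_port = _split(ig)
        il_addr, il_port = _split(il)
        rows.append({"proto": proto, "inside_global": ig_addr, "global_port": ig_port,
                     "inside_local": il_addr, "local_port": il_port,
                     "outside_global": og})
    return rows


def team_of(addr: str) -> str:
    ip = IPv4Address(addr)
    return next((name for name, net in TEAMS.items() if ip in net), "Other")


def summarise(rows: List[Dict], warn_ratio: float = 0.8) -> Dict:
    # Port-less '---' rows are the per-host entries PAT keeps beside the
    # port-level ones; only rows with a translated port count as sessions.
    sessions = [r for r in rows if r["global_port"] is not None]
    per_global = Counter(f'{r["inside_global"]}/{r["proto"]}' for r in sessions)
    per_team = Counter(team_of(r["inside_local"]) for r in sessions)
    hosts = defaultdict(set)
    warnings = []
    for r in sessions:
        team = team_of(r["inside_local"])
        hosts[team].add(r["inside_local"])
        if r["inside_global"] != TEAM_GLOBAL[team]:
            warnings.append(f'{r["inside_local"]} ({team}) left via {r["inside_global"]}, '
                            f'expected {TEAM_GLOBAL[team]}')
    for key, n in per_global.items():
        if n >= warn_ratio * PORTS_PER_PROTO:
            warnings.append(f"{key}: {n} of ~{PORTS_PER_PROTO} PAT ports in use")
    return {"sessions": len(sessions), "per_global": dict(per_global),
            "per_team": dict(per_team),
            "hosts_per_team": {t: len(h) for t, h in hosts.items()},
            "warnings": warnings}


if __name__ == "__main__":
    import json
    print(json.dumps(summarise(parse_translations(SAMPLE)), indent=2))
```

On the sample the script reports six sessions, three of them from Team A, and one warning: 10.6.5.5 is a Team A host but its translation is on 6.6.6.2, which is what a missing deny in the default list (or a rule applied in the wrong place) looks like from the table. Feed it the real output from the router and adjust PORTS_PER_PROTO to whatever your platform actually gives you.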
10-02-2024 08:01 AM
Hello
TBH - alias is on by default although it's hidden, so by default the router will create an ARP entry for the translated addresses, so any destination host will ARP for that translated address, for which the NAT rtr would have created an entry.
What's the issue you are seeing?
10-02-2024 08:44 AM
The configs I posted work - or seem to - still testing and such. Without the manual "arp...alias" entry, I could not pass traffic. The NATs would be built, but no traffic flowing. Debug NAT didn't reveal much - but there was an entry like "attempting to create alias". That reminded me about the arp..alias command.
This seems to be more problematic, or even exclusive to VRFs; particularly if inside IFs are GRT and the outside IF is in some VRF. Had similar issues when inside IFs are in a different VRF than outside IFs.
If I have more time I'll do a pcap/monitor session with various configs and try to highlight the failure(s). If it's working though, due to time constraints I'll probably have to document it and move on.
10-02-2024 08:51 AM
Hello
Try enabling local proxy ARP and see if that helps?
int x/x
 ip local-proxy-arp
10-02-2024 08:06 AM
Why do you need to add a secondary IP?
The IPs in all pools can be in the same subnet.
What I see you doing wrong is that you add one IP to a pool with mask 255.255.255.240; try using /32 instead as the mask for each pool.
MHM
10-02-2024 08:32 AM
Hello
@MHM Cisco World wrote: What I see you doing wrong is that you add one IP to a pool with mask 255.255.255.240; try using /32 instead as the mask for each pool.
MHM
FYI - That will not work: NAT will not allow host IP pools, they need to be at least a /30 or shorter, otherwise you're in the realms of 1-to-1 NAT/PAT.
10-02-2024 08:37 AM
Adding a secondary IP was a workaround for 1:1 static NATs; the rtr would not reply to ARPs for a NAT'd address. Say the router IF is 6.6.6.6 and you're doing a static NAT from... 192.168.0.10 to 6.6.6.10. No worky - rtr would not respond to ARPs for 6.6.6.10. The "fix" on older ISRs was to add 6.6.6.10 as a secondary address. Perhaps this is resolved in IOS-XE - or patched in more recent code, not sure.
10-02-2024 08:55 AM
If the IPs in the pool are in the same subnet, there is no need for a secondary.
Why is the ARP not responding for the pool IP and needing a secondary?
This only happened when the primary IP is in a different subnet than the pool IP.
MHM
10-02-2024 09:00 AM
VRF?
10-02-2024 09:00 AM
Sorry, what do you mean?
MHM
10-02-2024 09:06 AM
I think the interfaces, NAT inside and NAT outside, not being in the same VRF or GRT breaks things, like ARP. As mentioned, maybe I'm missing something in the configs, but it definitely won't work unless additional steps are taken to make the rtr reply to ARP requests. I know there is newer tech - NVIs, VASI, etc. Not up to speed on those, but they look promising for various use cases.
10-02-2024 09:21 AM - edited 10-02-2024 09:22 AM
Hello Gary
VASI NAT is very much applicable for VRFs; it assists with bridging the separate VRF tables, using those vasileft/right interfaces to obtain the communication.
Another VRF-applicable NAT feature, which precedes VASI so it isn't applicable to IOS-XE, is domainless (NVI) NAT:
ip nat source list xxx
etc...
int x/x
ip nat enable
10-02-2024 09:00 AM
Hello
@MHM Cisco World wrote:
This only happened when the primary IP is in a different subnet than the pool IP.
TBH this should make no difference. My understanding is that the NAT rtr should create the ARP entry upon translation for any address; you do not require secondary addressing to accomplish that, whether or not it is in the same address range as the public-facing interface IP.