cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
640
Views
6
Helpful
21
Replies

NAT: Policy - each team gets own unique public IP address.

gary-gatten
Level 1
Level 1

Hi all - TIA for any feedback.

I would think this would be a fairly common requirement, and I've done this easily on ASA and other platforms, but it took me some time to get this working today.  Wondering if there's a better way to accomplish this?

Use Case:

Too many concurrent sessions to use a single public IP address. NAT groups of internal IP's to their own specific public IP address.

- Caveat: Internet/Public/"NAT outside" interface is in a VRF (INET); others are GRT.

- Test Platform: 8300 series, IOS-XE 17.6


Team A = 2000 users: Map to IP address 6.6.6.6
Team B = 2000 users: Map to IP address 6.6.6.7
Team C = 2000 users: Map to IP address 6.6.6.8
Others Map to public IP of router 6.6.6.2 - (interface overload)


interface TenGigabitEthernet0/0/0
! BIA: cc6a.1234.abcd !
description <<<INTERNET>>>
vrf forwarding INET
ip address 6.6.6.2 255.255.255.240
ip nat outside
...

 

! This is for default NAT - fall through for those not in teams A - C !
Standard IP access list NAT
5 deny 10.6.0.0 wildcard bits 0.0.255.255
6 deny 10.7.0.0 wildcard bits 0.0.255.255
7 deny 10.8.0.0 wildcard bits 0.0.255.255
8 permit 10.0.0.0, wildcard bits 0.255.255.255
9 permit 192.168.0.0, wildcard bits 0.0.255.255
10 permit 172.16.0.0, wildcard bits 0.15.255.255

 


! TEAM A !
ip nat pool nat-pool-test-6 6.6.6.6 6.6.6.6 netmask 255.255.255.240

ip access-list extended acl-nat-test-6
10 permit ip 10.6.0.0 0.0.255.255 any

route-map rm-nat-test-6 permit 10
match ip address acl-nat-test-6

ip nat inside source route-map rm-nat-test-6 pool nat-pool-test-6 overload


! TEAM B !
ip nat pool nat-pool-test-7 6.6.6.7 6.6.6.7 netmask 255.255.255.240

ip access-list extended acl-nat-test-7
10 permit ip 10.7.0.0 0.0.255.255 any

route-map rm-nat-test-7 permit 10
match ip address acl-nat-test-7

ip nat inside source route-map rm-nat-test-7 pool nat-pool-test-7 overload


! TEAM C !
ip nat pool nat-pool-test-8 6.6.6.8 6.6.6.8 netmask 255.255.255.240

ip access-list extended acl-nat-test-8
10 permit ip 10.8.0.0 0.0.255.255 any

route-map rm-nat-test-8 permit 10
match ip address acl-nat-test-8

ip nat inside source route-map rm-nat-test-8 pool nat-pool-test-8 overload

 

! DEFAULT!
ip nat inside source list NAT interface TenGigabitEthernet0/0/0 overload

 

! Need this - adding secondary IP on interface t0/0/0 didn't work !
arp vrf INET 6.6.6.6 cc6a.1234.abcd ARPA alias
arp vrf INET 6.6.6.7 cc6a.1234.abcd ARPA alias
arp vrf INET 6.6.6.8 cc6a.1234.abcd ARPA alias

 

 

21 Replies 21

Hello
You could consolidate the teams addressing nat to use a single dynamic nat pool with those 3 public ips, meaning they can use any address in that pool, so not a specific to the individual pools you have at present
than have a catch all  single pat statement for any other local users requesting translation and/if the nat pool becomes exhausted the teams users will default to the single PAT overload

example:
ip access-list extended Teams
permit ip 10.6.0.0 0.0.255.255 any
permit ip 10.7.0.0 0.0.255.255 any
permit ip 10.8.0.0 0.0.255.255 any

ip access-list extended Other
permit ip 10.0.0.0 0.255.255.255 any

ip nat pool TEAM-NAT 6.6.6.6 6.6.6.8 prefix-length 28
ip nat pool PAT 6.6.6.10 6.6.6.10 prefix-length 28
ip nat inside source list Teams pool TEAM-NAT vrf NET match-in-vrf
ip nat source list Other pool PAT vrf NET overload


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hmmm...  Some of your syntax is different than what I expected, I will have to play with that.  Have you had issues with the router responding to ARP requests for the nat pool - and if so - is the "alias" the best way to address that?

Yes, a single pool with several IP's will certainly work, good catch.  In the past I've found it useful to map a team, department, business unit, whatever to their own IP.  If we're doing tech charge backs, it's easy to pull reports on utilization that way.  Similar, if there is a bandwidth hog I can narrow it down pretty quick.

 

Thanks for the response!

Hello
TBH - alias is on by default although its hidden, so by default the router will create a arp entry for the translated addresses, so any destination host will arp for that translated address of which the nat rtr would have created an entry for it.

whats the issue you are seeing?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

The configs I posted work - or seem to - still testing and such.  Without the manual "arp...alias" entry, I could not pass traffic.  The NAT's would be built, but no traffic flowing.  Debug NAT didn't reveal much - but there was an entry like "attempting to create alias".  That reminded me about the arp..alias command.

This seems to be more problematic, or even exclusive to VRF's; particularly if inside IF's are GRT and outside IF is in some VRF.  Had similar issues when inside IF's are in a different VRF than outside IFs.

If I have more time I'll do a pcap/monitor session with various configs and try to highlight the failure(s).  If it's working though, due to time constraints I'll probably have to document it and move on.

Hello
try enabling local proxy arp and see if that helps?

int x/x
ip local-proxy arp


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Why you need to add secondary IP?

The IP in all Pool can be in same subnet

What I see you do wrong is you add one IP to pool and mask 255.255.255.240  try use /32 instead as mask for each pool

MHM

Hello


@MHM Cisco World wrote:

What I see you do wrong is you add one IP to pool and mask 255.255.255.240  try use /32 instead as mask for each pool

MHM



FYI - That will not work NAT will not allow host ip pools, they need to be at least a /30 or shorter, otherwise you in the relalms of 1-2-1  nat/pat


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Adding secondary IP was a work around for 1:1 static NAT's; the rtr would not reply to ARPs for a NAT'd address.  Say, the router IF is 6.6.6.6 and you're doing a static nat from... 192.168.0.10 to 6.6.6.10.  No worky - rtr would not respond to arp's for 6.6.6.10.  The "fix" on older ISR's was to add 6.6.6.10 as a secondary address.  Perhaps this is resolved in IOS-XE - or patched in more recent code, not sure.

If the IP in Pool's in same subnet no need secondary.

Why the ARP not responding to IP of Pool and need secondary 

This only happened when the primary IP in subnet different than Pool IP.

MHM

VRF?

sorry what you meaning 

MHM

I think the interfaces, nat inside and nat outside, not in the same VRF or GRT breaks things, like arp.  As mentioned, maybe I'm missing something in the configs, but it definitely won't work unless additional steps are taken to make the rtr reply to arp requests.  I know there is newer tech - NVI's, VASI, etc.  Not up to speed on those, but look promising for various use cases.

 

Hello Gary
Vasi nat is very much applicable for VRFs it assist with the bridging of the separate vrf tables using those vasileft/right interfaces to obtain the communication 

Another vrf applicable NAT feature which precedes VASI so it isn't applicable to IOS-XE is domainiess (NVI) nat

ip nat source list xxx
etc...

int x/x
ip nat enable 
i


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello


@MHM Cisco World wrote:

This only happened when the primary IP in subnet different than Pool IP.

 


TBH this should make no difference, My understanding the nat rtr should create the arp upon translation on any address you do not require a secondary addressing to accomplish that even if it is or not in the same address range on the public facing interface ip 



Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
Review Cisco Networking for a $25 gift card