NAT via secondary IP on SD-WAN edge or service-side NAT

dijix1990
VIP

Hi, on IOS XE I have this config:

interface Vlan100
 ip address 1.1.1.2 255.255.255.248 secondary
 ip address 1.1.1.1 255.255.255.248
 ip nat outside
 
interface Vlan200
 ip address 192.168.100.1 255.255.255.0
 ip nat inside 
 
interface Vlan300
 ip address 192.168.200.1 255.255.255.0
 ip nat inside 

ip nat pool rm_nat_vlan100-secondary 1.1.1.2 1.1.1.2 prefix-length 29
ip nat inside source route-map rm_nat_vlan100-main interface Vlan100 overload
ip nat inside source route-map rm_nat_vlan100-secondary pool rm_nat_vlan100-secondary overload

route-map rm_nat_vlan100-main permit 10
 match ip address NAT-vlan200
 match interface Vlan100

route-map rm_nat_vlan100-secondary permit 10
 match ip address NAT-vlan300
 match interface Vlan100
 
ip access-list extended NAT-vlan200
 permit ip 192.168.100.0 0.0.0.255 any

ip access-list extended NAT-vlan300
 permit ip 192.168.200.0 0.0.0.255 any

Maybe somebody knows how I can repeat it in an SD-WAN config?
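As an added example (not from the thread and not Cisco tooling), here is a small Python model of the policy NAT above: IOS-style wildcard-mask ACL matching plus first-match route-map selection, so you can check from which public address each inside host egresses. The SD-WAN DIA case is modelled under the assumption stated later in the thread that only one NAT mapping exists per VPN0 interface; the "ANY" match and the sample hosts are constructed.

```python
# Added example: model of the IOS XE conditional NAT from the post above.
# Not the router's implementation; wildcard and route-map semantics follow
# IOS (first match wins, implicit deny at the end of every ACL).
import ipaddress

def acl_matches(acl, src_ip):
    """Evaluate an extended ACL given as [(action, network, wildcard), ...].
    A wildcard bit of 1 means 'don't care'. First matching entry decides."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for action, network, wildcard in acl:
        net = int(ipaddress.IPv4Address(network))
        wc = int(ipaddress.IPv4Address(wildcard))
        if (ip & ~wc) == (net & ~wc):
            return action == "permit"
    return False  # implicit deny

def translate(src_ip, egress_if, mappings, acls):
    """Pick the outside address for a flow. `mappings` is an ordered list of
    {'acl', 'interface', 'outside'} dicts, one per
    'ip nat inside source route-map ... overload' line; both route-map
    clauses (ACL and egress interface) must match, first hit wins."""
    for m in mappings:
        if m["interface"] == egress_if and acl_matches(acls[m["acl"]], src_ip):
            return m["outside"]
    return None  # no NAT rule matched: packet leaves untranslated

# Constructed from the config posted above
ACLS = {
    "NAT-vlan200": [("permit", "192.168.100.0", "0.0.0.255")],
    "NAT-vlan300": [("permit", "192.168.200.0", "0.0.0.255")],
    "ANY": [("permit", "0.0.0.0", "255.255.255.255")],  # assumption for DIA
}
LEGACY_IOS_XE = [  # two conditional mappings on the same outside interface
    {"acl": "NAT-vlan200", "interface": "Vlan100", "outside": "1.1.1.1"},
    {"acl": "NAT-vlan300", "interface": "Vlan100", "outside": "1.1.1.2"},
]
SDWAN_DIA = [  # assumed: one NAT mapping per VPN0 interface, interface overload
    {"acl": "ANY", "interface": "Vlan100", "outside": "1.1.1.1"},
]

def egress_table(mappings):
    """Outside address the Internet sees for one host in each service VLAN
    plus one host (constructed) that no ACL covers."""
    return {h: translate(h, "Vlan100", mappings, ACLS)
            for h in ("192.168.100.10", "192.168.200.10", "10.9.9.9")}

if __name__ == "__main__":
    print("legacy IOS XE:", egress_table(LEGACY_IOS_XE))
    print("SD-WAN DIA   :", egress_table(SDWAN_DIA))
```

Useful when a remote party allowlists your source address: the legacy table shows VLAN 300 leaving as 1.1.1.2, while the single-mapping DIA model collapses everything onto the interface address.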


dijix1990
VIP

Nobody knows?

Hi,

could you explain a bit what you want to achieve exactly?

If it is DIA NAT, then for the same interface pool and interface NAT is not supported:

Restrictions for NAT DIA

A NAT mapping can have an interface overload, an interface DIA pool, or an interface loopback. Multiple NAT mappings cannot exist for the same interface.

If it is service side NAT, you may have only pool configuration:

Restrictions for Service-Side NAT


Only NAT pool translations are supported.

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/nat/nat-book-xe-sdwan/configure-nat.html#service-side-nat

Try to create 2 pools if it is service-side NAT (although I didn't get what the VLAN 100 interface is; is it underlay?).

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Hello, thanks for answering. VLAN 100 is underlay. In the legacy environment we send our traffic through different outside IP addresses (we get a public /29 network from the ISP and use two IPs of it for NAT).

Above is an example of how we do it.

And now I'm thinking how I can do the same config when the edge is managed by SD-WAN.

Hi,

conditional NAT is not supported for DIA (direct internet access) NAT.

Also, you cannot have pool and interface NAT for the same underlay (VPN0) interface.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

mikhailov.ivan
Level 1

Guys, I hope this topic is still alive. I have the same issue and got confused. The task sounds like this: provide a dedicated public IP address to some server (let's imagine that it's an oVPN node). The design is: a cEdge (C8300) router; the cable from the ISP is plugged directly into interface Gi0/0/0 and the ISP gives us a /29 subnet. We took one IP for VPN0 as NAT DIA and also have several service VPNs, and the server is in one of them. The aim is providing 1-to-1 NAT (as it was in legacy style). This is all. And now I will get annoying, so sorry for my French in advance, because in legacy-style networks I could do this in around 5 minutes with only 1 device like a $50 Mikrotik or a Cisco router with IOS onboard, whatever, but now after buying the newest SD-WAN appliance for thousands of bucks I can't solve the simplest daily task, and the only thing I can get from Cisco is "sorry, it isn't supported", wtf. Maybe it's my bad and I don't know how to configure it, but please, if anyone knows the secret, share this secret knowledge. Notice that we don't consider more complex schemes like with 2 cEdges and TLOC-Ext and NAT DIA trackers etc. Let's try to solve it with the simple config.

Thanks!

Hi,

you can have NAT overload to the interface and static 1:1 NAT from the interface. It is supported.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Yes, it is not flexible and does not have as many features as legacy now.

For me it's a shame I can't use it, because I need to go to some clients via a secondary public IP (PAT). Cisco SD-WAN can't do it now.

By the way, which vManage version do you use?

I have vManage 20.9.2.1 and there is an option for static NAT with the ability to use a source VPN.

For example, I have an interface in VPN 0:

Gi0/0/0
des WAN
ip address 1.1.1.1 255.255.255.248

and I can make 1-to-1 NAT for 192.168.100.254 via 1.1.1.2 for service VPN 10.

[Screenshot attachment: dijix1990_0-1681873016512.png]

mikhailov.ivan
Level 1

Hmm, could you share a guide please? AFAIK you can't use a secondary IP from the NAT (public) interface for 1:1 NAT, right? I mean we configured 1 public IP from the /29 pool on interface Gi0/0/0 (PAT), for instance; how can we use another IP from the /29 pool? Should we configure it as a secondary first, or? It would be great if you have instructions. Thanks!

Hi,

no need to configure a secondary IP if the IP is from the same subnet. Just configure 1:1 NAT.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Do you want to say that I can take any free address from the ISP pool where I took the IP for VPN0 from, and it will start working automatically? Do you have an example config or a link to any docs which prove it? It would be great if it's true.

Thanks!

I answered you with an example; have you tried it?

mikhailov.ivan
Level 1

Will try it in a lab, thanks!
