NAT with two outside interfaces

This topic is to discuss the following lesson:

Thank you for this awesome post… keep it up!

Thanks Rene !!

Thank you, this site is awesome.

Rene,

Where can i find Route-Map chapter?

Hi bhargavi,

In our lessons, we used route-maps with different routing protocols for route redistribution and/or filtering. I haven't found a specific chapter on route-maps on our website, but you can see how Rene has used them with different routing protocols in the following 2 lessons:

EIGRP Route-map Filtering
OSPF LSA Type 5 Filtering on Cisco IOS

I can refer you also to this article from Cisco website where you can find all information needed about route-map:

Route-map explanation from cisco.com

Hope this can help.


Hi Rene,
NAT inside source process: the routing is processed first, then NAT.
In the example, I think we do not need the route map, because every packet passing through the interface will be translated. The following will work.
Please correct me if I'm wrong.

NAT(config)#ip nat inside source list 1 int fa 0/1 overload
NAT(config)#ip nat inside source list 1 int fa 1/0 overload

Hello Mahmoud!

Your logic makes sense, however, it wouldn’t work as it should. If you insert the second command you have above, the first one will be overwritten. You require a route map in order to determine: which addresses will be NATed, which outside interface these addresses will be routed from and which NAT translation will occur.

For a proper NAT load balancing configuration with optimized edge routing, take a look at this Cisco support document: http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/99427-ios-nat-2isp.html

I hope this has been helpful!

Laz

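As an added example (not the lesson's configuration and not part of any reply in this thread), this is what the route-map-based version of the two-outside-interface setup looks like end to end. Interface names and addresses are assumptions for illustration only; the point is the pair of `match interface` clauses that let two overload rules share one access list.

```cisco
! Added example (not from the lesson or the replies above): a two-ISP
! PAT configuration that uses one route-map per outside interface.
! Interface names and addresses are assumptions for illustration.
!
! Inside LAN
interface Ethernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Link to ISP1
interface Ethernet0/1
 ip address 192.168.12.1 255.255.255.0
 ip nat outside
!
! Link to ISP2
interface Ethernet0/2
 ip address 192.168.14.1 255.255.255.0
 ip nat outside
!
! Two equal-cost default routes. For inside-to-outside traffic the
! routing decision is made first and picks the exit interface; NAT then
! looks for a route-map whose "match interface" agrees with that exit.
ip route 0.0.0.0 0.0.0.0 192.168.12.2
ip route 0.0.0.0 0.0.0.0 192.168.14.2
!
! Only the inside LAN is translated. Keep this list tight: a "permit any"
! here would also translate transit traffic you never meant to hide
! behind the edge addresses.
access-list 1 permit 192.168.10.0 0.0.0.255
!
! One route-map per exit. The "match interface" clause is what lets two
! overload rules share the same ACL; two plain
! "ip nat inside source list 1 ..." rules cannot both be installed.
route-map ISP1 permit 10
 match ip address 1
 match interface Ethernet0/1
!
route-map ISP2 permit 10
 match ip address 1
 match interface Ethernet0/2
!
ip nat inside source route-map ISP1 interface Ethernet0/1 overload
ip nat inside source route-map ISP2 interface Ethernet0/2 overload
!
! NAT by itself is not a firewall. Filter inbound on each outside
! interface with an explicit ACL (omitted here).
```

Because the route-map is consulted after the routing lookup, the translation always uses the address of the interface the packet is really leaving on, so return traffic from either ISP comes back to the right outside address.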

Hello Laz,

Yes, you are right, but in this case, instead of being overwritten, it will not accept the second statement and the following message pops out:
%Dynamic mapping in use, cannot change
Thanks
Waqar

Hello Mohammad

Yes, in the case where you would get such an error message, the proper procedure would be to remove the previous NAT command and replace it. More info can be found here:

I hope this has been helpful!

Laz

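The replacement procedure Laz describes, written out as an added example (not from the reply above). It assumes the original two-line `list 1` attempt from earlier in the thread is what has to be removed; the route-map names are assumptions.

```cisco
! Added example, not from the reply above: replacing a dynamic NAT rule
! that IOS refuses to change with "%Dynamic mapping in use, cannot change".
! Route-map names are assumptions.
!
! 1. Flush the active translations. While entries created by the old
!    rule exist, the rule cannot be removed or changed. This drops the
!    state of every current flow through the router, so on a production
!    edge do it in a maintenance window.
clear ip nat translation *
!
! 2. Remove the old rule, then install the replacements.
configure terminal
 no ip nat inside source list 1 interface FastEthernet0/1 overload
 ip nat inside source route-map ISP1 interface FastEthernet0/1 overload
 ip nat inside source route-map ISP2 interface FastEthernet1/0 overload
end
!
! 3. Confirm both rules are present and that translations come back
!    once inside hosts send traffic again.
show running-config | include ip nat inside source
show ip nat statistics
show ip nat translations
```

If step 1 is skipped the `no ip nat inside source ...` line produces the same error, because the check is on the translations that reference the rule, not on the rule itself.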

Hi Laz,
Yes its clear and thanks for the explanation.

//BR
Waqar


Hi there, I have a question: what do I do if I have subinterfaces (VLANs) on the inside side and there is no IP address on the physical interface, just the default gateway for each VLAN? Thank you very much for the answer. That picture with subinterfaces (sh ip int brief) is from SoDR1. Thank you for any help :-).

Rob

Hello Robert

There is no problem with having no IP address on the physical inside interface. Configuring the subinterfaces as inside interfaces is what is required. The "inside" configuration of NAT must always be implemented on the interface which acts as the default gateway for that particular subnet, and in this case, it is the subinterfaces. Indeed, NAT wouldn't work if you had applied it only to the physical interface, so your configuration is correct.

I hope this has been helpful!

Laz

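Added example of the inside side of that setup (not Robert's configuration and not from Laz's reply): a trunked LAN where the physical interface has no address and each 802.1Q subinterface is the gateway for its VLAN. VLAN numbers and addresses are assumptions.

```cisco
! Added example (not Robert's or Laz's configuration): the inside side of
! NAT when the LAN is trunked into the router as 802.1Q subinterfaces.
! VLAN numbers and addresses are assumptions.
!
! The physical interface carries the trunk and has no IP address;
! it is neither "ip nat inside" nor a gateway for anything.
interface Ethernet0/0
 no ip address
!
! Each subinterface is the default gateway of its VLAN, so each one
! is where "ip nat inside" must go.
interface Ethernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.15.1 255.255.255.0
 ip nat inside
!
interface Ethernet0/0.20
 encapsulation dot1Q 20
 ip address 10.0.16.1 255.255.255.0
 ip nat inside
!
! The ACL referenced by the NAT route-maps must cover every inside VLAN
! that is allowed out. A VLAN missing from the list is still routed,
! but untranslated, so its private source addresses leak to the ISP.
ip access-list standard INSIDE_VLANS
 permit 10.0.15.0 0.0.0.255
 permit 10.0.16.0 0.0.0.255
```

`show ip nat statistics` lists the interfaces currently marked inside and outside; the subinterfaces, not Ethernet0/0, should appear under "Inside interfaces".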

Hi Laz, OK, I can ping the other interfaces 10.0.15.1 and 10.0.16.1 from the PCs, and the loopback also, but I do not understand why I cannot see the translation and statistics table of NAT. Thanks

do sh ip nat stat

Robert

Hello Robert

It seems that your pings are just being routed and not being NAT’ed. This is why you don’t see any NAT translations. It is the access lists that are used to identify which traffic will be NAT’ed and which will not. Verify that your access lists are configured correctly and that the correct traffic is indeed being identified as NAT’able.

I hope this has been helpful!

Laz


Hi Laz, I configured like this:

ip access-list extended STD_NAT
permit ip 192.168.10.0 0.0.0.255 any (all Inter Vlans of one site)

route-map SP1 permit 10
match int e1/0
match ip address STD_NAT

route-map SP2 permit 10
match ip address STD_NAT
match int e1/1

ip nat inside source route-map SP1 int e1/0 overload
ip nat inside source route-map SP2 int e1/1 overload

Robert

Hello Robert

The behaviour you describe indicates that routing and not NAT’ing is taking place, which means that traffic to be NAT’ed is not being identified. This has to do with the ACL and the route map that you configured.

At first glance, I don’t see anything wrong with your configuration. However, one thing I would suggest you try is use a standard access list instead of an extended one as some IOS versions don’t seem to like extended ACLs for this purpose. Try that out and let us know.

I hope this has been helpful!

Laz

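The checks Laz suggests, collected as an added example (not from either reply above) using the names from Robert's configuration. One check worth adding to his list: pinging the router's own addresses (its inside subinterfaces or a loopback) from the LAN is not a NAT test at all, because that traffic terminates on the router and never crosses an inside-to-outside boundary.

```cisco
! Added example (not from the replies above): checks to run on the NAT
! router when pings succeed but "show ip nat translations" stays empty.
! Names follow Robert's configuration.
!
! 1. Is the traffic entering on an "inside" and leaving on an "outside"
!    interface? Both lists must contain the interfaces you expect.
show ip nat statistics
!
! 2. Does the access list include the source subnet of the test host?
show access-lists STD_NAT
!
! 3. Are both route-maps bound to the right ACL and exit interface, and
!    are both NAT rules actually in the running configuration?
show route-map SP1
show route-map SP2
show running-config | include ip nat inside source
!
! 4. Watch the translation decision per packet while a host on the LAN
!    pings a destination beyond one of the ISPs. Turn the debug off
!    immediately afterwards; on a busy edge it is expensive.
debug ip nat
! ... send the test ping from the inside host now ...
undebug all
!
! 5. Then look for the new entries.
show ip nat translations
!
! Do not test by pinging the router's own addresses (10.0.15.1,
! 10.0.16.1 or a loopback): those packets terminate on the router and
! are never translated, so an empty table is expected.
```

If step 4 prints nothing while the ping succeeds, the packet is being routed without consulting NAT at all, which points at the interface roles from step 1 or the ACL from step 2 rather than at the route-maps.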

Hi guys,

I really don't get it. Depending on where I ping from and the ping reply I get, the packet goes one route or another. Is this right, or did I do something wrong?

NAT inside & Route map config

ip nat inside source route-map ISP1 interface Ethernet0/1 overload
ip nat inside source route-map ISP2 interface Ethernet0/2 overload
ip route 0.0.0.0 0.0.0.0 192.168.12.2
ip route 0.0.0.0 0.0.0.0 192.168.14.2
!
access-list 1 permit 192.168.10.0 0.0.0.255
!
route-map ISP2 permit 10
 match ip address 1
 set interface Ethernet0/2
!
route-map ISP1 permit 10
 match ip address 1
 set interface Ethernet0/1

ip route output

NAT#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.14.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.14.2
                [1/0] via 192.168.12.2
      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, Ethernet0/0
L        192.168.10.2/32 is directly connected, Ethernet0/0
      192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.12.0/24 is directly connected, Ethernet0/1
L        192.168.12.1/32 is directly connected, Ethernet0/1
      192.168.14.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.14.0/24 is directly connected, Ethernet0/2
L        192.168.14.1/32 is directly connected, Ethernet0/2

Thanks in advance.

Hello Gonzalo

Your NAT configuration looks correct. In the output of ISP1, you see an IP packet arriving from 192.168.12.1, which I understand to be E0/2 of the NAT router. So far so good. But ISP2 tries to respond to this ping from a local interface with an IP address 192.168.14.2 and this of course fails. It should actually try to respond from the local interface with an IP address of 192.168.12.1, which is the same interface it received the ping from. So there seems to be a routing problem on ISP2.

Also, ISP2 seems to have the 192.168.14.2 interface as a local interface which means that you’re using the same router as two different ISP routers? It should work, but you must configure the routing appropriately so that it responds from the correct interface.

Otherwise, your NAT configuration seems to be working correctly.

I hope this has been helpful!

Laz


Hello everyone, I have been trying to bring my NAT skills out of the vault of oblivion.

This is the scenario:

I have a host within the Boston office that requires redundant internet access. To that end there is configuration supporting a primary traffic path out of the firewall within the office. If that goes down, tracking at the NY12 level detects that and removes the static route from the routing table to allow the OSPF default route advertised by PE1 from VRF GREEN.
At that point, via PE1, the ingress interface Et0/3 on VRF GREEN belongs to NAT inside, with the proper outside interface being Et0/2. I have the proper VRF-aware static route with the global keyword on it and the global static route pointing out to IGM Et0/0 (another ip nat inside).
I would like to extend this redundancy further via the MPLS network, but so far I haven't succeeded in getting this to work.
I have tried NAT over GRE as NAT outside on PE1 / inside on PE2, generating new loopbacks to also act as inside / outside NAT + a route map for PBR to redirect the traffic to the loopbacks. PE2 does not participate in VRF GREEN by design, so I would prefer to keep it that way. I could redesign the entire solution to just be VPNv4 all the way and manage import and export RTs, etc., but I got stuck here and would like to complete it using NAT if possible for the sake of the challenge.
Thank you in advance for your comments.