NAT with two outside interfaces

Hello Laz,

Yes, you are right, but in this way, instead of overwriting, it will not accept the second statement and the message pops out with
%Dynamic mapping in use, cannot change
Thanks
Waqar

Hello Mohammad

Yes, in the case where you would get such an error message, the proper procedure would be to remove the previous NAT command and replace it. More info can be found here:

I hope this has been helpful!

Laz

1 Like

Hi Laz,
Yes, it's clear, and thanks for the explanation.

//BR
Waqar

1 Like

Hi there, I have a question: what to do if I have subinterfaces (VLANs) on the inside side and there is no IP address for the physical interface, just the default gateway for each VLAN. Thank you very much for the answer. That picture with subinterfaces (sh ip int brief) is from SoDR1. Thank you for any help :-).

Rob

Hello Robert

There is no problem with having no IP address on the physical inside interface. The subinterfaces configured as inside interfaces are what is required. The "inside" configuration of NAT must always be implemented on the interface which acts as the default gateway for that particular subnet, and in this case, it is the subinterfaces. Indeed, NAT wouldn't work if you had applied it only to the physical interface, so your configuration is correct.

I hope this has been helpful!

Laz

1 Like

Hi Laz, OK, I can ping the other interfaces 10.0.15.1 and 10.0.16.1 from the PCs and the loopback also, but I do not understand why I cannot see the translation and statistics table of NAT. Thanks

do sh ip nat stat

Robert

Hello Robert

It seems that your pings are just being routed and not being NAT’ed. This is why you don’t see any NAT translations. It is the access lists that are used to identify which traffic will be NAT’ed and which will not. Verify that your access lists are configured correctly and that the correct traffic is indeed being identified as NAT’able.

I hope this has been helpful!

Laz

1 Like

Hi Laz, I configured it like this:

ip access-list extended STD_NAT
permit ip 192.168.10.0 0.0.0.255 any (all Inter Vlans of one site)

route-map SP1 permit 10
match int e1/0
match ip address STD_NAT

route-map SP2 permit 10
match ip address STD_NAT
match int e1/1

ip nat inside source route-map SP1 int e1/0 overload
ip nat inside source route-map SP2 int e1/1 overload

Robert

Hello Robert

The behaviour you describe indicates that routing and not NAT’ing is taking place, which means that traffic to be NAT’ed is not being identified. This has to do with the ACL and the route map that you configured.

At first glance, I don't see anything wrong with your configuration. However, one thing I would suggest you try is to use a standard access list instead of an extended one, as some IOS versions don't seem to like extended ACLs for this purpose. Try that out and let us know.

I hope this has been helpful!

Laz

1 Like

Hi guys,

I really don't get it. Depending on where I ping from and the message for the ping that I get, the packet goes one route or another. Is this right, or did I do something wrong?

NAT inside & Route map config

ip nat inside source route-map ISP1 interface Ethernet0/1 overload
ip nat inside source route-map ISP2 interface Ethernet0/2 overload
ip route 0.0.0.0 0.0.0.0 192.168.12.2
ip route 0.0.0.0 0.0.0.0 192.168.14.2
!
access-list 1 permit 192.168.10.0 0.0.0.255
!
route-map ISP2 permit 10
 match ip address 1
 set interface Ethernet0/2
!
route-map ISP1 permit 10
 match ip address 1
 set interface Ethernet0/1

ip route output

NAT#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.14.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.14.2
                [1/0] via 192.168.12.2
      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, Ethernet0/0
L        192.168.10.2/32 is directly connected, Ethernet0/0
      192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.12.0/24 is directly connected, Ethernet0/1
L        192.168.12.1/32 is directly connected, Ethernet0/1
      192.168.14.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.14.0/24 is directly connected, Ethernet0/2
L        192.168.14.1/32 is directly connected, Ethernet0/2

Thanks in advance.

Hello Gonzalo

Your NAT configuration looks correct. In the output of ISP1, you see an IP packet arriving from 192.168.12.1, which I understand to be E0/2 of the NAT router. So far so good. But ISP2 tries to respond to this ping from a local interface with an IP address 192.168.14.2 and this of course fails. It should actually try to respond from the local interface with an IP address of 192.168.12.1, which is the same interface it received the ping from. So there seems to be a routing problem on ISP2.

Also, ISP2 seems to have the 192.168.14.2 interface as a local interface which means that you’re using the same router as two different ISP routers? It should work, but you must configure the routing appropriately so that it responds from the correct interface.

Otherwise, your NAT configuration seems to be working correctly.

I hope this has been helpful!

Laz

1 Like

Hello Everyone, I have been trying to bring my NAT skills out of the vault of oblivion.

This is the scenario:

I have a host within the Boston office that requires redundant internet access. To that end, there is configuration supporting a primary traffic path out of the firewall within the office. If that goes down, a tracking at NY12 level detects that and removes the static from the routing table to allow the OSPF default route advertised by PE1 from VRF GREEN.
At that point, via PE1, the ingress interface Et0/3 on VRF GREEN belongs to a NAT inside, with the proper outside interface being Et0/2. I have the proper VRF-aware static route with the global command on it and the global static route pointing out to IGW Et0/0 (another ip nat inside).
I would like to extend this redundancy further via the MPLS network, but so far I haven't succeeded in getting this to work.
I have tried NAT over GRE as NAT outside on PE1 / inside on PE2, generating new loopbacks to also act as inside / outside NAT + route map for PBR to redirect the traffic to loopbacks. PE2 does not participate in VRF GREEN by design, so I would prefer to keep it that way. I could redesign the entire solution to just be VPNv4 all the way and manage import and export RTs, etc., but I got stuck here and would like to complete it using NAT if possible for the sake of the challenge.
Thank you in advance for your comments.

Hello Sing

Thanks for the details you included with your question. I don’t have a complete solution for you, but I can suggest some ways of helping to troubleshoot the problem.

I guess the first question is, how is your topology failing? If I understood correctly, the path NY12 --> PE1 --> IGW --> ISP is working correctly, right? But you want to introduce an additional alternate path in case the connection between PE1 and IGW fails, and you want to route traffic through the MPLS network to PE2 and then to IGW…

So in PE1, when the path to IGW fails, what do you see in the PE1 device? How is it failing for each of your attempted solutions? One of the things that is helpful to remember in your particular case is the order of operations for NAT. This will play a fundamental role in how and when routing is actually employed and will affect the behavior of your network.

If this were a production network, I would do as you suggest and redesign it so that you remove some of the complexity by using only VPNv4 all the way.

Let us know some more info and we’ll do our best to help you out.

I hope this has been helpful!

Laz

Will this solution work in VRFs by adding the “vrf” keyword to the ip nat inside command or would you also need to use the match-in-vrf config as well? We need to deploy this solution using a single “external” VRF but it’s not clear to me whether we need to use match-in-vrf if we are NOT trying to use duplicate subnets in multiple VRFs.

The reason I’m asking about the match-in-vrf piece is because we’re trying to use interface overloading to set the NAT outside IP to the interface IP itself. However, when using match-in-vrf, one of the restrictions is that you cannot configure interface overloading and instead need to use another IP in the same subnet as the outside interface.

Hello William

NAT, by default on most modern Cisco platforms, is VRF-aware. This means that NAT is able to translate between local addresses in multiple VRFs and global address spaces. When this is done, you must specify the VRF that your particular NAT translation is taking place in. Because IP addresses of the inside hosts may overlap with each other, when they are translated using VRF-aware NAT, communication between these hosts can take place because overlapped inside IP addresses are translated to globally unique addresses. That describes how NAT operates simply with the vrf keyword.

Now what match-in-vrf does is it extends VRF-aware NAT by supporting intra-VPN NAT, which means NAT translations can take place between two hosts within the same VRF instance. So essentially, when you use the match-in-vrf keyword, you are translating between two address spaces within the same VRF.

Based on what you described in your post, you want to NAT translate between two different VRFs, therefore you won’t need the match-in-vrf keyword.

More info about this feature can be found here:

Note also that all NAT commands that support VRF support the match-in-vrf keyword. Because NAT outside rules such as the ip nat outside source command support the match-in-VRF functionality by default, the match-in-vrf keyword is not supported by NAT outside rules.

I hope this has been helpful!

Laz

Thank you very much for this explanation. I previously read that document you provided on match-in-vrf but your explanation was much more clear than the document. We will proceed with configuring NAT with vrf-awareness but will forgo using the match-in-vrf, as all of our NAT communications will be occurring as we leave our network toward the internet.

Thanks again.

1 Like
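The explanation above of how the vrf keyword lets overlapping inside addresses coexist is easier to see with a small model of the translation table. The following Python is an added illustration, not Cisco IOS code and not from this forum: it keys each overload (PAT) entry on the tuple (VRF, inside local address, inside port), so two hosts with the same 10.1.1.10 address in different VRFs get distinct global ports on one outside address, and return traffic is mapped back to the correct VRF. The VRF names RED and GREEN, the outside address 203.0.113.1 and the port pool starting at 1024 are constructed values.

```python
"""Model of VRF-aware PAT (overload): the translation key includes the VRF.

Added illustration only; not IOS code. All addresses and VRF names are
constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# (vrf, inside local IP, inside port) identifies a flow on the inside
InsideKey = Tuple[str, str, int]


@dataclass
class VrfAwarePat:
    outside_ip: str               # single global address shared by all VRFs
    next_port: int = 1024         # next free global port in the overload pool
    # forward table: (vrf, inside_local, inside_port) -> global port
    forward: Dict[InsideKey, int] = field(default_factory=dict)
    # reverse table: global port -> (vrf, inside_local, inside_port)
    reverse: Dict[int, InsideKey] = field(default_factory=dict)

    def translate(self, vrf: str, inside_ip: str, inside_port: int) -> Tuple[str, int]:
        """Inside-to-outside: reuse an existing entry or allocate a new port.
        Because the VRF is part of the key, an identical inside address in
        another VRF never collides with this one."""
        key = (vrf, inside_ip, inside_port)
        if key not in self.forward:
            gport = self.next_port
            self.next_port += 1
            self.forward[key] = gport
            self.reverse[gport] = key
        return self.outside_ip, self.forward[key]

    def untranslate(self, global_port: int) -> Optional[InsideKey]:
        """Outside-to-inside: the global port alone tells us the VRF to
        deliver into, so the reply reaches the right overlapping host."""
        return self.reverse.get(global_port)


def overlap_demo() -> Dict[str, Tuple[str, int]]:
    """Two VRFs, same inside address and port: both get unique global ports."""
    pat = VrfAwarePat(outside_ip="203.0.113.1")
    return {
        "RED": pat.translate("RED", "10.1.1.10", 40000),
        "GREEN": pat.translate("GREEN", "10.1.1.10", 40000),
    }


if __name__ == "__main__":
    for vrf, mapping in overlap_demo().items():
        print(f"{vrf}: 10.1.1.10:40000 -> {mapping[0]}:{mapping[1]}")
```

This is the inter-VRF case the thread is about (inside VRFs translated toward a global outside), so no match-in-vrf behaviour is modelled; the point is only that the VRF is part of the lookup key in both directions.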

Let's say I ping 8.8.8.8; it works on both interfaces. However, when I ping with a source,
ping 8.8.8.8 source vlan 1, it doesn't work, so there is a problem with NATing.

I have configured the router for WAN and cellular failover and everything seems to work fine; however, because of these commands, it doesn't work properly.

NAT(config)#ip nat inside source route-map ISP1 int fa 0/1 overload
NAT(config)#ip nat inside source route-map ISP2 int fa 1/0 overload

Once you change it to a standard one,
ip nat inside source list 1 interface gi0/0 overload, all is working fine, but I lost failover.

Is there a way to make it work?

Hello Maksym

Hmm, that's interesting. You say that you changed the source of the ping to VLAN 1; however, where is the switch in this case? Are you applying the NAT config to a layer 3 switch and attempting to ping from VLAN1? Please give us some more information about your particular topology, so that we can help you further.

I hope this has been helpful!

Laz

There is no switch, just a router,
just using the local vlan1 (the only VLAN configured on the router).
Also, PCs that are directly connected to the router cannot browse the internet.

Hello Maksym

Based on your description, it looks like you have a good approach to the requirements, however, you should keep the following in mind:

  1. From my understanding, you want all traffic to go out the WAN connection, and the cellular connection should only be used as a backup, right? If that is the case, then you will need a mechanism to do this switchover whenever a failure in the WAN is detected. This can be achieved using an IP SLA similar to the following lesson:
  2. Even with the IP SLA, since you are using NAT you must configure NAT for two external interfaces, as you have done. In order to determine the possible problems in your config, we would need to see more of your configuration and your topology including the route maps as well as any ACLs you've configured, and the internal subnets that are being translated. You may also find it helpful to issue some of the debug commands as shown in the lesson to see if the problem is due to translation.

Just one more note concerning our conversation. Routers don’t have VLANs, but switches do. That’s why when you mentioned VLAN1, I assumed a switch was involved. The only situation in which you may have VLANs configured is in a “router on a stick” topology, and even then, you’re not really creating VLANs, but just subinterfaces on different subnets.

Let us know some more info so we can help you further in your troubleshooting.

I hope this has been helpful!

Laz
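Several posts in this thread (Robert's "routed but not translated" symptom, Gonzalo's two-ISP route maps, and Maksym's WAN/cellular failover) come down to the same mechanics: for inside-to-outside traffic the router routes first and translates second, so an "ip nat inside source route-map ... interface ... overload" rule only fires when the route map's ACL permits the source and its "match interface" equals the egress interface the routing table just picked. The Python below is an added model of that decision, not IOS code and not from the forum or the lesson. It reuses the interface addresses from Gonzalo's "sh ip route" output; the inside host 192.168.10.10, the non-NAT host 172.16.5.5, the destination 8.8.8.8, and the use of "match interface" (rather than Gonzalo's "set interface") are assumptions, and IP SLA tracking is represented simply by marking a route inactive.

```python
"""Model of NAT with two outside interfaces selected by route maps.

Added illustration only; not Cisco IOS. Order of operations for inside ->
outside: route lookup first, then NAT, so 'match interface' is compared
against the egress interface chosen by routing.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

Addr = ipaddress.IPv4Address


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str
    active: bool = True          # an IP SLA track withdrawing the route sets False


@dataclass
class Acl:
    """Standard ACL: permitted source networks (e.g. 'access-list 1 permit ...')."""
    permits: List[ipaddress.IPv4Network]

    def permits_source(self, src: Addr) -> bool:
        return any(src in net for net in self.permits)


@dataclass
class RouteMap:
    name: str
    acl: Acl                    # 'match ip address <acl>'
    match_interface: str        # 'match interface <egress interface>'


@dataclass
class NatRule:
    """ip nat inside source route-map <route_map> interface <outside_if> overload"""
    route_map: RouteMap
    outside_if: str


class Router:
    def __init__(self, interfaces: Dict[str, str], routes: List[Route], nat_rules: List[NatRule]):
        self.interfaces = interfaces      # interface name -> its IP address
        self.routes = routes
        self.nat_rules = nat_rules

    def set_route_state(self, next_hop: str, active: bool) -> None:
        """Stand-in for an IP SLA track installing/removing a static route."""
        for r in self.routes:
            if r.next_hop == next_hop:
                r.active = active

    def lookup(self, dst: Addr) -> Optional[Route]:
        """Longest-prefix match over active routes; with equal-cost defaults the
        first configured one wins here (a deterministic stand-in for ECMP)."""
        candidates = [r for r in self.routes if r.active and dst in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r.prefix.prefixlen)

    def forward(self, src: str, dst: str) -> dict:
        src_ip, dst_ip = Addr(src), Addr(dst)
        result = {"egress": None, "nat_rule": None, "translated_src": None}
        route = self.lookup(dst_ip)
        if route is None:
            return result
        result["egress"] = route.interface
        # NAT runs after routing: first rule whose ACL permits the source AND
        # whose 'match interface' is the chosen egress interface is applied.
        for rule in self.nat_rules:
            rm = rule.route_map
            if rm.acl.permits_source(src_ip) and rm.match_interface == route.interface:
                result["nat_rule"] = rm.name
                result["translated_src"] = self.interfaces[rule.outside_if]
                break
        return result       # translated_src None -> routed but NOT translated


def build_demo_router() -> Router:
    """Constructed topology with the interface addresses from the thread."""
    inside = Acl([ipaddress.ip_network("192.168.10.0/24")])       # access-list 1
    isp1 = RouteMap("ISP1", inside, "Ethernet0/1")
    isp2 = RouteMap("ISP2", inside, "Ethernet0/2")
    return Router(
        interfaces={"Ethernet0/0": "192.168.10.2",
                    "Ethernet0/1": "192.168.12.1",
                    "Ethernet0/2": "192.168.14.1"},
        routes=[Route(ipaddress.ip_network("0.0.0.0/0"), "192.168.12.2", "Ethernet0/1"),
                Route(ipaddress.ip_network("0.0.0.0/0"), "192.168.14.2", "Ethernet0/2"),
                Route(ipaddress.ip_network("192.168.10.0/24"), "0.0.0.0", "Ethernet0/0")],
        nat_rules=[NatRule(isp1, "Ethernet0/1"), NatRule(isp2, "Ethernet0/2")],
    )


if __name__ == "__main__":
    r = build_demo_router()
    print(r.forward("192.168.10.10", "8.8.8.8"))    # ISP1 path, src becomes 192.168.12.1
    r.set_route_state("192.168.12.2", False)       # ISP1 default withdrawn by tracking
    print(r.forward("192.168.10.10", "8.8.8.8"))    # ISP2 path, src becomes 192.168.14.1
    print(r.forward("172.16.5.5", "8.8.8.8"))       # not in ACL: routed, never translated
```

The third call reproduces what Robert saw: a source the ACL does not permit is forwarded normally and never creates an entry that "show ip nat translations" would list. The second call is the failover case: once the ISP1 default is gone, the egress interface changes, the ISP1 route map no longer matches, and the ISP2 rule takes over, which is why both rules are needed even though only one is active at a time.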