[c-nsp] NAT on a small number of IPs
Charles Sprickman
spork at bway.net
Fri Jun 12 14:11:27 EDT 2015
Hello all,
I have an odd/hackish situation. We have some gear that is currently numbered out of private IP space inside our network. Due to the manufacturer moving to a “cloud management” platform, these devices now need access to the internet. I need to test this on a few units so I don’t want to do anything particularly radical.
This is a very small network - one ASR-1002-X with two upstreams, then everything else is metro-e out to smaller POPs with 3550’s. The devices live behind the 3550’s.
In perusing this link (http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/asr1000/nat-xe-3s-asr1k-book/iadnat-addr-consv.html), I see they do not recommend using the “ip nat inside” interface config on any interface that has non-NAT traffic. So in theory, something like this might work, but it’s not recommended:
! A NAT pool takes a start and an end address, even for a single /32
ip nat pool net-out 4.2.2.x 4.2.2.x netmask 255.255.255.255
access-list 1 permit 192.168.4.31 0.0.0.0
access-list 1 permit 192.168.4.39 0.0.0.0
access-list 1 permit 192.168.4.22 0.0.0.0
ip nat inside source list 1 pool net-out overload
!
interface gigabitethernet 1/1/1.111
 encapsulation dot1q 111
 ip address 216.220.x.x 255.255.255.252
 ip nat inside
!
interface gigabitethernet 0/0/0
 ip address 4.2.2.x 255.255.255.252
 ip nat outside
!
That would set up translation on the 3 testing IPs, and presumably not touch anything else.
But the idea of setting NAT on two interfaces that have actual customer traffic (at about 400Mb/s outside, 300Mb/s inside) is unsettling.
I do need to verify - the metro-e provider may support QinQ on the NNI and tail circuits, but no guarantees. If they do, I might be able to shove this management traffic into another vlan, and from there perhaps get that in a VRF where I can do NAT. I think… never touched VRFs before.
Any crazy ideas?
Thanks,
Charles
--
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet www.bway.net
spork at bway.net - 212.655.9344
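The VRF variant mentioned in the post, sketched as an added example (not the poster's configuration and not tested on his gear). It assumes the three devices can be moved onto a separate management VLAN (112 here) carried over the metro-e, and the VRF name, RD, VLAN and next-hop 4.2.2.y are placeholders; only the VRF's interface carries "ip nat inside", so customer subinterfaces never enter the NAT path.

```cisco
! Added example: VRF-isolated NAT for the three test devices
! (VRF name, RD, VLAN 112 and next-hop 4.2.2.y are assumptions)
ip vrf MGMT-NAT
 rd 65000:112
!
! Inside: only the management VLAN sits in the VRF, so the customer
! subinterfaces on the same physical port carry no "ip nat inside"
interface GigabitEthernet1/1/1.112
 encapsulation dot1Q 112
 ip vrf forwarding MGMT-NAT
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
!
! Outside stays in the global table, unchanged from the original sketch
interface GigabitEthernet0/0/0
 ip address 4.2.2.x 255.255.255.252
 ip nat outside
!
! Pool syntax needs start and end addresses, even for a single /32
ip nat pool net-out 4.2.2.x 4.2.2.x netmask 255.255.255.255
!
! Still only the three test hosts; anything else in the VRF is not translated
access-list 1 permit 192.168.4.31 0.0.0.0
access-list 1 permit 192.168.4.39 0.0.0.0
access-list 1 permit 192.168.4.22 0.0.0.0
!
! VRF-aware translation: only packets arriving on inside interfaces
! in MGMT-NAT and matching ACL 1 are translated into the global table
ip nat inside source list 1 pool net-out vrf MGMT-NAT overload
!
! Default route for the VRF pointing at the upstream in the global table
ip route vrf MGMT-NAT 0.0.0.0 0.0.0.0 4.2.2.y global
```

Check with "show ip nat translations vrf MGMT-NAT" that only the three hosts appear, and confirm the customer subinterfaces show no NAT flags in "show ip interface".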