[c-nsp] NAT problem on ISR 4331

Nick Cutting ncutting at edgetg.co.uk
Mon Mar 14 13:17:26 EDT 2016

I often use setups like this - I image the cloud based filtering service needs different IP addresses to differentiate?

Is your below config using the single public address in the internet VRF table for internet access?

Why not use another address (or two different ones) for the NAT to the other vrf's? IS it that you do not want to burn extra addresses?

Use the built in monitor capture feature to see what is happening - then export to wireshark using ftp/tftp, it works well on the 44xx series

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Eugen Serban
Sent: 14 March 2016 15:08
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] NAT problem on ISR 4331

Hello guys,

I have an ISR 4331 that i'm using for guest and hotspot traffic. For each network (guest and hotspot) I have created a VRF so I have a proper separation between them. Also, I have another VRF for the internet interface. Like this, I'm sure nobody is going to mess-up access lists. The guest and hotspot traffic then uses gre tunnels to a cloud service that does proxy and blocks illegal sites (it's a legal requirement).

Then I have two exceptions (to the some outside servers that do DNS also) that are outside of the tunnels. My problem is that each traffic (guest and
hotspot) need to present a different IP address. I have a public /29 and I thought about doing as bellow, but the DNS does not work. If I ping the servers, it works fine and I know the routing works also.

show ip nat translations looks ok, but I still don't receive the DNS response. The router is directly connected to the internet as are the clients (the ISR is the DHCP server and gateway for both).

If instead of pools I use the interface (ex: ip nat inside source list Guest2Internet interface Gi0/0/2 vrf guest overload) everything works. The problem with this is that both networks will have the same public IP address.

Have you guys encountered something similar?


I am using 15.5(3)S2

ip nat translation timeout 60
ip nat translation tcp-timeout 60
ip nat translation udp-timeout 60
ip nat translation dns-timeout 60
no ip nat service all-algs
no ip nat service dns-reset-ttl
ip nat pool HotspotNAT netmask ip nat pool GuestNAT netmask !
ip nat inside source list Guest2Internet pool GuestNAT vrf guest overload ip nat inside source list Hotspot2Internet pool HotspotNAT vrf hotspot overload !
ip access-list extended Guest2Internet
 permit ip host  permit ip host ip access-list extended Hotspot2Internet  permit ip host  permit ip host !
interface GigabitEthernet0/0/1.121
 description Hotspot Vlan
 encapsulation dot1Q 121
 ip vrf forwarding hotspot
 ip address
 ip nat inside
 no cdp enable
 arp timeout 300
 ip virtual-reassembly
interface GigabitEthernet0/0/1.122
 description Guest Vlan
 encapsulation dot1Q 122
 ip vrf forwarding guest
 ip address
 ip nat inside
 no cdp enable
 arp timeout 300
 ip virtual-reassembly
interface GigabitEthernet0/0/2
 description WAN interface 1
 ip vrf forwarding internet
 ip address secondary  ip address secondary  ip address  no ip redirects  no ip unreachables  no ip proxy-arp  ip nat outside  ip verify unicast reverse-path 100  negotiation auto  no cdp enable  arp timeout 300  ip virtual-reassembly !
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list