[c-nsp] NAT problem on ISR 4331
Nick Cutting
ncutting at edgetg.co.uk
Mon Mar 14 13:17:26 EDT 2016
I often use setups like this - I imagine the cloud based filtering service needs different IP addresses to differentiate?
Is your below config using the single public address in the internet VRF table for internet access?
Why not use another address (or two different ones) for the NAT to the other VRFs? Is it that you do not want to burn extra addresses?
Use the built in monitor capture feature to see what is happening - then export to Wireshark using ftp/tftp, it works well on the 44xx series
-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Eugen Serban
Sent: 14 March 2016 15:08
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] NAT problem on ISR 4331
Hello guys,
I have an ISR 4331 that I'm using for guest and hotspot traffic. For each network (guest and hotspot) I have created a VRF so I have a proper separation between them. Also, I have another VRF for the internet interface. Like this, I'm sure nobody is going to mess up access lists. The guest and hotspot traffic then uses GRE tunnels to a cloud service that does proxy and blocks illegal sites (it's a legal requirement).
Then I have two exceptions (to some outside servers that do DNS also) that are outside of the tunnels. My problem is that each traffic (guest and hotspot) needs to present a different IP address. I have a public /29 and I thought about doing as below, but the DNS does not work. If I ping the servers, it works fine and I know the routing works also.
show ip nat translations looks ok, but I still don't receive the DNS response. The router is directly connected to the internet as are the clients (the ISR is the DHCP server and gateway for both).
If instead of pools I use the interface (ex: ip nat inside source list Guest2Internet interface Gi0/0/2 vrf guest overload) everything works. The problem with this is that both networks will have the same public IP address.
Have you guys encountered something similar?
Regards,
Eugen
I am using 15.5(3)S2
ip nat translation timeout 60
ip nat translation tcp-timeout 60
ip nat translation udp-timeout 60
ip nat translation dns-timeout 60
no ip nat service all-algs
no ip nat service dns-reset-ttl
!
ip nat pool HotspotNAT 1.2.3.92 1.2.3.92 netmask 255.255.255.248
ip nat pool GuestNAT 1.2.3.91 1.2.3.91 netmask 255.255.255.248
!
ip nat inside source list Guest2Internet pool GuestNAT vrf guest overload
ip nat inside source list Hotspot2Internet pool HotspotNAT vrf hotspot overload
!
ip access-list extended Guest2Internet
permit ip 172.16.112.0 0.0.1.255 host 14.22.77.29
permit ip 172.16.112.0 0.0.1.255 host 18.33.25.41
ip access-list extended Hotspot2Internet
permit ip 172.16.32.0 0.0.1.255 host 14.22.77.29
permit ip 172.16.32.0 0.0.1.255 host 18.33.25.41
!
interface GigabitEthernet0/0/1.121
description Hotspot Vlan
encapsulation dot1Q 121
ip vrf forwarding hotspot
ip address 172.16.32.1 255.255.254.0
ip nat inside
no cdp enable
arp timeout 300
ip virtual-reassembly
!
interface GigabitEthernet0/0/1.122
description Guest Vlan
encapsulation dot1Q 122
ip vrf forwarding guest
ip address 172.16.112.1 255.255.254.0
ip nat inside
no cdp enable
arp timeout 300
ip virtual-reassembly
!
interface GigabitEthernet0/0/2
description WAN interface 1
ip vrf forwarding internet
ip address 1.2.3.91 255.255.255.248 secondary
ip address 1.2.3.92 255.255.255.248 secondary
ip address 1.2.3.90 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip verify unicast reverse-path 100
negotiation auto
no cdp enable
arp timeout 300
ip virtual-reassembly
!
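An added consistency check, not part of the thread, that a practitioner would run over the NAT section of a configuration like the one posted before reaching for a packet capture: it confirms that every pool address handed to a VRF is actually configured on the `ip nat outside` interface and that the guest and hotspot VRFs do not end up sharing a public address. The configuration excerpt is constructed from the post (addresses as posted); `parse` and `check` are names assumed here.

```python
import ipaddress
import re
# Constructed excerpt of the NAT and WAN configuration from the post (addresses as posted).
POSTED_CONFIG = """
ip nat pool HotspotNAT 1.2.3.92 1.2.3.92 netmask 255.255.255.248
ip nat pool GuestNAT 1.2.3.91 1.2.3.91 netmask 255.255.255.248
ip nat inside source list Guest2Internet pool GuestNAT vrf guest overload
ip nat inside source list Hotspot2Internet pool HotspotNAT vrf hotspot overload
interface GigabitEthernet0/0/2
 ip address 1.2.3.91 255.255.255.248 secondary
 ip address 1.2.3.92 255.255.255.248 secondary
 ip address 1.2.3.90 255.255.255.248
 ip nat outside
"""
POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask")
RULE_RE = re.compile(r"^ip nat inside source list \S+ pool (\S+) vrf (\S+)")
ADDR_RE = re.compile(r"^ ip address (\S+) (\S+)")

def parse(config):
    """Return pool name -> (first, last), vrf -> pool name, and the addresses of 'ip nat outside' interfaces."""
    pools, rules, blocks, current = {}, {}, {}, None
    for line in config.splitlines():
        if m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := RULE_RE.match(line):
            rules[m[2]] = m[1]
        elif line.startswith("interface "):
            current = blocks.setdefault(line.split()[1], {"addrs": [], "outside": False})
        elif current is not None and (m := ADDR_RE.match(line)):
            current["addrs"].append(ipaddress.ip_interface(f"{m[1]}/{m[2]}"))  # dotted mask is accepted
        elif current is not None and line.strip() == "ip nat outside":
            current["outside"] = True
    return pools, rules, [a for b in blocks.values() if b["outside"] for a in b["addrs"]]

def check(config):
    """Findings (empty list = consistent): each pool address is on the outside interface and belongs to one VRF only."""
    pools, rules, outside = parse(config)
    configured = {a.ip for a in outside}
    findings, owner = [], {}
    for vrf, pool in rules.items():
        first, last = pools[pool]
        for n in range(int(first), int(last) + 1):
            addr = ipaddress.ip_address(n)
            if addr not in configured:
                findings.append(f"vrf {vrf}: {addr} is not an address of the outside interface")
            if addr in owner:
                findings.append(f"vrf {vrf}: {addr} is also the public address of vrf {owner[addr]}")
            owner.setdefault(addr, vrf)
    return findings
```

For the posted configuration `check(POSTED_CONFIG)` returns no findings, so the pool addresses themselves are consistent with the WAN interface and the next step is the capture Nick suggests.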
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/