[c-nsp] NAT problem on ISR 4331

Eugen Şerban eugen.shr at gmail.com
Tue Mar 15 11:23:12 EDT 2016


Hello Nick,

Thank you for the hint with monitor capture. I will try that one.

To answer your questions, yes, it's because I need to present a different
IP for each VRF.

I am trying to use two different IPs for the NAT (we pay for them, so we
might just use them), please see the conf.


ip nat translation timeout 60
ip nat translation tcp-timeout 60
ip nat translation udp-timeout 60
ip nat translation dns-timeout 60
no ip nat service all-algs
no ip nat service dns-reset-ttl
!
ip nat pool HotspotNAT 1.2.3.92 1.2.3.92 netmask 255.255.255.248
ip nat pool GuestNAT 1.2.3.91 1.2.3.91 netmask 255.255.255.248
!
ip nat inside source list Guest2Internet pool GuestNAT vrf guest overload
ip nat inside source list Hotspot2Internet pool HotspotNAT vrf hotspot overload
!
ip access-list extended Guest2Internet
 permit ip 172.16.112.0 0.0.1.255 host 14.22.77.29
 permit ip 172.16.112.0 0.0.1.255 host 18.33.25.41
ip access-list extended Hotspot2Internet
 permit ip 172.16.32.0 0.0.1.255 host 14.22.77.29
 permit ip 172.16.32.0 0.0.1.255 host 18.33.25.41
!
interface GigabitEthernet0/0/1.121
 description Hotspot Vlan
 encapsulation dot1Q 121
 ip vrf forwarding hotspot
 ip address 172.16.32.1 255.255.254.0
 ip nat inside
 no cdp enable
 arp timeout 300
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1.122
 description Guest Vlan
 encapsulation dot1Q 122
 ip vrf forwarding guest
 ip address 172.16.112.1 255.255.254.0
 ip nat inside
 no cdp enable
 arp timeout 300
 ip virtual-reassembly
!
interface GigabitEthernet0/0/2
 description WAN interface 1
 ip vrf forwarding internet
 ip address 1.2.3.91 255.255.255.248 secondary
 ip address 1.2.3.92 255.255.255.248 secondary
 ip address 1.2.3.90 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip verify unicast reverse-path 100
 negotiation auto
 no cdp enable
 arp timeout 300
 ip virtual-reassembly
!


2016-03-14 18:17 GMT+01:00 Nick Cutting <ncutting at edgetg.co.uk>:

> I often use setups like this - I imagine the cloud based filtering service
> needs different IP addresses to differentiate?
>
> Is your below config using the single public address in the internet VRF
> table for internet access?
>
> Why not use another address (or two different ones) for the NAT to the
> other VRFs? Is it that you do not want to burn extra addresses?
>
> Use the built in monitor capture feature to see what is happening - then
> export to wireshark using ftp/tftp, it works well on the 44xx series
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Eugen Serban
> Sent: 14 March 2016 15:08
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] NAT problem on ISR 4331
>
> Hello guys,
>
> I have an ISR 4331 that I'm using for guest and hotspot traffic. For each
> network (guest and hotspot) I have created a VRF so I have a proper
> separation between them. Also, I have another VRF for the internet
> interface. Like this, I'm sure nobody is going to mess up access lists. The
> guest and hotspot traffic then uses gre tunnels to a cloud service that
> does proxy and blocks illegal sites (it's a legal requirement).
>
> Then I have two exceptions (to some outside servers that do DNS also)
> that are outside of the tunnels. My problem is that each traffic (guest and
> hotspot) needs to present a different IP address. I have a public /29 and I
> thought about doing as below, but the DNS does not work. If I ping the
> servers, it works fine and I know the routing works also.
>
> show ip nat translations looks ok, but I still don't receive the DNS
> response. The router is directly connected to the internet as are the
> clients (the ISR is the DHCP server and gateway for both).
>
> If instead of pools I use the interface (ex: ip nat inside source list
> Guest2Internet interface Gi0/0/2 vrf guest overload) everything works. The
> problem with this is that both networks will have the same public IP
> address.
>
> Have you guys encountered something similar?
>
> Regards,
> Eugen
>
>
>
> I am using 15.5(3)S2
>
> ip nat translation timeout 60
> ip nat translation tcp-timeout 60
> ip nat translation udp-timeout 60
> ip nat translation dns-timeout 60
> no ip nat service all-algs
> no ip nat service dns-reset-ttl
> !
> ip nat pool HotspotNAT 1.2.3.92 1.2.3.92 netmask 255.255.255.248
> ip nat pool GuestNAT 1.2.3.91 1.2.3.91 netmask 255.255.255.248
> !
> ip nat inside source list Guest2Internet pool GuestNAT vrf guest overload
> ip nat inside source list Hotspot2Internet pool HotspotNAT vrf hotspot overload
> !
> ip access-list extended Guest2Internet
>  permit ip 172.16.112.0 0.0.1.255 host 14.22.77.29
>  permit ip 172.16.112.0 0.0.1.255 host 18.33.25.41
> ip access-list extended Hotspot2Internet
>  permit ip 172.16.32.0 0.0.1.255 host 14.22.77.29
>  permit ip 172.16.32.0 0.0.1.255 host 18.33.25.41
> !
> interface GigabitEthernet0/0/1.121
>  description Hotspot Vlan
>  encapsulation dot1Q 121
>  ip vrf forwarding hotspot
>  ip address 172.16.32.1 255.255.254.0
>  ip nat inside
>  no cdp enable
>  arp timeout 300
>  ip virtual-reassembly
> !
> interface GigabitEthernet0/0/1.122
>  description Guest Vlan
>  encapsulation dot1Q 122
>  ip vrf forwarding guest
>  ip address 172.16.112.1 255.255.254.0
>  ip nat inside
>  no cdp enable
>  arp timeout 300
>  ip virtual-reassembly
> !
> interface GigabitEthernet0/0/2
>  description WAN interface 1
>  ip vrf forwarding internet
>  ip address 1.2.3.91 255.255.255.248 secondary
>  ip address 1.2.3.92 255.255.255.248 secondary
>  ip address 1.2.3.90 255.255.255.248
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip nat outside
>  ip verify unicast reverse-path 100
>  negotiation auto
>  no cdp enable
>  arp timeout 300
>  ip virtual-reassembly
> !
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
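Nick's monitor-capture suggestion yields a packet capture from the WAN interface, and the useful check on it is whether the DNS queries that left with a pool address (1.2.3.91/.92) ever got an answer back, compared with those that left with the interface address 1.2.3.90. The script below is an added example, not code from the thread or from Cisco: a dependency-free parser that pairs DNS queries with replies by addresses and transaction ID. It assumes the export is classic pcap with untagged Ethernet II framing; the frames in SAMPLE are constructed here, reusing the thread's addresses.

```python
import struct
def frame(src, dst, sport, dport, txid, response):
    """Minimal Ethernet II / IPv4 / UDP / DNS frame (constructed sample; checksums left zero)."""
    dns = struct.pack("!HH", txid, 0x8180 if response else 0x0100) + b"\x00" * 8
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip           # dummy MACs, EtherType 0x0800

def pcap_bytes(frames):
    """Wrap frames in a classic little-endian pcap container (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1457972000 + i, 0, len(f), len(f)) + f
    return out

def dns_records(data):
    """Yield (src, dst, txid, is_response) for each UDP/53 packet in a pcap blob."""
    pos = 24                                          # skip the global header
    while pos + 16 <= len(data):
        caplen = struct.unpack_from("<IIII", data, pos)[2]
        f, pos = data[pos + 16:pos + 16 + caplen], pos + 16 + caplen
        if f[12:14] != b"\x08\x00" or f[23] != 17:    # IPv4 over Ethernet, UDP only
            continue
        ip = f[14:]
        udp = ip[(ip[0] & 0x0F) * 4:]                 # honour the IHL field
        sport, dport = struct.unpack_from("!HH", udp)
        if 53 in (sport, dport):
            txid, flags = struct.unpack_from("!HH", udp, 8)
            yield (".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
                   txid, bool(flags & 0x8000))        # QR bit marks a response

def unanswered_queries(data):
    """Return {translated_source_ip: [txid, ...]} for queries that got no reply."""
    pending = {}
    for src, dst, txid, is_resp in dns_records(data):
        if is_resp:
            pending.pop((dst, src, txid), None)       # a reply reverses the addresses
        else:
            pending[(src, dst, txid)] = True
    out = {}
    for src, _dst, txid in pending:
        out.setdefault(src, []).append(txid)
    return out

# Constructed sample: the query sent from the interface address (.90) is answered,
# the one sent from the GuestNAT pool address (.91) never gets a reply.
SAMPLE = pcap_bytes([frame("1.2.3.90", "14.22.77.29", 40001, 53, 0x1111, False),
                     frame("14.22.77.29", "1.2.3.90", 53, 40001, 0x1111, True),
                     frame("1.2.3.91", "14.22.77.29", 40002, 53, 0x2222, False)])
```

Run `unanswered_queries(open("capture.pcap", "rb").read())` on the exported file; a pool address that only ever appears as an unanswered source narrows the fault to the return path for that address rather than to the inside-to-outside translation.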

