[c-nsp] NAT problem on ISR 4331
Eugen Şerban
eugen.shr at gmail.com
Tue Mar 15 11:23:12 EDT 2016
Hello Nick,
Thank you for the hint with monitor capture. I will try that one.
to answer your questions, yes, it's because I need to present a different
IP for each VRF.
I am trying to use two different IPs for the NAT (we pay for them, so we
might just use them), please see the conf.
ip nat translation timeout 60
ip nat translation tcp-timeout 60
ip nat translation udp-timeout 60
ip nat translation dns-timeout 60
no ip nat service all-algs
no ip nat service dns-reset-ttl
!
ip nat pool HotspotNAT 1.2.3.92 1.2.3.92 netmask 255.255.255.248 ip nat
pool GuestNAT 1.2.3.91 1.2.3.91 netmask 255.255.255.248
!
ip nat inside source list Guest2Internet pool GuestNAT vrf guest overload
ip nat inside source list Hotspot2Internet pool HotspotNAT vrf hotspot
overload
!
ip access-list extended Guest2Internet
permit ip 172.16.112.0 0.0.1.255 host 14.22.77.29
permit ip 172.16.112.0 0.0.1.255 host 18.33.25.41
ip access-list extended Hotspot2Internet
permit ip 172.16.32.0 0.0.1.255 host 14.22.77.29
permit ip 172.16.32.0 0.0.1.255 host 18.33.25.41
!
interface GigabitEthernet0/0/1.121
description Hotspot Vlan
encapsulation dot1Q 121
ip vrf forwarding hotspot
ip address 172.16.32.1 255.255.254.0
ip nat inside
no cdp enable
arp timeout 300
ip virtual-reassembly
!
interface GigabitEthernet0/0/1.122
description Guest Vlan
encapsulation dot1Q 122
ip vrf forwarding guest
ip address 172.16.112.1 255.255.254.0
ip nat inside
no cdp enable
arp timeout 300
ip virtual-reassembly
!
interface GigabitEthernet0/0/2
description WAN interface 1
ip vrf forwarding internet
ip address 1.2.3.91 255.255.255.248 secondary
ip address 1.2.3.92 255.255.255.248 secondary
ip address 1.2.3.90 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip verify unicast reverse-path 100
negotiation auto
no cdp enable
arp timeout 300
ip virtual-reassembly
!
2016-03-14 18:17 GMT+01:00 Nick Cutting <ncutting at edgetg.co.uk>:
> I often use setups like this - I image the cloud based filtering service
> needs different IP addresses to differentiate?
>
> Is your below config using the single public address in the internet VRF
> table for internet access?
>
> Why not use another address (or two different ones) for the NAT to the
> other vrf's? IS it that you do not want to burn extra addresses?
>
> Use the built in monitor capture feature to see what is happening - then
> export to wireshark using ftp/tftp, it works well on the 44xx series
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Eugen Serban
> Sent: 14 March 2016 15:08
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] NAT problem on ISR 4331
>
> Hello guys,
>
> I have an ISR 4331 that i'm using for guest and hotspot traffic. For each
> network (guest and hotspot) I have created a VRF so I have a proper
> separation between them. Also, I have another VRF for the internet
> interface. Like this, I'm sure nobody is going to mess-up access lists. The
> guest and hotspot traffic then uses gre tunnels to a cloud service that
> does proxy and blocks illegal sites (it's a legal requirement).
>
> Then I have two exceptions (to the some outside servers that do DNS also)
> that are outside of the tunnels. My problem is that each traffic (guest and
> hotspot) need to present a different IP address. I have a public /29 and I
> thought about doing as bellow, but the DNS does not work. If I ping the
> servers, it works fine and I know the routing works also.
>
> show ip nat translations looks ok, but I still don't receive the DNS
> response. The router is directly connected to the internet as are the
> clients (the ISR is the DHCP server and gateway for both).
>
> If instead of pools I use the interface (ex: ip nat inside source list
> Guest2Internet interface Gi0/0/2 vrf guest overload) everything works. The
> problem with this is that both networks will have the same public IP
> address.
>
> Have you guys encountered something similar?
>
> Regards,
> Eugen
>
>
>
> I am using 15.5(3)S2
>
> ip nat translation timeout 60
> ip nat translation tcp-timeout 60
> ip nat translation udp-timeout 60
> ip nat translation dns-timeout 60
> no ip nat service all-algs
> no ip nat service dns-reset-ttl
> !
> ip nat pool HotspotNAT 1.2.3.92 1.2.3.92 netmask 255.255.255.248 ip nat
> pool GuestNAT 1.2.3.91 1.2.3.91 netmask 255.255.255.248 !
> ip nat inside source list Guest2Internet pool GuestNAT vrf guest overload
> ip nat inside source list Hotspot2Internet pool HotspotNAT vrf hotspot
> overload !
> ip access-list extended Guest2Internet
> permit ip 172.16.112.0 0.0.1.255 host 14.22.77.29 permit ip 172.16.112.0
> 0.0.1.255 host 18.33.25.41 ip access-list extended Hotspot2Internet permit
> ip 172.16.32.0 0.0.1.255 host 14.22.77.29 permit ip 172.16.32.0 0.0.1.255
> host 18.33.25.41 !
> interface GigabitEthernet0/0/1.121
> description Hotspot Vlan
> encapsulation dot1Q 121
> ip vrf forwarding hotspot
> ip address 172.16.32.1 255.255.254.0
> ip nat inside
> no cdp enable
> arp timeout 300
> ip virtual-reassembly
> !
> interface GigabitEthernet0/0/1.122
> description Guest Vlan
> encapsulation dot1Q 122
> ip vrf forwarding guest
> ip address 172.16.112.1 255.255.254.0
> ip nat inside
> no cdp enable
> arp timeout 300
> ip virtual-reassembly
> !
> interface GigabitEthernet0/0/2
> description WAN interface 1
> ip vrf forwarding internet
> ip address 1.2.3.91 255.255.255.248 secondary ip address 1.2.3.92
> 255.255.255.248 secondary ip address 1.2.3.90 255.255.255.248 no ip
> redirects no ip unreachables no ip proxy-arp ip nat outside ip verify
> unicast reverse-path 100 negotiation auto no cdp enable arp timeout 300
> ip virtual-reassembly !
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
More information about the cisco-nsp
mailing list