[c-nsp] NAT problem on ISR 4331
Eugen Şerban
eugen.shr at gmail.com
Wed Mar 16 07:16:35 EDT 2016
Hello,
I tried to implement the NVI, but according to cisco: NAT Virtual
Interfaces (NVIs) are not supported in the Cisco IOS XE software.
I cannot put the guest and the internet in the same VRF. As you can see
from the routing tables, the default route for both guest and hotspot is in
a separate tunnel (400 for guest and 600 for hotspot). If I put them in the
internet VRF I'd have to implement PBR, which I don't.
>From your configuration, I can see that you also have the internet in a
different VRF (not the global).
Just to recap, everything works if I create the nat per interface, but it
doesn't work if the nat is per pool.
This works:
ip nat inside source list Guest2Internet interface gi 0/0/2 vrf guest
overload
This does not work:
ip nat pool GuestNAT 1.2.3.91 1.2.3.91 netmask 255.255.255.248
ip nat inside source list Guest2Internet pool GuestNAT vrf guest overload
2016-03-16 11:54 GMT+01:00 Nick Cutting <ncutting at edgetg.co.uk>:
> Sorry Global table... not global vrf
>
> Also - you may get more options using the NVI rather than ip nat inside /
> outside when the internet is in a vrf - but less when the internet is in
> the global table is involved. I cannot remember the specifics - but stick
> to this rule.
>
> This is on a router with ADSL default route in a VRF, and the guest wifi
> in the same VRF
>
> interface GigabitEthernet0/0.201
> ip nat enable
>
> ip nat source list GUEST-WIFI-NAT interface GigabitEthernet0/0.201 vrf
> ADSL overload
>
>
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Nick Cutting
> Sent: 16 March 2016 10:37
> To: Eugen Şerban; cnsp at marenda.net
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] NAT problem on ISR 4331
>
> These routers are much closer to ASR than ISR - they have the same feature
> set. - e.g. VASI interfaces etc.
>
> Juergen is right about the global VRF - that is where I keep the internet
> (default route), when implementing similar designs
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Eugen Serban
> Sent: 16 March 2016 09:36
> To: cnsp at marenda.net
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] NAT problem on ISR 4331
>
> Hello Juergen,
>
> Please find bellow the routing table for all VRFs.
>
> The idea with this router is that in the future it might be used for
> "hybrid networks", "local internet breakout" (or however you'd like to call
> it). So we plan to use the default VRF for internal (trusted) traffic.
>
> hostname#sh ip route
> [...]
>
> Gateway of last resort is not set
>
> 192.168.0.0/16 is variably subnetted, 3 subnets, 3 masks
> S 192.168.0.0/16 [1/0] via 192.168.37.1
> C 192.168.37.0/26 is directly connected, GigabitEthernet0/0/1.1
> L 192.168.37.56/32 is directly connected, GigabitEthernet0/0/1.1
>
> hostname#sh ip route vrf internet
>
> Routing Table: internet
> [...]
>
> Gateway of last resort is 1.2.3.89 to network 0.0.0.0
>
> S* 0.0.0.0/0 [1/0] via 1.2.3.89, GigabitEthernet0/0/2
> 1.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
> C 1.2.3.88/29 is directly connected, GigabitEthernet0/0/2
> L 1.2.3.90/32 is directly connected, GigabitEthernet0/0/2
> L 1.2.3.91/32 is directly connected, GigabitEthernet0/0/2
> L 1.2.3.92/32 is directly connected, GigabitEthernet0/0/2
> 14.0.0.0/32 is subnetted, 1 subnets
> S 14.22.77.29 [1/0] via 1.2.3.89, GigabitEthernet0/0/2
> 18.0.0.0/32 is subnetted, 1 subnets
> S 18.33.25.41 [1/0] via 1.2.3.89, GigabitEthernet0/0/2
>
> hostname#sh ip route vrf guest
>
> Routing Table: guest
> [...]
>
> Gateway of last resort is 0.0.0.0 to network 0.0.0.0
>
> S* 0.0.0.0/0 is directly connected, Tunnel400
> 14.0.0.0/32 is subnetted, 1 subnets
> B 14.22.77.29
> [20/0] via 1.2.3.89 (internet), 6d22h, GigabitEthernet0/0/2
> 18.0.0.0/32 is subnetted, 1 subnets
> B 18.33.25.41
> [20/0] via 1.2.3.89 (internet), 6d22h, GigabitEthernet0/0/2
> 172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
> C 172.16.112.0/23 is directly connected, GigabitEthernet0/0/1.122
> L 172.16.112.1/32 is directly connected, GigabitEthernet0/0/1.122
>
>
> hostname#sh ip route vrf hotspot
>
> Routing Table: hotspot
> [...]
>
> Gateway of last resort is 0.0.0.0 to network 0.0.0.0
>
> S* 0.0.0.0/0 is directly connected, Tunnel600
> 14.0.0.0/32 is subnetted, 1 subnets
> B 14.22.77.29
> [20/0] via 1.2.3.89 (internet), 6d22h, GigabitEthernet0/0/2
> 18.0.0.0/32 is subnetted, 1 subnets
> B 18.33.25.41
> [20/0] via 1.2.3.89 (internet), 6d22h, GigabitEthernet0/0/2
> 172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
> C 172.16.32.0/23 is directly connected, GigabitEthernet0/0/1.121
> L 172.16.32.1/32 is directly connected, GigabitEthernet0/0/1.121
>
>
>
> 2016-03-15 19:58 GMT+01:00 Juergen Marenda <cnsp at marenda.net>:
>
> > Hi,
> >
> > First of all, your routing statements would be from interest...
> > For All mentioned VRFs and global, please.
> >
> > From my experience eith ISR1 Routers,
> > "surf" nat outside interface almost always had to be the global vrf,
> > not "vrf internet" ; and you must pin the inside vrf's (default-)route
> > to the global (default-)gateway.
> > (here, host-routes to your two special's should be sufficient)
> >
> > Finally I would tend to write " no ip virtual-reassembly " on nearly
> > every Interface to disable that miss-feature.
> >
> > Hope this help's,
> >
> > Juergen.
> >
> > -----Ursprüngliche Nachricht-----
> > Von: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] Im Auftrag
> > von Eugen Serban
> > Gesendet: Dienstag, 15. März 2016 16:23
> > An: Nick Cutting
> > Cc: cisco-nsp at puck.nether.net
> > Betreff: Re: [c-nsp] NAT problem on ISR 4331
> >
> > Hello Nick,
> >
> > Thank you for the hint with monitor capture. I will try that one.
> >
> > to answer your questions, yes, it's because I need to present a
> > different IP for each VRF.
> >
> > I am trying to use two different IPs for the NAT (we pay for them, so
> > we might just use them), please see the conf.
> >
> >
> > ip nat translation timeout 60
> > ip nat translation tcp-timeout 60
> > ip nat translation udp-timeout 60
> > ip nat translation dns-timeout 60
> > no ip nat service all-algs
> > no ip nat service dns-reset-ttl
> > !
> > ip nat pool HotspotNAT 1.2.3.92 1.2.3.92 netmask 255.255.255.248 ip
> > nat pool GuestNAT 1.2.3.91 1.2.3.91 netmask 255.255.255.248 !
> > ip nat inside source list Guest2Internet pool GuestNAT vrf guest
> > overload ip nat inside source list Hotspot2Internet pool HotspotNAT
> > vrf hotspot overload !
> > ip access-list extended Guest2Internet permit ip 172.16.112.0
> > 0.0.1.255 host 14.22.77.29 permit ip 172.16.112.0 0.0.1.255 host
> > 18.33.25.41 ip access-list extended Hotspot2Internet
> > permit ip 172.16.32.0 0.0.1.255 host 14.22.77.29
> > permit ip 172.16.32.0 0.0.1.255 host 18.33.25.41 !
> > interface GigabitEthernet0/0/1.121
> > description Hotspot Vlan
> > encapsulation dot1Q 121
> > ip vrf forwarding hotspot
> > ip address 172.16.32.1 255.255.254.0
> > ip nat inside
> > no cdp enable
> > arp timeout 300
> > ip virtual-reassembly
> > !
> > interface GigabitEthernet0/0/1.122
> > description Guest Vlan
> > encapsulation dot1Q 122
> > ip vrf forwarding guest
> > ip address 172.16.112.1 255.255.254.0 ip nat inside no cdp enable
> > arp timeout 300 ip virtual-reassembly !
> > interface GigabitEthernet0/0/2
> > description WAN interface 1
> > ip vrf forwarding internet
> > ip address 1.2.3.91 255.255.255.248 secondary ip address 1.2.3.92
> > 255.255.255.248 secondary ip address 1.2.3.90 255.255.255.248 no ip
> > redirects no ip unreachables no ip proxy-arp ip nat outside ip
> > verify unicast reverse-path 100 negotiation auto no cdp enable arp
> > timeout 300 ip virtual-reassembly !
> > [...]
> >
> >
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
More information about the cisco-nsp
mailing list