
Thursday, January 10, 2013

NAT on Cisco IOS-XE



The first time I came to configure NAT/PAT on a newly installed ASR-1002 I had a surprise! The ASR-1k routers run Cisco IOS XE, which has a few differences from regular IOS; one of them is the way it treats NAT.

Here is a link to Cisco IOS-XE NAT configuration guide:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book.pdf

Two important notes from the restrictions section:

- NAT Virtual Interfaces (NVIs) are not supported in the Cisco IOS XE software.

- Using the physical interface address of a device as an address pool is not supported. NAT can share the physical interface address of a device only by using the NAT interface overload configuration. A device uses the ports of its physical interface and NAT must receive communication about the ports that it can safely use for translation. This communication happens only when the NAT interface overload is configured.

Now let me explain what these notes mean in practice, using the following topology:


Given these NAT restrictions, we can't just configure NAT as follows:

interface GigabitEthernet0/0/0
ip address 192.168.10.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0/1
ip address 10.0.143.2 255.255.255.248
ip nat outside
!
ip access-list extended 100
permit ip 192.168.10.0 0.0.0.255 any
!
ip nat inside source list 100 interface GigabitEthernet0/0/1 overload

This configuration won't work: on an ASR router you can use the IP address of the outside interface either for router access or for LAN NAT, but not for both, as we do on regular Cisco IOS routers.

So, following this restriction, I had to configure it as follows:

interface GigabitEthernet0/0/0
ip address 192.168.10.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0/1
ip address 10.0.143.2 255.255.255.248
ip nat outside
!
ip access-list extended 100
permit ip 192.168.10.0 0.0.0.255 any
!
ip nat pool LAN_NAT_POOL 10.0.143.3 10.0.143.5 prefix-length 28
!
ip nat inside source list 100 pool LAN_NAT_POOL overload

And a static NAT entry for reaching the firewall (FW), whose inside IP address is 192.168.20.2:

interface GigabitEthernet0/0/2
ip address 192.168.20.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0/1
ip address 10.0.143.2 255.255.255.248
ip nat outside
!
ip nat inside source static 192.168.20.2 10.0.143.6 no-payload
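As an added check that is not part of the original post (my own code, not Cisco's), the following Python script parses a config in the style shown above and flags the two restrictions quoted from the guide, a pool prefix-length that differs from the outside interface's mask (the post's own pool line says 28 while the interface is /29), and a static global address that falls outside every outside-interface subnet. The sample config is constructed and includes an "ip nat enable" line only so the NVI check has something to trigger on; it assumes the plain host form of "ip nat inside source static" used in the post.

```python
import ipaddress
import re

# Constructed sample (not the post's literal text): the post's working config plus an
# "ip nat enable" line so that the NVI restriction has something to trigger on.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 ip address 10.0.143.2 255.255.255.248
 ip nat outside
interface GigabitEthernet0/0/2
 ip address 192.168.20.1 255.255.255.0
 ip nat enable
ip nat pool LAN_NAT_POOL 10.0.143.3 10.0.143.5 prefix-length 28
ip nat inside source list 100 pool LAN_NAT_POOL overload
ip nat inside source static 192.168.20.2 10.0.143.6 no-payload
"""

def outside_interfaces(cfg):
    """Map interface name -> IPv4Interface for every interface marked 'ip nat outside'."""
    result, name, addr = {}, None, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name, addr = line.split()[1], None
        elif m := re.match(r"\s+ip address (\S+) (\S+)$", line):
            addr = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
        elif line.strip() == "ip nat outside" and addr:
            result[name] = addr
    return result

def check_nat(cfg):
    """Return findings for the IOS-XE NAT restrictions quoted in the post, plus address sanity."""
    out, findings = outside_interfaces(cfg), []
    if re.search(r"^\s+ip nat enable$", cfg, re.M):
        findings.append("NVI ('ip nat enable') is not supported on IOS XE")
    for name, lo, hi, plen in re.findall(r"^ip nat pool (\S+) (\S+) (\S+) prefix-length (\d+)", cfg, re.M):
        lo, hi = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        for ifname, ifaddr in out.items():
            if lo <= ifaddr.ip <= hi:  # a pool must not hold the outside interface's own address
                findings.append(f"pool {name} contains {ifname} address {ifaddr.ip}; share it only via 'interface ... overload'")
            elif lo in ifaddr.network and int(plen) != ifaddr.network.prefixlen:
                findings.append(f"pool {name} prefix-length {plen} differs from {ifname} mask /{ifaddr.network.prefixlen}")
    for _, glob in re.findall(r"^ip nat inside source static (\d\S*) (\S+)", cfg, re.M):
        glob = ipaddress.IPv4Address(glob)  # global address of a plain host static mapping
        if any(glob == a.ip for a in out.values()):
            findings.append(f"static global {glob} reuses an outside interface address")
        elif not any(glob in a.network for a in out.values()):
            findings.append(f"static global {glob} is in no 'ip nat outside' subnet; upstream must route it")
    return findings
```

Run `check_nat(SAMPLE_CONFIG)` to see the NVI and prefix-length findings; an empty list means none of the checked conditions was hit.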



1 comment:

  1. Hi, first of all, I don't understand why Cisco changed the way NAT was configured in IOS XE, and second, why do you use ip nat pool LAN_NAT_POOL 10.0.143.3 10.0.143.5?? Those addresses do not even include 10.0.143.2, which is the outside one, and in the FW config I assumed that 192.168.20.2 is the address of the FW and .1 is the port address, but once again, why do you use an address that is not inside your pool?? It is not anywhere (10.0.143.6).. is that a trick or something???

    I'm asking because I just bought an ISR4300, and I'm trying to make the NAT work and I'm having a very hard time doing it... can you explain your example better so I can understand what is going on??

    Thanks.

    Frank
