I am attempting to get Twice-NAT working on a Cisco 3548 switch. I have a VRF set up with 2 L3 ports on it:
- Eth1/33 has ip address 20.20.255.250/16 and is nat inside
- Eth1/34 has ip address 10.10.1.211/24 and is nat outside
Full config of the interfaces:
switch1# show running-config int eth1/33-34
!Command: show running-config interface Ethernet1/33-34
!Running configuration last done at: Fri Jan 5 18:23:25 2024
!Time: Fri Jan 5 18:41:06 2024
version 9.3(9) Bios:version 5.5.0
interface Ethernet1/33
  description TO_INSIDE
  no cdp enable
  no switchport
  speed 1000
  vrf member VRF_A
  ip address 20.20.255.250/16
  ip proxy-arp
  ip nat inside
interface Ethernet1/34
  description TO_OUTSIDE
  no cdp enable
  no switchport
  speed 1000
  vrf member VRF_A
  ip address 10.10.1.211/24
  ip nat outside
Connected directly to Eth1/33 is a device with the IP 20.20.255.253 (the “inside” machine)
Connected directly to Eth1/34 is a device with the IP 10.10.1.111 (the “outside” machine)
For this experiment I want to verify that I can set up a connection from the outside to the inside. Since I only need to support a single IP on both sides, I am trying static twice-nat.
Here are the commands I used to try to get this working:
ip nat inside source static 20.20.255.253 20.20.11.111 vrf VRF_A group 4
ip nat outside source static 10.10.1.111 20.20.11.123 vrf VRF_A group 4 add-route
And the nat translation table now looks like:
Pro Inside global Inside local Outside local Outside global
any --- --- 20.20.11.123 10.10.1.111
any 20.20.11.111 20.20.255.253 --- ---
any 20.20.11.111 20.20.255.253 20.20.11.123 10.10.1.111
The routing for the vrf now looks like:
switch1# show ip route vrf VRF_A
IP Route Table for VRF "VRF_A"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
10.10.1.0/24, ubest/mbest: 1/0, attached
    *via 10.10.1.211, Eth1/34, [0/0], 00:17:47, direct
10.10.1.211/32, ubest/mbest: 1/0, attached
    *via 10.10.1.211, Eth1/34, [0/0], 00:17:47, local
20.20.0.0/16, ubest/mbest: 1/0, attached
    *via 20.20.255.250, Eth1/33, [0/0], 00:17:12, direct
20.20.11.123/32, ubest/mbest: 1/0
    *via 10.10.1.111%default, [1/0], 00:08:08, nat
20.20.255.250/32, ubest/mbest: 1/0, attached
    *via 20.20.255.250, Eth1/33, [0/0], 00:17:12, local
I am now trying to ping from the outside machine with the IP 10.10.1.111 to the global IP of the inside machine, 20.20.11.111. I would expect the packet to come in on eth1/34 with source IP 10.10.1.111 and destination IP 20.20.11.111, be translated to source IP 20.20.11.123 and destination 20.20.255.253, and be sent out Eth1/33.
With debug ip nat-packtrace and term mon it looks like the translation is happening, but nothing at all is egressing from eth1/33 (using tcpdump on the inside machine and viewing the port counters on the switch). The debug ip nat-packet output is below:
2024 Jan 5 18:20:59.371153 netstack: (ipnat_translate_before_routing): ipnat_get_ipaddr_and_port succeeded, src 10.10.1.111, sp 45438, dst 20.20.11.111, dp 0, prot1u
2024 Jan 5 18:20:59.371204 netstack: (ipnat_translate_before_routing): Received table_id vrf(VRF_A) ctx_id: 3, tbl_id: 3, input_iod(44) have to xlate
2024 Jan 5 18:20:59.371268 netstack: (ipnat_translate_before_routing): ipnat_find_xlate_addr succeeded, entry: 0 20.20.11.123:0 20.20.255.253:0 0 0 0 0
2024 Jan 5 18:20:59.371289 netstack: (ipnat_translate_before_routing): ipnat_find_xlate_addr succeeded, nsrc 20.20.11.123, nsp 0, ndst 20.20.255.253, ndp 0, xs: 0, id: 0, ident: 58592 tcp_aware: 0
2024 Jan 5 18:20:59.371304 netstack: (ipnat_translate_before_routing): NAT fill rt_info for NetStack to route.
2024 Jan 5 18:20:59.371343 netstack: (ipnat_translate_before_routing): rt_info nh: 0.0.0.0, iod: 43, tid: 3 local_route: FALSE attached_route: FALSE
2024 Jan 5 18:20:59.371430 netstack: (ipnat_translate_before_routing): Packet (ident:58592) successfully translated
Interestingly, if I remove the ip nat outside source static translation, the NATting appears to work. The destination IP is translated and the packet routed to the inside machine. Debug output for the working translation is below:
2024 Jan 5 18:23:30.782098 netstack: (ipnat_translate_before_routing): ipnat_get_ipaddr_and_port succeeded, src 10.10.1.111, sp 12545, dst 20.20.11.111, dp 0, prot1u
2024 Jan 5 18:23:30.782140 netstack: (ipnat_translate_before_routing): Received table_id vrf(VRF_A) ctx_id: 3, tbl_id: 3, input_iod(44) have to xlate
2024 Jan 5 18:23:30.782180 netstack: (ipnat_translate_before_routing): ipnat_find_xlate_addr failed, entry not found.. Finding half entry
2024 Jan 5 18:23:30.782223 netstack: (ipnat_translate_before_routing): This is a half_entry
2024 Jan 5 18:23:30.782243 netstack: (ipnat_translate_before_routing): ipnat_find_xlate_addr succeeded, nsrc 0.0.0.0, nsp 0, ndst 20.20.255.253, ndp 0, xs: 0, id: 0, ident: 59872 tcp_aware: 0
2024 Jan 5 18:23:30.782256 netstack: (ipnat_translate_before_routing): NAT do not fill rt_info for NetStack to route.
2024 Jan 5 18:23:30.782305 netstack: (ipnat_translate_before_routing): route exists for prefix: 20.20.255.253,iod:43
2024 Jan 5 18:23:30.782342 netstack: (ipnat_translate_before_routing): updated new iod to PTREE
2024 Jan 5 18:23:30.782410 netstack: (ipnat_translate_before_routing): Packet (ident:59872) successfully translated
Unfortunately this means that the source IP of the outside machine is not translated, which we will need for the final setup we're working towards (the inside machine is not configurable, so we won't be able to tell it how to route to addresses on the outside network).
Is there any reason the ip nat inside source static would be working, but not when I try to do twice-NAT?
show version output below:
Software
BIOS: version 5.5.0
NXOS: version 9.3(9)
BIOS compile time: 12/07/2021
NXOS image file is: bootflash:///n3500-compact.9.3.9.bin
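As an added check (example code written here, not from the question and not a Cisco tool), the script below parses the address-carrying lines of the debug ip nat-packet output quoted above, compares them with what the two static entries should produce for an outside-to-inside packet, and does a longest-prefix lookup of the translated destination in the VRF_A table as quoted. The debug lines, routes and address mappings are copied from the question; the function names and the dictionary layout are my own assumptions.

```python
"""Check NX-OS 'debug ip nat-packet' lines against the expected twice-NAT result.

Added example, not part of the question. It models the two static entries and
the VRF_A routing table exactly as quoted; the debug lines are copied from the
question and trimmed to the ones that carry addresses.
"""
import ipaddress
import re

# VRF_A routes from 'show ip route vrf VRF_A' in the question: prefix -> next-hop text.
VRF_A_ROUTES = {
    "10.10.1.0/24": "10.10.1.211, Eth1/34, direct",
    "10.10.1.211/32": "10.10.1.211, Eth1/34, local",
    "20.20.0.0/16": "20.20.255.250, Eth1/33, direct",
    "20.20.11.123/32": "10.10.1.111%default, nat",  # installed by 'add-route'
    "20.20.255.250/32": "20.20.255.250, Eth1/33, local",
}

# Static entries from the question, as the translation table shows them.
INSIDE_STATIC = {"20.20.255.253": "20.20.11.111"}  # inside local -> inside global
OUTSIDE_STATIC = {"10.10.1.111": "20.20.11.123"}   # outside global -> outside local

# Constructed input: the address-carrying lines of the two debug captures in the question.
FAILING_DEBUG = [
    "netstack: (ipnat_translate_before_routing): ipnat_get_ipaddr_and_port succeeded, "
    "src 10.10.1.111, sp 45438, dst 20.20.11.111, dp 0, prot1u",
    "netstack: (ipnat_translate_before_routing): ipnat_find_xlate_addr succeeded, "
    "nsrc 20.20.11.123, nsp 0, ndst 20.20.255.253, ndp 0, xs: 0, id: 0, ident: 58592 tcp_aware: 0",
]
WORKING_DEBUG = [
    "netstack: (ipnat_translate_before_routing): ipnat_get_ipaddr_and_port succeeded, "
    "src 10.10.1.111, sp 12545, dst 20.20.11.111, dp 0, prot1u",
    "netstack: (ipnat_translate_before_routing): This is a half_entry",
    "netstack: (ipnat_translate_before_routing): ipnat_find_xlate_addr succeeded, "
    "nsrc 0.0.0.0, nsp 0, ndst 20.20.255.253, ndp 0, xs: 0, id: 0, ident: 59872 tcp_aware: 0",
]

BEFORE_RE = re.compile(r"\bsrc (\S+), sp \d+, dst (\S+), dp \d+")
AFTER_RE = re.compile(r"\bnsrc (\S+), nsp \d+, ndst (\S+), ndp \d+")


def longest_prefix_match(addr, routes=VRF_A_ROUTES):
    """Return (prefix, next_hop) of the most specific route covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, next_hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


def expected_outside_to_inside(src, dst):
    """Twice-NAT result for a packet entering on the 'ip nat outside' interface."""
    new_src = OUTSIDE_STATIC.get(src, src)  # outside global -> outside local
    inside_global_to_local = {glob: loc for loc, glob in INSIDE_STATIC.items()}
    new_dst = inside_global_to_local.get(dst, dst)  # inside global -> inside local
    return new_src, new_dst


def parse_nat_debug(lines):
    """Extract (src, dst) before and after translation from debug output.

    For a half entry NX-OS reports the untouched side as 0.0.0.0; that is mapped
    back to the original address so the result is a real packet header.
    """
    before = after = None
    for line in lines:
        m = BEFORE_RE.search(line)
        if m:
            before = (m.group(1), m.group(2))
        m = AFTER_RE.search(line)
        if m:
            after = (m.group(1), m.group(2))
    if before is None or after is None:
        raise ValueError("no complete translation found in debug output")
    nsrc = before[0] if after[0] == "0.0.0.0" else after[0]
    ndst = before[1] if after[1] == "0.0.0.0" else after[1]
    return before, (nsrc, ndst)


def check_translation(lines):
    """Compare a debug capture with the expected twice-NAT header and find the egress route."""
    before, after = parse_nat_debug(lines)
    expected = expected_outside_to_inside(*before)
    return {
        "before": before,
        "after": after,
        "expected": expected,
        "twice_nat_ok": after == expected,
        "egress_route": longest_prefix_match(after[1]),
    }


if __name__ == "__main__":
    for name, capture in (("failing", FAILING_DEBUG), ("working", WORKING_DEBUG)):
        print(name, check_translation(capture))
```

Run against the first capture, the script confirms that the rewritten header is exactly the expected pair (20.20.11.123 to 20.20.255.253) and that the new destination falls under the attached 20.20.0.0/16 route out Eth1/33, so the debug lines and the routing table alone do not explain the missing egress; against the second capture it shows the source address left at 10.10.1.111, which is the half-entry behaviour the question describes.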