Cisco 2821 NAT connected to a ME3600 with BGP

Okay, so I have come across a situation where I had to create a public network behind a ME3600 that is running BGP connected to level 3.  Everything is working fine, the 2821 can ping the internet, pretty much everything can ping the internet.  However, from the public IP space of 10.10.0.1, (connected to 2821) when a machine tries to reach the internet, it is being blocked at the ME3600.

My assumption is, the 2821 is forwarding a 10.10.10.x address to the default route, and because the ME3600 sees a 10.10.10.x address and not the public IP, then it is dropping the packet.  What am I missing on my config?

Note that the 2821 can ping 8.8.8.8 and google.com all day long no problem, just machines behind this router can't.

interface GigabitEthernet0/0
 description WAN Uplink 4.x.x.x
 ip address 4.x.x.x 255.255.255.128 secondary
 ip address 4.x.x.x 255.255.255.128 secondary
 ip address 4.x.x.x 255.255.255.128 secondary
 ip address 4.x.x.x 255.255.255.128
 ip nat outside
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10 native
 ip address 10.10.0.1 255.255.0.0
 ip flow ingress
 ip nat inside
!
ip classless
ip route 0.0.0.0 0.0.0.0 4.x.x.x


Asked by tomtom9898

Stephen Berk commented:
What's the gateway of the 10. subnet? What's the output of "sh IP nat trans"?

tomtom9898 (author) commented:
tcp 4.x.x.x:3389   10.10.10.10:3389   71.101.246.43:52593 71.101.246.43:5259                    3
tcp 4.x.x.x::3389   10.10.10.10:3389   ---                ---
tcp 4.x.x.x::3389   10.10.10.55:3389   ---                ---
tcp 4.x.x.x::8080   10.10.10.55:8080   ---                ---


Coming from the outside to the inside is fine, I can even RDP to it as you can see.

Gateway is 10.10.0.1 on the machines with a subnet of 255.255.0.0

Stephen Berk commented:
Looks like a 1-to-1 NAT and your 4 addresses are consumed. Look at this doc: http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html#topic5

tomtom9898 (author) commented:
Okay, but that is static NAT allowing 3389 from outside to the inside of a few machines.  That doesn't fix the going-out part?  Or am I missing something.

Stephen Berk commented:
Had to do some research. With NAT, the translation happens before routing on the outside interface, but routing first then translation on the inside interface. So you're right, the ME router gets untranslated packets in this config. Change the outside and inside keywords to "enable" on the interfaces. Then remove the inside or outside keywords from the ip nat statements.
http://blog.ine.com/2008/02/15/the-inside-and-outside-of-nat/

tomtom9898 (author) commented:
That is exactly my symptoms!  Thanks for the find, now to find that command in the 2821, because as of right now, I do not have the options for ip nat enable

)#ip nat ?
  allow-static-host  Allow static-ip clients
  inside             Inside interface for address translation
  outside            Outside interface for address translation


tomtom9898 (author) commented:
Says I need 12.3 which I have, but maybe I should try an upgrade, will have to wait till the weekend to do that one.

Stephen Berk commented:
Did you try adding static routes to match your static or dynamic Nat statements?

Daniel Sheppard (Network Administrator/Engineer/Architect) commented:
Can you post your NAT configuration?  You are missing a chunk of your config there and it really makes it difficult to troubleshoot.

tomtom9898 (author) commented:
Here is the complete config, as basic as it gets:

interface GigabitEthernet0/0
 description WAN Uplink 4.x.x.x
 ip address 4.x.x.x 255.255.255.128 secondary
 ip address 4.x.x.x 255.255.255.128 secondary
 ip address 4.x.x.x 255.255.255.128 secondary
 ip address 4.x.x.x 255.255.255.128
 ip nat outside
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Uplink to LAN 10.10.0.1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10 native
 ip address 10.10.0.1 255.255.0.0
 ip flow ingress
 ip nat inside
!
ip classless
ip route 0.0.0.0 0.0.0.0 4.x.x.x
!
ip http server
ip http access-class 1
ip nat inside source static tcp 10.10.10.55 8080 4.x.x.x 8080 extendable
ip nat inside source static tcp 10.10.10.55 23560 4.x.x.x 23560 extendable
ip nat inside source static tcp 10.10.10.55 3389 4.x.x.x 3389 extendable
ip nat inside source static tcp 10.10.10.10 3389 4.x.x.x 3389 extendable
!
access-list 1 permit 10.10.0.0 0.0.255.255


Daniel Sheppard (Network Administrator/Engineer/Architect) commented:
So, you are missing your inside/outside NAT.  Those are only port forwards.

So, a couple of options.

If you have a block to do 1-to-1:
! match the whole 10.10.0.0/16 LAN behind Gi0/1.10
ip access-list extended nat-allow
 permit ip 10.10.0.0 0.0.255.255 any
ip nat pool nat-pool <startip> <endip> netmask <netmask>
ip nat inside source list nat-allow pool nat-pool

Or if you need to overload the pool (not enough addresses for straight 1-to-1, but you have a pool):
ip access-list extended nat-allow
 permit ip 10.10.0.0 0.0.255.255 any
ip nat pool nat-pool <startip> <endip> netmask <netmask>
ip nat inside source list nat-allow pool nat-pool overload

Or if you have to overload the interface:
ip access-list extended nat-allow
 permit ip 10.10.0.0 0.0.255.255 any
! PAT every LAN source onto the address of the ip nat outside interface
ip nat inside source list nat-allow interface GigabitEthernet0/0 overload

Should do it...
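As an added illustration (not code from the thread, from Cisco, or from any of the posters), a small Python model of what the 2821 does with a LAN-sourced packet on its ip nat inside interface: with only the static port forwards, an outbound packet from an arbitrary host keeps its 10.10.x.x source, which is what the ME3600 drops; with the overload rule it leaves as the WAN address plus a PAT port. The addresses 4.0.0.1 and 4.0.0.2 are constructed stand-ins for the masked 4.x.x.x addresses, and the port allocation is a simplified emulation of PAT, not IOS's real allocator.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed placeholders for the thread's masked 4.x.x.x WAN addresses.
WAN_PRIMARY = "4.0.0.1"
WAN_SECONDARY = "4.0.0.2"

@dataclass
class NatConfig:
    # "ip nat inside source static tcp <local> <lport> <global> <gport>" entries
    static: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    # ACL of "ip nat inside source list <acl> interface <wan> overload" (None = absent)
    overload_acl: Optional[ipaddress.IPv4Network] = None
    pat_table: Dict[Tuple[str, int], int] = field(default_factory=dict)
    next_pat_port: int = 1024

def translate_outbound(cfg: NatConfig, src_ip: str, src_port: int) -> Tuple[str, int]:
    """Source translation applied to a packet entering the 'ip nat inside'
    interface and leaving via 'ip nat outside'. Returns the source address
    and port the upstream (ME3600) router will see."""
    key = (src_ip, src_port)
    if key in cfg.static:              # static entries translate in both directions
        return cfg.static[key]
    if cfg.overload_acl is not None and ipaddress.ip_address(src_ip) in cfg.overload_acl:
        if key not in cfg.pat_table:   # allocate one PAT port per inside socket
            cfg.pat_table[key] = cfg.next_pat_port
            cfg.next_pat_port += 1
        return (WAN_PRIMARY, cfg.pat_table[key])
    return key                         # nothing matched: forwarded untranslated

def is_private_source(addr: Tuple[str, int]) -> bool:
    """True if the upstream router would see an RFC 1918 source (and drop it)."""
    return ipaddress.ip_address(addr[0]).is_private

def thread_config(with_overload: bool) -> NatConfig:
    """The port forwards from the posted config, optionally plus the overload fix."""
    cfg = NatConfig()
    cfg.static[("10.10.10.55", 8080)] = (WAN_PRIMARY, 8080)
    cfg.static[("10.10.10.55", 3389)] = (WAN_PRIMARY, 3389)
    cfg.static[("10.10.10.10", 3389)] = (WAN_SECONDARY, 3389)
    if with_overload:                  # access-list 1 permit 10.10.0.0 0.0.255.255
        cfg.overload_acl = ipaddress.ip_network("10.10.0.0/16")
    return cfg

if __name__ == "__main__":
    for fix in (False, True):
        seen = translate_outbound(thread_config(fix), "10.10.10.20", 51000)
        print(f"overload={fix}: ME3600 sees source {seen}, private={is_private_source(seen)}")
```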

tomtom9898 (author) commented:
Did the last option, spot on!  Knew I was missing something, thanks so much for the help!