Solved

Cisco 2821 NAT connected to a ME3600 with BGP

Posted on 2015-02-12
Last Modified: 2015-02-14
Okay, so I have come across a situation where I had to create a public network behind a ME3600 that is running BGP connected to Level 3. Everything is working fine: the 2821 can ping the internet, pretty much everything can ping the internet. However, from the public IP space of 10.10.0.1 (connected to the 2821), when a machine tries to reach the internet, it is being blocked at the ME3600.

My assumption is that the 2821 is forwarding a 10.10.10.x address to the default route, and because the ME3600 sees a 10.10.10.x address and not the public IP, it is dropping the packet. What am I missing in my config?

Note that the 2821 can ping 8.8.8.8 and google.com all day long no problem, just machines behind this router can't.

interface GigabitEthernet0/0
 description WAN Uplink 4.x.x.x
 ip address 4.x.x.x 255.255.255.128 secondary
 ip address 4.x.x.x 255.255.255.128 secondary
 ip address 4.x.x.x 255.255.255.128 secondary
 ip address 4.x.x.x 255.255.255.128
 ip nat outside
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10 native
 ip address 10.10.0.1 255.255.0.0
 ip flow ingress
 ip nat inside
!
ip classless
ip route 0.0.0.0 0.0.0.0 4.x.x.x


Question by: tomtom9898
12 Comments
 
Expert Comment by: Stephen Berk (LVL 3), ID: 40606934
What's the gateway of the 10. subnet? What's the output of "sh IP nat trans"?

Author Comment by: tomtom9898, ID: 40606965
tcp 4.x.x.x:3389   10.10.10.10:3389   71.101.246.43:52593 71.101.246.43:5259                    3
tcp 4.x.x.x::3389   10.10.10.10:3389   ---                ---
tcp 4.x.x.x::3389   10.10.10.55:3389   ---                ---
tcp 4.x.x.x::8080   10.10.10.55:8080   ---                ---



Coming from the outside to the inside is fine, I can even RDP to it as you can see.

Gateway is 10.10.0.1 on the machines with a subnet of 255.255.0.0

Expert Comment by: Stephen Berk (LVL 3), ID: 40607069
Looks like a 1-to-1 NAT and your 4 addresses are consumed. Look at this doc: http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html#topic5

Author Comment by: tomtom9898, ID: 40607089
Okay, but that is static NAT allowing 3389 from outside to the inside for a few machines. That doesn't fix the going-out part? Or am I missing something.

Expert Comment by: Stephen Berk (LVL 3), ID: 40607176
Had to do some research. With NAT, the translation happens before routing on the outside interface, but routing first and then translation on the inside interface. So you're right, the ME router gets untranslated packets in this config. Change the outside and inside keywords to "enable" on the interfaces. Then remove the inside or outside keywords from the ip nat statements.
http://blog.ine.com/2008/02/15/the-inside-and-outside-of-nat/

Author Comment by: tomtom9898, ID: 40607190
That is exactly my symptoms! Thanks for the find; now to find that command on the 2821, because as of right now I do not have the option for ip nat enable:

)#ip nat ?
  allow-static-host  Allow static-ip clients
  inside             Inside interface for address translation
  outside            Outside interface for address translation


Author Comment by: tomtom9898, ID: 40607193
Says I need 12.3 which I have, but maybe I should try an upgrade, will have to wait till the weekend to do that one.

Expert Comment by: Stephen Berk (LVL 3), ID: 40607223
Did you try adding static routes to match your static or dynamic NAT statements?

Expert Comment by: Daniel Sheppard (LVL 6), ID: 40608267
Can you post your NAT configuration? You are missing a chunk of your config there, and it really makes it difficult to troubleshoot.

Author Comment by: tomtom9898, ID: 40610393
Here is the complete config, as basic as it gets:

interface GigabitEthernet0/0
 description WAN Uplink 4.x.x.x
 ip address 4.x.x.x 255.255.255.128 secondary
 ip address 4.x.x.x 255.255.255.128 secondary
 ip address 4.x.x.x 255.255.255.128 secondary
 ip address 4.x.x.x 255.255.255.128
 ip nat outside
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Uplink to LAN 10.10.0.1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10 native
 ip address 10.10.0.1 255.255.0.0
 ip flow ingress
 ip nat inside
!
ip classless
ip route 0.0.0.0 0.0.0.0 4.x.x.x
!
ip http server
ip http access-class 1
ip nat inside source static tcp 10.10.10.55 8080 4.x.x.x 8080 extendable
ip nat inside source static tcp 10.10.10.55 23560 4.x.x.x 23560 extendable
ip nat inside source static tcp 10.10.10.55 3389 4.x.x.x 3389 extendable
ip nat inside source static tcp 10.10.10.10 3389 4.x.x.x 3389 extendable
!
access-list 1 permit 10.10.0.0 0.0.255.255



Accepted Solution by: Daniel Sheppard (LVL 6), earned 500 total points, ID: 40610459
So, you are missing your inside/outside NAT. Those are only port forwards.

So, a couple of options.

If you have a block to do 1-to-1:
ip access-list extended nat-allow
 ! match the whole 10.10.0.0/16 LAN behind Gi0/1.10
 permit ip 10.10.0.0 0.0.255.255 any
! <startip>/<endip>/<mask> are placeholders for the public block; IOS requires the netmask
ip nat pool nat-pool <startip> <endip> netmask <mask>
ip nat inside source list nat-allow pool nat-pool

Or if you need to overload the pool (not enough for straight 1-to-1, but you have a pool):
ip access-list extended nat-allow
 permit ip 10.10.0.0 0.0.255.255 any
ip nat pool nat-pool <startip> <endip> netmask <mask>
ip nat inside source list nat-allow pool nat-pool overload

Or if you have to overload the interface:
ip access-list extended nat-allow
 permit ip 10.10.0.0 0.0.255.255 any
! translate to the primary address of the ip nat outside interface
ip nat inside source list nat-allow interface GigabitEthernet0/0 overload

Should do it...
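For reference, this is what the 2821's NAT section looks like once the last option (interface overload) is applied, written up as an added example rather than code posted in this thread. It reuses the poster's own config lines: the 4.x.x.x addresses are the masked public IPs from the question, and the MGMT-NET values in the optional inbound ACL at the end are placeholders, not anything from the thread.

```cisco
! Added example (not from the thread): 2821 NAT config after the fix.
!
! --- What the poster had: static port forwards only ---
! Each line creates one translation for inbound TCP to a specific port.
! None of them covers a LAN host's own outbound session (e.g. 10.10.10.20
! to 8.8.8.8), so that traffic left Gi0/0 with a 10.10.x.x source address,
! which is what was being blocked at the ME3600.
ip nat inside source static tcp 10.10.10.55 8080 4.x.x.x 8080 extendable
ip nat inside source static tcp 10.10.10.55 23560 4.x.x.x 23560 extendable
ip nat inside source static tcp 10.10.10.55 3389 4.x.x.x 3389 extendable
ip nat inside source static tcp 10.10.10.10 3389 4.x.x.x 3389 extendable
!
! --- The missing piece: dynamic PAT for everything else ---
! access-list 1 already exists on the router (it is also used by
! "ip http access-class 1") and matches the whole 10.10.0.0/16 LAN.
access-list 1 permit 10.10.0.0 0.0.255.255
!
! Any inside source matched by ACL 1 is translated to the primary address
! of Gi0/0; "overload" enables port address translation so one public IP
! serves the whole LAN. The static entries above still take precedence.
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
! Interface roles, unchanged from the poster's config.
interface GigabitEthernet0/0
 ip nat outside
!
interface GigabitEthernet0/1.10
 ip nat inside
!
! --- Verification (from a LAN host, then on the router) ---
!   ping 8.8.8.8
!   show ip nat translations    ! the host's flows now show a 4.x.x.x inside global
!   show ip nat statistics      ! lists the dynamic mapping for list 1 on Gi0/0
!   show access-lists 1         ! match counter increments as hosts go out
!
! --- Optional hardening (assumption, not in the thread) ---
! The static 3389 forwards expose RDP on the public addresses; the
! translation table posted above shows an outside host attached to
! 10.10.10.10:3389. An inbound ACL on the outside interface is evaluated
! before translation, so it matches on the public 4.x.x.x destination.
! Replace MGMT-NET / MGMT-WILDCARD with the prefix that should reach RDP.
ip access-list extended WAN-IN
 permit tcp MGMT-NET MGMT-WILDCARD any eq 3389
 deny   tcp any any eq 3389
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group WAN-IN in
```

Two things worth checking after applying it: confirm with show ip nat translations that outbound flows from the 10.10.0.0/16 hosts now carry the Gi0/0 address as the inside global, and keep access-list 1 limited to the LAN, since widening it would both widen what gets translated and widen who may reach the HTTP server.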
 

Author Closing Comment by: tomtom9898, ID: 40610470
Did the last option, spot on!  Knew I was missing something, thanks so much for the help!