Cisco ISR4331 IOS-XE Static NAT Overlapping Addresses

Brent2651 (Level 1)

Can someone experienced with IOS-XE overlapping NAT configurations help?

We have a situation where two devices with dual NICs containing identical sets of IP addresses (two sets of overlapping addresses) are intended to reside on our network. The manufacturer's software is restricted, so the IP addresses cannot be changed. The two duplicated addresses are:
10.33.94.16 (x2 NICs)
24.1.1.7 (x2 NICs)
These devices contain no gateway IP addresses. All NIC settings are locked and cannot be altered. We cannot substitute these devices with other equipment, so we temporarily have an out-of-band work-around.

This is a closed network with no commercial access.

We are trying to figure out how to NAT the two overlapping IP devices so that they appear to other broadcast domains within our network as four separate IP addresses on the same VLAN as our other devices. It seems that associating these addresses with four VRFs assigned to a single route map is the most logical solution?

The configurations below appeared to work in a lab, but the same configurations are not working in the production environment. The lab consisted of two ISR4331 IOS-XE routers directly connected via a GRE tunnel with no end-to-end encryption hardware, and one 3560X IOS switch connected to the router receiving the NAT configuration. The production environment contains two ISR4331 IOS-XE routers separated by encryption devices (one at each end) connected through a GRE tunnel, and one Cisco 9200L network switch at each end.

In the lab, the NATted IP addresses individually respond as intended: laptops configured with the addresses noted above respond with their corresponding new IP assignments. Their original manufacturer-assigned addresses remain hidden/unreachable. None of the addresses respond when the laptops are disconnected. Strangely, Microsoft Command Prompt "tracert" returns the physical address of the next-hop router instead of the GRE tunnel address.

In the production environment, all four of the newly assigned IP addresses respond to ICMP even if the machines are disconnected. Their original manufacturer-assigned addresses remain hidden/unreachable. Microsoft Command Prompt "tracert" returns the next-hop GRE tunnel address as expected.

Aside from encryption devices being absent from the lab experiment and no 9200Ls being available for testing (one 3560X was used instead), all other attributes remain the same.

Here is a modified version of the configuration we originally used in the lab. It appeared to work there, but for whatever reason it is not working in production (perhaps the lab gave us false positives, or we did not fully understand what we were seeing?).

If we succeed in the production environment, we should be able to reach an internal web page to verify connectivity.

Can someone assist? Thank you!



Cisco ISR4331 ROUTER CONFIGURATION (IOS-XE Bengaluru 17.06.04.SPA.bin)

* I changed most of the addresses and the primary VLAN number for the sake of this post, but you should still be able to follow the logic.

Licenses (the lab routers have the same licenses as in the production environment):
appxk9
securityk9
ipbase

ip nat log translations syslog

interface Tunnel2
description GRE Tunnel to Remote Site
bandwidth 10000
ip address 10.10.10.10 255.255.255.252
ip nat outside
ip policy route-map VRFNAT
tunnel source 192.168.1.9
tunnel destination 192.168.1.1

* ip policy route-map VRFNAT was not used in the lab, but it does cause MS "tracert" to respond as it should


ip vrf NAT44

ip vrf NAT47

ip vrf NAT74

ip vrf NAT77

interface GigabitEthernet0/0/0
description Connection to 9200L Switch
no ip address
no negotiation auto

interface GigabitEthernet0/0/0.7
encapsulation dot1Q 500
ip address 10.1.7.193 255.255.255.240

* All NATted devices are expected to return an IP address from the .240 subnet associated with the primary subinterface.

interface GigabitEthernet0/0/0.44
encapsulation dot1Q 44
ip vrf forwarding NAT44
ip address 10.33.94.16 255.255.255.224
ip nat inside

interface GigabitEthernet0/0/0.47
encapsulation dot1Q 47
ip vrf forwarding NAT47
ip address 24.1.1.7 255.255.255.224
ip nat inside

interface GigabitEthernet0/0/0.74
encapsulation dot1Q 74
ip vrf forwarding NAT74
ip address 10.33.94.16 255.255.255.224
ip nat inside

interface GigabitEthernet0/0/0.77
encapsulation dot1Q 77
ip vrf forwarding NAT77
ip address 24.1.1.7 255.255.255.224
ip nat inside

interface GigabitEthernet0/0/1
description Encryption Device for Tunnel2 Traffic
ip address 192.168.1.9

ip nat inside source static 10.33.94.16 10.1.7.196 vrf NAT44 route-map VRFNAT global
ip nat inside source static 24.1.1.7 10.1.7.198 vrf NAT47 route-map VRFNAT global
ip nat inside source static 10.33.94.16 10.1.7.199 vrf NAT74 route-map VRFNAT global
ip nat inside source static 24.1.1.7 10.1.7.201 vrf NAT77 route-map VRFNAT global

ip route vrf NAT44 0.0.0.0 0.0.0.0 Tunnel2
ip route vrf NAT47 0.0.0.0 0.0.0.0 Tunnel2
ip route vrf NAT74 0.0.0.0 0.0.0.0 Tunnel2
ip route vrf NAT77 0.0.0.0 0.0.0.0 Tunnel2

ip access-list extended FORTY-FOUR
10 permit ip any host 10.1.7.196

ip access-list extended FORTY-SEVEN
10 permit ip any host 10.1.7.198

ip access-list extended SEVENTY-FOUR
10 permit ip any host 10.1.7.199

ip access-list extended SEVENTY-SEVEN
10 permit ip any host 10.1.7.201

ip access-list extended NAT-BYPASS
10 permit ip any any

route-map VRFNAT permit 10
match ip address FORTY-FOUR

route-map VRFNAT permit 20
match ip address FORTY-SEVEN

route-map VRFNAT permit 30
match ip address SEVENTY-FOUR

route-map VRFNAT permit 40
match ip address SEVENTY-SEVEN

route-map VRFNAT permit 50
match ip address NAT-BYPASS

RouterISR4331#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 10.1.7.201 24.1.1.7 --- ---
--- 10.1.7.198 24.1.1.7 --- ---
--- 10.1.7.196 10.33.94.16 --- ---
--- 10.1.7.199 10.33.94.16 --- ---
icmp 10.1.7.199:1 10.33.94.16:1 192.168.100.131:1 192.168.100.131:1
icmp 10.1.7.198:99 24.1.1.7:99 192.168.200.140:99 192.168.200.140:99
icmp 10.1.7.199:0 10.33.94.16:0 192.168.300.105:0 192.168.300.105:0
udp 10.1.7.199:67 10.33.94.16:67 192.168.300.97:67 192.168.300.97:67
udp 10.1.7.199:137 10.33.94.16:137 192.168.300.105:137 192.168.300.105:137
udp 10.1.7.198:50059 24.1.1.7:50059 192.168.100.105:49226 192.168.100.105:49226
icmp 10.1.7.198:0 24.1.1.7:0 192.168.100.105:0 192.168.100.105:0
icmp 10.1.7.199:99 10.33.94.16:99 192.168.200.140:99 192.168.200.140:99

RouterISR4331#show route-map VRFNAT
route-map VRFNAT, permit, sequence 10
Match clauses:
ip address (access-lists): FORTY-FOUR
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map VRFNAT, permit, sequence 20
Match clauses:
ip address (access-lists): FORTY-SEVEN
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map VRFNAT, permit, sequence 30
Match clauses:
ip address (access-lists): SEVENTY-FOUR
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map VRFNAT, permit, sequence 40
Match clauses:
ip address (access-lists): SEVENTY-SEVEN
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map VRFNAT, permit, sequence 50
Match clauses:
ip address (access-lists): NAT-BYPASS
Set clauses:
Policy routing matches: 83162 packets, 130608756 bytes
^ (packets and bytes are climbing, but none of the other counters are incrementing)

Why are we getting no hits on the other map statements? Where is the break?


Cisco C9200L-24P-4G SWITCH CONFIGURATION (IOS-XE Lite 17.06.04.SPA.bin)

Licenses (similar licenses on the lab's 3560X):
network-advantage Smart License
dna-advantage Subscription Smart License

Switch9200L#show interface status
Port Name Status Vlan
Gi1/0/1 Trunk to RouterISR4331 connected trunk
Gi1/0/2 Device .195 connected 500
Gi1/0/3 Device .196 notconnect 44
Gi1/0/4 Device .197 connected 500
Gi1/0/5 Device .198 connected 47
Gi1/0/6 Device .199 connected 74
Gi1/0/7 Device .200 connected 500
Gi1/0/8 Device .201 connected 77

Interface GigabitEthernet1/0/1
description Trunk to RouterISR4331
switchport access vlan 125
switchport trunk native vlan 125
switchport trunk allowed vlan 44,47,74,77,125,500
switchport mode trunk
switchport nonegotiate

All VLANs are present (active) in the VLAN database with corresponding switch port assignments.

6 Replies

Hello
"A picture is worth a thousand words", and in this instance so would a topology diagram. Any chance you can share one, please?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I made a typing error in my original post. Subinterface Gi0/0/0.7 is supposed to be Gi0/0/0.500. I am attaching a .jpg image of a basic network diagram illustrating our intentions. Thank you!

Configure NAT to Enable Communication Between Overlapping Networks - Cisco

The trick here is to configure
ip nat outside
ip nat inside
This dual NATing changes the IP outbound and inbound for the overlapping subnet.

Thank you for your reply. Unfortunately, that didn't work. The ip nat outside options do not support route-mapping to static addresses. Instead, the ip nat outside route-map option looks for a dynamic address pool. I cannot use a dynamic pool. Overlapping IP addresses 10.33.94.16 and 10.1.1.7 (both addresses shared by two separate devices on the same network segment, hence the overlap) need to be statically translated and advertised as four separate addresses: 10.1.7.196, 10.1.7.198, 10.1.7.199, and 10.1.7.201, sharing the same address scope as other 10.1.7.x/48 devices in VLAN 500.

Sorry, I could not get what you are trying to explain.
Why a route-map for ip nat outside?

I got confused. I have no experience with NAT. No need to route-map outside. We're just trying to translate internal addresses to advertise themselves like other addresses on our inside network. I am trying to get four separate internal/static VRFs to tie into a single route-map so that duplicated address 10.33.94.16 and duplicated address 24.1.1.7 (I mistyped it as 10.1.1.7) can be translated into four separate addresses.
