08-16-2009 08:30 PM
Hi...
I've got a topology like so.
[CE] -> [PE] -> [P] -> [Internet]
I've set up an Internet Gateway for the CE which is part of vrf NSTEST.
Two questions about the Internet Gateway set up on the PE.
1/ When I use a nat pool (/30), I can browse the Internet fine.
ip nat inside source list NSTEST-NAT-ACL pool NSTEST-NAT-POOL vrf NSTEST overload
When I use a Loopback interface (so we can use a /32), browsing no longer works but I can ping anything on the Internet fine.
ip nat inside source list NSTEST-NAT-ACL interface Loopback97 vrf NSTEST overload
What's up with this???
On the P router, we have a static route for the nat pool back through the 'nat outside' interface of the PE router. Likewise when I implemented using the loopback ip as the public IP, I did this also, but can't browse the Internet.
Config looks like this:
--------------------------------------------------------
PE Config:
--------------------------------------------------------
interface GigabitEthernet0/0.1
description Router / MPLS Backbone
encapsulation dot1Q 1 native
ip address A.B.C.D X.X.X.X
ip nat inside
ip flow ingress
mpls ip
!
interface GigabitEthernet0/0.20
description VPN Internet Gateway
encapsulation dot1Q 20
ip address 172.16.76.10 255.255.255.248
ip nat outside
ip flow ingress
ip flow egress
!
ip route vrf NSTEST 0.0.0.0 0.0.0.0 GigabitEthernet0/0.20 172.16.76.9 global
ip route 210.15.226.136 255.255.255.252 Null0
!
ip nat pool NSTEST-NAT-POOL 210.15.226.137 210.15.226.137 netmask 255.255.255.252
ip nat inside source list NSTEST-NAT-ACL pool NSTEST-NAT-POOL vrf NSTEST overload
!
ip access-list standard NSTEST-NAT-ACL
permit 192.168.0.0 0.0.255.255
!
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination X.X.X.X 5000
ip flow-export destination X.X.X.X 5000
--------------------------------------------------------
P Config:
--------------------------------------------------------
interface Vlan1
description Router / MPLS Backbone
bandwidth 10000000
ip address A.B.C.D X.X.X.X
no ip redirects
no ip mroute-cache
load-interval 30
tag-switching ip
!
interface Vlan20
description VPN Internet Gateway
ip address 172.16.76.9 255.255.255.248
no ip redirects
load-interval 30
!
ip route 210.15.226.136 255.255.255.252 Vlan20 172.16.76.10
When I remove the nat pool and use the loopback IP for NAT, I can ping IPs on the Internet, but can't access any services like HTTP, etc...
Added loopback and NAT rule and removed NAT rule relating to the nat pool on PE:
interface Loopback97
ip address 210.15.231.33 255.255.255.255
!
ip nat inside source list NSTEST-NAT-ACL pool NSTEST-NAT-POOL vrf NSTEST overload
Added static route on P to route loopback ip over 'nat outside' interface on PE:
ip route 210.15.231.33 255.255.255.255 Vlan20 172.16.76.10
Why am I able to browse when I use a NAT-POOL but not when I want to use a single /32?
2/ The second issue relates to the collection of flows.
When I do a "sh ip cache flow", I can see flows in one direction only and with the public NAT IP as the source IP. For billing purposes we need to see the public NAT IP in the destination fields so we can count their download usage.
#sh ip cache flow | inc 210.15.226.137
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0.1       210.15.226.137  Gi0/0.20*     203.10.110.102  01 0000 0800   549
I have both "ip flow ingress" and "ip flow egress" on the nat outside interface on the PE (Gi0/0.20), so I'm not sure why I'm not seeing bidirectional flows. I'm thinking that a NAT lookup/translation is performed first on the return traffic through the PE (Gi0/0.20) before flows are processed/captured, hence I don't see any flows going to the public NAT IP. Is this correct?
Any ideas how to capture flows for these public IPs in the NAT POOL? Do I need to capture flows at the P router on Vlan 20 before it gets translated back to its private IP??
Thanks.
Andy
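Example added here (not part of the thread or any Cisco tool): a small Python parser for the "sh ip cache flow" column layout quoted in the second question, which totals packets per public NAT address in both directions and lists addresses that only ever appear as a source, i.e. the one-direction symptom the post describes. The sample output below is constructed; the 210.15.226.x pool addresses come from the post, all other addresses, ports and counts are made up.

```python
import re

# Constructed sample of "show ip cache flow" output in the column layout the
# post shows (SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts).
# Peer addresses, ports and packet counts are invented for the example.
SAMPLE_FLOW_OUTPUT = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0.1       210.15.226.137  Gi0/0.20*     203.10.110.102  01 0000 0800   549
Gi0/0.1       210.15.226.137  Gi0/0.20*     203.10.110.102  06 C0A8 0050  1200
Gi0/0.20      203.10.110.102  Gi0/0.1*      210.15.226.137  06 0050 C0A8  3400
Gi0/0.20      198.51.100.7    Gi0/0.1*      210.15.226.138  06 01BB D431    80
"""

# One flow row: interface, IPv4, interface (optional trailing '*'), IPv4,
# protocol (hex), source port (hex), destination port (hex), packet count.
ROW_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)\s*$"
)


def parse_flows(text):
    """Return one dict per flow row; header, blank and summary lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        src_if, src_ip, dst_if, dst_ip, proto, sport, dport, pkts = m.groups()
        flows.append({
            "src_if": src_if,
            "src_ip": src_ip,
            "dst_if": dst_if.rstrip("*"),   # '*' marks the egress-accounted interface
            "dst_ip": dst_ip,
            "proto": int(proto, 16),        # 1 = ICMP, 6 = TCP, 17 = UDP
            "sport": int(sport, 16),
            "dport": int(dport, 16),
            "pkts": int(pkts),
        })
    return flows


def usage_by_nat_ip(flows, nat_ips):
    """Per public NAT address: packets where it is the source (customer upload)
    and packets where it is the destination (customer download)."""
    usage = {ip: {"upload_pkts": 0, "download_pkts": 0} for ip in nat_ips}
    for f in flows:
        if f["src_ip"] in usage:
            usage[f["src_ip"]]["upload_pkts"] += f["pkts"]
        if f["dst_ip"] in usage:
            usage[f["dst_ip"]]["download_pkts"] += f["pkts"]
    return usage


def one_way_only(usage):
    """NAT addresses seen only as a source: flows for them exist in one
    direction only, which is the symptom the post describes."""
    return sorted(ip for ip, u in usage.items()
                  if u["upload_pkts"] and not u["download_pkts"])


if __name__ == "__main__":
    pool = ["210.15.226.137", "210.15.226.138"]
    flows = parse_flows(SAMPLE_FLOW_OUTPUT)
    totals = usage_by_nat_ip(flows, pool)
    for ip, u in totals.items():
        print(f"{ip}: upload {u['upload_pkts']} pkts, download {u['download_pkts']} pkts")
    print("one-direction only:", one_way_only(totals))
```

Feed it the output of "sh ip cache flow" from the PE; if a pool address is listed by one_way_only, the return traffic is not being accounted against the public address on that router, and the download counters will be zero regardless of where in the NAT order of operations the flow is captured.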
08-21-2009 10:14 AM
Symptoms:
Case 1: All NAT multicast data packets are processed by software.
Case 2: Spurious memory access occurs.
Conditions:
Case 1: NAT with static port entry, or dynamic overload configuration.
Case 2: Configure ip nat dynamic nat rule with an undefined NAT pool.
Workaround:
Case 1: Configure NAT as static entry without port, or dynamic non-overload.
Case 2: Configure with defined pool.
08-26-2009 03:08 AM
k