CSR1000V IOS-XE 16.3.2+ NAT Outside issue

Menelaos Sazos
Level 1

Hello!

I'm now trying to lab Outside NAT with dynamic translation to the pool on the CSR1000V and facing an issue with a static route to Outside Local address via Outside Global address not being added to the routing table on the IOS-XE 16.3.2+ (IOS-XE 16.3.1a working ok, legacy IOS working ok with the same Outside NAT config too).

NAT config is done on the 1st CSR1000V and is fairly simple:

```
hostname nat-csr
!
interface GigabitEthernet1
 ip address 172.16.8.1 255.255.255.0
 ip nat outside
 negotiation auto
!
interface GigabitEthernet2
 ip address 172.26.1.250 255.255.255.0
 negotiation auto
!
ip access-list extended ANY-ACL
 permit ip any any
!
ip route 172.16.7.0 255.255.255.0 172.16.8.10
ip nat pool TST-POOL 172.26.2.1 172.26.2.254 netmask 255.255.255.0
ip nat inside source static tcp 172.26.1.1 23 interface GigabitEthernet1 2323
ip nat outside source list ANY-ACL pool TST-POOL add-route
```

2nd CSR is used for the server:

```
hostname server-csr
!
username cisco privilege 15 password cisco
enable password cisco
!
interface GigabitEthernet2
 ip address 172.26.1.1 255.255.255.0
 negotiation auto
!
ip route 0.0.0.0 0.0.0.0 172.26.1.250
!
line vty 0 4
 login local
```

And 3rd CSR is used for the client:

```
hostname client-csr
!
interface GigabitEthernet1
 ip address 172.26.8.10 255.255.255.0
 negotiation auto
!
interface Loopback1
 ip address 172.26.7.1 255.255.255.0
!
interface Loopback2
 ip address 172.26.7.2 255.255.255.0
```

Ideally (on IOS-XE 16.3.1a) when client-csr is doing `telnet 172.16.8.1 2323 /source Loopback1` the server-csr answers with the telnet and sees the incoming connection from 172.26.2.1 (1st address in the pool). On the IOS-XE 16.3.2+ the connection doesn't succeed because the nat-csr doesn't install a route to the Outside Local address via Outside Global address of the client-csr, which is required for the return traffic to the client-csr from the server-csr. This route should look like:
```
172.26.2.1/32 [1/0] via 172.26.7.1
172.26.2.2/32 [1/0] via 172.26.7.2
```
etc.

Interestingly, sometimes IOS-XE 16.6.1 does install the required static route, but this is not suitable for the production deployment.
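
A check for the symptom described in the post, as an added example that is not part of the original post: it compares the outside NAT translations with the static host routes and reports every Outside Local address that has no /32 route via its Outside Global address. The sample output is constructed, its column and route-line layout is an assumption, and all function names are hypothetical.

```python
import re

# Constructed sample text, not captured from a device. Assumed column order:
# Pro, Inside global, Inside local, Outside local, Outside global.
NAT_TABLE = """\
Pro  Inside global      Inside local       Outside local      Outside global
---  ---                ---                172.26.2.1         172.26.7.1
---  ---                ---                172.26.2.2         172.26.7.2
tcp  172.16.8.1:2323    172.26.1.1:23      172.26.2.1:40001   172.26.7.1:40001
"""

# Constructed static-route lines: only the first pool address got its route.
ROUTES = """\
S        172.16.7.0/24 [1/0] via 172.16.8.10
S        172.26.2.1/32 [1/0] via 172.26.7.1
"""

ROUTE_RE = re.compile(r"^S\*?\s+([\d.]+)/32 \[\d+/\d+\] via ([\d.]+)", re.M)


def host(field):
    """Drop an optional :port; return None for the '---' placeholder."""
    return None if field == "---" else field.split(":")[0]


def outside_pairs(nat_text):
    """Map each Outside Local address to its Outside Global address."""
    pairs = {}
    for line in nat_text.splitlines():
        cols = line.split()
        if len(cols) != 5:          # header and blank lines do not have 5 fields
            continue
        local, glob = host(cols[3]), host(cols[4])
        if local and glob:
            pairs[local] = glob
    return pairs


def missing_add_routes(nat_text, route_text):
    """Return (outside_local, outside_global) pairs lacking a matching /32 route."""
    routes = dict(ROUTE_RE.findall(route_text))
    return sorted((l, g) for l, g in outside_pairs(nat_text).items()
                  if routes.get(l) != g)


if __name__ == "__main__":
    for local, glob in missing_add_routes(NAT_TABLE, ROUTES):
        print(f"missing: {local}/32 via {glob}")
```
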
