Cisco NAT failing for non-connected subnets
Aug.17, 2010, under Networks
This little problem had me scratching my head for a while, and as usual the solution is pretty simple. The scenario is that you have some kind of link from an ISP with static addresses. At some point you have outgrown your original assignment and have requested a new block, which the ISP has set up at their end. You want to NAT an address on the new external subnet to an internal address as shown below. On a PIX or ASA you just set up the NAT rules and everything works, but in IOS things are a little more subtle. First the diagram and relevant initial configs. Note that the customer router only has an external IP on the first subnet – in our case this was due to a lack of spare addresses:
NAT target
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.0.2
Customer router
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 172.0.0.2 255.255.255.0
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 172.0.0.3
!
ip nat inside source static 10.0.0.1 172.0.1.2
ISP router
interface FastEthernet0/1
 ip address 172.0.1.3 255.255.255.0 secondary
 ip address 172.0.0.3 255.255.255.0
Looks like it should work, right? Not quite. If we try to ping 172.0.1.2 from the ISP router, there is no response. We can see the NAT translation in place on the customer router, and with a debug arp command we can see the ARP requests for 172.0.1.2 arriving on its outside interface, but it doesn’t respond to them.
Customer#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 172.0.1.2          10.0.0.1           ---                ---
Customer#debug arp
ARP packet debugging is on
Customer#
*Mar  1 00:40:20.147: IP ARP: rcvd req src 172.0.1.3 cc06.11b8.0001, dst 172.0.1.2 FastEthernet0/1
*Mar  1 00:40:22.147: IP ARP: rcvd req src 172.0.1.3 cc06.11b8.0001, dst 172.0.1.2 FastEthernet0/1
*Mar  1 00:40:24.147: IP ARP: rcvd req src 172.0.1.3 cc06.11b8.0001, dst 172.0.1.2 FastEthernet0/1
*Mar  1 00:40:26.111: IP ARP: rcvd req src 172.0.1.3 cc06.11b8.0001, dst 172.0.1.2 FastEthernet0/1
*Mar  1 00:40:28.135: IP ARP: rcvd req src 172.0.1.3 cc06.11b8.0001, dst 172.0.1.2 FastEthernet0/1
Customer#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 172.0.1.2          10.0.0.1           ---                ---
Customer#
We can also look in the ARP table on the ISP router and confirm that it has no entry for 172.0.1.2. If we change the NAT statement so that the external NATted address is on the 172.0.0.0/24 subnet (the one the customer router’s outside interface is actually connected to), everything works, so we aren’t hitting proxy-ARP issues.
Customer(config)#no ip nat inside source static 10.0.0.1 172.0.1.2
Customer(config)#ip nat inside source static 10.0.0.1 172.0.0.5
ISP#ping 172.0.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.0.0.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 40/77/92 ms
ISP#
To cut a long story short, the customer router will only answer ARP for a NAT global address when its outside interface has an address on that subnet. What we need to do is add the external NATted address as a secondary IP on the customer router’s outside interface (or give it a different secondary IP on that subnet).
Customer(config)#int fa 0/1
Customer(config-if)#ip add 172.0.1.2 255.255.255.0 sec
Customer(config-if)#ip add 172.0.1.2 255.255.255.0 secondary
ISP#ping 172.0.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.0.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/49/72 ms
ISP#
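Since this mistake is silent in the config (the translation shows up in sh ip nat trans and nothing logs an error), a quick config lint catches it before it reaches a router. The script below is an added example, not from the original post: it parses a small constructed IOS config, collects the primary and secondary subnets of every interface marked ip nat outside, and reports any static NAT inside-global address that no such subnet covers. Interface and address values are the ones from the article; the config text itself is constructed.

```python
import ipaddress
import re

# Constructed sample IOS config (not from the original post), reproducing the
# article's broken state: static NAT global 172.0.1.2 is on no subnet of the
# "ip nat outside" interface.
BROKEN_CONFIG = """\
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 172.0.0.2 255.255.255.0
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 172.0.0.3
!
ip nat inside source static 10.0.0.1 172.0.1.2
"""

# Same config after the article's fix: a secondary address on the NAT subnet.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    " ip nat outside\n",
    " ip address 172.0.1.2 255.255.255.0 secondary\n ip nat outside\n")


def outside_subnets(config):
    """Primary and secondary subnets of every interface marked 'ip nat outside'."""
    subnets, outside, current = {}, set(), None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            subnets.setdefault(current, [])
        elif current and (m := re.match(r"\s+ip address (\S+) (\S+)", line)):
            # dotted netmask is accepted by ip_network; strict=False keeps host bits
            subnets[current].append(
                ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        elif current and line.strip() == "ip nat outside":
            outside.add(current)
    return [net for ifc in outside for net in subnets[ifc]]


def unreachable_static_nat(config):
    """Static NAT inside-global addresses no 'ip nat outside' interface is connected to."""
    nets = outside_subnets(config)
    pattern = r"^ip nat inside source static (\S+) (\S+)"
    return [glob for _, glob in re.findall(pattern, config, re.M)
            if not any(ipaddress.ip_address(glob) in n for n in nets)]
```

Run it over a saved show running-config; an address in the returned list is one the router will hold a translation for but never answer ARP for.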
Incredibly obvious when you think about it, but it took me a while to work out due to the fact that on Cisco’s firewall line it works without secondary addresses. Hopefully this will save someone else the headaches I went through.
