HPE Community
Comware Based
1821583 Members
3540 Online
109633 Solutions
New Discussion

Howto nat sub interface

 
MJaat
Occasional Advisor

‎09-25-2020 12:29 AM

‎09-25-2020 12:29 AM

Howto nat sub interface

Hi,

Scenario is:

PC -> GE1.RouterA.GE1 -> GE0.RouterB

 

I have this config in RouterA:

nat address-group 2
 address 192.168.123.3 192.168.123.3

interface GigabitEthernet0/1
 port link-mode route
 ip address 192.168.160.2 255.255.255.0
 ip address 192.168.123.3 255.255.255.0 sub
 nat outbound 3050 address-group 2
 nat static enable

acl advanced 3050
 rule 30 permit ip destination 192.168.123.0 0.0.0.255
 rule 999 deny ip

ip route-static 192.168.177.0 24 GigabitEthernet0/1 192.168.123.4

 

RouterB:

nat address-group 1
 address 192.168.123.4 192.168.123.4

interface GigabitEthernet0/0
 port link-mode route
 ip address 192.168.123.4 255.255.255.0
 nat outbound 3055 address-group 1
 nat static enable

acl advanced 3055
 rule 121 permit ip destination 192.168.123.0 0.0.0.255
 rule 999 deny ip

 

When i ping 192.168.177.2 from PC(with ip 192.168.160.141), i got:

<HPE>*Sep 25 09:24:14:656 2020 HPE IPFW/7/IPFW_PACKET:
Receiving, interface = GigabitEthernet0/0
version = 4, headlen = 20, tos = 0
pktlen = 60, pktid = 5164, offset = 0, ttl = 127, protocol = 1
checksum = 21684, s = 192.168.160.141, d = 192.168.177.2
channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: Receiving IP packet from interface GigabitEthernet0/0.
Payload: ICMP
  type = 8, code = 0, checksum = 0x4cf7.

 

Why does not the RouterA NAT the packet to 192.168.123.3?

 

I expect:

<HPE>*Sep 25 09:24:14:656 2020 HPE IPFW/7/IPFW_PACKET:
Receiving, interface = GigabitEthernet0/0
version = 4, headlen = 20, tos = 0
pktlen = 60, pktid = 5164, offset = 0, ttl = 127, protocol = 1
checksum = 21684, s = 192.168.123.3, d = 192.168.177.2
channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: Receiving IP packet from interface GigabitEthernet0/0.
Payload: ICMP
  type = 8, code = 0, checksum = 0x4cf7.

 

 

Thakn you for your time.

 

0 Kudos
3 REPLIES 3
Ivan_B
HPE Pro

‎09-25-2020 08:22 AM

‎09-25-2020 08:22 AM

Re: Howto nat sub interface

Hi @MJaat !

I am sorry, but I have to disappoint you - there are no sub-interfaces in your configuration. What you have is called secondary IP address. That one with 'sub'. This NAT configuration is not going to work, because incoming and outgoing interfaces can't be the same interface, like in your configuration. You need real sub-interfaces, those with dots, like Gig0/1.1 etc. 

PC -> GE0/1.10 RouterA GE0/1.20 -> GE0.RouterB

But keep in mind that since the traffic arrives from PC and from RouterB on the same physical GE0/1, the differentiation criterion will be VLAN tag. You need to use different VLAN tags for PC and Router B traffic and packets should be tagged on those neighboring devices - PC and Router B, e.g. Router A should receive packets with tags.

I am afraid you need to dig into sub-interfaces a little bit deeper to get comfortable with that logic.

 

I am an HPE employee

Accept or Kudo

MJaat
Occasional Advisor

‎09-30-2020 01:58 AM

‎09-30-2020 01:58 AM

Re: Howto nat sub interface

Hi,

 

Thanks for your reply.

Thou i thought that the ACL(example 3050) will determine what packets will be natted to address groups example 2.

0 Kudos
Ivan_B
HPE Pro

‎09-30-2020 09:03 PM

‎09-30-2020 09:03 PM

Re: Howto nat sub interface

No, unfortunately it doesn't work like this. You really need a separate L3 interfaces/sub-interfaces for incoming and outgoing traffic, otherwise NAT will not work properly.

 

I am an HPE employee

Accept or Kudo

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.