XGS2100 RED Full NAT

Question

Hello,
our customer has an XGS 2100 HA installation with currently two REDs. So far it's going very well. Now our customer has taken over three additional locations and would now like to connect these to the internal network with the XGS RED environment.

The problem, however, is that the respective IPv4 networks that exist at the three locations are already present in the internal network. A renumbering of the external networks (of the three locations) is not yet planned and the central servers are located in the internal networks.

I therefore set up a test lab and tried to create the configuration for this.

If different networks are used inside and outside, the configuration also works wonderfully with Full NAT. A ping from inside to outside works with a 1:1 address translation. When pinging from outside to inside, the 1:1 address translation doesn't work, but the ping comes via a randomly selected IP address and works.

Afterwards, as a further test, I set up a VM in an internal server network. I have enhanced the corresponding networkk in the NAT rule. Ping from the new server network inside to outside doesn't work.

I connect to the XGS and make some trouble shooting and I see, that on the reds1 Interface the first three icmp request goint well, but the it stopped.

SFVUNL_KV01_SFOS 19.5.3 MR-3-Build652# tcpdump -n -i reds1 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on reds1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:44:17.018204 reds1, OUT: IP 192.168.2.23 > 192.168.2.21: ICMP echo request, id 30, seq 1, length 64
14:44:17.086702 reds1, IN: IP 192.168.2.21 > 192.168.2.23: ICMP echo reply, id 30, seq 1, length 64
14:44:18.048642 reds1, OUT: IP 192.168.2.23 > 192.168.2.21: ICMP echo request, id 30, seq 2, length 64
14:44:18.130251 reds1, IN: IP 192.168.2.21 > 192.168.2.23: ICMP echo reply, id 30, seq 2, length 64
14:44:19.072624 reds1, OUT: IP 192.168.2.23 > 192.168.2.21: ICMP echo request, id 30, seq 3, length 64
14:44:19.141056 reds1, IN: IP 192.168.2.21 > 192.168.2.23: ICMP echo reply, id 30, seq 3, length 64
14:44:20.096498 reds1, OUT: IP 192.168.2.23 > 192.168.2.21: ICMP echo request, id 30, seq 4, length 64
14:44:20.158114 reds1, OUT: IP 192.168.2.23 > 192.168.2.21: ICMP host 192.168.2.23 unreachable, length 92
14:44:20.158326 reds1, OUT: IP 192.168.2.23 > 192.168.2.21: ICMP host 192.168.2.23 unreachable, length 92
14:44:20.158355 reds1, OUT: IP 192.168.2.23 > 192.168.2.21: ICMP host 192.168.2.23 unreachable, length 92
14:44:20.174173 reds1, IN: IP 192.168.2.21 > 192.168.2.23: ICMP echo reply, id 30, seq 4, length 64
14:44:21.120387 reds1, OUT: IP 192.168.2.23 > 192.168.2.21: ICMP echo request, id 30, seq 5, length 64
14:44:21.180679 reds1, IN: IP 192.168.2.21 > 192.168.2.23: ICMP echo reply, id 30, seq 5, length 64
14:44:23.230009 reds1, OUT: IP 192.168.2.23 > 192.168.2.21: ICMP host 192.168.2.23 unreachable, length 92
14:44:23.230163 reds1, OUT: IP 192.168.2.23 > 192.168.2.21: ICMP host 192.168.2.23 unreachable, length 92

I do not understand why does the first three icmp requests got in icmp reply, but after that comes an icmp unreachable.

Please, can you give me an advice at this problem.

Many thanks and regards
Rolf

This thread was automatically locked due to age.

LuCar Toni · Answer

SFOS support DNAT 1:1 NAT, not 1:1 NAT for SNAT. Which means: If you ping from A to B, SFOS can translate the B to C, but the Source will be MASQ with a random IP (in terms of SNAT). You could also use SNAT MASQ (Interface IP). 
 Essentially you need two NATs: From A to B with 1:1 and from B to A with 1:1. 
 To be more specific: What SFOS does in a NAT Rule is a 1:1 DNAT only and doing the MASQ if needed. It does not create a FULL NAT 1:1 as a recursive rule. You need the other way around as well. 
 The missing Source NAT SNAT is not important for a working connection - Only for reporting or such things, it could be important. But the connection works fine with an MASQ.

XGS2100 RED Full NAT

Top Replies