Posted on April 22, 2019 4:54 pm
 |  Asked by Cindy Moore

Hello, all.

I have inherited a NAT gateway that is implemented on an Ubuntu server (through a combination of iptables & multiple interfaces on an Ethernet port) and I’d like to move that off to our Arista switch. I’ve always done NAT with a server and I’m not sure how to configure a router instead. I’m having some trouble understanding how to set up the PAT from the EOS manual, chapter 27.8.2.

Let me start by describing my present setup, and then my understanding (or lack thereof) of how to do this with my Arista switch.

—————————
I have one network, with two public and two private address spaces on it. Let’s call the two public address spaces PUB1 (1.1.1.0/24) and PUB2 (2.2.2.0/24) and the two private address spaces PR1 (3.3.3.0/24) and PR2 (4.4.4.0/24).

The NAT gateway (PUB1.3) is an ubuntu server that translates all addresses in the PR1 and PR2 space to a single outgoing address PUB1.250. The gateways for PR1 and PR2 are PR1.250 and PR2.250 which route to PUB1.250. The NAT gateway sets all these *250 as multiple interfaces on its own interface so that these packets arrive here and get NAT’ed out.

Servers with private IP addresses have outbound connectivity only, and to connect to them from the outside, it’s necessary to proxy through our NAT gateway.

Our primary uplink/connection to the outside world is through a router at PUB1.1 (which I do *not* have access to). I have two network switches, each connected to the building router (I am in the process of phasing the non-Arista switch out), with addresses in the PR1 space, and all of our servers are connected to one or the other switch and may have addresses in PUB1, PUB2, PR1, or PR2.

It appears that having multiple IP subnets on a single physical network is a little unusual, but that’s what we have. All are on a single VLAN, let’s call it vlan4. I’ve attached a rough topology of this below.

I have an Arista 7150S running EOS 4.13 which I would like to configure to do the NAT. Since this is a live switch with a couple hundred servers depending on it, I’m being conservative about setting things up and am trying to work it all out first. Reading through the EOS manual, it seems to me that I have a Dynamic NAT, Many to One (PAT) situation: PR1+PR2–>PUB1.250.
—————————

So to configure, it seems first I need to set up the Many list:
enable
conf t
ip access-list ACLmany
permit ip PR1.0/24 any
permit ip PR2.0/24 any

then I set up the Single pool
ip nat pool psingle PUB1.250 PUB1.250

Then I set up the gateways that PR1, PR2 have (still in conf t context)
interface vlan 4
ip address PUB1.250/24
ip address PR1.250/24
ip address PR2.250/24

And then tie it all up together with
ip nat source dynamic access-list ACLmany pool psingle

show ip nat pool

I also assume I would need to add routes

ip route 0.0.0.0/0 PUB1.1 (uplink addr)
ip route 0.0.0.0/0 PR1.250
ip route 0.0.0.0/0 PR2.250
ip route PUB1.0/24 Vlan4
ip route PUB2.0/24 Vlan4
ip route PR1.0/24 Vlan4
ip route PR2.0/24 Vlan4

Any tips, corrections, suggestions or questions welcomed! (I don’t know how/why I always wind up asking these questions on a Friday afternoon, but…)

Attachments:
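For reference, here is the same many-to-one PAT written out in EOS configuration syntax with the post's placeholder prefixes expanded (1.1.1.0/24 for PUB1, 2.2.2.0/24 for PUB2, 3.3.3.0/24 for PR1, 4.4.4.0/24 for PR2, 1.1.1.1 for the uplink router). This is an added example, not the original poster's configuration and not something verified on a 7150S running 4.13; it assumes the interface-level `ip nat source dynamic` form and the `secondary` keyword for the additional SVI addresses as described in the EOS NAT chapter the post cites, and the `deny` entries in the ACL are an assumption about the desired behaviour (they keep traffic between the local subnets untranslated).

```eos
! Added example (constructed; not the poster's config).
! Placeholders expanded: PUB1 = 1.1.1.0/24, PUB2 = 2.2.2.0/24,
!   PR1 = 3.3.3.0/24, PR2 = 4.4.4.0/24, uplink router = 1.1.1.1,
!   single translated address = 1.1.1.250
!
! The "many" side. In a NAT ACL a deny entry means "do not translate",
! not "drop". The deny lines (assumption about desired behaviour) keep
! PR1/PR2 traffic to the other local subnets on vlan4 untranslated;
! remove them if east-west traffic should also appear as 1.1.1.250.
ip access-list ACLmany
   10 deny ip 3.3.3.0/24 1.1.1.0/24
   20 deny ip 3.3.3.0/24 2.2.2.0/24
   30 deny ip 3.3.3.0/24 4.4.4.0/24
   40 deny ip 4.4.4.0/24 1.1.1.0/24
   50 deny ip 4.4.4.0/24 2.2.2.0/24
   60 deny ip 4.4.4.0/24 3.3.3.0/24
   70 permit ip 3.3.3.0/24 any
   80 permit ip 4.4.4.0/24 any
!
! The "one" side: a pool whose start and end address are the same,
! which is what makes this PAT rather than a one-to-one mapping.
ip nat pool psingle 1.1.1.250 1.1.1.250 prefix-length 24
!
! The SVI carries the public address plus the two private gateway
! addresses, replacing the aliased interface on the Ubuntu box.
! The dynamic NAT rule is applied on the interface, not globally.
interface Vlan4
   ip address 1.1.1.250/24
   ip address 3.3.3.250/24 secondary
   ip address 4.4.4.250/24 secondary
   ip nat source dynamic access-list ACLmany pool psingle
!
! A single default route toward the upstream router. The four subnets
! are installed as connected routes from the SVI addresses, so no
! static routes pointing at Vlan4 are needed, and a default route via
! the switch's own .250 addresses would only point back at itself.
ip route 0.0.0.0/0 1.1.1.1
```

Two things worth checking before committing this on a switch with a couple of hundred dependent servers: first, because the inside hosts, the translated address and the uplink router all share Vlan4, the traffic enters and leaves through the same SVI, so the cited chapter should be read for whether the platform supports that one-armed arrangement; second, after applying it to a single test host, `show ip nat translation` (and the poster's own `show ip nat pool`) should show that host's flows mapped to 1.1.1.250 and, if the deny entries are kept, no translations for traffic between the local subnets.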
