Good Is Bad

I ran into this problem some time back, trying to perform NAT/PAT from inside hosts, to an interface secondary address on an ASR1000.
While looking for something else this evening, I randomly happened across this solution, and immediately felt stupid.

  • Firstly, because it's so simple a fix
  • Secondly, because TAC told me to take a hike, as it was an unsupported config. This was after five weeks of back and forth and debugs.
  • Thirdly, because I've done this before... kindof.

It should have occurred to me that it was this same config when I had a /29 sitting on an ASR's loopback, being advertised upstream from within an NSSA. In that case, my NAT was exactly that - to pools with no secondary addresses. However, strictly speaking, there was no primary address either in that scenario. Situations required that config change, which moved the /29 from the loopback, to the outside interface as a primary, and secondary addresses.

Pseudo-config of what was for those still playing along.

router ospf 1
  area 99 nssa
  network area 99
  passive-interface default
  no passive-interface gi0/0/0
interface gigabitEthernet0/0/0
  ip address
  ip ospf 1 area 99
  ip nat outside
interface gigabitEthernet0/0/1
  ip address
  ip nat inside
interface loopback 255
  description Public allocation from Initech
  ip address
  ip ospf 1 area 99
ip access-list extended 100
  remark deny host for nat to second pool
  deny ip host any
  remark permit everything else
  permit ip any
ip access-list extended 101
  permit ip host any
ip nat pool POOL-1-2-3-5 prefix 29
ip nat pool POOL-1-2-3-6 prefix 29
ip nat inside source list 101 pool POOL-1-2-3-5 overload
ip nat inside source list 100 pool POOL-1-2-3-6 overload

Any active translations built using either pool, could even be pinged from outside the network, and the ICMP replies were even sourced from the respective address.
That sh!t worked fine, as far back as 3.1.0, 15.0(1)S - which is pretty close to the first production release of IOS-XE as far as I can tell.


I wanted to buy this, but iTunes only has it in the UK. Ministry of sound doesn't list it (probably because I'm coming from a IP address outside of Europe). Amazon and Beatport don't list it.
Honestly, what's wrong with this world and it's digital media distribution? Seriously, shut up and take my money!
/sigh. Wiretap to the rescue, once more.