Beginner

NAT/PAT in MPLS L3VPN on ASBR /PE Router

Can anyone suggest the best method of NAT on the PE ASBR router before sending the customer traffic to any CSP, if the CSP is advising that they only receive public IP?

I have a solution, but there are some discrepancies. For example, when the customer is using any random public IP or registered public IP for branch-to-branch communication for any reason, their branch-to-branch communication will be impacted.

And again, if the customer is advertising any default route and the destination is supposed to be a public address, then the source will be NATted, which is not expected.

The attached diagram is self-explanatory.

Any good suggestions?

Cisco Employee

Re: NAT/PAT in MPLS L3VPN on ASBR /PE Router

Hi Ashhad,

 

I think what you need is Destination Based NAT. You haven't mentioned the router model, but I guess most should support it.

 

It is already addressed here:

https://community.cisco.com/t5/firewalls/destination-based-nat/td-p/3084550

 

Regards

Manjunath M P

Beginner

Re: NAT/PAT in MPLS L3VPN on ASBR /PE Router

I agree with your suggestion, but the issue is we cannot make it destination-based NAT.

The reason is we don't know the destination, and even if we somehow managed to know it, we would need to update the destination route every month or 6 months, since the destination is not fixed; we receive an updated destination every time.

Cisco Employee

Re: NAT/PAT in MPLS L3VPN on ASBR /PE Router

Okay, understood. Is it possible to then mark all your ingress interfaces as 'ip nat inside' and the outgoing interface towards the CSP as 'ip nat outside', so only traffic going out the CSP interface will be NAT'ed and your internal traffic won't be NAT'ed?

 

Regards

Manjunath M P

Beginner

Re: NAT/PAT in MPLS L3VPN on ASBR /PE Router

Since it is done on the data plane, I can match src IP, dest IP, port, DSCP, but we have a restriction that we cannot match DSCP and port.

And the ingress interface is MPLS, so whatever traffic is hitting the NAT inside filter, it will NAT all the traffic, including the traffic destined for colocated also...

 

 
