Multiple Global to VRF NAT

Bebbo86
Level 1

Hello,

We have a Cisco C921-4P with IOS 15.8(3)M6. We have four clients that we want to connect; unfortunately these clients cannot route to other networks and have a fixed static IP of 169.254.1.100. The idea is to configure VRFs on the router with IPs in this network and NAT rules to reach those IPs from outside, plus the possibility to go from inside to outside addresses.

The problem is that it is not possible to reach the inside target (192.168.0.100 > 169.254.1.100, etc.). A tcpdump shows that on the inside the packets have the source IP 192.168.0.11 (the server). Could this be a translation problem?

Enclosed you can find a graphical overview of the case.

Here is our current config:

ip vrf vrf_S0
!
ip vrf vrf_S1
!
ip vrf vrf_S2
!
ip vrf vrf_S3
!
interface GigabitEthernet0
switchport access vlan 900
no ip address
!
interface GigabitEthernet1
switchport access vlan 901
no ip address
!
interface GigabitEthernet2
switchport access vlan 902
no ip address
!
interface GigabitEthernet3
switchport access vlan 903
no ip address
!        
interface GigabitEthernet4
ip vrf receive vrf_S0
ip vrf receive vrf_S1
ip vrf receive vrf_S2
ip vrf receive vrf_S3
ip address 192.168.0.9 255.255.255.0
ip nat outside
ip nat enable
ip virtual-reassembly in
ip policy route-map LEAK
duplex auto
speed auto
!
interface Vlan900
ip vrf forwarding vrf_S0
ip address 169.254.1.20 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly in
!
interface Vlan901
ip vrf forwarding vrf_S1
ip address 169.254.1.21 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly in
!
interface Vlan902
ip vrf forwarding vrf_S2
ip address 169.254.1.22 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly in
!
interface Vlan903
ip vrf forwarding vrf_S3
ip address 169.254.1.23 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly in
!
! NAT into different VRFs
ip nat inside source static 169.254.1.100 192.168.0.100 vrf vrf_S0
ip nat inside source static 169.254.1.100 192.168.0.101 vrf vrf_S1
ip nat inside source static 169.254.1.100 192.168.0.102 vrf vrf_S2
ip nat inside source static 169.254.1.100 192.168.0.103 vrf vrf_S3
ip route 192.168.0.100 255.255.255.255 Vlan900
ip route 192.168.0.101 255.255.255.255 Vlan901
ip route 192.168.0.102 255.255.255.255 Vlan902
ip route 192.168.0.103 255.255.255.255 Vlan903
!
! Route leak 192.168 into VRFs
route-map LEAK permit 10
set global
!

NAT translation table:

Router#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.0.100      169.254.1.100      ---                ---
--- 192.168.0.101      169.254.1.100      ---                ---
--- 192.168.0.102      169.254.1.100      ---                ---
--- 192.168.0.103      169.254.1.100      ---                ---

We would really appreciate any help of the community. Thanks in advance!

8 Replies

I will run a lab and see how you can configure VRF-aware NAT with IOS.

hostname IOU1
!
ip vrf mhm1
rd 1:100
!
ip vrf mhm2
rd 2:100
!
interface Ethernet0/0
no ip address
!
interface Ethernet0/0.10
encapsulation dot1Q 10
ip vrf forwarding mhm1
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Ethernet0/0.20
encapsulation dot1Q 20
ip vrf forwarding mhm2
ip address 20.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Ethernet1/1
ip vrf receive mhm1
ip vrf receive mhm2
ip address 100.0.0.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
ip policy route-map VRF-selection
!
ip nat inside source list 10 interface Ethernet1/1 vrf mhm1 overload
ip nat inside source list 20 interface Ethernet1/1 vrf mhm2 overload
ip route vrf mhm1 0.0.0.0 0.0.0.0 Ethernet1/1 100.0.0.2 global
ip route vrf mhm2 0.0.0.0 0.0.0.0 Ethernet1/1 100.0.0.2 global
!
route-map VRF-selection permit 10
match ip address 10
set vrf mhm1
!
route-map VRF-selection permit 20
match ip address 20
set vrf mhm2
!
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 20 permit 20.0.0.0 0.0.0.255

Screenshot (289).png

The above config works.
MHM

Hello MHM,

Thanks a lot for your lab and the time you spent. After analysing your config we see some differences from ours:
- We do not have a switch between the router (IOU1) and the clients
- The IP addresses of the inside clients are the same (169.254.1.10) in the different VRFs
- There is no next-hop IP in the outside network. The server to be reached has the IP 192.168.0.10

This is the config we have after your post, which unfortunately doesn't work. We guess the problem is still a translation or routing issue. The packets from outside don't arrive NATed with their 169.254.x IP, but with the outside NAT IP (192.168.0.9x). The inside client has no way to configure a gateway or routing.

ip vrf vrf_S0
rd 1:100
!
ip vrf vrf_S1
rd 2:100
!
ip cef
!
interface GigabitEthernet0
switchport access vlan 900
no ip address
!
interface GigabitEthernet1
switchport access vlan 901
no ip address
!
interface GigabitEthernet4
ip vrf receive vrf_S0
ip vrf receive vrf_S1
ip address 192.168.0.9 255.255.255.0
ip nat outside
ip virtual-reassembly in
ip policy route-map VRF-selection
duplex auto
speed auto
!
interface Vlan900
ip vrf forwarding vrf_S0
ip address 169.254.1.20 255.255.255.0
ip nat inside
no ip virtual-reassembly in
!
interface Vlan901
ip vrf forwarding vrf_S1
ip address 169.254.1.21 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip nat inside source static 169.254.1.10 192.168.0.90 vrf vrf_S0
ip nat inside source static 169.254.1.10 192.168.0.91 vrf vrf_S1
ip route vrf vrf_S0 0.0.0.0 0.0.0.0 GigabitEthernet4 192.168.0.90 global
ip route vrf vrf_S1 0.0.0.0 0.0.0.0 GigabitEthernet4 192.168.0.91 global
!
route-map VRF-selection permit 90
match ip address 90
set vrf vrf_S0
!
route-map VRF-selection permit 91
match ip address 91
set vrf vrf_S1
!
access-list 90 permit 169.254.1.0 0.0.0.255
access-list 91 permit 169.254.1.0 0.0.0.255
!
end

Do you have any suggestions on how we can get it to fly? Is it even possible to NAT from global to multiple VRFs with identical inside client IPs?

Hi friend,
but if the outside NAT interface receives the packet, and I see you use PBR for VRF selection, how can it know that this traffic is for this VRF?
Also, does your router run IOS-XE?

Shouldn't the outside interface be in the routing and NAT tables? Ideally the packet comes from the server to the outside NAT IP (e.g. 192.168.0.90), gets routed to VRF_S0, translated to the inside NAT IP 169.254.1.20 and sent to the client (169.254.1.100). The other way around, the client sends the packet back to the inside NAT IP 169.254.1.20, which the router translates back to 192.168.0.90 and sends to the router. Is that even possible?

Bebbo86_0-1682053826483.png

The router uses IOS 15.8

ORDER of NAT/Routing OUT-to-IN

  • If IPSec then check input access list
  • decryption - for CET or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • NAT outside to inside (global to local translation)  <<- this will NAT to the same host IP
  • policy routing <<- here both PBR entries you use match the same host IP, so which path does the router use??
  • routing
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect CBAC
  • TCP intercept
  • encryption
  • queue

This case I think can be solved via NVI, which can give you a loopback, so NATing:
host IP (VRF1) -> Lo1 -> OUT IP
host IP (VRF2) -> Lo2 -> OUT IP
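The overlap MHM points at in the route-map above (ACL 90 and ACL 91 in the posted config both permit 169.254.1.0/24, so sequence 90 is always the first match and sequence 91 can never be selected) and the reuse of one inside-local address across VRFs can be checked mechanically before loading such a config. The following Python script is an added example, not code from the thread or from Cisco. It parses only the IOS line types the posted configs use (static NAT entries, route-map sequences with match/set, standard access-lists); SAMPLE_CONFIG and LAB_CONFIG are constructed excerpts of the two configs in this thread, and the assumption that IOS evaluates route-map sequences in ascending order with first match winning is the only IOS behaviour it relies on.

```python
"""Lint for the VRF-aware static NAT + PBR pattern discussed in this thread.

Added example: not code from the thread or from Cisco.  It parses only the IOS
line types used in the posted configs (static NAT entries, route-map sequences
with 'match ip address' / 'set vrf', standard access-lists) and reports:

  1. route-map sequences that can never be selected because an earlier
     sequence's ACL already covers every source range they match (IOS
     evaluates sequences in ascending order and the first match wins);
  2. inside-local addresses that appear in more than one static entry, with
     the VRF of each (an entry without the 'vrf' keyword is marked 'global').
"""
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed excerpt of the second config posted in the thread (overlapping ACLs).
SAMPLE_CONFIG = """
ip nat inside source static 169.254.1.10 192.168.0.90 vrf vrf_S0
ip nat inside source static 169.254.1.10 192.168.0.91 vrf vrf_S1
route-map VRF-selection permit 90
 match ip address 90
 set vrf vrf_S0
!
route-map VRF-selection permit 91
 match ip address 91
 set vrf vrf_S1
!
access-list 90 permit 169.254.1.0 0.0.0.255
access-list 91 permit 169.254.1.0 0.0.0.255
"""

# Constructed excerpt of MHM's lab (distinct per-VRF subnets, so no overlap).
LAB_CONFIG = """
route-map VRF-selection permit 10
 match ip address 10
 set vrf mhm1
!
route-map VRF-selection permit 20
 match ip address 20
 set vrf mhm2
!
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 20 permit 20.0.0.0 0.0.0.255
"""

ACL_RE = re.compile(r"^access-list (\d+) permit (\S+)(?: (\S+))?$")
NAT_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)(?: vrf (\S+))?")
RMAP_RE = re.compile(r"^route-map (\S+) permit (\d+)$")


def parse(config):
    """Return (acls, route_maps, nats) extracted from a config snippet."""
    acls = defaultdict(list)        # ACL number -> [IPv4Network, ...]
    route_maps = defaultdict(list)  # route-map name -> [{"seq", "acl", "vrf"}, ...]
    nats = []                       # (inside_local, inside_global, vrf or None)
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            num, addr, wildcard = m.groups()
            # ipaddress accepts an IOS wildcard as a host mask; no mask = one host
            acls[num].append(ip_network(f"{addr}/{wildcard or '32'}", strict=False))
        elif m := NAT_RE.match(line):
            nats.append(m.groups())
        elif m := RMAP_RE.match(line):
            current = {"seq": int(m.group(2)), "acl": None, "vrf": None}
            route_maps[m.group(1)].append(current)
        elif current and line.startswith("match ip address "):
            current["acl"] = line.split()[-1]
        elif current and line.startswith("set vrf "):
            current["vrf"] = line.split()[-1]
        elif line == "!":
            current = None
    return acls, route_maps, nats


def shadowed_sequences(acls, route_maps):
    """(route-map, seq, set-vrf) for every sequence whose ACL ranges are all
    already covered by lower-numbered sequences, i.e. unreachable in IOS."""
    found = []
    for name, seqs in route_maps.items():
        earlier = []
        for s in sorted(seqs, key=lambda s: s["seq"]):
            nets = acls.get(s["acl"], [])
            if nets and all(any(n.subnet_of(e) for e in earlier) for n in nets):
                found.append((name, s["seq"], s["vrf"]))
            earlier.extend(nets)
    return found


def reused_inside_local(nats):
    """inside-local -> [(inside-global, vrf), ...] for addresses used more than once."""
    by_local = defaultdict(list)
    for local, inside_global, vrf in nats:
        by_local[local].append((inside_global, vrf))
    return {local: e for local, e in by_local.items() if len(e) > 1}


def lint(config):
    acls, route_maps, nats = parse(config)
    return {"shadowed": shadowed_sequences(acls, route_maps),
            "reused_inside_local": reused_inside_local(nats)}


if __name__ == "__main__":
    for label, cfg in (("thread config", SAMPLE_CONFIG), ("MHM lab", LAB_CONFIG)):
        report = lint(cfg)
        print(f"== {label}")
        for name, seq, vrf in report["shadowed"]:
            print(f"route-map {name} seq {seq} (set vrf {vrf}) is shadowed by an earlier sequence")
        for local, entries in report["reused_inside_local"].items():
            print(f"inside local {local} -> " +
                  ", ".join(f"{g} in {v or 'global'}" for g, v in entries))
```

On the thread's config the script reports sequence 91 (set vrf vrf_S1) as shadowed and lists 169.254.1.10 mapped once per VRF; on MHM's lab excerpt, where each ACL covers a different subnet, nothing is flagged. Extending the parser to extended ACLs or to the NVI/loopback variant MHM suggests is left to the reader.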

Hi

Looking at your NAT table, how can any routing table handle this?

Router#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.0.100      169.254.1.100      ---                ---
--- 192.168.0.101      169.254.1.100      ---                ---
--- 192.168.0.102      169.254.1.100      ---                ---
--- 192.168.0.103      169.254.1.100      ---                ---

From the routing perspective, the packets come from, or need to be sent to, only one place.

I don't know how Cisco can handle this; I just hope we can find a solution. The question on my side: in what order does Cisco handle the packet? Translation before routing, or routing before translation?