Adding PAT within a VRF kills vty SSH/Telnet

Drew T.
Level 1

I'm managing several devices that are using VRF lite. All works fine for VTY access, until I add a PAT statement within the VRF. Sanitised config as follows:

router-aart#sh run
Building configuration...


version 15.2
service nagle
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router-aart
!
boot-start-marker
boot-end-marker
!
!
vrf definition InVRF
 rd 192.168.0.0:666
 !
 address-family ipv4
 exit-address-family
!
!
logging buffered 51200
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpnuser local
aaa authentication ppp default if-needed
aaa authorization exec default local 
!
!
!
!
!
aaa session-id common
clock timezone 6 0
!
ip cef
!
!
!
ip dhcp pool site-InVRF
 vrf InVRF
 network 192.168.0.0 255.255.255.0
 dns-server 196.168.1.1 8.8.8.8 
 default-router 192.168.0.254 
 lease 7
!
!
!
ip domain name InVRF.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
hw-module pvdm 0/0
!
!
!
!
redundancy
!
!
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
! 
!
crypto isakmp policy 1
!
crypto isakmp policy 2
!
crypto isakmp policy 10
crypto isakmp key x address y
crypto isakmp key a address b 
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set blah <removed> 
 mode tunnel
!
!
!
crypto map crypto-vpn 10 ipsec-isakmp 
 description VPN to blah
 set peer w.x.y.z
 set transform-set blah 
 match address xxx
crypto map crypto-vpn 20 ipsec-isakmp 
 description VPN to feh
 set peer a.b.c.d
 set transform-set blah
 match address yyy
!
!
!
!
!
interface GigabitEthernet0/0
 description LAN
 no ip address
 load-interval 30
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.10
 description InVRF LAN
 encapsulation dot1Q 10
 vrf forwarding InVRF
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 ip accounting output-packets
 ip nat inside
 no ip virtual-reassembly in
!
interface GigabitEthernet0/0.20
 description Local
 encapsulation dot1Q 20
 ip address 192.168.2.254 255.255.254.0
 no ip redirects
 no ip proxy-arp
 ip accounting output-packets
 ip nat inside
 no ip virtual-reassembly in
!
!
interface GigabitEthernet0/1
 description link for InVRF
 vrf forwarding InVRF
 ip address 1.2.3.1 255.255.255.252
 ip nat outside
 no ip virtual-reassembly in
 ip tcp adjust-mss 1452
 load-interval 30
 duplex auto
 speed auto
 crypto map crypto-vpn
!
!
interface GigabitEthernet0/0/0
 description Other Link
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
no ip nat service sip udp port 5060
ip nat inside source list local-net interface GigabitEthernet0/0/0 overload
ip nat inside source list InVRF-NAT interface GigabitEthernet0/1 vrf InVRF overload
ip nat inside source static tcp 192.168.0.20 554 1.2.3.1 554 vrf InVRF extendable
!
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended InVRF-NAT
 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended local-net
  permit ip 192.168.2.0 0.0.0.255 any
!
access-list 110 permit ip host 4.4.4.4 any
! access-list 110 has all management hosts permitted to access this device
!
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
 shutdown
!
!
banner motd ^C

^C
!
line con 0
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 110 in vrf-also
 login authentication local
 transport input telnet ssh
line vty 5 15
 access-class 110 in vrf-also
 login authentication local
 transport input telnet ssh

Everything worked perfectly until I put in 

ip nat inside source static tcp 192.168.0.20 554 1.2.3.1 554 vrf InVRF extendable

This is not the first time I've seen it, but as I'm using VRF Lite with increasing frequency to manage devices with multiple WAN links, I'd like to fix it. This has happened on all versions of 15.1 on 29xx and 39xx routers.

Any advice appreciated. 
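One check worth running before escalating, as an added example that is not part of the original post or any reply: a small Python lint over the sanitised config above that reports, for each NAT rule, which VRF its inside and outside sides fall in, whether a static entry maps to an interface's own address, and whether every vty access-class carries vrf-also. Assumption, taken from the `ip nat inside source` command reference and to be verified on your release: the `vrf X` keyword alone pairs inside VRF X with an outside interface in the global table, while intra-VRF NAT (outside interface also in X) is written with the extra keyword `match-in-vrf`. The embedded CONFIG is a trimmed copy of the poster's config, with one constructed change (vty 5 15 lacks vrf-also) so the vty check has something to report. The script only reports; it makes no claim about the root cause of the lost vty sessions.

```python
"""Added example (not from the thread): lint a Cisco IOS running-config for
NAT rules whose inside and outside VRFs disagree, for static entries that
borrow an interface's own address, and for vty access-classes without
vrf-also. Assumption from the 'ip nat inside source' command reference,
verify on your release: 'vrf X' alone pairs inside VRF X with a global
outside; intra-VRF NAT is written with the extra keyword 'match-in-vrf'."""
import re

# Trimmed copy of the sanitised config posted above. One constructed change:
# 'line vty 5 15' deliberately lacks vrf-also so the vty check fires.
CONFIG = """\
interface GigabitEthernet0/0.10
 vrf forwarding InVRF
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0.20
 ip address 192.168.2.254 255.255.254.0
 ip nat inside
!
interface GigabitEthernet0/1
 vrf forwarding InVRF
 ip address 1.2.3.1 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/0/0
 ip address dhcp
 ip nat outside
!
ip nat inside source list local-net interface GigabitEthernet0/0/0 overload
ip nat inside source list InVRF-NAT interface GigabitEthernet0/1 vrf InVRF overload
ip nat inside source static tcp 192.168.0.20 554 1.2.3.1 554 vrf InVRF extendable
!
line vty 0 4
 access-class 110 in vrf-also
 transport input telnet ssh
line vty 5 15
 access-class 110 in
 transport input telnet ssh
"""

NAT_RE = re.compile(r"^ip nat inside source (list|static)\s+(.*)$")


def parse_interfaces(config):
    """Map interface name -> {vrf ('global' if none), ip (None if dhcp), nat role}."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = {"name": line.split()[1], "vrf": "global", "ip": None, "nat": None}
            ifaces[cur["name"]] = cur
        elif cur is not None and line.startswith(" "):
            w = line.split()
            if w[:2] == ["vrf", "forwarding"]:
                cur["vrf"] = w[2]
            elif w[:2] == ["ip", "address"] and w[2] != "dhcp":
                cur["ip"] = w[2]
            elif w[:2] == ["ip", "nat"]:
                cur["nat"] = w[2]
        else:
            cur = None  # '!' or any top-level command ends the block
    return ifaces


def parse_nat_rules(config):
    """Extract 'ip nat inside source list|static ...' rules and their keywords."""
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        kind, rest = m.group(1), m.group(2).split()
        rule = {"line": line, "kind": kind, "vrf": None, "outside_if": None,
                "global_ip": None, "match_in_vrf": "match-in-vrf" in rest}
        if "vrf" in rest:
            rule["vrf"] = rest[rest.index("vrf") + 1]
        if "interface" in rest:
            rule["outside_if"] = rest[rest.index("interface") + 1]
        if kind == "static":
            # static [tcp|udp] local [lport] global|interface [gport] ...
            proto = rest[0] in ("tcp", "udp")
            gtok = rest[3] if proto else rest[1]
            if gtok != "interface":
                rule["global_ip"] = gtok
        rules.append(rule)
    return rules


def vty_missing_vrf_also(config):
    """Names of 'line vty' blocks whose inbound access-class lacks vrf-also.
    Without vrf-also the access-class rejects sessions arriving on VRF interfaces."""
    missing, cur = [], None
    for line in config.splitlines():
        if line.startswith("line vty"):
            cur = line.strip()
        elif cur and line.startswith(" "):
            w = line.split()
            if w[:1] == ["access-class"] and "in" in w and "vrf-also" not in w:
                missing.append(cur)
        elif not line.startswith(" "):
            cur = None
    return missing


def audit(config):
    """Return (nat_rule, observation) pairs that deserve a second look."""
    ifaces = parse_interfaces(config)
    by_ip = {i["ip"]: i for i in ifaces.values() if i["ip"]}
    out = []
    for r in parse_nat_rules(config):
        outside = ifaces.get(r["outside_if"]) or by_ip.get(r["global_ip"])
        if outside is None:
            out.append((r["line"], "outside side not resolvable from this config"))
            continue
        inside_vrf = r["vrf"] or "global"
        gip = r["global_ip"] or (outside["ip"] if r["kind"] == "static" else None)
        if gip and gip == outside["ip"]:
            out.append((r["line"], f"global address {gip} is {outside['name']}'s own address"))
        if inside_vrf != "global" and outside["vrf"] == inside_vrf and not r["match_in_vrf"]:
            out.append((r["line"], f"inside and outside both in {inside_vrf} without match-in-vrf"))
        if inside_vrf != outside["vrf"] and r["match_in_vrf"]:
            out.append((r["line"], f"match-in-vrf set but {outside['name']} is in {outside['vrf']}"))
    return out


if __name__ == "__main__":
    for rule, note in audit(CONFIG):
        print(f"{note}\n    {rule}")
    for vty in vty_missing_vrf_also(CONFIG):
        print(f"no vrf-also on access-class under '{vty}'")
```

Paste the output of `show running-config` into CONFIG to run it against a real box. On the poster's config the two InVRF rules are the ones reported: both have their outside interface (GigabitEthernet0/1) inside InVRF without match-in-vrf, and the static entry uses that interface's own address 1.2.3.1; the local-net rule, whose outside interface is in the global table, is not reported.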

15 Replies

prinkesh7
Level 1
Did your issue get resolved? I have an ASR1001 and am having the same issue when I enable "ip nat outside". I lose SSH/Telnet and ICMP is dropped.