Cisco Community
English
Register
Great changes are coming to Cisco Community in July. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
6039
Views
0
Helpful
6
Replies
james-worley
Beginner
Beginner
‎02-16-2012 02:02 AM
‎02-16-2012 02:02 AM

Global to VRF NAT Problems

Hi

I am using a 1841 running IOS 'c1841-adventerprisek9-mz.151-3.T1.bin'. I have two ethernet interfaces. One the WAN and the other the LAN. We use an Internet VRF to connect the WAN. Does anyone have any experiance with running NAT from a global interface to a VRF interface?

My config is as follows:

interface FastEthernet0/0

description *** Untrusted Public Network ***

ip vrf forwarding INTERNET

ip address 10.1.2.40 255.255.255.0

ip access-group WAN-IN in

ip access-group WAN-OUT out

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly in

ip verify unicast reverse-path

duplex auto

speed auto

no cdp enable

end

The LAN interface connects to the Global routing instance:

interface FastEthernet0/1

ip address 192.168.35.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip pim query-interval 10

ip pim sparse-dense-mode

ip nat inside

ip virtual-reassembly in

ip verify unicast reverse-path

ip ospf cost 500

ip ospf 60 area 5

duplex auto

speed auto

end

Routing on each instance looks good:

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 10.1.2.1 permanent name Global_NAT_default_route

ip route vrf INTERNET 0.0.0.0 0.0.0.0 10.1.2.1 permanent name Public_default_route

The problem is when I try to browse the internet and resolve DNS queries. My NAT config looks like this:

ip nat inside source list LAN-NAT interface FastEthernet0/0 overload

!

Extended IP access list LAN-NAT

    10 deny ip any 192.168.0.0 0.0.255.255

    20 deny ip any 172.0.0.0 0.31.255.255

    30 deny ip any 10.0.0.0 0.255.255.255

    40 permit ip 192.168.35.0 0.0.0.255 any (162 matches)

I see nat translatiosn happening:

Pro Inside global         Inside local          Outside local         Outside global

udp 10.1.2.40:35992       192.168.35.21:35992   62.179.104.196:53     62.179.104.196:53

udp 10.1.2.40:40818       192.168.35.21:40818   212.142.28.68:53      212.142.28.68:53

udp 10.1.2.40:50020       192.168.35.21:50020   212.142.28.68:53      212.142.28.68:53

udp 10.1.2.40:50216       192.168.35.21:50216   212.83.68.131:53      212.83.68.131:53

udp 10.1.2.40:53440       192.168.35.21:53440   212.83.68.131:53      212.83.68.131:53

udp 10.1.2.40:54970       192.168.35.21:54970   62.179.104.196:53     62.179.104.196:53

udp 10.1.2.40:57031       192.168.35.21:57031   212.142.28.68:53      212.142.28.68:53

udp 10.1.2.40:54737       192.168.35.23:54737   62.179.104.196:53     62.179.104.196:53

udp 10.1.2.40:54737       192.168.35.23:54737   212.83.68.131:53      212.83.68.131:53

udp 10.1.2.40:54737       192.168.35.23:54737   212.142.28.68:53      212.142.28.68:53

udp 10.1.2.40:63199       192.168.35.23:63199   62.179.104.196:53     62.179.104.196:53

udp 10.1.2.40:63199       192.168.35.23:63199   212.83.68.131:53      212.83.68.131:53

udp 10.1.2.40:63199       192.168.35.23:63199   212.142.28.68:53      212.142.28.68:53

udp 10.1.2.40:63658       192.168.35.23:63658   62.179.104.196:53     62.179.104.196:53

udp 10.1.2.40:63658       192.168.35.23:63658   212.83.68.131:53      212.83.68.131:53

udp 10.1.2.40:63658       192.168.35.23:63658   212.142.28.68:53      212.142.28.68:53

udp 10.1.2.40:64366       192.168.35.23:64366   62.179.104.196:53     62.179.104.196:53

udp 10.1.2.40:64366       192.168.35.23:64366   212.83.68.131:53      212.83.68.131:53

udp 10.1.2.40:64366       192.168.35.23:64366   212.142.28.68:53      212.142.28.68:53

tcp 10.1.2.40:64577       192.168.35.23:64577   17.149.36.107:443     17.149.36.107:443

However my ACL see some funny looking traffic:

553814: *Feb 16 2012 11:14:23.974 CET: %SEC-6-IPACCESSLOGP: list WAN-OUT denied udp 62.179.104.196(53) -> 192.168.35.16(63590), 1 packet 

553815: *Feb 16 2012 11:14:28.258 CET: %SEC-6-IPACCESSLOGP: list WAN-OUT denied udp 62.179.104.196(53) -> 192.168.35.23(53699), 1 packet 

553816: *Feb 16 2012 11:14:37.089 CET: %SEC-6-IPACCESSLOGP: list WAN-OUT denied udp 62.179.104.196(53) -> 192.168.35.21(45487), 1 packet 

For some reason the destination IP is showing as the source and the source inside address as the destination. If I remove NAT I see:

553775: *Feb 16 2012 11:07:29.182 CET: %SEC-6-IPACCESSLOGP: list WAN-OUT denied udp 192.168.35.200(3440) -> 212.142.28.68(53), 1 packet 

553776: *Feb 16 2012 11:07:32.182 CET: %SEC-6-IPACCESSLOGP: list WAN-OUT denied udp 192.168.35.200(3441) -> 62.179.104.196(53), 1 packet 

553777: *Feb 16 2012 11:07:49.700 CET: %SEC-6-IPACCESSLOGP: list WAN-OUT denied udp 192.168.35.21(41043) -> 62.179.104.196(53), 1 packet

Which is inline with what I would expect. I have had a play with the NVI feature but did not find a working config.

Labels:
0 Helpful
6 REPLIES 6
Eugene Khabarov
Rising star
Rising star
‎02-16-2012 02:21 AM
‎02-16-2012 02:21 AM

Hi! I think there is the problem only with WAN-OUT ACL. You should permit praffic from addresses in the NAT pool maybe?

Moreover you need to allow established connections in your WAN-IN acl.

In other way you need to inplement statefull firewall, f.e. ZBFW.

HTH. Please rate if it was helpful.

0 Helpful