Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1284
Views
5
Helpful
1
Replies

Inter-VRF NAT

Cory Anderson
Level 1
Level 1

‎07-22-2021 12:48 PM - edited ‎07-22-2021 01:26 PM

I have a hub and spoke, internal network. Each spoke has an endpoint device with fixed IP settings that can't be configured. The Hub is a Cisco Cat 9500.  The spokes use a proprietary encryption device as a router and doesn't support NAT.

 

IP Address: 192.168.0.2 /24

Gateway: 192.168.0.1

 

There are multiple spokes, and the endpoints need to be reachable by a configurable server connected to the 9500.  For proof of concept, I'm looking for a NAT solution where the server, which is in the global vrf, can have a host file with multiple unique entries for each spoke, and the 9500 can do inter-vrf NAT. There could be up to 10 spokes with the endpoints using the same IP addresses.

 

Trying something in an emulator, I got this:

 

interface FastEthernet0/0.100
encapsulation dot1Q 100
vrf forwarding 100
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!

interface FastEthernet0/0.101
encapsulation dot1Q 101
vrf forwarding 101
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in

!

interface FastEthernet0/0.102
encapsulation dot1Q 102
vrf forwarding 102
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip nat inside
!
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip nat inside source static 192.168.0.2 192.168.1.3 vrf 100 extendable match-in-vrf
ip nat inside source static 192.168.0.2 192.168.1.4 vrf 101 extendable match-in-vrf
ip nat inside source static 192.168.0.2 192.168.1.5 vrf 102 extendable match-in-vrf

Labels:
0 Helpful
1 Reply 1

paul driver
VIP
VIP

‎07-23-2021 01:10 AM

Hello
Your configuration doesnt look correct, the inside hosts with the same ip address i assume would be 192.168.0.2 and then you server  which is say 192.168.1.150  would reside in the global route table as such you also wouldnt require the match-in-vrf

 

Example:
ip nat inside source static 192.168.0.2 192.168.1.100 vrf 100
ip nat inside source static 192.168.0.2 192.168.1.101 vrf 101
ip nat inside source static 192.168.0.2 192.168.1.102 vrf 102
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0 192.168.1.x < global next hop ip address
ip route vrf 100 0.0.0.0 0.0.0.0 FastEthernet1/0 192.168.1.x global < global next hop ip address
ip route vrf 101 0.0.0.0 0.0.0.0 FastEthernet1/0 192.168.1.x global < global next hop ip address
ip route vrf 102 0.0.0.0 0.0.0.0 FastEthernet1/0 192.168.1.x global < global next hop ip address

int fa1/0
ip nat outside


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card