Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1053
Views
5
Helpful
4
Replies

IOS-XE static nat in VRF with WAN interface

mario.jost
Level 3
Level 3

‎10-06-2022 01:21 AM

We have multiple locations that are running IOS 15.7(3)M4a on ISR C897VA-K9 Routers. These are getting replaced by ISR1k routers running IOS-XE 17.06.03a. We have an issue with NAT forwardings. This works on the old routers:

interface Vlan11
description LAN side
ip vrf forwarding DSL
ip address 192.168.126.1 255.255.255.0
ip nat inside

interface Dialer1
description WAN side
ip vrf forwarding DSL
ip address 1.1.1.1 255.255.255.252
ip nat outside

ip nat inside source list NAT interface Dialer1 vrf DSL overload
ip nat inside source static tcp 192.168.126.4 8081 interface Dialer1 8081

But the port forwarding (last command) does not work on IOS-XE. Instead, we have to use following command:

ip nat inside source static tcp 192.168.126.4 8081 1.1.1.1 8081 vrf DSL extendable

If we use the interface in the NAT command as we did in IOS, we cant select a VRF where the translation is goint to take place. So IOS-XE takes the global VRF and IOS uses the VRF where the selected interface resides in. If i have a dynamically changing IP on the WAN side, how can i possibly keep up with the configuration? Is there a soluition to this in IOS-XE without using event manager scripts? Im looking for a configuration that does the same thing that IOS did. Create a static NAT entry with the use of an interface where both inside and outside members belong to the same VRF.

Labels:
0 Helpful
4 Replies 4

MHM Cisco World
VIP
VIP

‎10-07-2022 01:45 PM

https://community.cisco.com/t5/security-knowledge-base/nat-with-vrf-ios-vs-ios-xe/ta-p/3156555

I spent two days search and read, 
NAT with VRF is seem more hard that I thought, 
anyway 
Global->VRF is regular NAT vrf-aware (add VRF after interface in IP NAT INSIDE )
VRF-VRF (same) here the tricky according to link I attach above it not support interface you need Pool config but also you need match-in-vrf <<- this command need if you NAT in same VRF 
VRF-VRF (different) here you need VASI <<- what you mention before in your previous post. 


0 Helpful

mario.jost
Level 3
Level 3
In response to MHM Cisco World

‎10-10-2022 05:56 AM

In the post you linked, they use a nat pool in order to use the vrf keyword. Remember, the vrf keyword is not available when we use an interface. But using a nat pool requires you to define it with the WAN ip address which is just no solution to the problem itself. I would then have to update the IP in the NAT pool instead of the NAT command, so no real solutoin for dynmaically changing IPs. Nevertheless, this is not a static nat but a nat overload rule, which works great on IOS-XE as you can see in my post. I only have an issue with static NAT. I appreciate the effort.

0 Helpful

mario.jost
Level 3
Level 3

‎11-30-2022 07:43 AM

I ended up creating a TAC case about this problem. They acknowledged the issue and tell me that there is not even a feature request (if you want to call it like that) in the pipeline for it. So no quick fix for now. I will update this post, once there has been news about this for anyone in the future having the same issue.

mario.jost
Level 3
Level 3

‎01-17-2023 06:56 AM

There is now a bug open for this:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe08703

We created a feature request via our account manager to get this functionality back into IOS-XE

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card