ip nat outside source NAT to loopback interface inside of VRF

vojtech.jaros
Level 1

Hi,

I'm currently trying to make the following scenario work: Traffic comes from Tunnel1 interface configured with ip nat outside and VRF. The source IP address is NATted to Gi1 interface set with ip nat inside without VRF. Everything works when inside/outside are switched and ip nat inside source ... is used, but due to previous design choices, it has to be this way (outside on the tunnel).

How I imagine it should work: Due to the NAT order of operations, NAT should trigger first and then the routing. As IP NAT outside is implicitly "match-in-vrf", I created a new Loopback1 interface with dummy IP, inside of VRF and with ip nat inside. The source address should be IMO translated from Tunnel1 to Loopback1 and then the packet should be routed through Gi1. NAT from physical to loopback interface should be no problem. [Attachment: vrfconfig.png]

However, the source address doesn't get translated and packets are just routed. Does anyone know why? Other proposals are also welcome, but Gi1 interface has to be configured by ip nat inside due to previous configuration and cannot be changed.

Relevant configuration (some of the routes are not necessary, they are there out of desperation :) ):

interface Tunnel1
 vrf forwarding vrf1
 ip unnumbered GigabitEthernet1
 ip nat outside
 tunnel source GigabitEthernet1
 tunnel mode ipip
 tunnel destination x.x.x.x
 crypto map cmap1
!
interface GigabitEthernet1
 ip address 169.254.0.102 255.255.255.0
 ip nat inside
 negotiation auto
!
interface Loopback1
 vrf forwarding vrf1
 ip address 2.2.2.5 255.255.255.252
 ip nat inside
!
ip nat outside source static network 192.168.0.0 10.0.0.0 /16 vrf vrf1
!
ip route 10.0.0.0 255.255.0.0 Tunnel1
ip route 192.168.0.0 255.255.0.0 Tunnel1
ip route vrf vrf1 1.1.1.1 255.255.255.255 169.254.0.101 global
ip route vrf vrf1 10.0.0.0 255.255.0.0 Tunnel1
ip route vrf vrf1 169.254.0.103 255.255.255.255 Tunnel1
ip route vrf vrf1 192.168.0.0 255.255.0.0 Tunnel1

Some debug info after ping from 192.168.0.1 to 1.1.1.1.
NAT translations (nothing...):

R2#sh ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
---  ---                   ---                   10.0.0.0              192.168.0.0
Total number of translations: 1

Packets leaving Gi1 (source should be NATted, but it isn't):

R2#show monitor capture CAP buf bri
 ----------------------------------------------------------------------------
 #   size   timestamp     source             destination      dscp    protocol
 ----------------------------------------------------------------------------
   0  114    0.000000   192.168.0.1      ->  1.1.1.1          0  BE   ICMP
   1  114    2.007995   192.168.0.1      ->  1.1.1.1          0  BE   ICMP
   2  114    4.012999   192.168.0.1      ->  1.1.1.1          0  BE   ICMP
   3  114    6.014998   192.168.0.1      ->  1.1.1.1          0  BE   ICMP
   4  114    8.031996   192.168.0.1      ->  1.1.1.1          0  BE   ICMP

IOS used: IOS XE 16.03.04. If you believe IOS XE is the problem, I can probably get my hands on real HW, but I hope this is not the case.

Any ideas?

EDIT: NAT has to be VRF-aware to not interfere with other NAT, that is the point why the VRF is configured in the first place :)
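A quick verification helper, added here as an example and not part of the original post: it parses the "show monitor capture ... buf bri" output shown above and flags packets leaving Gi1 whose source still sits in the outside-global network that the static rule (192.168.0.0 -> 10.0.0.0 /16) should have rewritten. The capture text is constructed from the post, with a third line added to show what a correctly translated packet would look like.

```python
import ipaddress
import re

# Constructed sample: the first two lines are copied from the capture in the post
# (source not translated); the third is constructed to show a translated packet.
CAPTURE = """\
   0  114    0.000000   192.168.0.1      ->  1.1.1.1          0  BE   ICMP
   1  114    2.007995   192.168.0.1      ->  1.1.1.1          0  BE   ICMP
   2  114    4.012999   10.0.0.1         ->  1.1.1.1          0  BE   ICMP
"""

# The static network translation from the post:
#   ip nat outside source static network 192.168.0.0 10.0.0.0 /16 vrf vrf1
# Outside global (as seen on Tunnel1) -> outside local (as seen on Gi1).
OUTSIDE_GLOBAL = ipaddress.ip_network("192.168.0.0/16")
OUTSIDE_LOCAL = ipaddress.ip_network("10.0.0.0/16")

# Matches: index, size, timestamp, source, '->', destination
LINE_RE = re.compile(r"^\s*(\d+)\s+\d+\s+[\d.]+\s+([\d.]+)\s+->\s+([\d.]+)")


def expected_outside_local(addr):
    """Map an outside-global address to its outside-local address, keeping the host part.
    Returns None when the address is not covered by the static network rule."""
    addr = ipaddress.ip_address(addr)
    if addr not in OUTSIDE_GLOBAL:
        return None
    host_bits = int(addr) - int(OUTSIDE_GLOBAL.network_address)
    return str(ipaddress.ip_address(int(OUTSIDE_LOCAL.network_address) + host_bits))


def parse_capture(text):
    """Return (index, src, dst) tuples for each packet line in the brief capture output."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append((int(m.group(1)), m.group(2), m.group(3)))
    return packets


def untranslated_packets(text):
    """Packets captured on the inside interface whose source is still an
    outside-global address, i.e. the outside-source rule did not fire.
    Returns (index, observed_src, expected_src) for each offender."""
    bad = []
    for idx, src, _dst in parse_capture(text):
        exp = expected_outside_local(src)
        if exp is not None:
            bad.append((idx, src, exp))
    return bad
```

Running untranslated_packets(CAPTURE) on the post's capture reports packets 0 and 1 with the expected source 10.0.0.1, which matches the symptom described (routing happens, translation does not).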
