Solved: Re: NAT between VRF

snarayanaraju · ‎12-19-2019

Hello - I am using IOS Router. How to configure NAT to address overlapping IP subnet in different VRF. Diagram attached for reference

- Configured Inter VRF Route Leaking

- I need your help with NAT statements. What is the mistake in the below configuration approach

int fa0/0

ip nat enable

int fa 1/0

ip nat outside

ip nat source static 10.1.1.0 69.32.1.0 vrf B
ip nat source static 10.1.1.0 218.248.100.0 vrf A

Regards,Sairam

paul driver · ‎12-24-2019

Hello

@snarayanaraju wrote:

Thank you very much for your time sharing valuable details.

I cannot do the NAT at Spoke because the Spoke device doesnt allow to do NAT configuration. So we have to do the NAT in Hub only.

I had to lab this one up and it does seems to work dynamically (even without a vrf but shown for completeness), The connections will be stateless with no initiation from the outside nat domain applicable unless initiation is first performed from the inside nat domain.

Example:
ip vrf A

ip route vrf A 10.1.1.0 255.255.255.0 192.168.1.2
ip route vrf A 172.16.6.0 255.255.255.0 192.168.1.2
ip route vrf A 172.16.8.0 255.255.255.0 192.168.1.6

ip nat pool A 172.16.6.1 172.16.6.254 prefix-length 24 type match-host
ip nat pool B 172.16.8.1 172.16.8.254 prefix-length 24 type match-host
ip nat inside source list 1 pool A vrf A match-in-vrf
ip nat outside source list 2 pool B vrf A add-route

access-list 1 permit 10.1.1.0 0.0.0.255
access-list 2 permit 10.1.1.0 0.0.0.255

interface x/x
ip vrf forwarding A
ip address 192.168.1.1 255.255.255.252
ip nat inside

interface x/x
ip vrf forwarding A
ip address 192.168.1.5 255.255.255.252
ip nat outside

Host (inside) 10.1.1.4 <nat 172.16.6.4 <Host outside> 172.16.8.5 nat 10.1.1.5

sh ip nat translations vrf A
Pro Inside global Inside local Outside local Outside global
--- --- --- 172.16.8.5 10.1.1.5
icmp 172.16.6.4:21 10.1.1.4:21 172.16.8.5:21 10.1.1.5:21
icmp 172.16.6.4:28 10.1.1.4:28 172.16.8.5:28 10.1.1.5:28
--- 172.16.6.4 10.1.1.4 --- ---

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

paul driver · ‎12-19-2019

Hello

Is this a production setup or is it for lab testing, also the interfaces between RTR A-B and the NAT rtr are these in their own subnet with the overlapping subnet residing on the lan facing interfaces or each spoke rtr?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

snarayanaraju · ‎12-19-2019

Thanks, Paul - Though this I am trying in the Lab, I am going to replicate this configuration in the Production.

The updated diagram is attached again.

The objective is Host in RTR-A needs to talk to Host RTR-B. But they are in the same subnet 10.1.1.0/24. I have to solve this problem by using NAT. How to achieve.
Note: I am able to successfully configure the NAT and InterVRF Routing if the LAN Subnet behind RTR-A and RTR-B are in different segments. I am struggling to achieve this configuration if the subnet is overlapping. Thanks

paul driver · ‎12-20-2019

Hello

@snarayanaraju wrote:

Thanks, Paul - Though this I am trying in the Lab, I am going to replicate this configuration in the Production.

The updated diagram is attached again.

The objective is Host in RTR-A needs to talk to Host RTR-B. But they are in the same subnet 10.1.1.0/24. I have to solve this problem by using NAT. How to achieve.
Note: I am able to successfully configure the NAT and InterVRF Routing if the LAN Subnet behind RTR-A and RTR-B are in different segments. I am struggling to achieve this configuration if the subnet is overlapping. Thanks

Have you considered natting on both spoke routers instead of the hub rtr using specific inside global addressing for each spoke, This should provide the connectivity between the overlapping subnets without using vrf .

Example:
RTR-NAT
ip route 172.16.10.0 255.255.255.0 interface xxx <facing rtr A
ip route 172.16.20.0 255.255.255.0 interface xxx <facing rtr B

RTR-A
access-list 1 permit 10.1.1.0 0.0.0.255
ip route 172.16.10.0 255.255.255.0 interface xxx <facing rtr NAT
ip route 0.0.0.0 0.0.0.0 interface x 192.168.1.1 <--<facing rtr NAT
ip nat pool A 172.16.10.1 172.16.10.254 prefix-length type match-host
ip nat inside source-list 1 pool A

RTR-B
access-list 1 permit 10.1.1.0 0.0.0.255
ip route 172.16.20.0 255.255.255.0 interface xxx <facing rtr NAT
ip route 0.0.0.0 0.0.0.0 interface x 192.168.1.5 <--<facing rtr NAT
ip nat pool B 172.16.20.1 172.16.20.254 prefix-length type match-host
ip nat inside source-list 1 pool B

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

snarayanaraju · ‎12-22-2019

Thank you very much for your time sharing valuable details.

I cannot do the NAT at Spoke because the Spoke device doesnt allow to do NAT configuration. So we have to do the NAT in Hub only.

Giuseppe Larosa · ‎12-23-2019

Hello @snarayanaraju , @paul driver ,

look for this book Cisco Press MPLS L3 VPN volume II

http://www.ciscopress.com/store/mpls-and-vpn-architectures-volume-ii-9781587051128

it explains how to perform on hub NAT on HUB PE

Hope to help

Giuseppe

paul driver · ‎12-24-2019

Hello

@snarayanaraju wrote:

Thank you very much for your time sharing valuable details.

I cannot do the NAT at Spoke because the Spoke device doesnt allow to do NAT configuration. So we have to do the NAT in Hub only.

I had to lab this one up and it does seems to work dynamically (even without a vrf but shown for completeness), The connections will be stateless with no initiation from the outside nat domain applicable unless initiation is first performed from the inside nat domain.

Example:
ip vrf A

ip route vrf A 10.1.1.0 255.255.255.0 192.168.1.2
ip route vrf A 172.16.6.0 255.255.255.0 192.168.1.2
ip route vrf A 172.16.8.0 255.255.255.0 192.168.1.6

ip nat pool A 172.16.6.1 172.16.6.254 prefix-length 24 type match-host
ip nat pool B 172.16.8.1 172.16.8.254 prefix-length 24 type match-host
ip nat inside source list 1 pool A vrf A match-in-vrf
ip nat outside source list 2 pool B vrf A add-route

access-list 1 permit 10.1.1.0 0.0.0.255
access-list 2 permit 10.1.1.0 0.0.0.255

interface x/x
ip vrf forwarding A
ip address 192.168.1.1 255.255.255.252
ip nat inside

interface x/x
ip vrf forwarding A
ip address 192.168.1.5 255.255.255.252
ip nat outside

Host (inside) 10.1.1.4 <nat 172.16.6.4 <Host outside> 172.16.8.5 nat 10.1.1.5

sh ip nat translations vrf A
Pro Inside global Inside local Outside local Outside global
--- --- --- 172.16.8.5 10.1.1.5
icmp 172.16.6.4:21 10.1.1.4:21 172.16.8.5:21 10.1.1.5:21
icmp 172.16.6.4:28 10.1.1.4:28 172.16.8.5:28 10.1.1.5:28
--- 172.16.6.4 10.1.1.4 --- ---

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul