12-19-2019 06:41 AM
Hello - I am using an IOS router. How do I configure NAT to address overlapping IP subnets in different VRFs? Diagram attached for reference.
- Configured Inter VRF Route Leaking
- I need your help with NAT statements. What is the mistake in the below configuration approach?
int fa0/0
 ip nat enable
int fa 1/0
 ip nat outside
ip nat source static 10.1.1.0 69.32.1.0 vrf B
ip nat source static 10.1.1.0 218.248.100.0 vrf A
Regards, Sairam
12-19-2019 08:34 AM
Hello
Is this a production setup or is it for lab testing? Also, are the interfaces between RTR A-B and the NAT rtr in their own subnet, with the overlapping subnet residing on the LAN-facing interfaces of each spoke rtr?
12-19-2019 09:47 AM
Thanks, Paul - Though I am trying this in the lab, I am going to replicate this configuration in production.
The updated diagram is attached again.
The objective is that the host in RTR-A needs to talk to the host in RTR-B. But they are in the same subnet 10.1.1.0/24. I have to solve this problem by using NAT. How do I achieve this?
Note: I am able to successfully configure the NAT and Inter-VRF routing if the LAN subnets behind RTR-A and RTR-B are in different segments. I am struggling to achieve this configuration if the subnet is overlapping. Thanks
12-20-2019 06:08 AM - edited 12-20-2019 06:10 AM
Hello
@snarayanaraju wrote:
Thanks, Paul - Though I am trying this in the lab, I am going to replicate this configuration in production.
The updated diagram is attached again.
The objective is that the host in RTR-A needs to talk to the host in RTR-B. But they are in the same subnet 10.1.1.0/24. I have to solve this problem by using NAT. How do I achieve this?
Note: I am able to successfully configure the NAT and Inter-VRF routing if the LAN subnets behind RTR-A and RTR-B are in different segments. I am struggling to achieve this configuration if the subnet is overlapping. Thanks
Have you considered natting on both spoke routers instead of the hub rtr, using specific inside global addressing for each spoke? This should provide the connectivity between the overlapping subnets without using vrf.
Example:
RTR-NAT
! facing rtr A
ip route 172.16.10.0 255.255.255.0 interface xxx
! facing rtr B
ip route 172.16.20.0 255.255.255.0 interface xxx
RTR-A
access-list 1 permit 10.1.1.0 0.0.0.255
! facing rtr NAT
ip route 172.16.10.0 255.255.255.0 interface xxx
! default route, facing rtr NAT
ip route 0.0.0.0 0.0.0.0 interface x 192.168.1.1
! match-host keeps the host number the same after translation
ip nat pool A 172.16.10.1 172.16.10.254 prefix-length 24 type match-host
ip nat inside source list 1 pool A
RTR-B
access-list 1 permit 10.1.1.0 0.0.0.255
! facing rtr NAT
ip route 172.16.20.0 255.255.255.0 interface xxx
! default route, facing rtr NAT
ip route 0.0.0.0 0.0.0.0 interface x 192.168.1.5
ip nat pool B 172.16.20.1 172.16.20.254 prefix-length 24 type match-host
ip nat inside source list 1 pool B
12-22-2019 09:35 PM
Thank you very much for your time sharing valuable details.
I cannot do the NAT at the Spoke because the Spoke device doesn't allow NAT configuration. So we have to do the NAT in the Hub only.
12-23-2019 08:33 AM
Hello @snarayanaraju, @paul driver,
Look for this book: Cisco Press MPLS L3 VPN volume II
http://www.ciscopress.com/store/mpls-and-vpn-architectures-volume-ii-9781587051128
It explains how to perform NAT on the hub PE.
Hope to help
Giuseppe
12-24-2019 07:48 AM - edited 12-24-2019 02:49 PM
Hello
@snarayanaraju wrote:
Thank you very much for your time sharing valuable details.
I cannot do the NAT at the Spoke because the Spoke device doesn't allow NAT configuration. So we have to do the NAT in the Hub only.
I had to lab this one up and it does seem to work dynamically (even without a vrf, but shown for completeness). The connections will be stateless with no initiation from the outside nat domain applicable unless initiation is first performed from the inside nat domain.
Example:
ip vrf A
ip route vrf A 10.1.1.0 255.255.255.0 192.168.1.2
ip route vrf A 172.16.6.0 255.255.255.0 192.168.1.2
ip route vrf A 172.16.8.0 255.255.255.0 192.168.1.6
ip nat pool A 172.16.6.1 172.16.6.254 prefix-length 24 type match-host
ip nat pool B 172.16.8.1 172.16.8.254 prefix-length 24 type match-host
ip nat inside source list 1 pool A vrf A match-in-vrf
ip nat outside source list 2 pool B vrf A add-route
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 2 permit 10.1.1.0 0.0.0.255
interface x/x
 ip vrf forwarding A
 ip address 192.168.1.1 255.255.255.252
 ip nat inside
interface x/x
 ip vrf forwarding A
 ip address 192.168.1.5 255.255.255.252
 ip nat outside
Host (inside) 10.1.1.4 <nat> 172.16.6.4 <---> 172.16.8.5 <nat> 10.1.1.5 Host (outside)
sh ip nat translations vrf A
Pro  Inside global   Inside local   Outside local   Outside global
---  ---             ---            172.16.8.5      10.1.1.5
icmp 172.16.6.4:21   10.1.1.4:21    172.16.8.5:21   10.1.1.5:21
icmp 172.16.6.4:28   10.1.1.4:28    172.16.8.5:28   10.1.1.5:28
---  172.16.6.4      10.1.1.4       ---             ---
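A check that can be run against the translation table in the post above, as an added example that is not part of the original thread: it parses the `sh ip nat translations vrf A` rows and confirms that each translated address sits in the expected pool and keeps the host number of the real 10.1.1.0/24 address, which is what `type match-host` is configured to do. The function names are hypothetical and the sample rows are copied from the post.

```python
import ipaddress

# Sample input: the rows shown in the post above (header line included).
SAMPLE = """\
Pro Inside global Inside local Outside local Outside global
--- --- --- 172.16.8.5 10.1.1.5
icmp 172.16.6.4:21 10.1.1.4:21 172.16.8.5:21 10.1.1.5:21
icmp 172.16.6.4:28 10.1.1.4:28 172.16.8.5:28 10.1.1.5:28
--- 172.16.6.4 10.1.1.4 --- ---
"""

REAL = ipaddress.ip_network("10.1.1.0/24")      # overlapping LAN on both sides
POOL_A = ipaddress.ip_network("172.16.6.0/24")  # pool A: inside global addresses
POOL_B = ipaddress.ip_network("172.16.8.0/24")  # pool B: outside local addresses

def host_bits(addr, net):
    """Host number of addr (port stripped) within net, or None if outside net."""
    ip = ipaddress.ip_address(addr.split(":")[0])
    return int(ip) & int(net.hostmask) if ip in net else None

def parse(text):
    """Yield (proto, inside_global, inside_local, outside_local, outside_global)."""
    for line in text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) == 5:
            yield tuple(fields)

def check_pair(translated, real, pool):
    """Valid if both columns are empty, or the pool address keeps the host number."""
    if translated == "---" and real == "---":
        return True
    if "---" in (translated, real):
        return False
    t, r = host_bits(translated, pool), host_bits(real, REAL)
    return t is not None and t == r

def audit(text):
    """Return the rows whose translation does not match the configured pools."""
    bad = []
    for row in parse(text):
        _, ig, il, ol, og = row
        if not (check_pair(ig, il, POOL_A) and check_pair(ol, og, POOL_B)):
            bad.append(row)
    return bad

if __name__ == "__main__":
    print("unexpected rows:", audit(SAMPLE))
```
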