06-07-2017 02:44 PM - edited 03-05-2019 08:40 AM
Hello,
I have been trying to get this to work for a few days now, and I have read all that I can on this, but for the life of me I cannot seem to get it to work. I am trying to do port-level NAT from the internet, as if a server were to be contacted on a customer LAN in the VRF. I am using VRF-Lite.
I am successful in surfing the internet.
In my lab scenario I only have one public IP via DHCP, and this forces me to use the same NAT pool for both VRFs, as you can see in the config.
I also used ip nat enable (NVI NAT), and it still did not work.
I have tried many ip nat inside source variants, such as:
ip nat inside source static tcp 192.168.222.1 3389 67.xxx.xxx.46 3389 vrf GREEN extendable
What I am thinking is that when the connection is initiated from the outside, which is the global routing table, it has no idea how to get to the VRF that I am NATting to. I don't have much experience with this, so I am hoping someone will help me correct this config.
Thank you
Joseph
06-07-2017 04:46 PM
Hi,
In your config, your nat is:
ip nat inside source static tcp 192.168.222.0 3389 67.xxx.xxx.46 3389 vrf GREEN extendable
I don't know if you modified the LAN IP of your server or if you really have this config, but you need to set the right server IP, 192.168.222.x, and not the network address.
Can you also share the output of:
sh ip nat trans vrf GREEN
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
06-07-2017 05:16 PM
Hello Francesco
Thanks for seeing that error. I did some modifications and corrected that, and it still does not work.
I changed the port to 80 instead of 3389; anyhow, it is a default IIS page on a PC in this VRF.
See updated NAT below.
ip nat pool GLOBALVRF 67.191.48.46 67.191.48.46 netmask 255.255.254.0
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list BLUE pool GLOBALVRF vrf BLUE overload
ip nat inside source list GREEN pool GLOBALVRF vrf GREEN overload
ip nat inside source static tcp 192.168.222.1 80 67.191.48.46 80 vrf GREEN extendable
ip route vrf BLUE 0.0.0.0 0.0.0.0 67.191.48.1 global
ip route vrf GREEN 0.0.0.0 0.0.0.0 67.191.48.1 global
VRF3825#sh ip nat trans vrf GREEN
Pro Inside global Inside local Outside local Outside global
tcp 67.191.48.46:80 192.168.222.1:80 --- ---
udp 67.191.48.46:1030 192.168.222.1:53463 157.56.149.60:3544 157.56.149.60:3544
tcp 67.191.48.46:57719 192.168.222.1:57719 52.20.62.78:443 52.20.62.78:443
tcp 67.191.48.46:57725 192.168.222.1:57725 40.77.224.255:443 40.77.224.255:443
tcp 67.191.48.46:57742 192.168.222.1:57742 65.52.108.182:443 65.52.108.182:443
tcp 67.191.48.46:57789 192.168.222.1:57789 107.20.222.60:443 107.20.222.60:443
tcp 67.191.48.46:57830 192.168.222.1:57830 93.184.216.172:443 93.184.216.172:443
tcp 67.191.48.46:57841 192.168.222.1:57841 52.20.62.78:443 52.20.62.78:443
tcp 67.191.48.46:57842 192.168.222.1:57842 52.204.171.214:443 52.204.171.214:443
tcp 67.191.48.46:57843 192.168.222.1:57843 38.99.166.209:443 38.99.166.209:443
tcp 67.191.48.46:57849 192.168.222.1:57849 192.243.250.68:443 192.243.250.68:443
tcp 67.191.48.46:57850 192.168.222.1:57850 104.16.120.49:443 104.16.120.49:443
tcp 67.191.48.46:57851 192.168.222.1:57851 104.16.120.49:443 104.16.120.49:443
tcp 67.191.48.46:57860 192.168.222.1:57860 162.247.242.18:443 162.247.242.18:443
tcp 67.191.48.46:57861 192.168.222.1:57861 104.16.120.49:443 104.16.120.49:443
tcp 67.191.48.46:57862 192.168.222.1:57862 104.16.120.49:443 104.16.120.49:443
tcp 67.191.48.46:57863 192.168.222.1:57863 104.16.120.49:443 104.16.120.49:443
tcp 67.191.48.46:57865 192.168.222.1:57865 104.16.120.49:443 104.16.120.49:443
tcp 67.191.48.46:57869 192.168.222.1:57869 172.217.8.110:443 172.217.8.110:443
tcp 67.191.48.46:57870 192.168.222.1:57870 54.85.40.222:443 54.85.40.222:443
tcp 67.191.48.46:57873 192.168.222.1:57873 104.16.2.9:443 104.16.2.9:443
tcp 67.191.48.46:57876 192.168.222.1:57876 52.3.45.52:443 52.3.45.52:443
tcp 67.191.48.46:57877 192.168.222.1:57877 52.3.45.52:443 52.3.45.52:443
tcp 67.191.48.46:57878 192.168.222.1:57878 52.3.45.52:443 52.3.45.52:443
tcp 67.191.48.46:57879 192.168.222.1:57879 52.3.45.52:443 52.3.45.52:443
tcp 67.191.48.46:57880 192.168.222.1:57880 52.3.45.52:443 52.3.45.52:443
tcp 67.191.48.46:57884 192.168.222.1:57884 23.23.225.186:443 23.23.225.186:443
tcp 67.191.48.46:57886 192.168.222.1:57886 52.3.97.114:443 52.3.97.114:443
tcp 67.191.48.46:57888 192.168.222.1:57888 54.221.192.53:443 54.221.192.53:443
tcp 67.191.48.46:57893 192.168.222.1:57893 52.20.62.78:443 52.20.62.78:443
tcp 67.191.48.46:57895 192.168.222.1:57895 34.199.167.1:443 34.199.167.1:443
tcp 67.191.48.46:57896 192.168.222.1:57896 72.163.10.10:443 72.163.10.10:443
tcp 67.191.48.46:57897 192.168.222.1:57897 52.1.172.82:443 52.1.172.82:443
tcp 67.191.48.46:57898 192.168.222.1:57898 52.20.62.78:443 52.20.62.78:443
tcp 67.191.48.46:57899 192.168.222.1:57899 52.1.172.82:443 52.1.172.82:443
udp 67.191.48.46:60781 192.168.222.1:60781 172.217.8.110:443 172.217.8.110:443
udp 67.191.48.46:62203 192.168.222.1:62203 8.8.8.8:53 8.8.8.8:53
udp 67.191.48.46:65083 192.168.222.1:65083 8.8.8.8:53 8.8.8.8:5
Also, how do you make the text for the code look like yours?
Thank you
Joseph
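The translation table above is the place to check which inside hosts are actually exposed: rows whose outside addresses are `---` are static mappings, reachable from the internet without a prior outbound connection, while the rest are dynamic PAT entries that exist only because the inside host opened them. As an added example that is not part of this thread, the following Python script parses `show ip nat translations` output and lists the static port forwards. The sample table is constructed from lines in the post plus an assumed 3389 forward, and the list of service ports a reviewer would not normally want reachable through a bare port forward is an assumption, not something from the post.

```python
import re

# Constructed sample: the 80/tcp static entry and a few dynamic entries are
# taken from the post above; the 3389/tcp entry is assumed for illustration.
SAMPLE = """\
Pro Inside global      Inside local        Outside local      Outside global
tcp 67.191.48.46:80    192.168.222.1:80    ---                ---
tcp 67.191.48.46:3389  192.168.222.1:3389  ---                ---
udp 67.191.48.46:1030  192.168.222.1:53463 157.56.149.60:3544 157.56.149.60:3544
tcp 67.191.48.46:57719 192.168.222.1:57719 52.20.62.78:443    52.20.62.78:443
udp 67.191.48.46:62203 192.168.222.1:62203 8.8.8.8:53         8.8.8.8:53
"""

# Assumed list of services that should not be exposed by a plain port forward.
RISKY_PORTS = {23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc"}

ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def split_endpoint(token):
    """'a.b.c.d:port' -> (ip, port); the IOS placeholder '---' -> None."""
    if token == "---":
        return None
    m = ENDPOINT.match(token)
    if not m:
        raise ValueError(f"unexpected endpoint {token!r}")
    return m.group(1), int(m.group(2))


def parse_translations(text):
    """Parse 'show ip nat translations' lines into dicts of endpoints."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the header, blank lines and anything not a tcp/udp/icmp row.
        if len(parts) != 5 or parts[0] not in ("tcp", "udp", "icmp"):
            continue
        proto, ig, il, ol, og = parts
        entries.append({
            "proto": proto,
            "inside_global": split_endpoint(ig),
            "inside_local": split_endpoint(il),
            "outside_local": split_endpoint(ol),
            "outside_global": split_endpoint(og),
        })
    return entries


def static_exposures(entries):
    """Rows with no outside address are static mappings: any internet host
    can reach the inside local endpoint without a prior outbound flow."""
    return [e for e in entries if e["outside_global"] is None]


def audit(text):
    """Return one finding per static forward, tagged with the assumed
    service name when the public port is on the risky list."""
    findings = []
    for e in static_exposures(parse_translations(text)):
        pub_ip, pub_port = e["inside_global"]
        loc_ip, loc_port = e["inside_local"]
        findings.append({
            "proto": e["proto"],
            "public": f"{pub_ip}:{pub_port}",
            "target": f"{loc_ip}:{loc_port}",
            "risky": RISKY_PORTS.get(pub_port),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        flag = f" [{f['risky']} exposed]" if f["risky"] else ""
        print(f"{f['proto']} {f['public']} -> {f['target']}{flag}")
```

Run against real output (`show ip nat translations vrf GREEN` pasted into a file) rather than the constructed sample; dynamic PAT rows come and go, but the static rows are the ones that persist and deserve a firewall rule or an ACL on the outside interface rather than an unrestricted forward.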
06-07-2017 06:36 PM
I reviewed your config and don't know if it's complete or if you have hidden something.
Can you configure these commands please and let me know?
access-list 100 permit ip any 192.168.222.0 0.0.0.255
!
route-map PBR permit 10
match ip address 100
set vrf GREEN
!
interface g0/0
ip policy route-map PBR
The code shows that way when I copy and paste from my text editor.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
06-07-2017 06:52 PM
Hi
I am not hiding anything I just showed the ip nat section.
I didn't apply your code and it works. However I am very interested in applying your code. I was looking for something like that.
Let me try tomorrow
Thank you Francesco
Joseph
06-07-2017 06:58 PM
OK then, as I said in my first post, the config was OK except for the NAT you corrected.
The route-map is used for route leaking between global and vrf.
It won't impact your config.
Thanks
06-07-2017 05:22 PM
OK, fixed for now, let me poke around. Thanks. I have been at it too long, making mistakes and chasing my tail.