NAT from VRF to transit router failing when traffic returns to different VRF on NAT router

Elliott Willink
Level 1

Hi All,

I'm having a battle with NAT between VRFs. Basically, we have VRFs that have customer prefixes only, plus a default route from a transit router in the global table. Customers NAT to everything that isn't in their VRF.

Everything works flawlessly, except if traffic needs to be NAT'ed between a VRF and a public IP in another VRF. Essentially what should happen if customer A wants to talk to the CPE of Customer B, is that it sends the packet out towards the transit router, NAT translates the packet to the external IP as per the NAT config (which works fine), the transit router then returns the packet back to the same router, which (I imagine?) should treat it like any other packet from a public IP.

What is actually happening though, is the packet gets NAT'ed as normal and sent to the transit router. The transit router then returns the packet back to the router as expected, but then it goes missing.... 

I'm thinking it has to be something to do with the router not liking a source-NAT translated packet returning on an "outside" interface, but I don't understand why (or how to fix it). I can't see anything fundamentally wrong with what I am trying to achieve here, aside from the obvious that it doesn't work :)

If I insert a route into the VRFs directly to the other VRF (so, in VRF A, I insert a static route to the CPE inside VRF B) it works fine (i.e. if the NAT-translated packet doesn't go out to transit and back in).

Any thoughts on how this can be made to work would be very much appreciated!


Simplified config as follows:

ip vrf ONE
rd 1:1
route-target both 1:1
import ipv4 unicast map DEFAULT-ROUTE-ONLY (This is just a 0.0.0.0/0 prefix)
!

ip vrf TWO
rd 2:2
route-target both 2:2
import ipv4 unicast map DEFAULT-ROUTE-ONLY (This is just a 0.0.0.0/0 prefix)
!

Int Te0/0/1.1
description CUSTOMER 1
ip vrf forwarding ONE
ip address 10.0.0.254
ip nat inside
!
Int Te0/0/1.2
description CUSTOMER 2
ip vrf forwarding TWO
ip address 192.168.0.254
ip nat inside
!
Int Te0/0/2
description TRANSIT
ip address 202.56.56.1
ip nat outside
!

access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 permit 192.168.0.0 0.0.0.255
ip nat pool NAT-VRF1 103.0.0.1 103.50.50.1 prefix-length 24
ip nat pool NAT-VRF2 103.0.0.2 103.50.50.2 prefix-length 24
ip nat inside source list 1 pool NAT-VRF1 vrf ONE overload
ip nat inside source list 2 pool NAT-VRF2 vrf ONE overload

Sh ip route vrf ONE
B 0.0.0.0/0 via 202.56.56.2
C 10.0.0.0/24 is directly connected, Int Ten0/0/1.1
B 103.50.50.3/32 via 10.255.0.61, (Route from CPE over VPN)

Sh ip route vrf TWO
B 0.0.0.0/0 via 202.56.56.2
C 192.168.0.0/24 is directly connected, Int Ten0/0/1.2
B 103.50.50.35/32 via 10.255.0.97, (Route from CPE over VPN)

As above, a ping from 10.0.0.123 inside VRF ONE to 103.50.50.35 (CPE via VPN inside VRF TWO):

What should happen:

Source 10.0.0.123 > 202.56.56.2 (Transit router) > 202.56.56.1 (Public IP of transit interface on VRF router) > 103.50.50.35 (CPE)

What actually happens:

Source 10.0.0.123 > 202.56.56.2 (Transit router) > nothing, presumably forwarded back to transit and then goes nowhere
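A small forwarding model of the topology in the post, added here as an example (it is not the poster's configuration or any Cisco code). It walks the ping through per-table longest-prefix lookups and source NAT, and shows why the packet handed back by the transit router can go nowhere: Te0/0/2 carries no "ip vrf forwarding", so the returned packet, whose destination matches no NAT translation, is looked up in the global table rather than in VRF TWO. The global table contents, the transit router's routes back to 202.56.56.1 and the "vrf:NAME" next-hop notation are assumptions of the model.

```python
import ipaddress

# Constructed model of the posted topology (added example, not the poster's config).
# Next hops are an interface, a neighbour IP, or "vrf:NAME" for a route leaked into another VRF.
# Te0/0/2 (ip nat outside) has no "ip vrf forwarding", so packets arriving on it are looked up
# in the global table; the global table contents and the transit router's routes are assumptions.
TABLES = {
    "ONE": [("0.0.0.0/0", "202.56.56.2"), ("10.0.0.0/24", "Te0/0/1.1"),
            ("103.50.50.3/32", "10.255.0.61")],
    "TWO": [("0.0.0.0/0", "202.56.56.2"), ("192.168.0.0/24", "Te0/0/1.2"),
            ("103.50.50.35/32", "10.255.0.97")],
    "global": [("0.0.0.0/0", "202.56.56.2"), ("202.56.56.0/30", "Te0/0/2")],
}
TRANSIT = "202.56.56.2"                      # reached through the ip nat outside interface
TRANSIT_ROUTES_BACK = ["103.50.50.0/24"]     # assumed: transit sends this block to 202.56.56.1
NAT_POOL = {"ONE": "103.0.0.1", "TWO": "103.0.0.2"}   # first address of each pool

def lookup(tables, table, dst):
    """Longest-prefix match in one routing table; None when nothing matches."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh in tables[table]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def trace(src_vrf, src, dst, extra_routes=()):
    """Walk one packet through the router. extra_routes adds (prefix, next_hop) entries to
    the source VRF, e.g. the poster's static route into the other VRF. Returns (outcome, hops)."""
    tables = {k: list(v) for k, v in TABLES.items()}
    tables[src_vrf] += list(extra_routes)
    table, hops = src_vrf, []
    for _ in range(3):                       # bounded: the failing case never terminates
        nh = lookup(tables, table, dst)
        if nh is None:
            return "dropped: no route", hops
        if nh.startswith("vrf:"):            # static route pointing into another VRF
            table = nh[4:]
            hops.append(f"leaked into VRF {table}")
            continue
        if nh != TRANSIT:
            return f"delivered via {nh} in {table}", hops
        # Leaving through Te0/0/2: inside->outside source NAT, then off to the transit router.
        src = NAT_POOL.get(table, src)
        hops.append(f"sent to transit with src {src}")
        if not any(ipaddress.ip_address(dst) in ipaddress.ip_network(p) for p in TRANSIT_ROUTES_BACK):
            return "forwarded by transit to the internet", hops
        # Back on the ip nat outside interface: dst is no translated address, so nothing is
        # un-NATed, and the next lookup is in the global table, not in the destination's VRF.
        table = "global"
        hops.append("returned by transit, looked up in global")
    return "lost: bounced between router and transit", hops
```

Calling trace("ONE", "10.0.0.123", "103.50.50.35") reproduces the failing ping, and adding the extra route ("103.50.50.35/32", "vrf:TWO") reproduces the working static-route case.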

2 Replies

Philip D'Ath
VIP Alumni

I don't know the answer.

Try making the NATs reversible.

ip nat inside source list 1 pool NAT-VRF1 vrf ONE overload reversible
ip nat inside source list 2 pool NAT-VRF2 vrf ONE overload reversible

Unfortunately it looks like IOS-XE on the ASR1K is missing this command completely!
