Solved: NAT not applying to VRF's

Glenn Matthys · ‎12-30-2012

I'm experimenting with VRF's, I'm trying to do NAT from one VRF to another, using a loopback interface.

I have one internet VRF (BLUE) and one "local" VRF (RED), and translation has to happen in the RED VRF. I've created a loopback interface which has the "special" IP address, 192.168.2.100. I'm trying to get all packets from Vlan1 with source 192.168.1.0/24 to be source translated to loopback0's IP, 192.168.2.100, so packets coming in on Vlan1 should leave out of fa0 with IP address 192.168.2.100. Right now, that's not happening... packets leave fa0 but with their original source address.

So I got the inter-VRF routing to work using BGP, but the NAT rule doesn't do anything... That's where I'm stuck. Here's my configuration:

!

! Last configuration change at 15:48:41 UTC Sun Dec 30 2012 by admin

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname r3

!

boot-start-marker

boot-end-marker

!

vrf definition BLUE

rd 65000:2

route-target export 65000:2

route-target import 65000:1

!

address-family ipv4

exit-address-family

!

vrf definition RED

rd 65000:1

route-target export 65000:1

route-target import 65000:2

!

address-family ipv4

exit-address-family

!

logging buffered 16384

!

no aaa new-model

!

crypto pki token default removal timeout 0

!

dot11 syslog

no ip source-route

!

ip cef

ip domain name ciscolab

no ipv6 cef

!

multilink bundle-name authenticated

!

license udi pid CISCO1811/K9 sn xxx

vtp mode transparent

username admin privilege 15 password 0 admin

!

ip ssh version 2

ip ssh pubkey-chain

username admin

key-hash ssh-rsa xxx

quit

!

bridge irb

!

interface Loopback0

vrf forwarding RED

ip address 192.168.2.100 255.255.255.255

ip nat outside

ip nat enable

ip virtual-reassembly in

!

interface FastEthernet0

vrf forwarding BLUE

ip address 192.168.0.5 255.255.255.0

ip virtual-reassembly in

duplex auto

speed auto

!

interface FastEthernet1

no ip address

ip virtual-reassembly in

shutdown

duplex auto

speed auto

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface FastEthernet4

no ip address

!

interface FastEthernet5

no ip address

!

interface FastEthernet6

no ip address

!

interface FastEthernet7

no ip address

!

interface FastEthernet8

no ip address

!

interface FastEthernet9

no ip address

!

interface Vlan1

vrf forwarding RED

ip address 192.168.1.254 255.255.255.0

ip nat inside

ip nat enable

ip virtual-reassembly in

!

router bgp 65000

bgp log-neighbor-changes

!

address-family ipv4 vrf BLUE

redistribute connected

exit-address-family

!

address-family ipv4 vrf RED

redistribute connected

exit-address-family

!

ip forward-protocol nd

no ip http server

no ip http secure-server

!

ip nat source list NAT interface Loopback0 vrf RED overload

!

ip access-list extended NAT

permit ip 192.168.1.0 0.0.0.255 any

!

dialer-list 1 protocol ip permit

!

route-map test permit 10

!

control-plane

!

line con 0

speed 115200

line 1

modem InOut

stopbits 1

speed 115200

flowcontrol hardware

line aux 0

line vty 0 4

login local

transport input all

!

end

Wouter Prins · ‎12-30-2012

Solved on IRC

View solution in original post

Wouter Prins · ‎12-30-2012

Solved on IRC

Glenn Matthys · ‎12-30-2012

With the help from above, looks like I messed up my NAT configuration but just not saw it. For completeness, the entire working configuration:

Current configuration : 2532 bytes

!

! Last configuration change at 21:48:59 UTC Sun Dec 30 2012 by admin

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname r3

!

boot-start-marker

boot-end-marker

!

vrf definition BLUE

rd 65000:2

route-target export 65000:2

route-target import 65000:1

!

address-family ipv4

exit-address-family

!

vrf definition RED

rd 65000:1

route-target export 65000:1

route-target import 65000:2

!

address-family ipv4

exit-address-family

!

logging buffered 16384

!

no aaa new-model

!

crypto pki token default removal timeout 0

!

dot11 syslog

no ip source-route

!

ip cef

ip domain name ciscolab

no ipv6 cef

!

multilink bundle-name authenticated

!

license udi pid CISCO1811/K9 sn xxxx

vtp mode transparent

username admin privilege 15 password 0 xxxx

!

ip ssh version 2

ip ssh pubkey-chain

username admin

key-hash ssh-rsa xxxx

quit

!

bridge irb

!

interface Loopback0

vrf forwarding RED

ip address 192.168.2.100 255.255.255.255

ip nat outside

ip virtual-reassembly in

!

interface FastEthernet0

vrf forwarding BLUE

ip address 192.168.0.5 255.255.255.0

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface FastEthernet1

no ip address

ip virtual-reassembly in

shutdown

duplex auto

speed auto

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface FastEthernet4

no ip address

!

interface FastEthernet5

no ip address

!

interface FastEthernet6

no ip address

!

interface FastEthernet7

no ip address

!

interface FastEthernet8

no ip address

!

interface FastEthernet9

no ip address

!

interface Vlan1

vrf forwarding RED

ip address 192.168.1.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface Async1

no ip address

encapsulation slip

!

router bgp 65000

bgp log-neighbor-changes

!

address-family ipv4 vrf BLUE

redistribute connected

exit-address-family

!

address-family ipv4 vrf RED

redistribute connected

exit-address-family

!

ip forward-protocol nd

no ip http server

no ip http secure-server

!

ip nat inside source list NAT interface Loopback0 vrf RED overload

!

ip access-list extended NAT

permit ip 192.168.1.0 0.0.0.255 any

!

dialer-list 1 protocol ip permit

!

route-map test permit 10

!

control-plane

!

line con 0

speed 115200

line 1

modem InOut

stopbits 1

speed 115200

flowcontrol hardware

line aux 0

line vty 0 4

login local

transport input all

!

end