6379 Views, 0 Helpful, 4 Replies

NAT over VRF problem

WillD2013 (Level 1)

Good day, and thanks in advance for reading this note.

I'm about to pull my hair out trying to figure out this problem on an ISR G2 1941. I'm running a VRF that uses NAT to access the WAN/Public network. I'm not able to access the WAN/Public network through NAT from the local LAN in the VRF.

Setup -

(Public Interface) 192.168.33.28 (Gateway 192.168.33.1) Interface G0/0 on ISR G2
        |
(ISR G2 Gateway) 172.25.0.1 (VRF T172) Interface G0/1.172
        |
(Local LAN) 172.25.0.0/24 (VRF T172) - Host 172.25.0.3

Problem -

I can ping the ISR and the WAN interface from the host (172.25.0.2); however, I am not able to NAT through the WAN interface. The ISR gateway can ping the host on the LAN and gets translated to the external public network.

Relevant Config -

ip vrf T172
 rd 172:1
ip cef
interface GigabitEthernet0/0
 description PublicWAN
 ip address dhcp
 ip vrf forwarding T172
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface GigabitEthernet0/1
 description TrunkTOLANSwitch
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex full
 speed 1000
interface GigabitEthernet0/1.172
 description T172 Lab Interface
 encapsulation dot1Q 172
 ip vrf forwarding T172
 ip address 172.25.0.1 255.255.255.0
 no ip unreachables
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
ip nat inside source list T172LAN interface GigabitEthernet0/0 vrf T172 match-in-vrf overload
ip access-list extended T172LAN
 permit ip 172.25.0.0 0.0.0.255 any

Troubleshooting -

From the ISR G2:

ISRG2#ping vrf T172 8.8.8.8 source 172.25.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.25.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/116/192 ms

ISRG2#ping vrf T172 172.25.0.2 source 172.25.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.25.0.2, timeout is 2 seconds:
Packet sent with a source address of 172.25.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ISRG2#show ip route vrf T172
Routing Table: T172
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.33.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.33.1
      8.0.0.0/32 is subnetted, 1 subnets
S        8.8.8.8 is directly connected, GigabitEthernet0/0
      172.25.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.25.0.0/24 is directly connected, GigabitEthernet0/1.172
L        172.25.0.1/32 is directly connected, GigabitEthernet0/1.172
      192.168.33.0/32 is subnetted, 2 subnets
C        192.168.33.1 is directly connected, GigabitEthernet0/0
C        192.168.33.28 is directly connected, GigabitEthernet0/0

ISRG2#show ip nat translations vrf T172
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.33.28:228 172.25.0.1:228     192.168.33.1:228   192.168.33.1:228
icmp 192.168.33.28:229 172.25.0.1:229     192.168.33.28:229  192.168.33.28:229
icmp 192.168.33.28:230 172.25.0.1:230     8.8.8.8:230        8.8.8.8:230
icmp 192.168.33.28:231 172.25.0.1:231     198.80.55.1:231    198.80.55.1:231
icmp 192.168.33.28:27432 172.25.0.2:27432 8.8.8.8:27432      8.8.8.8:27432


Thanks in advance for your response!
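The two things a reader would want to verify about a setup like the one posted above are (a) that the NAT statement and the inside/outside interfaces agree on the VRF, including the match-in-vrf keyword that the same-VRF case needs, and (b) that the LAN host's flows actually appear in the translation table with the WAN address as inside global, which is what a working NAT looks like before blaming the platform. The following Python script is an added example, not part of the original thread and not Cisco tooling; it runs over constructed text copied from the post (a trimmed config and a trimmed translation table), and the function names, the regular expression and the sample data are all assumptions of this example.

```python
"""Offline sanity checks for a NAT-over-VRF configuration (added example).

Check 1 (config lint): every interface carrying 'ip nat inside'/'ip nat outside'
must be in the VRF named by 'ip nat inside source ... vrf <name>', and when the
inside and outside interfaces share that VRF the rule needs 'match-in-vrf'.
Check 2 (translation check): given 'show ip nat translations' text, list the LAN
hosts whose flows were translated to the WAN address.
"""
import ipaddress
import re

# Constructed sample: trimmed copy of the configuration in the post above.
SAMPLE_CONFIG = """\
ip vrf T172
 rd 172:1
interface GigabitEthernet0/0
 ip address dhcp
 ip vrf forwarding T172
 ip nat outside
interface GigabitEthernet0/1.172
 encapsulation dot1Q 172
 ip vrf forwarding T172
 ip address 172.25.0.1 255.255.255.0
 ip nat inside
ip nat inside source list T172LAN interface GigabitEthernet0/0 vrf T172 match-in-vrf overload
"""

# Constructed sample: two rows of the translation table from the post above.
SAMPLE_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.33.28:230 172.25.0.1:230     8.8.8.8:230        8.8.8.8:230
icmp 192.168.33.28:27432 172.25.0.2:27432 8.8.8.8:27432      8.8.8.8:27432
"""

NAT_RULE = re.compile(
    r"^ip nat inside source list (\S+) interface (\S+)(?: vrf (\S+))?(?P<rest>.*)$"
)


def parse_interfaces(config):
    """Return {interface: {'vrf': name-or-None, 'nat': 'inside'/'outside'/None}}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {"vrf": None, "nat": None}
        elif current and line.startswith(" "):          # interface sub-command
            words = line.split()
            if words[:3] == ["ip", "vrf", "forwarding"]:
                interfaces[current]["vrf"] = words[3]
            elif words[:2] == ["ip", "nat"] and words[2] in ("inside", "outside"):
                interfaces[current]["nat"] = words[2]
        else:                                             # back at global config
            current = None
    return interfaces


def lint_nat_vrf(config):
    """Return a list of human-readable findings; an empty list means no VRF mismatch."""
    findings = []
    interfaces = parse_interfaces(config)
    nat_ifaces = {n: d for n, d in interfaces.items() if d["nat"]}
    for line in config.splitlines():
        m = NAT_RULE.match(line)
        if not m:
            continue
        out_if, rule_vrf = m.group(2), m.group(3)
        match_in_vrf = "match-in-vrf" in m.group("rest").split()
        if out_if not in interfaces:
            findings.append(f"NAT rule references {out_if}, which is not configured")
            continue
        if interfaces[out_if]["nat"] != "outside":
            findings.append(f"{out_if} is the rule's outside interface but lacks 'ip nat outside'")
        for name, d in nat_ifaces.items():
            if d["vrf"] != rule_vrf:
                findings.append(f"{name} ('ip nat {d['nat']}') is in VRF {d['vrf']}, rule is for VRF {rule_vrf}")
        inside_vrfs = {d["vrf"] for d in nat_ifaces.values() if d["nat"] == "inside"}
        outside_vrf = interfaces[out_if]["vrf"]
        if outside_vrf is not None and outside_vrf in inside_vrfs and not match_in_vrf:
            findings.append(f"inside and outside share VRF {outside_vrf}: add 'match-in-vrf' to the rule")
    return findings


def parse_translations(text):
    """Parse 'show ip nat translations' rows into dicts of bare addresses (ports dropped)."""
    rows = []
    for line in text.splitlines()[1:]:                    # skip the column header
        parts = line.split()
        if len(parts) != 5:
            continue
        proto, ig, il, ol, og = parts
        strip = lambda a: a.rsplit(":", 1)[0]
        rows.append({"proto": proto, "inside_global": strip(ig), "inside_local": strip(il),
                     "outside_local": strip(ol), "outside_global": strip(og)})
    return rows


def hosts_translated(text, lan_cidr, wan_ip):
    """Sorted LAN hosts that have at least one translation to wan_ip."""
    lan = ipaddress.ip_network(lan_cidr)
    return sorted({r["inside_local"] for r in parse_translations(text)
                   if ipaddress.ip_address(r["inside_local"]) in lan
                   and r["inside_global"] == wan_ip})


if __name__ == "__main__":
    print("config findings:", lint_nat_vrf(SAMPLE_CONFIG) or "none")
    print("translated LAN hosts:", hosts_translated(SAMPLE_TRANSLATIONS, "172.25.0.0/24", "192.168.33.28"))
```

On the posted configuration the lint returns no findings and the translation check lists both 172.25.0.1 and 172.25.0.2, which is the same conclusion the thread reaches ("configuration seems OK", "packets were being translated properly"): when both checks pass and traffic still does not flow, the next place to look is return-path filtering on the outside interface or platform behaviour, not the NAT statement. Dropping match-in-vrf from the sample rule, as one reply suggests, is exactly the case the lint flags, since both NAT interfaces sit in VRF T172.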

1 Accepted Solution

Hello Will,

Configuration seems OK, but can you provide the entire config in case there is something wrong, let's say an ACL which denies return traffic?

Can you try #debug ip nat translat during a ping from the LAN host to see if IP addresses are translated?

Best Regards
Please rate all helpful posts and close solved questions

4 Replies

Vitaliy Zinatov (Level 7)

Could you show the routing table and network settings that are used on the 172.25.0.3 host?

Did you try this variant of the command without the match-in-vrf parameter?

ip nat inside source list T172LAN interface GigabitEthernet0/0 vrf T172 overload

----------------------------------------------------------- Please rate and mark the messages that were helpful to you. Please rate helpful answers.

Thanks Vitaliy for your response. I truly appreciate it.

I have tried changing the NAT config to your suggestion...

ip nat inside source list T172LAN interface GigabitEthernet0/0 vrf T172 overload

However, I'm still having the same problem. The host is just a regular Windows client with a default route to 172.25.0.1.


Thanks Blau for the tip... I think I found a bug. I monitored the output of debug ip nat translat and noticed that the packets were being translated properly. I then decided to add an ACL to the external interface to see if the traffic was being passed. Incredibly, it started working... I had full connectivity from the LAN host to the external network. I removed the ACL and it stopped. After some testing I found out that if I removed the "log" statement from the outbound ACL it didn't work. Weird.

In conclusion, I added an ACL "permit ip any any log" outbound on the WAN interface. Works. ACL with "permit ip any any": doesn't work. This workaround will be OK for me.

Thanks for all of your suggestions. I'm off to buy a lotto ticket now!