NAT overload multiple outside IPs to various VRF's

mtbtrailcarver
Level 1

tl;dr: I have a 2911 with a single outside interface and its own external IP address on it. I have 3 VRFs on this router, each VRF has an ASA then a L3 switch. I have a /28 from my ISP. How can I NAT each VRF to its own separate external IP?

My boss might be asking the impossible but there must be a way to pull this off. I've taught myself quite a bit these last couple of days but I've hit a snag. I have a lot of experience with ASAs and switches but not as much with routers.

We have a production, development, and testing environment that all have their own firewall on our edge. Behind them is a L3 switch that handles all the internal routing/switching. All three have the exact same VLAN and IP scheme.

Our new internet content filtering service needs GREs built to their cloud. What the higher-ups are thinking is that we should be able to put a router on the edge and tuck all three environments behind the same router.

What I've mocked up so far is a 2911 with a VRF for each environment and one more so they can share the connection out to the internet. I've got BGP working between them (that's how I got them the route out) and I can NAT overload the outside interface and get hosts from inside the VRFs out onto the internet using the IP of the outside interface.

My immediate problem is how can I NAT overload each VRF to its own external IP? I have a /28 from the ISP to play with. I can't just translate an external IP to a firewall's outside IP and then run PAT at the firewall either, because when I start building and trying to pump traffic through the GREs the traffic needs to have its original IP address.

I've been browsing the forum for three days now. I don't necessarily need someone to detail for me how to do this (though you're more than welcome to!). I at least need some guidance on what concept(s) to research to get me going.

Thanks!

Kyle

2 Replies

Hello,

I am thinking, subinterfaces on the outside interface and vrf forwarding...

Can you post the config of your router? I want to lab this in GNS3...

Sure! Couple updates though...

I kept pounding at it this weekend and think I have a working model. Right now there's just one ASA being NAT'ed out and only one set of GREs built (the one for the same environment). I don't know if what I have is the best way to do this. Also not entirely sure this won't all collapse once I start putting the other two environments on their VRFs. I did manage to figure out how to get the VRFs out onto the internet without the use of the SHARED VRF and without BGP.

I wouldn't mind suggestions on how subinterfaces on the outside interface would look. I'm attaching a quick sketch of what I think this will all look like when it's live, and I'll have a new challenge that it might solve. We have two /28s at our HQ. When this is all done our Production environment and our WiFi environment will need to NAT to a pair of IPs in one /28 and our development and test environments will NAT to a pair in the other.

Sorry if this is info overload. Attached is the current running config of the 2911 and the sketch. I know there are some things I need to clean up since I'm not using BGP, and I still need to start EIGRP on the VRFs so I can ditch the static routes, but this is where I am.

Thanks!
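The following is an added illustration of the per-VRF NAT overload that the original question asks about and that the later post reports getting to work with static routes instead of BGP; it is a constructed example and not the poster's attached running config. VRF names (PROD, DEV, TEST), interface numbering, the 10.0.0.0/24 inside links and the 203.0.113.0/28 public block (an RFC 5737 documentation prefix standing in for the ISP /28) are all assumptions. The shape it shows is one IOS NAT rule per VRF, each with its own single-address pool, with the outside interface left in the global table and a per-VRF default route pointing into it:

```cisco
! Three environments, identical inside addressing, one shared ISP uplink.
ip vrf PROD
 rd 65000:1
ip vrf DEV
 rd 65000:2
ip vrf TEST
 rd 65000:3
!
! The outside interface stays in the global routing table and is the
! only ip nat outside interface; 203.0.113.2 is the router's own address.
interface GigabitEthernet0/0
 description ISP uplink (203.0.113.0/28 assumed)
 ip address 203.0.113.2 255.255.255.240
 ip nat outside
 no ip proxy-arp
!
! One inside subinterface per environment (physical ports work the same way).
! All three deliberately reuse 10.0.0.0/24 toward their ASA; the VRF keeps them apart.
interface GigabitEthernet0/1.100
 description to PROD ASA outside
 encapsulation dot1Q 100
 ip vrf forwarding PROD
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1.200
 description to DEV ASA outside
 encapsulation dot1Q 200
 ip vrf forwarding DEV
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1.300
 description to TEST ASA outside
 encapsulation dot1Q 300
 ip vrf forwarding TEST
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! Translation scope per VRF: keep these ACLs tight so only the ranges that
! should reach the internet (and the filtering service's GRE) are translated.
ip access-list standard PROD-INSIDE
 permit 10.0.0.0 0.255.255.255
ip access-list standard DEV-INSIDE
 permit 10.0.0.0 0.255.255.255
ip access-list standard TEST-INSIDE
 permit 10.0.0.0 0.255.255.255
!
! One public address per environment out of the /28 (widen the range for a pair).
ip nat pool PROD-PUBLIC 203.0.113.3 203.0.113.3 netmask 255.255.255.240
ip nat pool DEV-PUBLIC  203.0.113.4 203.0.113.4 netmask 255.255.255.240
ip nat pool TEST-PUBLIC 203.0.113.5 203.0.113.5 netmask 255.255.255.240
!
! The vrf keyword binds each overload rule to its VRF, so the three identical
! 10.0.0.0/24 sources never collide in the translation table.
ip nat inside source list PROD-INSIDE pool PROD-PUBLIC vrf PROD overload
ip nat inside source list DEV-INSIDE  pool DEV-PUBLIC  vrf DEV  overload
ip nat inside source list TEST-INSIDE pool TEST-PUBLIC vrf TEST overload
!
! Each VRF's default route exits via the ISP gateway in the global table;
! replies are matched against the VRF-aware translation entry on the way back.
ip route vrf PROD 0.0.0.0 0.0.0.0 203.0.113.1 global
ip route vrf DEV  0.0.0.0 0.0.0.0 203.0.113.1 global
ip route vrf TEST 0.0.0.0 0.0.0.0 203.0.113.1 global
!
! Verification per environment:
!   show ip nat translations vrf PROD
!   show ip route vrf DEV
```

Two points worth checking when labbing this: confirm that each environment's translations show up only under its own VRF in `show ip nat translations vrf <name>`, which is what proves the identical inside ranges are not being merged, and keep the per-VRF ACLs limited to the environment's real inside ranges so a misrouted prefix cannot be translated out of the wrong public address.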
