Solved: Re: NAT overload VRF to Global

dampfhammer · ‎12-27-2021

On a C1101-4P two VRFs "ABC" and "DEF" and internet access on G0/0/0.

I'd like to NAT overload both VRFs (VLAN interfaces) to G0/0/0.

Here's the relevant config:

vlan 10
 name ABC
!
vlan 20
 name DEF

vrf definition ABC
 rd 10:10
 !
 address-family ipv4
  route-target export 10:10
  route-target import 10:10
 exit-address-family

vrf definition DEF
 rd 20:20
 !
 address-family ipv4
  route-target export 20:20
  route-target import 20:20
 exit-address-family

interface GigabitEthernet0/0/0
 description #W UPLINK-TO-INET
 ip address 1.2.3.1 255.255.255.248
 ip nat outside
 media-type rj45
 negotiation auto

interface Vlan10
 description #C ABC
 vrf forwarding ABC
 ip address 192.168.9.254 255.255.255.0
 ip nat inside
 standby version 2
 standby 10 ip 192.168.9.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 name ABC

interface Vlan20
 description #C DEF
 vrf forwarding DEF
 ip address 172.16.0.254 255.255.255.0
 ip nat inside
 standby version 2
 standby 20 ip 172.16.0.1
 standby 20 priority 90
 standby 20 preempt
 standby 20 name DEF

ip nat inside source list ABC interface GigabitEthernet0/0/0 vrf ABC overload
ip nat inside source list DEF interface GigabitEthernet0/0/0 vrf DEF overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 1.2.3.2 name #DEFAULT-TO-INET
ip route vrf ABC 0.0.0.0 0.0.0.0 1.2.3.2 global name #DEFAULT-TO-INET-VRF-ABC
ip route vrf DEF 0.0.0.0 0.0.0.0 1.2.3.2 global name #DEFAULT-TO-INET-VRF-DEF

For testing purposes I have a Loopback Lo0 with IP 50.50.50.50/32 in Global routing table. Also, HSRP is not in use (second device not active).

I'm able to reach the IP's 192.168.9.254 and 192.168.9.1 from my client. But never the IP 50.50.50.50 or the INET interface.

Software version is: 17.03.04a (also tried with 16.12.05)

Can someone guide me in the right direction?

paul driver · ‎12-28-2021

Hello
I wasnt aware you didnt have a valid "next hop", the assumption was that you had.
I am quite sure a NAT rtr cannot translate to itself hence the failure, once you created a valid reachable "nexthop" then translation became appllicable.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

paul driver · ‎12-27-2021

Hello

@dampfhammer wrote:
I'm able to reach the IP's 192.168.9.254 and 192.168.9.1 from my client. But never the IP 50.50.50.50 or the INET interface.

Hello
Is the global route table aware of the VRF route tables for the return traffic, Try using "domainless-nat" instead as its nat order of operation is different

int gig0/0
ip nat enable
no ip nat outside

int vlan x
ip nat enable
no ip nat inside

no ip nat inside source list ABC interface GigabitEthernet0/0/0 vrf ABC overload
no ip nat inside source list DEF interface GigabitEthernet0/0/0 vrf DEF overload

ip nat source list ABC interface GigabitEthernet0/0/0 vrf ABC overload
ip nat source list DEF interface GigabitEthernet0/0/0 vrf DEF overload

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

dampfhammer · ‎12-27-2021

hi Paul

I've made the changes (ip nat enable).

But the

ip nat source list ...

command is not available on the C1101-4P.

I've only the following options:

router(config)#ip nat ?
  create       Create flow entries
  inside       Inside address translation
  log          NAT Logging
  name         Rule name
  outside      Outside address translation
  pool         Define pool of addresses
  route        Establish NAT static routes
  service      Special translation for application using non-standard port
  settings     NAT general settings
  switchover   NAT datapath switchover
  translation  NAT translation entry configuration

After setting the command 'ip nat enable' on the interfaces, I where not able to connect to the router until I added a deny-statement to the ACL 'ABC' like this:

 ip access-list extended ABC
 10 deny ip 192.168.9.0 0.0.0.255 192.168.9.0 0.0.0.255
 20 permit ip 192.168.9.0 0.0.0.255 any

Also, I tried to add a static route in Global VRF to route back VRF traffic:

ip route 192.168.9.0 0.0.0.255 Vlan10

But that didn't help either.

paul driver · ‎12-28-2021

Hello
I am wondering if this is plaform specific because you are using svi interfaces (vlans), Would it be possible to use subinterfaces instead and test?

int x/x
description lan facing
no shut

int x/x.10
encapsulation dot1Q 10
ip vrf forwarding ABC
ip address 192.168.9.254 255.255.255.0
ip nat inside

int x/x.20
encapsulation dot1Q 20
ip vrf forwarding DEF
ip address 172.16.0 254 255.255.255.0
ip nat inside

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

dampfhammer · ‎12-28-2021

Very strange... probably just found the issue!

To test NAT functionality I had only one C1101-4P and tried to reach 50.50.50.50/32 on Lo0 in Global VRF from my client in VRF ABC.

This C1101-4P has it's default route in Global VRF to (1.2.3.2). This IP was NOT reachable (it's a lab...). That's why I created the Lo0.

I grabbed a second C1101-4P, connected the two WAN ports together and configured the IP 1.2.3.2/29 on the second C1101-4P. Now the first C1101-4P router can reach it's default gateway in VRF Global.

On the second C1101-4P I created an Lo0 with 50.50.50.50/32 and deleted the Lo0 on the first one.

Now I can reach the 50.50.50.50 from my client! Here's the NAT and ARP table:

router#show ip nat translations vrf ABC
Pro  Inside global         Inside local          Outside local         Outside global
icmp 1.2.3.1:39679  192.168.9.2:39679     50.50.50.50:39679     50.50.50.50:39679
Total number of translations: 1

router#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  1.2.3.2           7   c44d.8458.1400  ARPA   GigabitEthernet0/0/0
Internet  1.2.3.1          -   c44d.8458.0280  ARPA   GigabitEthernet0/0/0

Seems a strange behaviour when the default gateway is not reachable in combination with a local Loopback.

I really don't have an explanation for this. But the setup itself works so far.

Anyway - thank you for your help Paul.

paul driver · ‎12-28-2021

Hello
I wasnt aware you didnt have a valid "next hop", the assumption was that you had.
I am quite sure a NAT rtr cannot translate to itself hence the failure, once you created a valid reachable "nexthop" then translation became appllicable.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

dampfhammer · ‎12-28-2021

Sorry I didn't mention that... Thought the Loopback will do the trick for labing purposes.

Regards, Roland