Solved: Re: NAT VRF to Global - Can not reach attached NAT outside Network, but anything beyond

Kai Onken · ‎02-17-2020

Hello everyone,

I have a very strange behavior on a router with NAT from a VRF process in the global process.

I have the structure and configuration of the router which is in the appendix.

Part:

There is a network A with the subnet 192.168.12.0 / 24 in VLAN 101, which is connected via access to the L2 switch on port GigabitEthernet 1/0/1
There is a second network B with sadly is the same subnet 192.168.12.0 / 24 in VLAN 102, which is connected via access on the L2 switch on port GigabitEthernet 1/0/2
From the L2 switch a 802.1q trunk is setup to the Router, which ends in two sub-interfaces GigabitEthernet 0/1.101 and GigabitEthernet 0/1.102.

Result:

A Client from Network A can use ICMP Echo to get a replay form his gateway 192.168.12.1 – successful
A Client from Network B can use ICMP Echo to get a replay form his gateway 192.168.12.1 – successful

Part:

The router has a sub-interface GigabitEthernet 0/0.2540 which has the IP-Address 10.0.100.4, which is Network C
Inside Network C, there is a firewall connected, which has on a sub-interface Gi0.2540 the IP-Address 10.0.100.1
And there is a QNAP NAS System in Network C with the IP-Address 10.0.100.5.

Result:

The router can use ICMP Echo to get a replay form the firewall 10.0.100.1 – successful
The router can use ICMP Echo to get a replay form the NAS 10.0.100.5 – successful
The Firewall can use ICMP Echo to get a replay form the router 10.0.100.4 – successful
The Firewall can use ICMP Echo to get a replay form the NAS 10.0.100.5 – successful
The NAS can use ICMP Echo to get a replay form the NAS 10.0.100.1 – successful
The NAS can use ICMP Echo to get a replay form the router 10.0.100.4 – successful

Part

To the firewall a Network D is connected, to which the firewall has an interface GigabitEthernet 1 with the IP Address 10.0.200.1
Inside Network D there is a Server setup with the IP-Address 10.0.200.10

Result:

The router can use ICMP Echo to get a replay form the server 10.0.200.10 – successful
The Firewall can use ICMP Echo to get a replay form the server 10.0.200.10 – successful
The NAS can use ICMP Echo to get a replay form the server 10.0.200.10 – successful

Until this point everything is fine. Now the fun part.

Part

I configured NAT from VRF A to Global (see the configuration)
I configured NAT from VRF B to Global (see the configuration)

Result:

A Client from Network A use ICMP Echo to get a replay form the server 10.0.200.10 – successful
A Client from Network B use ICMP Echo to get a replay form the server 10.0.200.10 – successful

Fun part

A Client from Network A try ICMP Echo to get a replay form the NAS 10.0.100.5 – not working
A Client from Network A try ICMP Echo to get a replay form the Router 10.0.100.4 – not working
A Client from Network A try ICMP Echo to get a replay form the firewall 10.0.100.1 – not working
A Client from Network B try ICMP Echo to get a replay form the NAS 10.0.100.5 – not working
A Client from Network B try ICMP Echo to get a replay form the Router 10.0.100.4 – not working
A Client from Network B try ICMP Echo to get a replay form the firewall 10.0.100.1 – not working

Now the question: Why the heck can I ping to Network D and not to Network C?

HINT: Attachement NAT Config.pdf has been replace, was a copy NAT Drawing.pdf

HINT: Attachement NAT Drawing.pdf has been replace, was a typo int the gateway

paul driver · ‎02-19-2020

Hello
Looking at your topology, It suggests you will have encapsulation failure on the network C.
Your pointing the vrf hosts default route to the firewall but that NAS isnt residing behind the firewall its on a shared subnet, so try a host route in each vrf as suggested or another way to establish connection would to be to have a L3 between RTRK9, NAS & FW to provide the routing for that network C, or you could relocate the NAS behind the FW an then it should work.

What is interconnecting those 3 devcies ( K9, NAS,FW) ?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

Dan Frey · ‎02-19-2020

VRF_A does not have a connected interface on the 10.0.100.0 network so right now it only knows how to get to the firewall via the default gateway.

Add Set next hop to NAS server.

ip route vrf VRF_A 10.0.100.5 255.255.255.255 10.0.100.5 global

View solution in original post

Francesco Molino · ‎02-17-2020

Hi

Sorry but both files are the same. We have the drawing but not the config.
Can you attach the config please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Vishnu Vardhan S · ‎02-18-2020

If the VRF leaking is good, i believe we need VRF route leaking on the router.

Try pinging the ip 10.0.100.4 from the VRF source 192.168.12.1

ping vrf VRF_A 10.0.100.4

does the above command works.

Please do not hesitate to click the STAR button if you are satisfied with my answer.

Kai Onken · ‎02-18-2020

Hello here is the request Ping:

Ping the "outside" interface of the router with source 192.168.12.1

Router#ping vrf VRF_A 10.0.100.4 source 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.100.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.12.1
.....
Success rate is 0 percent (0/5)
Router#

Ping the Server

Router#ping vrf VRF_A 10.0.200.10 source 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.200.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.12.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Router#

Kind regards

Vishnu Vardhan S · ‎02-18-2020

Post the routing table of the router to see the routes we have inside the VRF and the global routing table.

Check the routing table i think we are missing the networks of server inside the vrf routing table.

Please do not hesitate to click the STAR button if you are satisfied with my answer.

Kai Onken · ‎02-18-2020

Hello,

Global routing table

Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 10.0.100.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.0.100.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.100.0/24 is directly connected, GigabitEthernet0/0.2540
L 10.0.100.4/32 is directly connected, GigabitEthernet0/0.2540
Router#

Rounting table of VRF_A

Router#show ip route vrf VRF_A

Routing Table: VRF_A
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 10.0.100.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.0.100.1
192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.12.0/24 is directly connected, GigabitEthernet0/1.101
L 192.168.12.1/32 is directly connected, GigabitEthernet0/1.101
Router#

Rounting table of VRF_B

Router#show ip route vrf VRF_B

Routing Table: VRF_B
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 10.0.100.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.0.100.1
192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.12.0/24 is directly connected, GigabitEthernet0/1.102
L 192.168.12.1/32 is directly connected, GigabitEthernet0/1.102
Router#

What do you have in your mind with "Check the routing table i think we are missing the networks of server inside the vrf routing table."

The Server is reachable, the NAS not.

Kind regards

Francesco Molino · ‎02-18-2020

Can you share the output of show ip nat translation when trying to reach NAS device?
default gateway for the NAS device is your firewall?
What firewall do you have?
Do you see any drops on your FW when reaching your NAS device?
If you have an ASA, you need to add the command same-security-traffic permit intra-interface because traffic arrives on interface (10.0.100.1/24) and get out within the same interface. Without this command, traffic won't pass through.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Kai Onken · ‎02-18-2020

Can you share the output of show ip nat translation when trying to reach NAS device?

Global ping test

Router#ping 10.0.100.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Router#

Global traceroute

Router#traceroute 10.0.100.5
Type escape sequence to abort.
Tracing the route to 10.0.100.5
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.100.5 msec 0 msec 0 msec
Router#

Global NAT table

Router#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 10.0.100.4:137 192.168.12.100:137 X.X.X.X:137 X.X.X.X:137
udp 10.0.100.4:137 192.168.12.100:137 X.X.X.Y:137 X.X.X.Y:137
Router#

VRF_A ping test

Router#ping vrf VRF_A 10.0.100.5 source GigabitEthernet 0/1.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.100.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.12.1
.....
Success rate is 0 percent (0/5)
Router#

VRF_A NAT table

Router#sh ip nat translations vrf VRF_A
Pro Inside global Inside local Outside local Outside global

icmp 10.0.100.4:2 192.168.12.1:2 10.0.100.5:2 10.0.100.5:2

Router#

VRF_B ping test

Router#ping vrf VRF_B 10.0.100.5 source GigabitEthernet 0/1.102
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.100.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.12.1
.....
Success rate is 0 percent (0/5)
Router#

VRF_B NAT table

Router#sh ip nat translations vrf VRF_B
Pro Inside global Inside local Outside local Outside global

icmp 10.0.100.4:1 192.168.12.1:1 10.0.100.5:1 10.0.100.5:1
udp 10.0.100.4:137 192.168.12.100:137 X.X.X.X:137 X.X.X.X:137
udp 10.0.100.4:137 192.168.12.100:137 X.X.X.Y:137 X.X.X.Y:137
tcp 10.0.100.4:58607 192.168.12.100:58607 SomePublicIP:443 SomePublicIP:443
Router#

Default gateway for the NAS device is your firewall?

Yes

What firewall do you have?

Stonesoft

Do you see any drops on your FW when reaching your NAS device?

No, because the NAS is in the same Network as the routers "outside interface". There is no reason to pass or access the firewall.

If you have an ASA, you need to add the command same-security-traffic permit intra-interface because traffic arrives on interface (10.0.100.1/24) and get out within the same interface. Without this command, traffic won't pass through.

Kind regards

Kai

Dan Frey · ‎02-18-2020

VRFA only knows how to ARP for your default gateway which is a firewall and most likely blocks redirects. Can you try putting in a more specific route into VRFA for the 10.0.100.0 network with a next-hop of another device on the segment. Try pinging the 10.0.100.0 from VRFA again.

Kai Onken · ‎02-18-2020

Hello,

what kind of route?

Because the 192.168.12.0 /24 networks are connected to the router. The 10.0.100.0 /24 ,which contains the NAS, is also connected to router.

I could start writing a host route, but how will it look like?

ip route vrf VRF_A 10.0.100.5 255.255.255.255 to ?

Kind regards

Kai

Dan Frey · ‎02-19-2020

VRF_A does not have a connected interface on the 10.0.100.0 network so right now it only knows how to get to the firewall via the default gateway.

Add Set next hop to NAS server.

ip route vrf VRF_A 10.0.100.5 255.255.255.255 10.0.100.5 global

Kai Onken · ‎02-19-2020

Hello Danial,

thanks, that did it.

Kind regards

Kai

paul driver · ‎02-19-2020

Hello
Looking at your topology, It suggests you will have encapsulation failure on the network C.
Your pointing the vrf hosts default route to the firewall but that NAS isnt residing behind the firewall its on a shared subnet, so try a host route in each vrf as suggested or another way to establish connection would to be to have a L3 between RTRK9, NAS & FW to provide the routing for that network C, or you could relocate the NAS behind the FW an then it should work.

What is interconnecting those 3 devcies ( K9, NAS,FW) ?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Kai Onken · ‎02-19-2020

Hello Paul,

Daniels answers works.

To your question a Cisco WS-C2960X-24...

Kind regards

Kai