05-29-2020 12:26 AM
Hi everyone
I have already read this document: https://community.cisco.com/t5/security-documents/nat-with-vrf-ios-vs-ios-xe/ta-p/3156555#toc-hId--753550695
But cannot get it to work.
I have the following setup, with R10 as a client and R8 as the router doing the NAT from eth0/1 in GR and e0/0 in VRF WAN.
vrf definition WAN
 rd 65000:1
 !
 address-family ipv4
 exit-address-family
!
interface Ethernet0/0
 vrf forwarding WAN
 ip address 80.1.8.8 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
!
interface Ethernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip nat inside source list 1 interface Ethernet0/0 vrf WAN overload
ip route 0.0.0.0 0.0.0.0 Ethernet0/0 80.1.8.1
ip route vrf WAN 0.0.0.0 0.0.0.0 Ethernet0/0 80.1.8.1
access-list 1 permit 192.168.0.0 0.0.0.255
And when I ping from the client or R8's LAN interface, the packet (according to Wireshark) gets translated, but the reply does not get back.
R8#ping vrf WAN 80.1.8.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 80.1.8.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R8#ping 80.1.8.1 sou eth0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 80.1.8.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
..
Success rate is 0 percent (0/2)
!
What am I missing?
05-29-2020 01:52 AM - edited 05-29-2020 03:46 AM
Hello
Two options:
1) Add eth0/1 into the vrf WAN
int eth0/1
ip vrf forwarding WAN
or
2) Add a couple of statics so the global/VRF route tables are aware of each other's interface, and remove the dynamic NAT statement from the VRF WAN, as this subnet to be NATed isn't in any VRF
no ip route vrf WAN 0.0.0.0 0.0.0.0 Ethernet0/0 80.1.8.1
ip route vrf WAN 0.0.0.0 0.0.0.0 Ethernet0/0 80.1.8.1 global
ip route 8.1.8.8 255.255.255.255 Ethernet0/0
ip route vrf WAN 192.168.0.0 255.255.255.0 192.168.0.2 global
no ip nat inside source list 1 interface Ethernet0/0 vrf WAN
ip nat inside source list 1 interface Ethernet0/0
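As an added example (not part of the thread or the replier's config), here is option 1 carried through to a complete R8 config: both NAT interfaces sit in VRF WAN, so none of the global/VRF static leaks from option 2 are needed and the VRF's separation from the global table stays intact. It assumes the router's IOS release supports the match-in-vrf keyword for NAT between an inside and an outside interface in the same VRF.

```cisco
! R8, option 1 from the reply above, written out in full (added example).
! Both NAT interfaces live in VRF WAN, so no global<->VRF route leaking is needed.
vrf definition WAN
 rd 65000:1
 !
 address-family ipv4
 exit-address-family
!
interface Ethernet0/0
 vrf forwarding WAN
 ip address 80.1.8.8 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
!
! Entering "vrf forwarding" on an interface clears its IP address,
! so the address is (re-)entered after it.
interface Ethernet0/1
 vrf forwarding WAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
access-list 1 permit 192.168.0.0 0.0.0.255
!
! Inside and outside are now in the same VRF: match-in-vrf (assumed supported
! on this release) makes IOS translate within VRF WAN instead of assuming a
! VRF-inside / global-outside pair.
ip nat inside source list 1 interface Ethernet0/0 vrf WAN overload match-in-vrf
!
! Only the VRF needs a default route; the global default route that pointed
! at a VRF interface in the original post is dropped.
ip route vrf WAN 0.0.0.0 0.0.0.0 Ethernet0/0 80.1.8.1
!
! Checks from exec mode: the sourced ping should now succeed and a
! translation for 192.168.0.1 should appear in the VRF's NAT table.
! ping vrf WAN 80.1.8.1 source Ethernet0/1
! show ip nat translations vrf WAN
```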
05-29-2020 03:45 AM - edited 05-29-2020 03:48 AM
Hello
@rasmus.elmholt wrote:
If I added:
ip route vrf WAN 192.168.0.0 255.255.255.0 192.168.0.2 global
I got it to work, but only for the 192.168.0.2 client and not for the rest.
Changed it all up and configured it with VASI, and then it worked right away...
Well, you really wouldn't have an end-node subnet directly connected to a rtr. In reality it would be a L3 interface of that subnet where all hosts are reachable behind it, like a L3 switch, so that static route points to the switch's L3 interface as a next hop for all hosts.