Natting with outside interface in VRF

rasmus.elmholt
Level 7

Hi everyone

I have already read this document: https://community.cisco.com/t5/security-documents/nat-with-vrf-ios-vs-ios-xe/ta-p/3156555#toc-hId--753550695

But cannot get it to work.

I have the following setup, with R10 as a client and R8 as the router doing the NAT from eth0/1 in GR and e0/0 in VRF WAN.

[Diagram: dia.png]

vrf definition WAN
 rd 65000:1
 !
 address-family ipv4
 exit-address-family
!
interface Ethernet0/0
 vrf forwarding WAN
 ip address 80.1.8.8 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
interface Ethernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip nat inside source list 1 interface Ethernet0/0 vrf WAN overload
ip route 0.0.0.0 0.0.0.0 Ethernet0/0 80.1.8.1
ip route vrf WAN 0.0.0.0 0.0.0.0 Ethernet0/0 80.1.8.1
access-list 1 permit 192.168.0.0 0.0.0.255

And when I ping from the client or from R8's LAN interface, the packet (according to Wireshark) gets translated, but the reply does not get back.

R8#ping vrf WAN 80.1.8.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 80.1.8.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R8#ping 80.1.8.1 sou eth0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 80.1.8.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
..
Success rate is 0 percent (0/2)
!

What am I missing?

Accepted Solution

If I added:
ip route vrf WAN 192.168.0.0 255.255.255.0 192.168.0.2 global
I got it to work, but only for the 192.168.0.2 client and not for the rest.

Changed it all up and configured it with VASI, and then it worked right away...


3 Replies

Hello

Two options:
1) Add eth0/1 into the vrf WAN

int eth0/1
ip vrf forwarding WAN

or

2) Add a couple of statics so the global/VRF route tables are aware of each other's interface, and remove the dynamic NAT statement from the VRF WAN, as the subnet to be NATted isn't in any VRF

no ip route vrf WAN 0.0.0.0 0.0.0.0 Ethernet0/0 80.1.8.1
ip route vrf WAN 0.0.0.0 0.0.0.0 Ethernet0/0 80.1.8.1 global


ip route 8.1.8.8 255.255.255.255 Ethernet0/0
ip route vrf WAN 192.168.0.0 255.255.255.0 192.168.0.2 global

no ip nat inside source list 1 interface Ethernet0/0 vrf WAN
ip nat inside source list 1 interface Ethernet0/0


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
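To make the forwarding logic behind this thread explicit, here is an added example: a small, constructed Python model of R8's two routing tables (global and VRF WAN). It is not Cisco code and not from any poster; the table names, the route tuple layout and the helper names (lookup, reply_reaches, with_leaked_static) are my own assumptions. It replays the three situations discussed: the original config, where the reply arriving in VRF WAN has no route back to 192.168.0.0/24; the single leaked static pointing at 192.168.0.2 global, which works for that host only because every inside destination is sent to that next hop; and Paul's point that the static is meant to point at an L3 gateway fronting the LAN.

```python
from ipaddress import ip_address, ip_network

# Constructed two-table forwarding model of R8 (illustration only, not IOS code).
# A route is (prefix, next_hop, egress_interface, next_hop_table); next_hop_table
# is the table used to resolve the next hop, which models the 'global' keyword
# on an 'ip route vrf WAN ... global' static.

WAN_GW = ip_address("80.1.8.1")  # upstream next hop from the question


def base_tables():
    """R8's tables as posted: the LAN sits in the global table, the outside link in VRF WAN."""
    return {
        "global": [
            (ip_network("192.168.0.0/24"), None, "Ethernet0/1", "global"),  # connected
            (ip_network("0.0.0.0/0"), WAN_GW, "Ethernet0/0", "global"),
        ],
        "WAN": [
            (ip_network("80.1.8.0/24"), None, "Ethernet0/0", "WAN"),  # connected
            (ip_network("0.0.0.0/0"), WAN_GW, "Ethernet0/0", "WAN"),
        ],
    }


def with_leaked_static(tables):
    """Adds 'ip route vrf WAN 192.168.0.0 255.255.255.0 192.168.0.2 global' from the thread."""
    tables["WAN"].append(
        (ip_network("192.168.0.0/24"), ip_address("192.168.0.2"), None, "global")
    )
    return tables


def lookup(tables, table, dst):
    """Longest-prefix match in one table. Returns (egress_interface, frame_next_hop)
    or None when the destination is unroutable in that table."""
    best = None
    for route in tables[table]:
        if dst in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    if best is None:
        return None
    _prefix, nh, iface, nh_table = best
    if nh is None:
        return iface, dst          # connected: the frame goes to the host itself
    if iface is not None:
        return iface, nh           # static with an explicit egress interface
    # Next hop given without an interface: resolve it recursively, possibly in
    # another table (this is what the 'global' keyword does).
    resolved = lookup(tables, nh_table, nh)
    return None if resolved is None else (resolved[0], nh)


def outbound_hits_nat(tables, wan_target):
    """Host -> WAN: the echo enters on Ethernet0/1 (global table). It is only
    translated if it leaves through the 'ip nat outside' interface, Ethernet0/0."""
    hop = lookup(tables, "global", ip_address(wan_target))
    return hop is not None and hop[0] == "Ethernet0/0"


def reply_reaches(tables, inside_host, l3_gateway=None):
    """WAN -> host: the reply to 80.1.8.8 arrives on Ethernet0/0, which is in VRF WAN.
    Outside-to-inside, IOS un-translates the destination first and then routes the
    packet in the ingress interface's VRF, so the lookup happens in table WAN.
    Delivery succeeds if the frame leaves Ethernet0/1 towards the host itself, or
    towards an L3 gateway that fronts the LAN (the design Paul describes)."""
    dst = ip_address(inside_host)
    hop = lookup(tables, "WAN", dst)
    if hop is None or hop[0] != "Ethernet0/1":
        return False
    return hop[1] == dst or (l3_gateway is not None and hop[1] == ip_address(l3_gateway))


if __name__ == "__main__":
    print("original config, echo translated:", outbound_hits_nat(base_tables(), "80.1.8.1"))
    print("original config, reply to .2:", reply_reaches(base_tables(), "192.168.0.2"))
    leaked = with_leaked_static(base_tables())
    print("leaked static, reply to .2:", reply_reaches(leaked, "192.168.0.2"))
    print("leaked static, reply to .3:", reply_reaches(leaked, "192.168.0.3"))
    print("leaked static, .3 behind L3 gw .2:",
          reply_reaches(leaked, "192.168.0.3", l3_gateway="192.168.0.2"))
```

The model reproduces the symptom in the question (outbound translated, reply unroutable in VRF WAN) and the "works only for 192.168.0.2" result: with the leaked static, every reply for 192.168.0.0/24 is handed to 192.168.0.2 as the next hop, which is only correct when that address is either the destination itself or a router in front of the other hosts.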


Hello
@rasmus.elmholt wrote:
If I added:
ip route vrf WAN 192.168.0.0 255.255.255.0 192.168.0.2 global
I got it to work, but only for the 192.168.0.2 client and not for the rest.

Changed it all up and configured it with VASI, and then it worked right away...

Well, you really wouldn't have an end-node subnet directly connected to a router. In reality it would be an L3 interface of that subnet where all hosts are reachable behind it, like an L3 switch, so that static route points to the switch's L3 interface as the next hop for all hosts.



Kind Regards
Paul