I am trying to do PAT between the Global VRF (Te0/0/4.1025) and the Internet VRF (Te0/0/5.109). Here is my config:

interface TenGigabitEthernet0/0/4.1025
 encapsulation dot1Q 1025
 ip address 10.1.0.165 255.255.255.248
 ip nat inside
!
interface TenGigabitEthernet0/0/5.109
 encapsulation dot1Q 109
 vrf forwarding Internet
 ip address 184.108.40.206 255.255.254.0
 ip nat outside
!
ip nat pool POOL 220.127.116.11 18.104.22.168 netmask 255.255.254.0
ip nat inside source list INTERNAL pool POOL overload
!
ip access-list extended INTERNAL
 10 permit ip 10.0.0.0 0.255.255.255 any
!
ip route 0.0.0.0 0.0.0.0 TenGigabitEthernet0/0/5.109 22.214.171.124
NAT outside interface is not supported on a VRF. However, NAT outside interface is supported in iWAN and is part of the Cisco Validated Design.
Anyway, so I tried to play with it and got some success.
1. I tried the same config in my EVE-NG lab with a C8000V running the same version, and it works fine.
2. On the real router, I noticed that the Internet gateway (also managed by us) doesn't have an ARP entry for the NAT pool addresses 126.96.36.199 to 188.8.131.52. I added these addresses as secondary addresses on the NAT router's Internet interface and then took them out (in order to get an ARP entry on the Internet gateway), and it would work. (It won't work if I don't take them out.) I could also add a static route on the Internet gateway for 184.108.40.206/32 with next-hop 220.127.116.11, and it would also work... Why doesn't the NAT router respond to ARP requests?
3. I also tried "ip nat inside source list INTERNAL pool POOL egress-interface te0/0/5.109 overload". It won't give me a syntax error, but in the show run the "egress-interface" part is lost, so it becomes "ip nat inside source list INTERNAL pool POOL overload"...
Using NAT between a VRF and Global with NAT pools, I have found it's difficult to get the translation correct when not being able to use NVI NAT (domainless NAT), and especially when the NAT pool does not include the assigned outside WAN IP address.
The way I have found works is via a route-map and to policy-based route from the VRF table, so any return traffic will be NATted and then leaked into the global RIB table. Try the example below and re-test your connectivity.
Example pertaining to your OP:

route-map NAT_PBR
 match ip address INTERNAL
 set global
!
int gig0/0/5.109
 ip vrf forwarding Internet
 ip nat outside
 ip policy route-map NAT_PBR
!
no ip nat inside source list INTERNAL pool POOL overload
ip nat inside source route-map NAT_PBR pool POOL overload
Please rate and mark as an accepted solution if you have found any of the information provided useful. This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
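As an added example (not from either poster), a small Python audit that reads an IOS-style configuration and flags the two conditions this thread turns on: `ip nat outside` on an interface with `vrf forwarding`, and NAT pool blocks that no connected subnet of an outside interface covers, so the router holds no alias for them and will not answer ARP. The sample configuration is constructed with RFC 5737 addresses and modelled on the OP's interfaces, not copied from them.

```python
import ipaddress
import re
# Constructed sample (RFC 5737 addresses) modelled on the outside interface in the original post.
SAMPLE_CONFIG = """\
interface TenGigabitEthernet0/0/5.109
 vrf forwarding Internet
 ip address 198.51.100.2 255.255.254.0
 ip nat outside
ip nat pool POOL 198.51.100.10 198.51.100.11 netmask 255.255.254.0
ip nat pool POOL_OFFNET 203.0.113.10 203.0.113.11 netmask 255.255.255.0
"""

def parse_interfaces(config):
    """Map interface name -> {vrf, nets, nat} from IOS-style 'interface' stanzas."""
    interfaces, cur = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            cur = interfaces[words[1]] = {"vrf": None, "nets": [], "nat": None}
        elif cur is None or not line.startswith(" "):
            cur = None  # top-level line: we have left the stanza
        elif words[:2] == ["vrf", "forwarding"]:
            cur["vrf"] = words[2]
        elif words[:2] == ["ip", "address"]:
            cur["nets"].append(ipaddress.IPv4Interface(f"{words[2]}/{words[3]}").network)
        elif words[:2] == ["ip", "nat"]:
            cur["nat"] = words[2]  # "inside" or "outside"
    return interfaces

def parse_pools(config):
    """Map pool name -> list of IPv4Network blocks summarising the pool's start..end range."""
    pools = {}
    for m in re.finditer(r"^ip nat pool (\S+) (\S+) (\S+) netmask", config, re.M):
        first, last = (ipaddress.IPv4Address(m.group(i)) for i in (2, 3))
        pools[m.group(1)] = list(ipaddress.summarize_address_range(first, last))
    return pools

def audit_nat(config):
    """Return one finding string per pitfall discussed in the thread."""
    findings, outside_nets = [], []
    for name, itf in parse_interfaces(config).items():
        if itf["nat"] == "outside":
            outside_nets += itf["nets"]
            if itf["vrf"]:  # the combination the quoted Cisco note calls unsupported
                findings.append(f"{name}: ip nat outside on VRF {itf['vrf']} interface")
    for pool, blocks in parse_pools(config).items():
        orphans = [str(b) for b in blocks if not any(b.subnet_of(n) for n in outside_nets)]
        if orphans:  # no connected subnet => no alias, router will not answer ARP for them
            findings.append(f"{pool}: {', '.join(orphans)} not in a connected subnet of a NAT outside interface")
    return findings
```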