03-26-2022 11:59 AM
Hi experts,
I am trying to do PAT between Global VRF (Te0/0/4.1025) and the Internet VRF (Te0/0/5.109). Here is my config
interface TenGigabitEthernet0/0/4.1025
 encapsulation dot1Q 1025
 ip address 10.1.0.165 255.255.255.248
 ip nat inside
!
interface TenGigabitEthernet0/0/5.109
 encapsulation dot1Q 109
 vrf forwarding Internet
 ip address 1.1.1.1 255.255.254.0
 ip nat outside
!
ip nat pool POOL 1.1.1.2 1.1.1.4 netmask 255.255.254.0
ip nat inside source list INTERNAL pool POOL overload
!
ip access-list extended INTERNAL
 10 permit ip 10.0.0.0 0.255.255.255 any
!
ip route 0.0.0.0 0.0.0.0 TenGigabitEthernet0/0/5.109 1.1.1.254
First of all, is this type of NAT still supported by Cisco on this platform? I am running IOS XE ver 17.04.01a. According to this link https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-17-1/nat-xe-17-x-book/iadnat-addr-consv.html#GUID-239DBA5C-AB96-41D2-AFD4-C81B4A86DEFF,
NAT outside interface is not supported on a VRF. However, NAT outside interface is supported in iWAN and is part of the Cisco Validated Design.
Anyway, so I tried to play with it and got some success.
1. I tried the same config in my EVE-NG lab with C8000V running the same version and it works fine
2. On the real router, I noticed that the Internet gateway (also managed by us) doesn't have the ARP entry for the NAT pool addresses 1.1.1.2 to 1.1.1.4. I added these addresses as secondaries on the NAT router's Internet interface and then took them out (in order to have an ARP entry on the Internet gateway), and it would work. (It won't work if I don't take them out.) I could also add a static route on the Internet gateway for 1.1.1.2/32 to the next-hop 1.1.1.1 and it would also work... Why doesn't the NAT router respond to ARP requests?
3. I also tried with "ip nat inside source list INTERNAL pool POOL egress-interface te0/0/5.109 overload". It won't give me a syntax error but in the show run the "egress-interface" part would be lost so it becomes "ip nat inside source list INTERNAL pool POOL overload"...
Any advice? Thanks!
03-26-2022 01:10 PM
Proxy ARP maybe?
03-26-2022 01:37 PM
Hi Flavio, if I understand you correctly, do you want me to enable Proxy ARP? Will that cause the NAT router to start acknowledging all ARP requests besides the IPs in the NAT pool? Thanks.
03-27-2022 07:26 AM - edited 03-27-2022 11:31 AM
Hello
@Difan_Zhao wrote: Any advice?
Using NAT VRF Global and NAT pools, I have found it's difficult to get the translation correct when not being able to use NVI NAT (domainless NAT) and especially when the NAT pool does not include the assigned outside WAN IP address.
The way I have found works is via a route-map and to policy based route from the vrf table so any return traffic will be natted then leaked into the global rib table. Try the example below and re-test your connectivity.
Example pertaining to your OP
route-map NAT_PBR
 match ip address INTERNAL
 set global
!
interface TenGigabitEthernet0/0/5.109
 vrf forwarding Internet
 ip nat outside
 ip policy route-map NAT_PBR
!
no ip nat inside source list INTERNAL pool POOL overload
ip nat inside source route-map NAT_PBR pool POOL overload
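A sanity check worth running before chasing ARP on the upstream gateway is whether the pool addresses actually live inside the subnet of the interface marked "ip nat outside" and whether that interface sits in a VRF. The script below is an added example written for this thread, not code from anyone in it; it parses a small IOS-style config (a constructed copy of the OP's Internet-side lines is embedded as SAMPLE_CONFIG) and reports pools that are outside the outside-interface subnet, pools whose netmask disagrees with the interface mask, pools that overlap the interface address, and pools whose outside interface is in a VRF (the case where the gateway had no ARP entry above). The function and finding names are my own.

```python
import ipaddress
import re

# Constructed sample: the OP's outside-side NAT lines, re-typed for this check.
SAMPLE_CONFIG = """
interface TenGigabitEthernet0/0/5.109
 encapsulation dot1Q 109
 vrf forwarding Internet
 ip address 1.1.1.1 255.255.254.0
 ip nat outside
!
ip nat pool POOL 1.1.1.2 1.1.1.4 netmask 255.255.254.0
ip nat inside source list INTERNAL pool POOL overload
"""


def parse_outside_interfaces(config):
    """Return {name: (ip_interface, vrf_or_None)} for interfaces with 'ip nat outside'."""
    result = {}
    name = ip = vrf = None
    outside = False
    # A trailing '!' flushes the last interface block even if the text ends without one.
    for line in config.splitlines() + ["!"]:
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            ip = vrf = None
            outside = False
        elif line.startswith("!") or not line.strip():
            if name and outside and ip is not None:
                result[name] = (ip, vrf)
            name = None
        elif name:
            stripped = line.strip()
            m = re.match(r"ip address (\S+) (\S+)$", stripped)
            if m:
                ip = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            elif stripped.startswith(("vrf forwarding ", "ip vrf forwarding ")):
                vrf = stripped.split()[-1]
            elif stripped == "ip nat outside":
                outside = True
    return result


def parse_pools(config):
    """Return {pool_name: (first_ip, last_ip, netmask_str)} from 'ip nat pool' lines."""
    pools = {}
    for m in re.finditer(r"^ip nat pool (\S+) (\S+) (\S+) netmask (\S+)", config, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                             ipaddress.ip_address(m.group(3)),
                             m.group(4))
    return pools


def check_pool_reachability(config):
    """Return a list of finding strings for each NAT pool; empty means nothing to flag."""
    findings = []
    outside = parse_outside_interfaces(config)
    for pool, (first, last, mask) in parse_pools(config).items():
        homes = [(n, i, v) for n, (i, v) in outside.items()
                 if first in i.network and last in i.network]
        if not homes:
            findings.append(f"pool {pool}: {first}-{last} is not inside any "
                            "'ip nat outside' subnet; the upstream gateway has no "
                            "connected route for it")
            continue
        for name, iface, vrf in homes:
            if str(iface.netmask) != mask:
                findings.append(f"pool {pool}: netmask {mask} differs from {name} "
                                f"mask {iface.netmask}")
            if first <= iface.ip <= last:
                findings.append(f"pool {pool}: range overlaps the interface address "
                                f"{iface.ip} on {name}")
            if vrf:
                # Reminder only: with the outside interface in a VRF, confirm the
                # gateway learns these addresses (ARP entry or a route to the NAT router).
                findings.append(f"pool {pool}: outside interface {name} is in VRF {vrf}; "
                                f"verify the gateway resolves {first}-{last}")
    return findings


if __name__ == "__main__":
    for finding in check_pool_reachability(SAMPLE_CONFIG):
        print(finding)
```

For the OP's lines the only finding is the VRF reminder, which matches the symptom reported above; swapping in a pool from a different subnet produces the "not inside any 'ip nat outside' subnet" finding instead.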