PAT from Global to VRF on ISR4461

Difan_Zhao
Level 1

Hi experts,

I am trying to do PAT between Global VRF (Te0/0/4.1025) and the Internet VRF (Te0/0/5.109). Here is my config


interface TenGigabitEthernet0/0/4.1025
 encapsulation dot1Q 1025
 ip address 10.1.0.165 255.255.255.248
 ip nat inside
!
interface TenGigabitEthernet0/0/5.109
 encapsulation dot1Q 109
 vrf forwarding Internet
 ip address 1.1.1.1 255.255.254.0
 ip nat outside
!
ip nat pool POOL 1.1.1.2 1.1.1.4 netmask 255.255.254.0
ip nat inside source list INTERNAL pool POOL overload
!
ip access-list extended INTERNAL
 10 permit ip 10.0.0.0 0.255.255.255 any
!
ip route 0.0.0.0 0.0.0.0 TenGigabitEthernet0/0/5.109 1.1.1.254

First of all, is this type of NAT still supported by Cisco on this platform? I am running IOS XE ver 17.04.01a. According to this link https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-17-1/nat-xe-17-x-book/iadnat-addr-consv.html#GUID-239DBA5C-AB96-41D2-AFD4-C81B4A86DEFF:

  • NAT outside interface is not supported on a VRF. However, NAT outside interface is supported in iWAN and is part of the Cisco Validated Design.

Anyway, so I tried to play with it and got some success. 

1. I tried the same config in my EVE-NG lab with C8000V running the same version and it works fine

2. On the real router, I noticed that the Internet gateway (also managed by us) doesn't have the ARP entry for the NAT pool addresses 1.1.1.2 to 1.1.1.4. I added these addresses as secondaries on the NAT router's Internet interface and then took them out (in order to have an ARP entry on the Internet gateway), and it would work. (It won't work if I don't take them out.) I could also add a static route on the Internet gateway for 1.1.1.2/32 to go to the next hop 1.1.1.1 and it would also work... Why doesn't the NAT router respond to ARP requests?

3. I also tried with "ip nat inside source list INTERNAL pool POOL egress-interface te0/0/5.109 overload". It won't give me a syntax error but in the show run the "egress-interface" part would be lost so it becomes "ip nat inside source list INTERNAL pool POOL overload"...

Any advice? Thanks!


3 Replies

Proxy ARP maybe?

Hi Flavio, if I understand you correctly, do you want me to enable Proxy ARP? Will that cause the NAT router to start acknowledging all ARP requests besides the IPs in the NAT pool..? Thanks.

Hello


@Difan_Zhao wrote:

Any advice?


Using NAT VRF Global and NAT pools, I have found it's difficult to get the translation correct when not being able to use NVI NAT (domainless NAT), and especially when the NAT pool does not include the assigned outside WAN IP address.

The way I have found works is via a route-map and to policy-based route from the VRF table, so any return traffic will be NATed and then leaked into the global RIB table. Try the example below and re-test your connectivity.


Example pertaining to your OP:
route-map NAT_PBR
match ip address INTERNAL
set global

int gig0/0/5.109
ip vrf forwarding Internet
ip nat outside
ip policy route-map NAT_PBR

no ip nat inside source list INTERNAL pool POOL overload
ip nat inside source route-map NAT_PBR pool POOL overload


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
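To vet a config like the one in this thread before pushing it to a production router, here is an added Python check (not Cisco tooling and not from any post above) that parses the interface and pool lines and flags the two things the thread runs into: a NAT outside interface that sits in a VRF, which the linked Cisco document says is unsupported, and pool addresses that are not configured on the router, which by the OP's observation get no ARP reply and so need a route on the upstream gateway. The embedded sample config is a constructed copy of the OP's relevant lines, and treating "not an interface address" as "will not be ARP-answered" is an assumption taken from the OP's observation, not a documented rule.

```python
"""Lint a global-to-VRF PAT config for the two issues raised in the thread: an
outside interface inside a VRF, and pool addresses the router does not own."""
import ipaddress

# Constructed sample: the OP's configuration, trimmed to the lines the checks read.
SAMPLE_CONFIG = """\
interface TenGigabitEthernet0/0/4.1025
 ip address 10.1.0.165 255.255.255.248
 ip nat inside
!
interface TenGigabitEthernet0/0/5.109
 vrf forwarding Internet
 ip address 1.1.1.1 255.255.254.0
 ip nat outside
!
ip nat pool POOL 1.1.1.2 1.1.1.4 netmask 255.255.254.0
"""

def parse_config(text):
    """Return (interfaces, pools): name -> {vrf, addrs, nat} and name -> (first, last)."""
    interfaces, pools, cur = {}, {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = interfaces.setdefault(line.split()[1], {"vrf": None, "addrs": [], "nat": None})
        elif cur is not None and line.startswith(" "):
            w = line.split()
            if "forwarding" in w[:3]:  # "vrf forwarding X" or legacy "ip vrf forwarding X"
                cur["vrf"] = w[-1]
            elif w[:2] == ["ip", "address"]:
                cur["addrs"].append(ipaddress.ip_interface(f"{w[2]}/{w[3]}"))
            elif w[:2] == ["ip", "nat"]:
                cur["nat"] = w[2]
        else:
            cur = None  # "!" or a global command ends the interface block
            w = line.split()
            if w[:3] == ["ip", "nat", "pool"]:
                pools[w[3]] = (ipaddress.ip_address(w[4]), ipaddress.ip_address(w[5]))
    return interfaces, pools

def lint(text):
    """Return (code, detail) findings: 'vrf-outside' or 'pool-not-owned'."""
    interfaces, pools = parse_config(text)
    owned = {a.ip for i in interfaces.values() for a in i["addrs"]}
    findings = [("vrf-outside", f"{n} in VRF {i['vrf']}")
                for n, i in interfaces.items() if i["nat"] == "outside" and i["vrf"]]
    for pname, (first, last) in pools.items():
        for addr in (ipaddress.ip_address(n) for n in range(int(first), int(last) + 1)):
            if addr not in owned:  # assumed: router may not answer ARP for it; gateway needs a route
                findings.append(("pool-not-owned", f"{pname}: {addr}"))
    return findings
```

Running `lint(SAMPLE_CONFIG)` on the OP's lines reports the VRF outside interface once and each of 1.1.1.2 to 1.1.1.4 as not owned; adding those addresses as secondaries on the outside interface clears the pool findings, which matches what the OP saw.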