problem in routing natted traffic between vrf and global

tiwang
Level 3

hi out there

I have a, probably simple, problem. I am trying to use a common internet breakout for customers with overlapping IPs, so I have a lab running with 3 VRFs, all with the same IP range, which I statically NAT (inside) to an individual IP range per VRF. This also looks fine: the traffic is NATed onto the correct IP and sent out, but I cannot get the traffic returned from global to the individual VRFs. In global I don't have a route for each NATed network. How do I get the traffic returned to the correct VRFs?


vrf definition dk10
 rd 65400:10
 !
 address-family ipv4
 exit-address-family
!
vrf definition dk20
 rd 65400:20
 !
 address-family ipv4
 exit-address-family
!
vrf definition dk30
 rd 65400:30
 !
 address-family ipv4
 exit-address-family


interface FastEthernet0/0.1
 encapsulation dot1Q 10
 vrf forwarding dk10
 ip address 100.112.10.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 20
 vrf forwarding dk20
 ip address 100.112.20.1 255.255.255.0
!
interface FastEthernet0/0.3
 encapsulation dot1Q 30
 vrf forwarding dk30
 ip address 100.112.30.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 100.112.0.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source static network 172.22.16.0 100.112.1.0 /24 vrf dk10 extendable match-in-vrf
ip nat inside source static network 172.22.16.0 100.112.2.0 /24 vrf dk20 extendable match-in-vrf
ip nat inside source static network 172.22.16.0 100.112.3.0 /24 vrf dk30 extendable match-in-vrf
ip route 0.0.0.0 0.0.0.0 100.112.0.1

and for dk10 I have then added this, but it only partly works; I don't get the traffic back:

ip route 0.0.0.0 0.0.0.0 100.112.0.1
ip route 100.112.1.0 255.255.255.0 FastEthernet0/0.1
ip route vrf dk10 0.0.0.0 0.0.0.0 100.112.0.1 global

R0#ping vrf dk10 100.112.0.1 so lo 10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.112.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.22.16.1

*Dec 12 13:49:45.175: NAT: s=172.22.16.1->100.112.1.1, d=100.112.0.1 [95].
*Dec 12 13:49:47.175: NAT: s=172.22.16.1->100.112.1.1, d=100.112.0.1 [96].
*Dec 12 13:49:49.175: NAT: s=172.22.16.1->100.112.1.1, d=100.112.0.1 [97].
*Dec 12 13:49:51.175: NAT: s=172.22.16.1->100.112.1.1, d=100.112.0.1 [98].
*Dec 12 13:49:53.175: NAT: s=172.22.16.1->100.112.1.1, d=100.112.0.1 [99].
Success rate is 0 percent (0/5)

R0#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 100.112.1.1:18    172.22.16.1:18     100.112.0.1:18     100.112.0.1:18
icmp 100.112.1.1:19    172.22.16.1:19     100.112.0.1:19     100.112.0.1:19

Probably a simple trick is needed, but which?

br /ti

5 Replies

Hello,

You need to redirect the return traffic to the proper VRF.

Something like this

access-list 101 permit ip any 100.112.10.0 0.0.0.255 [to match return traffic. You may change its source]

access-list 102 permit ip any 100.112.20.0 0.0.0.255

access-list 103 permit ip any 100.112.30.0 0.0.0.255

route-map to-vrf permit 10
 match ip address 101
 set vrf dk10
!
route-map to-vrf permit 20
 match ip address 102
 set vrf dk20
!
route-map to-vrf permit 30
 match ip address 103
 set vrf dk30
!

interface FastEthernet0/1
 ip policy route-map to-vrf
 ip nat outside

Hope it helps,

Masoud

hi Again

Thanks for the suggestion; it looked like just the solution, but I cannot get it to work. See here

(deb ip nat detailed, deb ip policy and deb ip icmp)

*Dec 12 20:01:22.351: NAT: i: icmp (172.22.16.1, 10) -> (100.112.0.1, 10) [54]
*Dec 12 20:01:22.351: NAT: s=172.22.16.1->100.112.1.1, d=100.112.0.1 [54]
*Dec 12 20:01:22.371: IP: s=100.112.0.1 (FastEthernet0/1), d=100.112.1.1, len 100, FIB policy match
*Dec 12 20:01:22.371: IP: s=100.112.0.1 (FastEthernet0/1), d=100.112.1.1, len 100, PBR Counted
*Dec 12 20:01:22.371: IP: s=100.112.0.1 (FastEthernet0/1), d=100.112.1.1, len 100, FIB policy routed set vrf
*Dec 12 20:01:22.371: IP: s=100.112.0.1 (FastEthernet0/1), d=100.112.1.1, len 100, FIB policy match
*Dec 12 20:01:22.371: IP: s=100.112.0.1 (FastEthernet0/1), d=100.112.1.1, len 100, FIB policy routed set vrf.
Success rate is 0 percent (0/5)
R0#sh ip cef vrf dk10
Prefix               Next Hop             Interface
0.0.0.0/0            100.112.0.1          FastEthernet0/1
0.0.0.0/8            drop
0.0.0.0/32           receive
100.112.1.0/24       receive
100.112.10.0/24      attached             FastEthernet0/0.1
100.112.10.0/32      receive              FastEthernet0/0.1
100.112.10.1/32      receive              FastEthernet0/0.1
100.112.10.255/32    receive              FastEthernet0/0.1
127.0.0.0/8          drop
172.22.16.1/32       receive              Loopback10
224.0.0.0/4          drop
224.0.0.0/24         receive
240.0.0.0/4          drop
255.255.255.255/32   receive
R0#

It should work.

Configure an overload NAT and test again:

ip nat inside source list 101 interface FastEthernet0/1 overload

Ping from a client connected to VLAN 10.

Please share your last configuration.

Here is the output from the problematic router. Currently the NAT statement for vrf dk10 has been removed, but the result is the same for the rest.

R0#sh run
Building configuration...

Current configuration : 2845 bytes
!
! Last configuration change at 20:42:02 UTC Sat Dec 12 2015
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R0
!
boot-start-marker
boot-end-marker
!
!
vrf definition dk10
 rd 65400:10
 !
 address-family ipv4
 exit-address-family
!
vrf definition dk20
 rd 65400:20
 !
 address-family ipv4
 exit-address-family
!
vrf definition dk30
 rd 65400:30
 !
 address-family ipv4
 exit-address-family
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
interface Loopback10
 vrf forwarding dk10
 ip address 172.22.16.1 255.255.255.255
!
interface Loopback20
 vrf forwarding dk20
 ip address 172.22.16.1 255.255.255.255
!
interface Loopback30
 vrf forwarding dk30
 ip address 172.22.16.1 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 10
 vrf forwarding dk10
 ip address 100.112.10.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 20
 vrf forwarding dk20
 ip address 100.112.20.1 255.255.255.0
!
interface FastEthernet0/0.3
 encapsulation dot1Q 30
 vrf forwarding dk30
 ip address 100.112.30.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 100.112.0.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 ip policy route-map to-vrf
 duplex auto
 speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source static network 172.22.16.0 100.112.2.0 /24 vrf dk20 extendable match-in-vrf
ip nat inside source static network 172.22.16.0 100.112.3.0 /24 vrf dk30 extendable match-in-vrf
ip route 0.0.0.0 0.0.0.0 100.112.0.1
ip route vrf dk10 0.0.0.0 0.0.0.0 100.112.0.1 global
ip route vrf dk20 0.0.0.0 0.0.0.0 FastEthernet0/1 100.112.0.1
ip route vrf dk30 0.0.0.0 0.0.0.0 FastEthernet0/1 100.112.0.1
!
access-list 101 permit ip any 100.112.10.0 0.0.0.255
access-list 101 permit ip any 100.112.1.0 0.0.0.255
access-list 102 permit ip any 100.112.20.0 0.0.0.255
access-list 102 permit ip any 100.112.2.0 0.0.0.255
access-list 103 permit ip any 100.112.30.0 0.0.0.255
access-list 103 permit ip any 100.112.3.0 0.0.0.255
no cdp log mismatch duplex
!
route-map to-vrf permit 10
 match ip address 101
 set vrf dk10
!
route-map to-vrf permit 20
 match ip address 102
 set vrf dk20
!
route-map to-vrf permit 30
 match ip address 103
 set vrf dk30
!
!
!
control-plane
!
!
!
mgcp profile default
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
 transport input all
!
!
end

R0#

and here is a drawing of the topology

The problem is with your NAT.

Change NAT to the configuration below. Remove those loopback interfaces on this router.

Test ping from R1. Traffic must pass both the NAT inside and outside interfaces in order for NAT to work.

ip nat pool my-ip-10 100.112.0.3 100.112.0.3  prefix-length 24
ip nat pool my-ip-20 100.112.0.4 100.112.0.4 prefix-length 24
ip nat inside source list 10 pool my-ip-10 overload
ip nat inside source list 20 pool my-ip-20 overload
!

access-list 10 permit 100.112.10.0 0.0.0.255

[Add hosts behind R1 to access-list 10]


access-list 20 permit 100.112.20.0 0.0.0.255

[Add hosts behind R2 to access-list 20]


for static NAT,

ip nat inside source static 100.112.10.5 100.112.0.5 vrf dk10

Make sure traffic is allowed on ASA. Test this configuration and then share the last configuration if you have problem again.

Masoud
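As an added check (not from the thread, not Cisco's own tooling), a short Python audit that reads an IOS-style config excerpt and flags the two things the replies above turn on: VRF-facing interfaces without `ip nat inside`, and inside-global prefixes that no `set vrf` route-map entry steers back into their VRF. The config text is a constructed excerpt modelled on the thread's running-config, not a capture from it.

```python
import ipaddress, re

CONFIG = """
! constructed excerpt modelled on the thread's running-config (hypothetical, not a capture)
interface FastEthernet0/0.1
 vrf forwarding dk10
interface FastEthernet0/0.2
 vrf forwarding dk20
 ip nat inside
ip nat inside source static network 172.22.16.0 100.112.1.0 /24 vrf dk10 extendable match-in-vrf
ip nat inside source static network 172.22.16.0 100.112.2.0 /24 vrf dk20 extendable match-in-vrf
access-list 101 permit ip any 100.112.10.0 0.0.0.255
access-list 102 permit ip any 100.112.2.0 0.0.0.255
route-map to-vrf permit 10
 match ip address 101
 set vrf dk10
route-map to-vrf permit 20
 match ip address 102
 set vrf dk20
"""

def audit(config):
    # Parse interfaces, per-VRF static network NAT, numbered ACLs and route-map entries.
    ifaces, nat, acls, entries, findings, block = {}, {}, {}, [], [], None
    for line in config.splitlines():
        s = line.strip()
        if not line.startswith(" "): block = None   # a top-level command ends the open block
        if s.startswith("interface "):
            block = ifaces[s.split()[1]] = {"vrf": None, "inside": False}
        elif s.startswith("route-map "):
            block = {"acl": None, "vrf": None}; entries.append(block)
        elif m := re.match(r"ip nat inside source static network \S+ (\S+) /(\d+) vrf (\S+)", s):
            nat[m[3]] = ipaddress.ip_network(f"{m[1]}/{m[2]}")       # VRF -> inside-global prefix
        elif m := re.match(r"access-list (\d+) permit ip any (\S+) (\S+)", s):
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))  # wildcard = hostmask
        elif block is not None and "inside" in block:
            if s.startswith("vrf forwarding "): block["vrf"] = s.split()[2]
            elif s == "ip nat inside": block["inside"] = True
        elif block is not None and "acl" in block:
            if s.startswith("match ip address "): block["acl"] = s.split()[3]
            elif s.startswith("set vrf "): block["vrf"] = s.split()[2]
    for vrf, prefix in nat.items():
        # 1. NAT only fires between an 'ip nat inside' and an 'ip nat outside' interface.
        findings += [f"{n} is in vrf {vrf} but lacks 'ip nat inside'"
                     for n, i in ifaces.items() if i["vrf"] == vrf and not i["inside"]]
        # 2. Replies arrive in global; a route-map entry must 'set vrf' for the whole inside-global prefix.
        steered = [n for e in entries if e["vrf"] == vrf for n in acls.get(e["acl"], [])]
        if not any(prefix.subnet_of(n) for n in steered):
            findings.append(f"return traffic to {prefix} is not steered into vrf {vrf} by route-map")
    return findings
```

Running `audit(CONFIG)` on the excerpt reports dk10 twice (no `ip nat inside` on its sub-interface, and ACL 101 covering 100.112.10.0/24 rather than the inside-global 100.112.1.0/24) and nothing for dk20.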
