06-26-2023 11:23 AM - last edited on 07-05-2023 05:26 AM by Translator
Hello
I have the following setup in my lab - see configuration further down.
The issue is that I do not get a response on NAT.
The idea is to import routes from several VRFs into one common VRF to provide internet connectivity.
Doing a debug on the router, I see
*Jun 26 17:35:14.595: IP: s=172.16.1.2 (Ethernet0/1), d=192.168.1.100, len 84, input feature
*Jun 26 17:35:14.595: ICMP type=8, code=0, Virtual Fragment Reassembly After IPSec Decryption(56), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jun 26 17:35:14.595: IP: s=172.16.1.2 (Ethernet0/1), d=192.168.1.100, len 84, input feature
*Jun 26 17:35:14.595: ICMP type=8, code=0, MCI Check(108), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jun 26 17:35:14.595: FIBipv4-packet-proc: route packet from Ethernet0/1 src 172.16.1.2 dst 192.168.1.100
*Jun 26 17:35:14.595: FIBfwd-proc: z100_internet_access:192.168.1.100/32 receive entry
*Jun 26 17:35:14.595: FIBipv4-packet-proc: packet routing failed
*Jun 26 17:35:14.595: IP: tableid=1, s=172.16.1.2 (Ethernet0/1), d=192.168.1.100 (Ethernet0/0), routed via RIB
*Jun 26 17:35:14.595: NAT: s=172.16.1.2->192.168.1.100, d=192.168.1.100 [52304]
On the firewall I can see the return traffic.
IP Packet Header
IP Type: ICMP(0x1), src=[8.8.8.8], Dst=[192.168.1.100]
ICMP Packet Header
ICMP Type = 0(ECHO_REPLY), ICMP Code = 0, ICMP Checksum = 8257
Value:[0]
Forwarded 1:1)
Here is the configuration on the router
conf t
hostname dc01-r-wan-01
!*************define vrf z100_internet_access for zone Z100
!Z100 is a common zone
vrf definition z100_internet_access
rd 100:100
route-target BOTH 100:100
route-target import 99:99
address-family ipv4
exit
exit
!*************create the vrf internet_access
!common VRF providing internet access
vrf definition internet_access
rd 99:99
route-target BOTH 99:99
route-target import 100:100
address-family ipv4
exit
exit
!*************define int eth0/0 - out interface, vrf internet_access
int eth0/0
vrf forwarding internet_access
no shut
ip address 192.168.1.100 255.255.255.0
ip nat outside
exit
!*************define int eth0/1 - in interface vrf z100_internet_access
int eth0/1
vrf forwarding z100_internet_access
ip address 172.16.1.1 255.255.255.252
no shut
ip nat inside
exit
ip route vrf internet_access 0.0.0.0 0.0.0.0 192.168.1.1
!*************create bgp for route leaking between VRFs
router bgp 65000
bgp router-id 1.1.1.1
address-family ipv4 vrf z100_internet_access
redistribute connected
!network 172.16.1.0 mask 255.255.255.252
exit
address-family ipv4 vrf internet_access
!no redistribute connected
default-information originate
redistribute static
exit
!*************define ACL for NAT
ip access-list standard ACL-COMMON-INTERNET
permit 172.16.1.0 0.0.0.3
exit
!*************define RM for NAT
route-map RM-COMMON-INTERNET permit 10
match ip address ACL-COMMON-INTERNET
!ip route vrf internet_access 192.168.1.0 255.255.255.0 Null0
!*************define NAT
ip nat pool NAT-COMMON-INTERNET 192.168.1.100 192.168.1.100 prefix-length 30
ip nat inside source route-map RM-COMMON-INTERNET pool NAT-COMMON-INTERNET vrf z100_internet_access match-in-vrf overload
Any tips much appreciated.
Attached picture with the environment.
Best regards!
06-26-2023 11:19 PM
- FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur70424
M.
06-27-2023 09:18 AM - last edited on 07-05-2023 05:31 AM by Translator
Hello Marce, thank you for your reply.
The router I have in GNS3 is not aware of the SDM command.
Maybe there is another router type I could use in the GNS3 env to avoid this issue?
Best regards!
06-27-2023 09:29 AM - last edited on 07-05-2023 05:33 AM by Translator
But the way I see it, the SDM thing is more switch related than router related.
06-27-2023 10:26 AM
If you can, simplify your network. I see a link, then the link divides into two: one to the cloud and the other to the FW.
Can you simplify?
Thanks
06-27-2023 10:43 AM - last edited on 07-05-2023 05:38 AM by Translator
The cloud is actually the interface on my computer which allows communication between the VMware Workstation environment (where GNS3 runs) and the physical firewall (the gateway to the internet).
The router, the physical computer and the physical firewall are in the same network, 192.168.1.0/24.
The router (in GNS3) has other networks behind it.
Maybe the lab should look like this - attached picture.
Best regards and thank you!
06-27-2023 10:52 AM - last edited on 07-05-2023 05:43 AM by Translator
You use route leaking via BGP in the router:
route-target BOTH 100:100
route-target import 99:99
<<- this needs to be removed, or you need to add
route-target import 99:99
route-target export 99:99
instead of using route-target both.
After doing that, check each VRF to see if route leaking works fine or not.
06-27-2023 11:07 AM - last edited on 07-05-2023 06:01 AM by Translator
Hello
route leaking does work.
dc01-r-wan-01#show ip route vrf z100_internet_access
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
B* 0.0.0.0/0 [20/0] via 192.168.1.1 (internet_access), 00:00:04
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.1.0/30 is directly connected, Ethernet0/1
L 172.16.1.1/32 is directly connected, Ethernet0/1
dc01-r-wan-01#show ip route vrf internet_access
S* 0.0.0.0/0 [1/0] via 192.168.1.1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
B 172.16.1.0/30 is directly connected, 00:00:12, Ethernet0/1
L 172.16.1.1/32 is directly connected, Ethernet0/1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Ethernet0/0
L 192.168.1.100/32 is directly connected, Ethernet0/0
06-27-2023 12:51 PM - last edited on 07-05-2023 06:13 AM by Translator
So the router has two sides: one is 172.16.1.0 in VRF Z100, and the other connects to the outside via 192.168.1.0, which is VRF internet_access. Then you configure NATing with match-in-vrf, which I think is wrong, and here are some points why:
1- The Match-in-VRF Support for NAT feature is not supported on interface overload configuration (some Cisco docs say it is supported).
2- The Match-in-VRF Support for NAT feature supports Network Address Translation (NAT) of packets that communicate between two hosts within the same VPN routing and forwarding (VRF) instance.
So it is intra-VRF, not inter-VRF. For inter-VRF, check the link below; it is for IOS XE, which I think you use in your lab.
https://community.cisco.com/t5/security-knowledge-base/nat-with-vrf-ios-vs-ios-xe/ta-p/3156555
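Added example (not from the thread, the linked articles or the original poster): the usual IOS pattern for inter-VRF internet NAT is to leave the outside interface in the global routing table, point each inside VRF's default route at it with the `global` keyword, and configure one `ip nat inside source ... vrf <name> overload` statement per inside VRF. This removes the need for the BGP route leaking and the second `internet_access` VRF from the original configuration. Interface names, the VRF `z100_internet_access` and the addresses reuse the original post; the second VRF `z200_tenant`, its interface Ethernet0/2 and the prefix 172.16.2.0/30 are assumed to illustrate the "several VRFs" case. Whether the global static routes back toward the inside prefixes are required depends on the platform (classic IOS vs IOS XE, see the article linked above), so that part must be verified in your own image.

```cisco
! Outside interface stays in the global routing table (no vrf forwarding)
interface Ethernet0/0
 ip address 192.168.1.100 255.255.255.0
 ip nat outside
 no shutdown
!
! Inside interfaces keep their own VRFs; no route leaking between them
interface Ethernet0/1
 vrf forwarding z100_internet_access
 ip address 172.16.1.1 255.255.255.252
 ip nat inside
 no shutdown
!
! Assumed second tenant VRF, only to show the multi-VRF case
interface Ethernet0/2
 vrf forwarding z200_tenant
 ip address 172.16.2.1 255.255.255.252
 ip nat inside
 no shutdown
!
! Each VRF's default route exits via the global table ("global" keyword)
ip route vrf z100_internet_access 0.0.0.0 0.0.0.0 Ethernet0/0 192.168.1.1 global
ip route vrf z200_tenant 0.0.0.0 0.0.0.0 Ethernet0/0 192.168.1.1 global
!
! Global routes back to each inside prefix. Needed on some platforms for the
! un-translated return packet; verify with "debug ip nat" on your image.
ip route 172.16.1.0 255.255.255.252 Ethernet0/1
ip route 172.16.2.0 255.255.255.252 Ethernet0/2
!
! Translate only the intended inside prefixes. Keep the ACLs tight so that
! nothing else that happens to enter these VRFs is NATed to the internet.
ip access-list standard ACL-Z100-INTERNET
 permit 172.16.1.0 0.0.0.3
ip access-list standard ACL-Z200-INTERNET
 permit 172.16.2.0 0.0.0.3
!
! One NAT statement per inside VRF, overloading the global outside address.
! No match-in-vrf: that keyword is for hosts within the same VRF.
ip nat inside source list ACL-Z100-INTERNET interface Ethernet0/0 vrf z100_internet_access overload
ip nat inside source list ACL-Z200-INTERNET interface Ethernet0/0 vrf z200_tenant overload
```

To check it, ping 8.8.8.8 from a host behind Ethernet0/1 and confirm with `show ip nat translations verbose` that the entry is created and carries the VRF name, and with `show ip route vrf z100_internet_access` that the default route points at Ethernet0/0 via the global table. Each tenant VRF only ever receives a default route out, never the other tenants' prefixes, so the NAT boundary also keeps the tenant zones separated.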
06-29-2023 12:22 PM
Thank you! I will test it.
Best regards!
07-01-2023 02:06 AM
I have found this solution here, which works fine.
https://community.cisco.com/t5/routing/nat-overload-from-vrf-to-global/td-p/3389728
Thank you all for your support in this matter.
Best regards!
07-01-2023 02:09 AM
Friend
you are so welcome
have a nice weekend
MHM
07-01-2023 04:09 AM
Thank you!
I wish you a nice weekend too!