router drops return traffic for NAT process

aw75635
Level 1

Hello
I have the following setup in my lab - see configuration further down.
The issue is that I do not get a response on NAT.

The idea is to import routes from several VRFs into one common VRF to provide internet connectivity.

Doing a debug on the router, I see

*Jun 26 17:35:14.595: IP: s=172.16.1.2 (Ethernet0/1), d=192.168.1.100, len 84, input feature
*Jun 26 17:35:14.595: ICMP type=8, code=0, Virtual Fragment Reassembly After IPSec Decryption(56), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jun 26 17:35:14.595: IP: s=172.16.1.2 (Ethernet0/1), d=192.168.1.100, len 84, input feature
*Jun 26 17:35:14.595: ICMP type=8, code=0, MCI Check(108), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jun 26 17:35:14.595: FIBipv4-packet-proc: route packet from Ethernet0/1 src 172.16.1.2 dst 192.168.1.100
*Jun 26 17:35:14.595: FIBfwd-proc: z100_internet_access:192.168.1.100/32 receive entry
*Jun 26 17:35:14.595: FIBipv4-packet-proc: packet routing failed
*Jun 26 17:35:14.595: IP: tableid=1, s=172.16.1.2 (Ethernet0/1), d=192.168.1.100 (Ethernet0/0), routed via RIB
*Jun 26 17:35:14.595: NAT: s=172.16.1.2->192.168.1.100, d=192.168.1.100 [52304]


On the firewall I can see the return traffic.
IP Packet Header
IP Type: ICMP(0x1), src=[8.8.8.8], Dst=[192.168.1.100]
ICMP Packet Header
ICMP Type = 0(ECHO_REPLY), ICMP Code = 0, ICMP Checksum = 8257
Value:[0]
Forwarded 1:1)

Here is the configuration on the router:
conf t
hostname dc01-r-wan-01


!*************define vrf z100_internet_access for zone Z100
!Z100 is a common zone
vrf definition z100_internet_access
rd 100:100
route-target BOTH 100:100
route-target import 99:99
address-family ipv4
exit
exit

!*************create the vrf internet access
!Z100 is a common zone
vrf definition internet_access
rd 99:99
route-target BOTH 99:99
route-target import 100:100
address-family ipv4
exit
exit

!*************define int eth0/0 - out interface vrf internet_access
int eth0/0
vrf forwarding internet_access
no shut
ip address 192.168.1.100 255.255.255.0
ip nat outside
exit

!*************define int eth0/1 - in interface vrf z100_internet_access
int eth0/1
vrf forwarding z100_internet_access
ip address 172.16.1.1 255.255.255.252
no shut
ip nat inside
exit

ip route vrf internet_access 0.0.0.0 0.0.0.0 192.168.1.1

!*************create bgp for route leaking between VRFs
router bgp 65000
bgp router-id 1.1.1.1
address-family ipv4 vrf z100_internet_access
redistribute connected
!network 172.16.1.0 mask 255.255.255.252
exit

address-family ipv4 vrf internet_access
!no redistribute connected
default-information originate
redistribute static
exit


!*************define ACL for NAT
ip access-list standard ACL-COMMON-INTERNET
permit 172.16.1.0 0.0.0.3
exit

!*************define RM for NAT
route-map RM-COMMON-INTERNET permit 10
match ip address ACL-COMMON-INTERNET

!ip route vrf internet_access 192.168.1.0 255.255.255.0 Null0

!*************define NAT

ip nat pool NAT-COMMON-INTERNET 192.168.1.100 192.168.1.100 prefix-length 30
ip nat inside source route-map RM-COMMON-INTERNET pool NAT-COMMON-INTERNET vrf z100_internet_access match-in-vrf overload


Any tips much appreciated.

Attached picture with the environment.

Best regards!


13 Replies

marce1000
VIP

    - FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur70424

 M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hello Marce, thank you for your reply.

The router I have in GNS3 is not aware of the SDM command.

Maybe there is another router type I could use in the GNS3 env to avoid this issue?

Best regards!

But the way I see it, the SDM thing is more switch related than router related.

If you can simplify your network: I see a link, then the link divides into two, one to the cloud and the other to the FW.

Can you simplify?

Thanks

The cloud is actually the interface on my computer which allows communication between the VMware Workstation environment (where GNS3 runs) and the physical firewall (the gateway to the internet).

The router, the physical computer and the physical firewall are in the same network, 192.168.1.0/24.

The router (in GNS3) has other networks behind it.

Maybe the lab should look like this - attached picture.

Best regards and thank you!

aw75635
Level 1

.

You use route leaking via BGP in the router:

route-target BOTH 100:100
route-target import 99:99 <<- this needs to be removed, or you need to add

route-target import 99:99
route-target export 99:99

instead of using route-target both.

After doing that, check each VRF to see if route leaking works fine or not.

Hello

Route leaking does work.


dc01-r-wan-01#show ip route vrf z100_internet_access

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

B* 0.0.0.0/0 [20/0] via 192.168.1.1 (internet_access), 00:00:04
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.1.0/30 is directly connected, Ethernet0/1
L 172.16.1.1/32 is directly connected, Ethernet0/1


dc01-r-wan-01#show ip route vrf internet_access

S* 0.0.0.0/0 [1/0] via 192.168.1.1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
B 172.16.1.0/30 is directly connected, 00:00:12, Ethernet0/1
L 172.16.1.1/32 is directly connected, Ethernet0/1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Ethernet0/0
L 192.168.1.100/32 is directly connected, Ethernet0/0
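The earlier reply asked to check each VRF to see whether route leaking works. The following Python script is an added example, not part of this thread and not Cisco code: it parses the two "show ip route vrf" outputs above (copied here as constructed sample input), does the same longest-prefix lookup the FIB would, and reports whether the forward path (inside VRF to an internet destination, 8.8.8.8 as in the firewall capture above) and the return path (outside VRF back to the inside host 172.16.1.2) both resolve, and whether the return route is a BGP-leaked one rather than just a default. The route line formats handled are only those shown on this page (connected, local, static default, BGP with a "(vrf)" annotation).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the two "show ip route vrf" outputs quoted in this
# thread, reused here as test data (the "is variably subnetted" summary lines
# are kept so the parser has to skip them).
SHOW_ROUTE_Z100 = """\
Gateway of last resort is 192.168.1.1 to network 0.0.0.0

B* 0.0.0.0/0 [20/0] via 192.168.1.1 (internet_access), 00:00:04
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.1.0/30 is directly connected, Ethernet0/1
L 172.16.1.1/32 is directly connected, Ethernet0/1
"""

SHOW_ROUTE_INTERNET = """\
S* 0.0.0.0/0 [1/0] via 192.168.1.1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
B 172.16.1.0/30 is directly connected, 00:00:12, Ethernet0/1
L 172.16.1.1/32 is directly connected, Ethernet0/1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Ethernet0/0
L 192.168.1.100/32 is directly connected, Ethernet0/0
"""


@dataclass(frozen=True)
class Route:
    code: str                      # IOS route code as printed: C, L, B, B*, S*
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]        # None for connected/local routes
    source_vrf: Optional[str]      # VRF shown in parentheses for a leaked route
    interface: Optional[str]


# One route line: code, prefix, optional [AD/metric], then either
# "via <next-hop> (<vrf>)" or "is directly connected".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]{1,2}\*?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
    r"(?:\s+\[\d+/\d+\])?\s+"
    r"(?:via\s+(?P<nh>\d+\.\d+\.\d+\.\d+)(?:\s+\((?P<vrf>[^)]+)\))?"
    r"|is directly connected)"
)
# Trailing ", Ethernet0/1"-style interface name, if present.
INTF_RE = re.compile(r",\s*([A-Za-z][A-Za-z-]*\d[\d/.]*)\s*$")


def parse_show_ip_route(text: str) -> List[Route]:
    """Parse the route lines of an IOS 'show ip route [vrf X]' dump."""
    routes = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if not m:
            continue  # header, blank, or "... is variably subnetted" summary
        intf = INTF_RE.search(line)
        routes.append(Route(
            code=m["code"],
            prefix=ipaddress.ip_network(m["prefix"], strict=False),
            next_hop=m["nh"],
            source_vrf=m["vrf"],
            interface=intf.group(1) if intf else None,
        ))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the FIB would do it for a destination."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def check_leak_pair(inside: List[Route], outside: List[Route],
                    inside_host: str, internet_dst: str = "8.8.8.8") -> dict:
    """Check both directions of an inter-VRF path that NAT will rely on.

    Forward: the inside VRF must resolve the internet destination to a
    next hop (here the default route leaked from internet_access).
    Return:  the outside VRF must resolve the inside host by something
    more specific than a default route, ideally a BGP-leaked route (code B).
    """
    fwd = lookup(inside, internet_dst)
    ret = lookup(outside, inside_host)
    return {
        "forward_ok": fwd is not None and fwd.next_hop is not None,
        "forward_route": fwd,
        "return_ok": ret is not None and ret.prefix.prefixlen != 0,
        "return_route": ret,
        "return_is_leaked": ret is not None and ret.code.startswith("B"),
    }


if __name__ == "__main__":
    z100 = parse_show_ip_route(SHOW_ROUTE_Z100)
    internet = parse_show_ip_route(SHOW_ROUTE_INTERNET)
    result = check_leak_pair(z100, internet, inside_host="172.16.1.2")
    for key, value in result.items():
        print(f"{key:17} {value}")
```

Run against the two tables above, both directions resolve and the return route in internet_access is the BGP-leaked 172.16.1.0/30, which is consistent with the reply that follows: the leaking itself is fine, so the problem is in the NAT configuration rather than in the routing.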

So the router has two sides: one is 172.16.1.0 in vrf Z100, and the other connects to the outside via 192.168.1.0, which is vrf internet_access.

Then you configure NATing with match-in-vrf, which I think is wrong, and here are some points why:

1- The Match-in-VRF Support for NAT feature is not supported on interface overload configuration. (Some Cisco docs say it is supported.)

2- The Match-in-VRF Support for NAT feature supports Network Address Translation (NAT) of packets that communicate between two hosts within the same VPN routing and forwarding (VRF) instance. So it is intra-VRF, not inter-VRF.

For inter-VRF, check the link below; it is for IOS XE, which I think you use in your lab:
https://community.cisco.com/t5/security-knowledge-base/nat-with-vrf-ios-vs-ios-xe/ta-p/3156555

Thank you! I will test it.

Best regards!

aw75635
Level 1 (Accepted Solution)

I have found this solution here which works fine.

https://community.cisco.com/t5/routing/nat-overload-from-vrf-to-global/td-p/3389728

Thank you all for your support in this matter.

Best regards!

Friend,
you are so welcome,
have a nice weekend.
MHM

Thank you!

I wish you a nice weekend too!
