09-11-2014 12:32 PM - edited 03-04-2019 11:44 PM
Hi experts,
I am doing an experiment to NAT traffic from global VRF to another VRF (called Internet). Please see my diagram. R1 is a host router with default gateway pointing to R2. R3 is simulating the ISP. Its lo0 with IP 3.3.3.3 is simulating an Internet host. R2 is doing the NAT.
I have tried both the traditional inside/outside NAT and NVI NAT. I can NAT traffic from right to left fine with NVI NAT; however, traffic from left to right doesn't work for me. Here is my config:
vrf definition Internet
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 !
 address-family ipv4
 exit-address-family
!
!
interface Ethernet0/0
 ip address 10.0.12.2 255.255.255.0
 ip nat inside
 ip nat enable
!
interface Ethernet0/1
 vrf forwarding Internet
 ip address 172.16.23.2 255.255.255.0
 ip nat outside
 ip nat enable
!
!
ip route 0.0.0.0 0.0.0.0 Ethernet0/1 172.16.23.3
ip route vrf Internet 0.0.0.0 0.0.0.0 172.16.23.3
!
ip nat source static 10.0.12.1 172.16.23.1 vrf Internet
ip nat source list NVI-NAT interface e0/1 vrf Internet overload
!
ip access-list extended NVI-NAT
 permit ip 172.16.23.0 0.0.0.255 any
Now when I ping from R1 to 3.3.3.3 on R3, R3 still receives the un-NAT'ed traffic (from 10.0.12.1 to 3.3.3.3).
Is it possible to do NAT in this direction?
Thanks!
09-14-2014 11:05 PM
Hi - With the first scenario, please use a different NAT global IP, i.e. 172.16.20.1 instead of 172.16.23.1.
The problem is in R3: since you are using the 172.16.23.0/24 subnet both for the interconnect and for the static NAT, R3 is not routing traffic back to R2, because it considers 172.16.23.1 a local IP.
So the final working configuration would be -
On R2
ip route vrf Internet 10.0.12.0 255.255.255.0 Ethernet0/0 10.0.12.1
ip nat inside source static 10.0.12.1 172.16.23.1 (No VRF attachment since NAT inside interface is in global database).
On R3
ip route 172.16.20.1 255.255.255.255 172.16.23.2
Happy to help.
Please rate if you find this helpful.
09-12-2014 12:33 AM
Please change the configuration as below -
ip route vrf Internet 10.0.12.0 255.255.255.0 Ethernet0/0 10.0.12.1
---------------------------------------------------------------------------------
For testing I want to try below two command alternatively and check the output -
ip nat inside source static 10.0.12.1 172.16.23.1 - Remove the VRF configuration.
OR
ip nat inside source static 10.0.12.1 172.16.23.1 vrf Internet
----------------------------------------------------------------------------------
The static NAT you have configured is in VRF Internet. I want to see the source traffic hitting the NAT statement and, if it does, then ensure the return traffic for the source is in the VRF Internet routing table.
If the above doesn't help, then please share the vice-versa traceroute, the NAT debug output and the status of the NAT translation when you initiate the traffic.
Happy to help
Rate if you find it’s helpful.
09-12-2014 04:05 PM
Hey Naren thanks for the response. With the first command you provided
--- R2 config ---
ip route 0.0.0.0 0.0.0.0 Ethernet0/1 172.16.23.3
ip route vrf Internet 10.0.12.0 255.255.255.0 Ethernet0/0 10.0.12.1
!
ip nat inside source static 10.0.12.1 172.16.23.1
On R1 I am pinging 3.3.3.3. I ran "debug ip icmp" on R1 and R3. I ran "debug ip nat" and "debug ip nat vrf". Here are the relevant outputs:
--- R1 ---
R1#ping 3.3.3.3 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.
Success rate is 0 percent (0/1)
--- R3 ---
*Sep 12 22:49:31.735: ICMP: echo reply sent, src 3.3.3.3, dst 172.16.23.1, topology BASE, dscp 0 topoid 0
--- R2 ---
*Sep 12 22:49:31.734: NAT: s=10.0.12.1->172.16.23.1, d=3.3.3.3 [1]
So looks like that the R2 NAT'ed it properly. The traffic did reach R3 and R3 sent back the response. However R2 did not NAT the return traffic.
So now I changed the NAT to contain the VRF
--- R2 config ---
ip nat inside source static 10.0.12.1 172.16.23.1 vrf Internet
Then I pinged on R1 to 3.3.3.3
R1#ping 3.3.3.3 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.
Success rate is 0 percent (0/1)
--- R3 ---
*Sep 12 22:57:16.592: ICMP: echo reply sent, src 3.3.3.3, dst 10.0.12.1, topology BASE, dscp 0 topoid 0
On R2 there is no output.
It looks like that with the NAT config containing the VRF, it only NATs the traffic coming in on the VRF. Is it correct?
The traceroute on R1 is just reaching the R2 then no response afterwards
R1#traceroute 3.3.3.3 timeout 1 probe 1 numeric
Type escape sequence to abort.
Tracing the route to 3.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.12.2 2 msec
2 *
3
*Sep 12 22:51:46.821: ICMP: time exceeded rcvd from 10.0.12.2 *
4 *
5 *
6 *
7
Thanks!
Difan
09-22-2014 02:04 PM
Hey, sorry for the late response Naren. Yup, it works great now! You definitely pointed me in the right direction. I also tried adding a static ARP entry on R3 for 172.16.23.1 and it also worked. Of course, in my real-life scenario R3 is the provider router, so I can't touch it. So I found out that by creating 172.16.23.1 as a secondary IP on R2, it also works well :) Anyway, I believe that my problem is resolved. Thanks again!
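The accepted answer above and this follow-up describe the same failure mode from R3's side: the NAT global address 172.16.23.1 falls inside the directly connected interconnect /24, so R3 treats it as on-link and ARPs for it instead of sending the reply to R2. The script below is an added illustration, not part of the thread and not Cisco code; it models R3's longest-prefix-match lookup and ARP resolution on that link and walks through the original setup and the three fixes mentioned (a global address outside the /24 with a host route on R3, a static ARP entry on R3, and a secondary IP on R2). The MAC address and the assumption that R2 only answers ARP for addresses configured on its e0/1 are constructed for the model.

```python
import ipaddress

# Constructed MAC for R2's e0/1 (hypothetical, for the model only).
R2_MAC = "aa:bb:cc:00:00:02"

# R3's routing table as described in the thread: the /24 towards R2 is
# directly connected (next hop None) and lo0 carries 3.3.3.3/32.
R3_CONNECTED = [("172.16.23.0/24", None), ("3.3.3.3/32", None)]


def longest_prefix_match(routes, dst):
    """Return (network, next_hop) of the most specific route covering dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net_str, next_hop in routes:
        net = ipaddress.ip_network(net_str)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def resolve_arp(target, static_arp, r2_addresses):
    """ARP resolution on the R2-R3 link.

    Model assumption: the only other device on the link is R2, and R2 answers
    ARP only for addresses configured on e0/1 (primary or secondary).
    Static ARP entries on R3 are consulted first.
    """
    if target in static_arp:
        return static_arp[target]
    if target in r2_addresses:
        return R2_MAC
    return None


def r3_forward(dst, routes, static_arp=None, r2_addresses=("172.16.23.2",)):
    """What R3 does with a packet to dst: route lookup, then ARP for the L2 target."""
    static_arp = static_arp or {}
    match = longest_prefix_match(routes, dst)
    if match is None:
        return "dropped: no route"
    _, next_hop = match
    # Connected route -> ARP for the destination itself; otherwise ARP for the next hop.
    target = dst if next_hop is None else next_hop
    mac = resolve_arp(target, static_arp, set(r2_addresses))
    if mac is None:
        return f"dropped: ARP for {target} unanswered"
    return f"forwarded to {mac} via {target}"


def scenarios():
    """Replay the thread: original setup, then each of the three fixes."""
    results = {}
    # 1. Original: 172.16.23.1 is inside the connected /24, R3 ARPs for it, nobody answers.
    results["original"] = r3_forward("172.16.23.1", R3_CONNECTED)
    # 2. Accepted answer: NAT global 172.16.20.1 plus a host route on R3 via R2.
    routes = R3_CONNECTED + [("172.16.20.1/32", "172.16.23.2")]
    results["host_route"] = r3_forward("172.16.20.1", routes)
    # 3. Static ARP on R3 for the NAT global address (needs access to the provider router).
    results["static_arp"] = r3_forward(
        "172.16.23.1", R3_CONNECTED, static_arp={"172.16.23.1": R2_MAC}
    )
    # 4. Secondary IP on R2: R2 now owns 172.16.23.1 and answers ARP for it.
    results["secondary_ip"] = r3_forward(
        "172.16.23.1", R3_CONNECTED, r2_addresses=("172.16.23.2", "172.16.23.1")
    )
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:13s} -> {outcome}")
```

Running it prints "dropped: ARP for 172.16.23.1 unanswered" for the original scenario and "forwarded to ... via 172.16.23.2" for the other three, which is the behaviour the R3 debug in the thread showed (echo reply sent, but nothing arriving at R2). When you cannot change the provider router, the two fixes that stay on your own box are a NAT pool from a prefix the provider already routes to you, or owning the NAT global addresses on the outside interface so your router answers ARP for them.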
06-30-2017 03:12 AM
Hello Naren,
I also have a similar kind of setup where my WAN interface is in a VRF and the LAN is in the global routing table. I have done the inter-VRF routing, and a traceroute from the LAN to an Internet IP works fine.
But when I initiate the below command from the router:
router# telnet <to ip address on the internet> 80 /source-interface lan
the port does not open,
and ping does not work either.
Any pointers?
Regards
Ranjit