Source NAT traffic from global VRF to another VRF

Difan Zhao
Level 5

Hi experts,

I am doing an experiment to NAT traffic from global VRF to another VRF (called Internet). Please see my diagram. R1 is a host router with default gateway pointing to R2. R3 is simulating the ISP. Its lo0 with IP 3.3.3.3 is simulating an Internet host. R2 is doing the NAT.

I have tried both the traditional inside/outside NAT and NVI NAT. I can NAT traffic from right to left fine with NVI NAT. However, for traffic from left to right it doesn't work for me. Here is my config:

vrf definition Internet
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 !
 address-family ipv4
 exit-address-family
!
!
interface Ethernet0/0
 ip address 10.0.12.2 255.255.255.0
 ip nat inside
 ip nat enable
!
interface Ethernet0/1
 vrf forwarding Internet
 ip address 172.16.23.2 255.255.255.0
 ip nat outside
 ip nat enable
!
!
ip route 0.0.0.0 0.0.0.0 Ethernet0/1 172.16.23.3
ip route vrf Internet 0.0.0.0 0.0.0.0 172.16.23.3
!
ip nat source static 10.0.12.1 172.16.23.1 vrf Internet
ip nat source list NVI-NAT interface e0/1 vrf Internet overload
!
ip access-list extended NVI-NAT
 permit ip 172.16.23.0 0.0.0.255 any

Now when I ping from R1 to 3.3.3.3 on R3, R3 still gets the un-NAT'ed traffic (from 10.0.12.1 to 3.3.3.3).

Is it possible to do NAT in this direction?

Thanks!

5 Replies

Naren K
Level 1

Please change the configuration as below -

ip route vrf Internet 10.0.12.0 255.255.255.0 Ethernet0/0 10.0.12.1

---------------------------------------------------------------------------------

For testing I want to try below two command alternatively and check the output -

ip nat inside source static 10.0.12.1 172.16.23.1 - Remove the VRF configuration.

OR

ip nat inside source static 10.0.12.1 172.16.23.1 vrf Internet

----------------------------------------------------------------------------------

You have configured the static NAT in VRF Internet. I want to see whether the source traffic hits the NAT statement, and if it does, ensure that the return traffic for the source is in the VRF Internet routing table.

If the above doesn't help, please share the traceroute in both directions, the NAT debug output and the state of the NAT translation table when you initiate the traffic.


Happy to help

Rate if you find it’s helpful.


Hey Naren thanks for the response. With the first command you provided

--- R2 config ---

ip route 0.0.0.0 0.0.0.0 Ethernet0/1 172.16.23.3
ip route vrf Internet 10.0.12.0 255.255.255.0 Ethernet0/0 10.0.12.1
!
ip nat inside source static 10.0.12.1 172.16.23.1

On R1 I am pinging 3.3.3.3. I ran "debug ip icmp" on R1 and R3, and "debug ip nat" and "debug ip nat vrf" on R2. Here are the relevant outputs:

--- R1 ---

R1#ping 3.3.3.3 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.
Success rate is 0 percent (0/1)

--- R3 ---

*Sep 12 22:49:31.735: ICMP: echo reply sent, src 3.3.3.3, dst 172.16.23.1, topology BASE, dscp 0 topoid 0

--- R2 ---

*Sep 12 22:49:31.734: NAT: s=10.0.12.1->172.16.23.1, d=3.3.3.3 [1]

So it looks like R2 NAT'ed it properly. The traffic did reach R3 and R3 sent back the response. However, R2 did not NAT the return traffic.

So now I changed the NAT to contain the VRF

--- R2 config ---

ip nat inside source static 10.0.12.1 172.16.23.1 vrf Internet

Then I pinged on R1 to 3.3.3.3

R1#ping 3.3.3.3 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.
Success rate is 0 percent (0/1)


--- R3 ---

*Sep 12 22:57:16.592: ICMP: echo reply sent, src 3.3.3.3, dst 10.0.12.1, topology BASE, dscp 0 topoid 0

On R2 there is no output.

It looks like, with the NAT config containing the VRF, it only NATs the traffic coming in on the VRF. Is that correct?

The traceroute on R1 just reaches R2, then there is no response afterwards:

R1#traceroute 3.3.3.3 timeout 1 probe 1 numeric
Type escape sequence to abort.
Tracing the route to 3.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.12.2 2 msec
  2  *
  3
*Sep 12 22:51:46.821: ICMP: time exceeded rcvd from 10.0.12.2 *
  4  *
  5  *
  6  *
  7

Thanks!

Difan

Hi - With the first scenario, please use a different NAT global IP, i.e. 172.16.20.1 instead of 172.16.23.1.

The problem is in R3: since you are using the 172.16.23.0/24 subnet both for the interconnect and for the static NAT, R3 is not routing traffic back to R2, because it considers 172.16.23.1 a local IP.

So the final working configuration would be -

On R2

ip route vrf Internet 10.0.12.0 255.255.255.0 Ethernet0/0 10.0.12.1

ip nat inside source static 10.0.12.1 172.16.23.1 (no VRF attachment, since the NAT inside interface is in the global routing table).

On R3

ip route 172.16.20.1 255.255.255.255 172.16.23.2


Happy to help.

Please rate if you find this helpful.
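To make the diagnosis above concrete, here is an added Python model of R3's forwarding decision (constructed for this thread, not Cisco code and not from any poster): with only the connected 172.16.23.0/24, R3 ARPs for 172.16.23.1 on the link and nobody answers, whereas a /32 route to a global IP outside the link subnet hands the reply to R2. The routes, MAC address and ARP entries are constructed, and the model also covers the static-ARP and secondary-IP alternatives mentioned in the follow-up reply.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of R3 (added example, not Cisco code). R3 treats 172.16.23.1
# as a host on its own connected 172.16.23.0/24, so it ARPs for it on the link
# instead of routing the echo reply to R2 (172.16.23.2), and nothing answers.
R2_WAN = "172.16.23.2"
R2_MAC = "aabb.cc00.2010"  # constructed MAC for R2's Ethernet0/1

@dataclass
class Router:
    routes: list                                   # (prefix, next_hop); next_hop None = connected
    arp_table: dict = field(default_factory=dict)  # ip -> mac of hosts that answer ARP

    def lookup(self, dst: str):
        """Longest-prefix match over the routing table; None if no route."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, nh in self.routes:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best

    def forward(self, dst: str):
        """IP the packet is handed to on the wire, or None if R3 drops it."""
        match = self.lookup(dst)
        if match is None:
            return None                     # no route at all
        _net, nh = match
        target = dst if nh is None else nh  # connected route: ARP for the destination itself
        return target if target in self.arp_table else None  # unresolved ARP = drop

def r3(extra_routes=(), extra_arp=()):
    # R3 as in the thread: only the connected link subnet, with R2 resolvable.
    r = Router(routes=[("172.16.23.0/24", None), *extra_routes], arp_table={R2_WAN: R2_MAC})
    r.arp_table.update(dict(extra_arp))
    return r

def original_setup():
    # NAT global 172.16.23.1 inside the link subnet: R3 ARPs, no reply, packet dropped.
    return r3().forward("172.16.23.1")

def fix_host_route():
    # Accepted answer: global IP 172.16.20.1 plus a /32 route on R3 pointing at R2.
    return r3(extra_routes=[("172.16.20.1/32", R2_WAN)]).forward("172.16.20.1")

def fix_arp_answered():
    # Follow-up alternatives: static ARP on R3 for 172.16.23.1, or R2 owning it as a
    # secondary address. Either way the ARP resolves to R2's MAC, so R3 forwards.
    return r3(extra_arp=[("172.16.23.1", R2_MAC)]).forward("172.16.23.1")
```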

Hey, sorry for the late response Naren. Yup, it works great now! You definitely pointed me in the right direction. I also tried adding a static ARP entry on R3 for 172.16.23.1 and it also worked. Of course, in my real-life scenario R3 is the provider router, so I can't touch it. So I found out that by creating 172.16.23.1 as a secondary IP on R2, it also works well :) Anyway, I believe my problem is resolved. Thanks again!

Hello Naren,

I also have a similar kind of setup where my WAN interface is in a VRF and the LAN is in the global routing table. I have done the inter-VRF routing, and a trace from the LAN to an Internet IP works fine.

But when i initiate the below command from the router

router# telnet <to ip address on the internet> 80 /source interface lan

the port does not open.

Ping also does not work.

Any pointers?

Regards

Ranjit
