
VASI and NAT

sridcloud
Level 1

I am trying to follow the static NAT example from https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/200255-Configure-VRF-Aware-Software-Infrastruct.html.

After setting up, I am trying to ping 172.16.1.2 and it fails. Debugging this problem, I found that the issue is with ARP not being able to find who has 172.16.1.5 on the interface between Sydney and Bombay.

Configuration on sanjose:

interface GigabitEthernet1

ip address 192.168.1.1 255.255.255.0

negotiation auto

no mop enabled

no mop sysid

!

interface GigabitEthernet2

no ip address

shutdown

negotiation auto

no mop enabled

no mop sysid

!

interface GigabitEthernet3

no ip address

shutdown

negotiation auto

no mop enabled

no mop sysid

!

interface GigabitEthernet4

no ip address

shutdown

negotiation auto

no mop enabled

no mop sysid

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 192.168.1.2

 

On Sydney:

interface GigabitEthernet1

ip address 172.16.1.1 255.255.255.0

negotiation auto

no mop enabled

no mop sysid

!

interface GigabitEthernet2

no ip address

shutdown

negotiation auto

no mop enabled

no mop sysid

!

interface GigabitEthernet3

no ip address

shutdown

negotiation auto

no mop enabled

no mop sysid

!

interface GigabitEthernet4

no ip address

shutdown

negotiation auto

no mop enabled

no mop sysid

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 172.16.1.2

 

on Bombay:

vrf definition VRF_LEFT

rd 1:1

!

address-family ipv4

exit-address-family

!

vrf definition VRF_RIGHT

rd 2:2

!

address-family ipv4

exit-address-family

!

interface GigabitEthernet1

vrf forwarding VRF_LEFT

ip address 192.168.1.2 255.255.255.0

negotiation auto

no mop enabled

no mop sysid

!

interface GigabitEthernet2

vrf forwarding VRF_RIGHT

ip address 172.16.1.2 255.255.255.0

ip nat outside

negotiation auto

no mop enabled

no mop sysid

!

interface GigabitEthernet3

no ip address

shutdown

negotiation auto

no mop enabled

no mop sysid

!

interface GigabitEthernet4

no ip address

shutdown

negotiation auto

no mop enabled

no mop sysid

!         

interface vasileft1

vrf forwarding VRF_LEFT

ip address 10.1.1.1 255.255.255.252

no keepalive

!

interface vasiright1

vrf forwarding VRF_RIGHT

ip address 10.1.1.2 255.255.255.252

ip nat inside

no keepalive

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

!

ip nat inside source static 192.168.1.1 172.16.1.5 vrf VRF_RIGHT

ip route vrf VRF_LEFT 172.16.0.0 255.255.0.0 vasileft1 10.1.1.2

ip route vrf VRF_RIGHT 192.168.0.0 255.255.0.0 vasiright1 10.1.1.1

 

From Bombay I can ping 172.16.1.2

Router#ping vrf VRF_RIGHT 172.16.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Router#

But from Sanjose to Sydney, it is not working

Router#ping 172.6.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.6.1.1, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)

Router#

Placed Wireshark on the line between Bombay and Sydney; I see the request going in with source IP 172.6.1.5 (NATted successfully) and destination 172.16.1.1, but no response. With ARP filtering enabled in Wireshark, I see an ARP request going out (who has 172.16.1.5 Tell 172.16.1.1) and no response back.

What is wrong?


sridcloud
Level 1

From Sydney I am able to ping San Jose. 

Router#ping 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/4 ms

Router#

In Wireshark on the interface between Bombay and Sydney, I see the request go out with source IP 172.16.1.1 and destination 192.168.1.1, but in the reply the source is 172.16.1.5 and the destination is 172.16.1.1.

In Wireshark on the interface between San Jose and Bombay, the request has source IP 172.16.1.1 and destination 192.168.1.1, and the reverse in the reply: source IP 192.168.1.1 and destination 172.16.1.1.

Did I set up the NAT the other way round, from Sydney to San Jose, by following this tutorial?

sridcloud
Level 1

Any updates anyone?

I am here now, I will check your config and network and reply.

Thanks 

MHM

sridcloud
Level 1

No, it is still a problem. On the interface between Bombay and Sydney I see a time-to-live exceeded message. Here are my latest configs:

San Jose:

Router#show run

Building configuration...

 

Current configuration : 6035 bytes

!

! Last configuration change at 23:12:14 UTC Sun Sep 17 2023

!

version 17.3

service timestamps debug datetime msec

service timestamps log datetime msec

! Call-home is enabled by Smart-Licensing.

service call-home

platform qfp utilization monitor load 80

platform punt-keepalive disable-kernel-core

platform console serial

!

hostname Router

!

boot-start-marker

boot-end-marker

!

!

!

no aaa new-model

!

!         

!

!

!

!

!

!

!

!

login on-success log

!

!

!

!

!

!

!

subscriber templating

!

!

!

!

!

!         

multilink bundle-name authenticated

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

crypto pki trustpoint TP-self-signed-1068413895

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1068413895

revocation-check none

rsakeypair TP-self-signed-1068413895

!

crypto pki trustpoint SLA-TrustPoint

enrollment pkcs12

revocation-check crl

!

!

crypto pki certificate chain TP-self-signed-1068413895

certificate self-signed 01


  quit

crypto pki certificate chain SLA-TrustPoint

certificate ca 01


  quit

!

license udi pid CSR1000V sn 94TZ0QRX7SY

diagnostic bootup level minimal

memory free low-watermark processor 71507

!

!

spanning-tree extend system-id

!

!

redundancy

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!         

!

!

!

!

!

interface GigabitEthernet1

ip address 192.168.1.1 255.255.255.0

negotiation auto

no mop enabled

no mop sysid

!

interface GigabitEthernet2

no ip address

shutdown

negotiation auto

no mop enabled

no mop sysid

!

interface GigabitEthernet3

no ip address

shutdown

negotiation auto

no mop enabled

no mop sysid

!

interface GigabitEthernet4

no ip address

shutdown

negotiation auto

no mop enabled

no mop sysid

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 192.168.1.2

!

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

line con 0

stopbits 1

line vty 0 4

login

transport input ssh

!

call-home

! If contact email address in call-home is configured as sch-smart-licensing@cisco.com

! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.

contact-email-addr sch-smart-licensing@cisco.com

profile "CiscoTAC-1"

  active

  destination transport-method http

!

!         

!

!

!

end

 

Router#

 

Sydney 

Router#show run

Building configuration...

 

Current configuration : 6033 bytes

!

! Last configuration change at 23:07:05 UTC Sun Sep 17 2023

!

version 17.3

service timestamps debug datetime msec

service timestamps log datetime msec

! Call-home is enabled by Smart-Licensing.

service call-home

platform qfp utilization monitor load 80

platform punt-keepalive disable-kernel-core

platform console serial

!

hostname Router

!

boot-start-marker

boot-end-marker

!

!

!

no aaa new-model

!

!         

!

!

!

!

!

!

!

!

login on-success log

!

!

!

!

!

!

!

subscriber templating

!

!

!

!

!

!         

multilink bundle-name authenticated

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

crypto pki trustpoint TP-self-signed-1371205190

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1371205190

revocation-check none

rsakeypair TP-self-signed-1371205190

!

crypto pki trustpoint SLA-TrustPoint

enrollment pkcs12

revocation-check crl

!

!

crypto pki certificate chain TP-self-signed-1371205190

certificate self-signed 01


  quit

crypto pki certificate chain SLA-TrustPoint

certificate ca 01


  quit

!

license udi pid CSR1000V sn 9UD09ZHXIOX

diagnostic bootup level minimal

memory free low-watermark processor 71507

!

!

spanning-tree extend system-id

!

!

redundancy

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!         

!

!

!

!

!

interface GigabitEthernet1

ip address 172.16.1.1 255.255.255.0

negotiation auto

no mop enabled

no mop sysid

!

interface GigabitEthernet2

no ip address

shutdown

negotiation auto

no mop enabled

no mop sysid

!

interface GigabitEthernet3

no ip address

shutdown

negotiation auto

no mop enabled

no mop sysid

!

interface GigabitEthernet4

no ip address

shutdown

negotiation auto

no mop enabled

no mop sysid

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 172.16.1.2

!

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

line con 0

stopbits 1

line vty 0 4

login

transport input ssh

!

call-home

! If contact email address in call-home is configured as sch-smart-licensing@cisco.com

! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.

contact-email-addr sch-smart-licensing@cisco.com

profile "CiscoTAC-1"

  active

  destination transport-method http

!

!         

!

!

!

end

 

Router#

 

Bombay:

 

Router#show run

Building configuration...

 

Current configuration : 6700 bytes

!

! Last configuration change at 00:41:57 UTC Mon Sep 18 2023

!

version 17.3

service timestamps debug datetime msec

service timestamps log datetime msec

! Call-home is enabled by Smart-Licensing.

service call-home

platform qfp utilization monitor load 80

platform punt-keepalive disable-kernel-core

platform console serial

!

hostname Router

!

boot-start-marker

boot-end-marker

!

!

vrf definition VRF_LEFT

rd 1:1

!

address-family ipv4

exit-address-family

!

vrf definition VRF_RIGHT

rd 2:2

!

address-family ipv4

exit-address-family

!

!

no aaa new-model

!

!

!

!

!

!

!

!

!

!

login on-success log

!

!         

!

!

!

!

!

subscriber templating

!

!

!

!

!

!

multilink bundle-name authenticated

!

!

!

!

!

!

!

!

!

!         

!

!

!

!

!

crypto pki trustpoint TP-self-signed-701350170

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-701350170

revocation-check none

rsakeypair TP-self-signed-701350170

!

crypto pki trustpoint SLA-TrustPoint

enrollment pkcs12

revocation-check crl

!

!

crypto pki certificate chain TP-self-signed-701350170

certificate self-signed 01


  quit

crypto pki certificate chain SLA-TrustPoint

certificate ca 01


  quit

!

license udi pid CSR1000V sn 9JMFMZDRREX

diagnostic bootup level minimal

memory free low-watermark processor 71507

!

!

spanning-tree extend system-id

!

!

redundancy

!

!

!

!

!

!

!

!         

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

interface GigabitEthernet1

vrf forwarding VRF_LEFT

ip address 192.168.1.2 255.255.255.0

negotiation auto

no mop enabled

no mop sysid

!

interface GigabitEthernet2

vrf forwarding VRF_RIGHT

ip address 172.16.1.2 255.255.255.0

ip nat outside

negotiation auto

no mop enabled

no mop sysid

!

interface GigabitEthernet3

no ip address

shutdown

negotiation auto

no mop enabled

no mop sysid

!

interface GigabitEthernet4

no ip address

shutdown

negotiation auto

no mop enabled

no mop sysid

!         

interface vasileft1

vrf forwarding VRF_LEFT

ip address 10.1.1.1 255.255.255.252

no keepalive

!

interface vasiright1

vrf forwarding VRF_RIGHT

ip address 10.1.1.2 255.255.255.252

ip nat inside

no keepalive

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

!

ip nat inside source static 192.168.1.1 172.16.1.5 vrf VRF_RIGHT

ip route vrf VRF_LEFT 0.0.0.0 0.0.0.0 vasileft1 10.1.1.2

ip route vrf VRF_RIGHT 0.0.0.0 0.0.0.0 GigabitEthernet2 172.16.1.1

ip route vrf VRF_RIGHT 172.16.1.5 255.255.255.255 vasiright1 10.1.1.1

!

!

!         

!

!

!

!

control-plane

!

!

!

!

!

!

line con 0

stopbits 1

line vty 0 4

login

transport input ssh

!

call-home

! If contact email address in call-home is configured as sch-smart-licensing@cisco.com

! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.

contact-email-addr sch-smart-licensing@cisco.com

profile "CiscoTAC-1"

  active

  destination transport-method http

!

!

!

!

!

end

 

Router#

Hello


@sridcloud wrote:

No, it is still a problem. on the interface between Bombay and Sydney I see a time-to-live exceeded message. Here are my latest configs :


I see now you have the incorrect static route

no ip route vrf VRF_RIGHT 172.16.1.5 255.255.255.255 vasiright1 10.1.1.1

ip route vrf VRF_RIGHT 192.168.1.0 255.255.255.255 vasiright1 10.1.1.1


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

It looks like there might be a typo in the IP address you're trying to ping from Sanjose to Sydney. You have "ping 172.6.1.1," but it should be "ping 172.16.1.1" to match the IP address of the Sydney interface.

Try the following command:

Router# ping 172.16.1.1

If you still encounter issues after correcting the IP address, please provide more details about the network topology and configurations so that I can assist you further in troubleshooting the problem.

 

sridcloud
Level 1

Still seeing the problem. On the link between Bombay and Sydney, I see 172.16.1.1 to 192.168.1.1 repeated and finally get a time-to-live exceeded packet from 172.16.1.2 to 172.16.1.1. @westereshbaughson24

Hello

You STILL have the static route incorrect, and that was my mistake; it was a typo, so apologies.

no ip route vrf VRF_RIGHT 192.168.1.0 255.255.255.255 vasiright1 10.1.1.1
ip route vrf VRF_RIGHT 192.168.1.0 255.255.255.0 vasiright1 10.1.1.1



Kind Regards
Paul
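Added example (not part of any post in this thread, and not Cisco's code): a longest-prefix-match lookup over Bombay's `ip route vrf` lines at the three stages discussed above, showing why 192.168.1.1 kept leaving VRF_RIGHT through GigabitEthernet2 until the /24 mask was used. The names `LOOPING`, `HOST_MASK_TYPO`, `FIXED` and all function names are made up for this illustration; it assumes the two default routes stayed in place across both corrections, and connected routes are omitted.

```python
import ipaddress
import re

# One static route per line, in the form used throughout the thread.
ROUTE_RE = re.compile(r"^ip route vrf (\S+) (\S+) (\S+) (\S+) (\S+)[ \t]*$", re.M)

# Default routes from the latest Bombay config (assumed unchanged afterwards).
COMMON = (
    "ip route vrf VRF_LEFT 0.0.0.0 0.0.0.0 vasileft1 10.1.1.2\n"
    "ip route vrf VRF_RIGHT 0.0.0.0 0.0.0.0 GigabitEthernet2 172.16.1.1\n"
)
# Stage 1: config that produced the time-to-live exceeded messages.
LOOPING = COMMON + (
    "ip route vrf VRF_RIGHT 172.16.1.5 255.255.255.255 vasiright1 10.1.1.1\n"
)
# Stage 2: first correction, with the mask typo (host route to 192.168.1.0).
HOST_MASK_TYPO = COMMON + (
    "ip route vrf VRF_RIGHT 192.168.1.0 255.255.255.255 vasiright1 10.1.1.1\n"
)
# Stage 3: second correction, reported as working.
FIXED = COMMON + (
    "ip route vrf VRF_RIGHT 192.168.1.0 255.255.255.0 vasiright1 10.1.1.1\n"
)


def parse_routes(config):
    """Return {vrf: [(network, interface, next_hop), ...]} from config text."""
    tables = {}
    for vrf, prefix, mask, iface, nexthop in ROUTE_RE.findall(config):
        # Dotted mask -> prefix length (contiguous masks only).
        plen = bin(int(ipaddress.IPv4Address(mask))).count("1")
        net = ipaddress.IPv4Network(f"{prefix}/{plen}", strict=False)
        tables.setdefault(vrf, []).append((net, iface, nexthop))
    return tables


def lookup(config, vrf, dst):
    """Longest-prefix match for dst inside one VRF; None if nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in parse_routes(config).get(vrf, []) if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def egress(config, vrf, dst):
    """Interface the VRF would forward dst out of, or None."""
    route = lookup(config, vrf, dst)
    return route[1] if route else None


def suspicious_host_routes(config):
    """Flag /32 routes whose address ends in .0: usually a subnet with a mask typo."""
    flagged = []
    for routes in parse_routes(config).values():
        for net, _iface, _nexthop in routes:
            if net.prefixlen == 32 and int(net.network_address) & 0xFF == 0:
                flagged.append(str(net))
    return flagged


if __name__ == "__main__":
    stages = [("looping", LOOPING), ("mask typo", HOST_MASK_TYPO), ("fixed", FIXED)]
    for name, cfg in stages:
        # 192.168.1.1 is the destination seen repeating on the Bombay-Sydney link.
        print(f"{name:10} VRF_RIGHT -> 192.168.1.1 via",
              egress(cfg, "VRF_RIGHT", "192.168.1.1"),
              "| suspicious:", suspicious_host_routes(cfg))
```

In the first two stages the only match for 192.168.1.1 in VRF_RIGHT is the default route back toward Sydney, which is consistent with the repeated 172.16.1.1 to 192.168.1.1 packets and the time-to-live exceeded reply seen in the capture.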

sridcloud
Level 1

Finally! It is all working fine, the IP 192.168.1.1 is getting translated to 172.16.1.5.

sridcloud
Level 1

Thanks @paul driver for your patience and help and @westereshbaughson24 and @MHM Cisco World for all your help.

sridcloud
Level 1

Sorry to bug, this config stopped working after a few hours...

sridcloud
Level 1

Yes, I am using GNS3. What's happening is that Sydney is sending ARP for 172.16.1.5 and is not getting any response. So, when San Jose pings Sydney, Sydney is getting the request using the NATed IP 172.16.1.5 but is not able to respond back.

sridcloud
Level 1

Same ARP problem on CML as well. The NAT is set up without the 'no-alias' option, so why is Bombay not making an ARP entry for the NAT IP address 172.16.1.5? Sydney is not able to get the ARP response for 172.16.1.5 from Bombay.

ip route vrf VRF_LEFT 172.16.0.0 255.255.0.0 vasileft1 10.1.1.2

ip route vrf VRF_RIGHT 192.168.0.0 255.255.0.0 vasiright1 10.1.1.1

Then add two static NAT one for each direction then try ping.
