08-02-2023 07:22 PM
I am trying to follow the static NAT example from https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/200255-Configure-VRF-Aware-Software-Infrastruct.html.
After setting up, I am trying to ping 172.16.1.2 and it fails. Debugging this problem, I found that the issue is with ARP not being able to find who has 172.16.1.5 on the interface between Sydney and Bombay.
Configuration on sanjose:
interface GigabitEthernet1
ip address 192.168.1.1 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2
On Sydney:
interface GigabitEthernet1
ip address 172.16.1.1 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
On Bombay:
vrf definition VRF_LEFT
rd 1:1
!
address-family ipv4
exit-address-family
!
vrf definition VRF_RIGHT
rd 2:2
!
address-family ipv4
exit-address-family
!
interface GigabitEthernet1
vrf forwarding VRF_LEFT
ip address 192.168.1.2 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
vrf forwarding VRF_RIGHT
ip address 172.16.1.2 255.255.255.0
ip nat outside
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface vasileft1
vrf forwarding VRF_LEFT
ip address 10.1.1.1 255.255.255.252
no keepalive
!
interface vasiright1
vrf forwarding VRF_RIGHT
ip address 10.1.1.2 255.255.255.252
ip nat inside
no keepalive
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source static 192.168.1.1 172.16.1.5 vrf VRF_RIGHT
ip route vrf VRF_LEFT 172.16.0.0 255.255.0.0 vasileft1 10.1.1.2
ip route vrf VRF_RIGHT 192.168.0.0 255.255.0.0 vasiright1 10.1.1.1
From Bombay I can ping 172.16.1.2
Router#ping vrf VRF_RIGHT 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Router#
But from Sanjose to Sydney, it is not working
Router#ping 172.6.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.6.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
Router#
I placed Wireshark on the line between Bombay and Sydney; I see the request going in with source IP 172.6.1.5 (NATted successfully) and destination 172.16.1.1, but no response. With ARP filtering enabled in Wireshark, I see an ARP request going out (who has 172.16.1.5 Tell 172.16.1.1) and no response back.
What is wrong?
08-02-2023 07:57 PM
From Sydney I am able to ping San Jose.
Router#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/4 ms
Router#
In Wireshark on the interface between Bombay and Sydney, I see the request go out with source IP 172.16.1.1 and destination 192.168.1.1, but in the reply the source is 172.16.1.5 and the destination is 172.16.1.1.
In Wireshark on the interface between San Jose and Bombay, the request has source IP 172.16.1.1 and destination 192.168.1.1, and the reverse in the reply: source IP 192.168.1.1 and destination 172.16.1.1.
Did I set up the NAT the other way round, from Sydney to San Jose, by following this tutorial?
09-17-2023 05:49 AM
Any updates anyone?
09-17-2023 06:49 AM
I am here now; I will check your config and network and reply.
Thanks
MHM
09-17-2023 05:42 PM
No, it is still a problem. On the interface between Bombay and Sydney I see a time-to-live exceeded message. Here are my latest configs:
San Jose:
Router#show run
Building configuration...
Current configuration : 6035 bytes
!
! Last configuration change at 23:12:14 UTC Sun Sep 17 2023
!
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
! Call-home is enabled by Smart-Licensing.
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1068413895
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1068413895
revocation-check none
rsakeypair TP-self-signed-1068413895
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-1068413895
certificate self-signed 01
quit
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
quit
!
license udi pid CSR1000V sn 94TZ0QRX7SY
diagnostic bootup level minimal
memory free low-watermark processor 71507
!
!
spanning-tree extend system-id
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet1
ip address 192.168.1.1 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
stopbits 1
line vty 0 4
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
!
!
!
!
end
Router#
Sydney
Router#show run
Building configuration...
Current configuration : 6033 bytes
!
! Last configuration change at 23:07:05 UTC Sun Sep 17 2023
!
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
! Call-home is enabled by Smart-Licensing.
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1371205190
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1371205190
revocation-check none
rsakeypair TP-self-signed-1371205190
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-1371205190
certificate self-signed 01
quit
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
quit
!
license udi pid CSR1000V sn 9UD09ZHXIOX
diagnostic bootup level minimal
memory free low-watermark processor 71507
!
!
spanning-tree extend system-id
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet1
ip address 172.16.1.1 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
stopbits 1
line vty 0 4
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
!
!
!
!
end
Router#
Bombay:
Router#show run
Building configuration...
Current configuration : 6700 bytes
!
! Last configuration change at 00:41:57 UTC Mon Sep 18 2023
!
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
! Call-home is enabled by Smart-Licensing.
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
vrf definition VRF_LEFT
rd 1:1
!
address-family ipv4
exit-address-family
!
vrf definition VRF_RIGHT
rd 2:2
!
address-family ipv4
exit-address-family
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-701350170
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-701350170
revocation-check none
rsakeypair TP-self-signed-701350170
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-701350170
certificate self-signed 01
quit
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
quit
!
license udi pid CSR1000V sn 9JMFMZDRREX
diagnostic bootup level minimal
memory free low-watermark processor 71507
!
!
spanning-tree extend system-id
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet1
vrf forwarding VRF_LEFT
ip address 192.168.1.2 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
vrf forwarding VRF_RIGHT
ip address 172.16.1.2 255.255.255.0
ip nat outside
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface vasileft1
vrf forwarding VRF_LEFT
ip address 10.1.1.1 255.255.255.252
no keepalive
!
interface vasiright1
vrf forwarding VRF_RIGHT
ip address 10.1.1.2 255.255.255.252
ip nat inside
no keepalive
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source static 192.168.1.1 172.16.1.5 vrf VRF_RIGHT
ip route vrf VRF_LEFT 0.0.0.0 0.0.0.0 vasileft1 10.1.1.2
ip route vrf VRF_RIGHT 0.0.0.0 0.0.0.0 GigabitEthernet2 172.16.1.1
ip route vrf VRF_RIGHT 172.16.1.5 255.255.255.255 vasiright1 10.1.1.1
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
stopbits 1
line vty 0 4
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
!
!
!
!
end
Router#
09-18-2023 03:02 AM
Hello
@sridcloud wrote:
No, it is still a problem. On the interface between Bombay and Sydney I see a time-to-live exceeded message. Here are my latest configs:
I see now you have the incorrect static route
no ip route vrf VRF_RIGHT 172.16.1.5 255.255.255.255 vasiright1 10.1.1.1
ip route vrf VRF_RIGHT 192.168.1.0 255.255.255.255 vasiright1 10.1.1.1
09-18-2023 04:10 AM - edited 09-18-2023 04:11 AM
It looks like there might be a typo in the IP address you're trying to ping from Sanjose to Sydney. You have "ping 172.6.1.1," but it should be "ping 172.16.1.1" to match the IP address of the Sydney interface.
Try the following command:
If you still encounter issues after correcting the IP address, please provide more details about the network topology and configurations so that I can assist you further in troubleshooting the problem.
09-18-2023 12:09 PM - edited 09-18-2023 12:16 PM
Still seeing the problem. On the link between Bombay and Sydney, I see 172.16.1.1 to 192.168.1.1 repeated and finally get a time-to-live exceeded packet from 172.16.1.2 to 172.16.1.1. @westereshbaughson24
09-18-2023 12:31 PM
Hello
You STILL have the static route incorrect, and that was my mistake; it was a typo, so apologies.
no ip route vrf VRF_RIGHT 192.168.1.0 255.255.255.255 vasiright1 10.1.1.1
ip route vrf VRF_RIGHT 192.168.1.0 255.255.255.0 vasiright1 10.1.1.1
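An added example, not part of any post in this thread: a longest-prefix-match lookup over Bombay's VRF_RIGHT routes shows why a packet for 192.168.1.1 arriving on GigabitEthernet2 goes straight back out the same interface (the loop behind the time-to-live exceeded messages) until the route's mask is 255.255.255.0. The function names are hypothetical, and the sketch assumes the default route from the posted config stays in place at every stage.

```python
import ipaddress

# Connected networks in VRF_RIGHT, taken from the posted interface config.
CONNECTED = [
    (ipaddress.ip_network("172.16.1.0/24"), "GigabitEthernet2", "connected"),
    (ipaddress.ip_network("10.1.1.0/30"), "vasiright1", "connected"),
]

# Static routes at each point in the thread (constructed from the posted
# commands; assumption: the default route is never removed).
DEFAULT = "ip route vrf VRF_RIGHT 0.0.0.0 0.0.0.0 GigabitEthernet2 172.16.1.1\n"
STAGES = {
    "09-17 config": DEFAULT
    + "ip route vrf VRF_RIGHT 172.16.1.5 255.255.255.255 vasiright1 10.1.1.1\n",
    "mask 255.255.255.255": DEFAULT
    + "ip route vrf VRF_RIGHT 192.168.1.0 255.255.255.255 vasiright1 10.1.1.1\n",
    "mask 255.255.255.0": DEFAULT
    + "ip route vrf VRF_RIGHT 192.168.1.0 255.255.255.0 vasiright1 10.1.1.1\n",
}


def parse_static_routes(config, vrf):
    """Return (network, interface, next_hop) for each 'ip route vrf <vrf>' line."""
    routes = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:4] != ["ip", "route", "vrf", vrf] or len(tok) < 8:
            continue
        prefix, mask, ifname, next_hop = tok[4:8]
        # strict=False tolerates host bits set in the prefix, as IOS would not.
        net = ipaddress.ip_network(f"{prefix}/{mask}", strict=False)
        routes.append((net, ifname, next_hop))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst, or None."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def egress(config, dst, vrf="VRF_RIGHT"):
    """Interface the VRF would forward dst out of, or None if unroutable."""
    best = lookup(CONNECTED + parse_static_routes(config, vrf), dst)
    return best[1] if best else None


def hairpins(config, dst, ingress="GigabitEthernet2"):
    """True when dst would be sent back out the interface it arrived on."""
    return egress(config, dst) == ingress


if __name__ == "__main__":
    for name, cfg in STAGES.items():
        out = egress(cfg, "192.168.1.1")
        note = "loops back to Sydney" if hairpins(cfg, "192.168.1.1") else "ok"
        print(f"{name:22} 192.168.1.1 -> {out} ({note})")
```

A /32 route for 192.168.1.0 matches only the address 192.168.1.0 itself, so 192.168.1.1 still falls through to the default route.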
09-18-2023 01:41 PM
Finally! It is all working fine; the IP 192.168.1.1 is getting translated to 172.16.1.5.
09-18-2023 01:44 PM
Thanks @paul driver for your patience and help and @westereshbaughson24 and @MHM Cisco World for all your help.
09-18-2023 05:50 PM
09-19-2023 07:45 AM
Yes, I am using GNS3. What's happening is that Sydney is trying to ARP for 172.16.1.5 and is not getting any response. So, when San Jose pings Sydney, Sydney is getting the request using the NATed IP 172.16.1.5 but is not able to respond back.
09-20-2023 05:06 PM
Same ARP problem on CML as well. The NAT is set up without the 'no-alias' option, so why is Bombay not making an ARP entry for the NAT IP address 172.16.1.5? Sydney is not able to get the ARP response for 172.16.1.5 from Bombay.
09-20-2023 11:34 PM - edited 09-21-2023 01:28 AM
ip route vrf VRF_LEFT 172.16.0.0 255.255.0.0 vasileft1 10.1.1.2
ip route vrf VRF_RIGHT 192.168.0.0 255.255.0.0 vasiright1 10.1.1.1
Then add two static NATs, one for each direction, then try ping.