08-02-2023 07:22 PM
I am trying to follow the static NAT example from https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/200255-Configure-VRF-Aware-Software-Infrastruct.html.
After setting up, I am trying to ping 172.16.1.2 and it fails. Debugging this problem, I found that the issue is that ARP is not able to find who has 172.16.1.5 on the interface between Sydney and Bombay.
Configuration on sanjose:
interface GigabitEthernet1
ip address 192.168.1.1 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2
On Sydney:
interface GigabitEthernet1
ip address 172.16.1.1 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
on Bombay:
vrf definition VRF_LEFT
rd 1:1
!
address-family ipv4
exit-address-family
!
vrf definition VRF_RIGHT
rd 2:2
!
address-family ipv4
exit-address-family
!
interface GigabitEthernet1
vrf forwarding VRF_LEFT
ip address 192.168.1.2 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
vrf forwarding VRF_RIGHT
ip address 172.16.1.2 255.255.255.0
ip nat outside
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface vasileft1
vrf forwarding VRF_LEFT
ip address 10.1.1.1 255.255.255.252
no keepalive
!
interface vasiright1
vrf forwarding VRF_RIGHT
ip address 10.1.1.2 255.255.255.252
ip nat inside
no keepalive
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source static 192.168.1.1 172.16.1.5 vrf VRF_RIGHT
ip route vrf VRF_LEFT 172.16.0.0 255.255.0.0 vasileft1 10.1.1.2
ip route vrf VRF_RIGHT 192.168.0.0 255.255.0.0 vasiright1 10.1.1.1
From Bombay I can ping 172.16.1.2
Router#ping vrf VRF_RIGHT 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Router#
But from Sanjose to Sydney, it is not working
Router#ping 172.6.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.6.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
Router#
Placed Wireshark on the line between Bombay and Sydney; I see the request going in with source IP 172.6.1.5 (NATed successfully) and destination 172.16.1.1, but no response. With an ARP filter enabled in Wireshark, I see an ARP request going out (Who has 172.16.1.5? Tell 172.16.1.1) and no response back.
What is wrong?
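The symptom described in the post above (a "who has" for the NAT global address that is never answered) is exactly the kind of thing worth checking mechanically before touching configuration. The script below is an added example, not part of the original post or of Cisco's documentation: it parses tshark-style one-line ARP output, pairs each ARP request with any reply for the same target, and reports targets that were never claimed, plus targets claimed by a MAC other than the one you expect (an address conflict or spoofed reply would show up there). The sample lines and MAC addresses are constructed for the example; the line format is assumed to be tshark's default `Who has X? Tell Y` / `X is at MAC` summary.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like `tshark -Y arp` one-line summaries.
# Not a real capture from the thread: 172.16.1.2 (Bombay Gi2) answers,
# 172.16.1.5 (the NAT global address) is asked three times and never answered.
SAMPLE_ARP_LINES = """\
1 0.000000 ca:01:2b:5c:00:08 -> Broadcast ARP 60 Who has 172.16.1.2? Tell 172.16.1.1
2 0.000412 ca:02:1e:9a:00:1c -> ca:01:2b:5c:00:08 ARP 60 172.16.1.2 is at ca:02:1e:9a:00:1c
3 1.103300 ca:01:2b:5c:00:08 -> Broadcast ARP 60 Who has 172.16.1.5? Tell 172.16.1.1
4 2.105112 ca:01:2b:5c:00:08 -> Broadcast ARP 60 Who has 172.16.1.5? Tell 172.16.1.1
5 3.106902 ca:01:2b:5c:00:08 -> Broadcast ARP 60 Who has 172.16.1.5? Tell 172.16.1.1
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
REQUEST_RE = re.compile(rf"Who has (?P<target>{IPV4})\?\s+Tell (?P<sender>{IPV4})")
REPLY_RE = re.compile(rf"(?P<target>{IPV4}) is at (?P<mac>[0-9a-fA-F:]{{17}})")


def parse_arp(lines):
    """Return (requests, replies): who-has counts per target IP, and the set of
    MACs that claimed each target IP in an ARP reply."""
    requests = defaultdict(int)
    replies = defaultdict(set)
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            requests[m["target"]] += 1
            continue
        m = REPLY_RE.search(line)
        if m:
            replies[m["target"]].add(m["mac"].lower())
    return dict(requests), dict(replies)


def unanswered_targets(lines):
    """Target IPs that were asked for at least once and never claimed."""
    requests, replies = parse_arp(lines)
    return {ip: n for ip, n in requests.items() if ip not in replies}


def nat_global_is_unanswered(lines, nat_global):
    """True if nobody on the segment (router included) answered ARP for the
    NAT global address; that is the failure mode reported in this thread."""
    return nat_global in unanswered_targets(lines)


def unexpected_claims(lines, expected_mac_by_ip):
    """IPs whose ARP replies came from a MAC other than the expected one.
    Useful for spotting an address conflict or a spoofed reply on the segment."""
    _, replies = parse_arp(lines)
    mismatches = {}
    for ip, expected in expected_mac_by_ip.items():
        seen = replies.get(ip, set())
        if seen and seen != {expected.lower()}:
            mismatches[ip] = seen
    return mismatches


if __name__ == "__main__":
    lines = SAMPLE_ARP_LINES.splitlines()
    for ip, count in unanswered_targets(lines).items():
        print(f"{ip}: {count} ARP request(s), no reply")
    print("NAT global 172.16.1.5 unanswered:", nat_global_is_unanswered(lines, "172.16.1.5"))
```

Feed it `tshark -r capture.pcapng -Y arp` output instead of the constructed sample; if the NAT global address shows up as unanswered while the outside interface address is answered, the problem is on the NAT router (it is not installing an ARP alias for the global address in that VRF), not on the peer.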
10-13-2023 05:15 AM
@MHM Cisco World I see the same problem with your changes as well. The ARP entry is not getting set up in the router for the NATed IP address, and this prevents the return communication from going through.
10-13-2023 06:51 AM
Please share last config you use
09-21-2023 01:33 AM
Hello
@MHM Cisco World wrote:
ip route vrf VRF_LEFT 172.16.0.0 255.255.0.0 vasileft1 10.1.1.1
ip route vrf VRF_RIGHT 192.168.0.0 255.255.0.0 vasiright1 10.1.1.2
The above statics are then pointing to their own logical vasi ip address, which is not correct.
@sridcloud if you are using static NAT, then append "match-in-vrf" to that specific NAT statement, then test again:
ip nat inside source static 192.168.1.1 172.16.1.5 vrf VRF_RIGHT match-in-vrf
10-13-2023 05:18 AM
@paul driver I see the same issue with your changes as well. The problem is that the ARP entry is not set up for the return communication.
10-13-2023 06:53 AM
Hello @sridcloud
I see the same problem with your changes as well. The ARP entry is not getting set up in the router for the NATed IP address, and this prevents the return communication from going through.
Did you append "match-in-vrf" to that specific NAT statement I posted previously? Plus, I see now that you have the static route for your LAN in vasiright incorrect?
Try the following:
no ip route vrf VRF_RIGHT 172.16.1.5 255.255.255.255 vasiright1 10.1.1.1
ip route vrf VRF_RIGHT 192.168.1.0 255.255.255.0 vasiright1 10.1.1.1
ip nat inside source static 192.168.1.1 172.16.1.5 vrf VRF_RIGHT match-in-vrf
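To make the suggestion above testable end to end, here is the NAT-relevant part of Bombay's configuration with the "match-in-vrf" keyword and corrected VRF_RIGHT static route applied, followed by the show commands that tell you whether the router itself now owns 172.16.1.5. This is an added example, not a configuration posted in the thread or confirmed by anyone in it as the fix: the interface, route and NAT statements are the ones already discussed on this page, and the verification commands are standard IOS-XE commands chosen for this example. The expectation that an Alias ARP entry for 172.16.1.5 appears on GigabitEthernet2 is the behaviour a working static NAT normally shows; it is what to look for, not a guaranteed result.

```cisco
! Bombay: NAT-relevant configuration with match-in-vrf applied (added example)
interface GigabitEthernet2
 vrf forwarding VRF_RIGHT
 ip address 172.16.1.2 255.255.255.0
 ip nat outside
!
interface vasiright1
 vrf forwarding VRF_RIGHT
 ip address 10.1.1.2 255.255.255.252
 ip nat inside
 no keepalive
!
! Return path for the inside host lives in VRF_RIGHT, via the VASI pair.
no ip route vrf VRF_RIGHT 192.168.0.0 255.255.0.0 vasiright1 10.1.1.1
ip route vrf VRF_RIGHT 192.168.1.0 255.255.255.0 vasiright1 10.1.1.1
ip route vrf VRF_LEFT 172.16.1.0 255.255.255.0 vasileft1 10.1.1.2
!
! Inside and outside interfaces are both in VRF_RIGHT, hence match-in-vrf.
no ip nat inside source static 192.168.1.1 172.16.1.5 vrf VRF_RIGHT
ip nat inside source static 192.168.1.1 172.16.1.5 vrf VRF_RIGHT match-in-vrf
!
! Verification, from enable mode on Bombay:
! 1. The router should hold an Alias ARP entry for the global address on Gi2.
show ip arp vrf VRF_RIGHT 172.16.1.5
! 2. The static translation should be listed with the inside/outside pair.
show ip nat translations
! 3. Both directions of the path should resolve through the VASI interfaces.
show ip route vrf VRF_RIGHT 192.168.1.1
show ip route vrf VRF_LEFT 172.16.1.1
```

Two practical notes. If step 1 shows no entry for 172.16.1.5, Sydney's "Who has 172.16.1.5" will keep going unanswered regardless of the routes, so fix that before anything else. And the test ping in the first post targets 172.6.1.1 rather than 172.16.1.1, which is not covered by any route in VRF_LEFT and would return unreachables on its own; re-test against 172.16.1.1 before drawing conclusions from the result.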