VASI and NAT

sridcloud
Level 1

I am trying to follow the static NAT example from https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/200255-Configure-VRF-Aware-Software-Infrastruct.html.

After setting up, I am trying to ping 172.16.1.2 and it fails. Debugging this problem, I found that the issue is with ARP not being able to find who has 172.16.1.5 on the interface between Sydney and Bombay.

Configuration on sanjose:

interface GigabitEthernet1
 ip address 192.168.1.1 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet2
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet3
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet4
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2

On Sydney:

interface GigabitEthernet1
 ip address 172.16.1.1 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet2
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet3
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet4
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2

On Bombay:

vrf definition VRF_LEFT
 rd 1:1
 !
 address-family ipv4
 exit-address-family
!
vrf definition VRF_RIGHT
 rd 2:2
 !
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet1
 vrf forwarding VRF_LEFT
 ip address 192.168.1.2 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet2
 vrf forwarding VRF_RIGHT
 ip address 172.16.1.2 255.255.255.0
 ip nat outside
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet3
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet4
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
interface vasileft1
 vrf forwarding VRF_LEFT
 ip address 10.1.1.1 255.255.255.252
 no keepalive
!
interface vasiright1
 vrf forwarding VRF_RIGHT
 ip address 10.1.1.2 255.255.255.252
 ip nat inside
 no keepalive
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source static 192.168.1.1 172.16.1.5 vrf VRF_RIGHT
ip route vrf VRF_LEFT 172.16.0.0 255.255.0.0 vasileft1 10.1.1.2
ip route vrf VRF_RIGHT 192.168.0.0 255.255.0.0 vasiright1 10.1.1.1

From Bombay I can ping 172.16.1.2:

Router#ping vrf VRF_RIGHT 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Router#

But from Sanjose to Sydney, it is not working:

Router#ping 172.6.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.6.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
Router#

I placed Wireshark on the line between Bombay and Sydney. I see the request going in with source IP 172.6.1.5 (NATted successfully) and destination 172.16.1.1, but no response. With ARP filtering enabled in Wireshark, I see an ARP request going out (who has 172.16.1.5? Tell 172.16.1.1) and no response back.

What is wrong?

19 Replies

@MHM Cisco World I see the same problem with your changes as well. The ARP is not getting set up in the router for the NATed IP address, and this prevents the return communication from going through.

Please share the last config you use.

Hello 


@MHM Cisco World wrote:
ip route vrf VRF_LEFT 172.16.0.0 255.255.0.0 vasileft1 10.1.1.1
ip route vrf VRF_RIGHT 192.168.0.0 255.255.0.0 vasiright1 10.1.1.2

The above statics are then pointing to their own logical VASI IP address, which is not correct.

@sridcloud if you are using static NAT, then append "match-in-vrf" to that specific NAT statement, then test again:
ip nat inside source static 192.168.1.1 172.16.1.5 vrf VRF_RIGHT match-in-vrf



Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
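
The check described in the reply above (a VRF static route whose next hop is the router's own VASI address rather than the paired one), as an added example that is not part of the original thread. The function names and verdict strings are hypothetical; the sample config is constructed from the interfaces in the question and the two routes quoted in the reply.

```python
import re

# Constructed sample: Bombay's VASI interfaces from the question plus the two
# static routes quoted in the reply above.
SAMPLE = """\
interface vasileft1
 vrf forwarding VRF_LEFT
 ip address 10.1.1.1 255.255.255.252
interface vasiright1
 vrf forwarding VRF_RIGHT
 ip address 10.1.1.2 255.255.255.252
ip route vrf VRF_LEFT 172.16.0.0 255.255.0.0 vasileft1 10.1.1.1
ip route vrf VRF_RIGHT 192.168.0.0 255.255.0.0 vasiright1 10.1.1.2
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
ROUTE_RE = re.compile(rf"ip route vrf (\S+) ({IPV4}) ({IPV4}) (vasi(?:left|right)\d+) ({IPV4})$")
ADDR_RE = re.compile(rf"ip address ({IPV4}) {IPV4}$")

def interface_addresses(config):
    """Map interface name -> configured IPv4 address (indentation optional)."""
    addrs, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            current = line.split()[1]
        elif current and (m := ADDR_RE.match(line)):
            addrs[current] = m.group(1)
    return addrs

def peer_of(ifname):
    """Assumption: vasileftN and vasirightN form one VASI pair."""
    side, num = re.match(r"vasi(left|right)(\d+)$", ifname).groups()
    return f"vasi{'right' if side == 'left' else 'left'}{num}"

def check_vasi_routes(config):
    """Classify each VRF static route that exits through a VASI interface."""
    addrs, findings = interface_addresses(config), []
    for line in map(str.strip, config.splitlines()):
        if not (m := ROUTE_RE.match(line)):
            continue
        vrf, prefix, _mask, ifname, next_hop = m.groups()
        if next_hop == addrs.get(ifname):
            verdict = "own-address"       # the case the reply calls incorrect
        elif next_hop == addrs.get(peer_of(ifname)):
            verdict = "peer-address"      # next hop is the other half of the pair
        else:
            verdict = "unknown-next-hop"
        findings.append((vrf, prefix, ifname, next_hop, verdict))
    return findings
```

Calling `check_vasi_routes()` on a pasted running config returns one tuple per VASI route, with the verdict as the last element.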

@paul driver I see the same issue with your changes as well. The problem is with the ARP not set up for the return communication.

Hello @sridcloud 


I see the same problem with your changes as well. The ARP is not getting set up in the router for the NATed IP address, and this prevents the return communication from going through.


 

Did you append "match-in-vrf" to that specific NAT statement I posted previously? Plus, I see now you have the static for your LAN in vasiright incorrect?

Try the following:
no ip route vrf VRF_RIGHT 172.16.1.5 255.255.255.255 vasiright1 10.1.1.1
ip route vrf VRF_RIGHT 192.168.1.0 255.255.255.0 vasiright1 10.1.1.1
ip nat inside source static 192.168.1.1 172.16.1.5 vrf VRF_RIGHT match-in-vrf


Kind Regards
Paul