Re: Routing global routing to VRF in NAT rules

piwale7827 · ‎11-15-2023

Hi there!

So i recently got a new task regarding our new CISCO ISR4331 IOS-XE.

My Router is built in a way that it has 2 interfaces,

1. GigabitEthernet0/0/0 - WAN Interface which uses the global routing table.

2. GigabitEthernet0 - (MGMT) LAN Interface which uses the default VRF called Mgmt-Intf

The Second interface is connected to my private network and it has the IP of 192.168.100.200,

I need to be able to Port forward using NAT rules and Routes a port from my WAN interface with a public IP and a specific port to port 80 to some other IP on my LAN - 192.168.100.10.

Ofcourse i tried some stuff like:

ip nat inside source static tcp 192.168.100.10 80 X.X.X.X 4848 extendable

Which didnt work when i tried to connect to X.X.X.X on port 4848... after some debugging i noticed that it didnt have a route to the VRF interface (i understand that if an interface is in VRF then the router does'nt actually know its there and it must have a route) so i added one this way:

ip route 192.168.100.0 255.255.255.0 GigabitEthernet0

Where Gig0 is the interface that is in the VRF, also tried with the actual IP of the interface but to no avail...

Do you guys have any idea what is happening here?

Other than that, the cisco is pretty much in "default configuration" it does'nt have any special ACL's or something.

Latest Update:

Looks like after some digging the problem is not related to VRF or anything like that, more on that topic here.

Every help is appreciated!

Thank you for your help in advance!

balaji.bandi · ‎11-15-2023

Can you post complete config removing the confidential information and routing table information.

also i suggest below example help you :

https://community.cisco.com/t5/security-knowledge-base/nat-with-vrf-ios-vs-ios-xe/ta-p/3156555

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

piwale7827 · ‎11-15-2023

Sure, sorry didnt think it was needed

for the global routing table:

Gateway of last resort is 0.0.0.0 to network 0.0.0.0
      208.125.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        208.125.60.212/30 is directly connected, GigabitEthernet0/0/0
L        208.125.60.213/32 is directly connected, GigabitEthernet0/0/0

and the Mgmt-intf VRF

Gateway of last resort is not set
      192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.100.0/24 is directly connected, GigabitEthernet0
L        192.168.100.200/32 is directly connected, GigabitEthernet0

thank you and sorry for the miss information!

piwale7827 · ‎11-15-2023

In this case, the end goal is to be able to forward a port from 208.125.60.213:4848 to my internal ip 192.168.100.10:80.

thank you.

MHM Cisco World · ‎11-15-2023

We use

Ip vrf mgmt

Rd 1:1

Import ipv4 unicast map nameofroutemap

Export ipv4 unicast map nameofroutemap

Route-target both 1:1

These will make mgmt RIB have prefix of global.

Then after we sure the prefix in RIB we will go to config NAT vrf aware

piwale7827 · ‎11-15-2023

excuse me for my lack of knowledge but can you explain in a bit more detail about the commands?

MHM Cisco World · ‎11-15-2023

I send you message for more info

piwale7827 · ‎11-16-2023

thank will check it out!

MHM Cisco World · ‎11-16-2023

now we solve the leaking here come the issue of NAT in IOS XE
@balaji.bandi shared link which I used as reference and it edit by cisco employer which is the best in security, this link show you

that there is NO NAT from VRF to GLOBAL in IOS XE like IOS
so there is ONE solution from my view
using two VRF instead of using one VRF and global
then using NAT with match VRF.

piwale7827 · ‎11-16-2023

I see....

Well then i will try to add a VRF to my WAN interface and make a simple VRF-Aware NAT rule.

My end goal is to access the MGMT ports (like SSH) from my WAN interface (of course only for my IP).

If you have any other ideas on how i can do that i will be glad to hear!

Update:

Actually after i thought about it for a second, Putting the WAN interface in a VRF will cause a DOS because it wouldn't be able to Route to the ISP IP like it does now right?

Please correct me if im wrong!

MHM Cisco World · ‎11-16-2023

sorry this IOS XE limitation,
other solution (to make your network more secure) try using two VRF and then use VASI to NATing inbetween.

NAT between two different VRFs

Inter VRF communication on IOSXE is supported only through the use of VASI feature. See this document for more details on how to deploy NAT + VASI.

piwale7827 · ‎11-16-2023

What documentation?

Also sorry for being such a newbie

Im kind of a beginner and it seems like a really complicated task, maybe can you share with me a bit more practical examples for doing such thing and configuring a NAT rule that will actually work, again reminding, i need to make the WAN interface Port forward a port from a (specific IP - not necessary for the example) to the MGMT interface to a specific port.. lets say 22.

thank you again for all the help!

MHM Cisco World · ‎11-16-2023

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/200255-Configure-VRF-Aware-Software-Infrastruct.htmlhttps://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/200255-Configure-VRF-Aware-Software-Infras...

And we are all here friends trying to help you.

Check this guide.

piwale7827 · ‎11-16-2023

After seeing some guides online i came up with this solution ill be glad to hear your opinion!

interface vasileft1
vrf forwarding Mgmt-intf
ip address 10.1.1.1 255.255.255.252

interface vasiright1
vrf forwarding VRF_TO_GLOBAL
ip address 10.1.1.2
ip nat inside

ip route vrf Mgmt-intf 91.219.0.0 255.255.0.0 vasileft1 10.1.1.2
ip route vrf VRF_TO_GLOBAL 192.168.100.0 255.255.255.0 vasiright1 10.1.1.1

ip route vrf VRF_TO_GLOBAL 0.0.0.0 0.0.0.0 Dialer1
ip route vrf VRF_TO_GLOBAL 208.125.60.212 255.255.255.252 GigabitEthernet0/0/0

interface Gig0/0/0
vrf forwarding VRF_TO_GLOBAL
ip nat outside

ip nat inside source static 192.168.100.10 80 208.125.60.213 4848 vrf VRF_TO_GLOBAL

where 91.219.0.0/16 is the subnet i'd like to filter incoming packets from!

Waiting for your replies! Thank you once again

Edit:

Please keep in mind that in these 2 routes im trying to not cause a DOS, im trying to make the WAN interface know how to reach the ISP, if someone thinks this is wrong, again, ill be glad to hear!

ip route vrf VRF_TO_GLOBAL 0.0.0.0 0.0.0.0 Dialer1
ip route vrf VRF_TO_GLOBAL 208.125.60.212 255.255.255.252 GigabitEthernet0/0/0

MHM Cisco World · ‎11-17-2023

Hi Friend
sorry for late reply
this example for you how you can config VASI in IOS XE with static NAT and route between VRF

vrf definition VRF_LEFT
 rd 1:1
 !
 address-family ipv4
 exit-address-family

vrf definition VRF_RIGHT
 rd 2:2
 !
 address-family ipv4
 exit-address-family

interface GigabitEthernet0/0/0
  vrf forwarding VRF_LEFT
  ip address 192.168.1.2 255.255.255.0

interface GigabitEthernet0/0/1
 vrf forwarding VRF_RIGHT
 ip address 172.16.1.2 255.255.255.0

interface vasileft1 
vrf forwarding VRF_LEFT 
ip address 10.1.1.1 255.255.255.252 

interface vasiright1 
vrf forwarding VRF_RIGHT 
ip address 10.1.1.2 255.255.255.252

interface vasiright1
 vrf forwarding VRF_RIGHT
 ip address 10.1.1.2 255.255.255.252
 ip nat inside

interface GigabitEthernet0/0/1
 vrf forwarding VRF_RIGHT
 ip address 172.16.1.2 255.255.255.0
 ip nat outside


!--- Static route configuration

ip route vrf VRF_LEFT 172.16.0.0 255.255.0.0 vasileft1 10.1.1.2
ip route vrf VRF_RIGHT 192.168.0.0 255.255.0.0 vasiright1 10.1.1.1


!--- NAT configuration

ip nat inside source static 192.168.1.1 172.16.1.5 vrf VRF_RIGHT