Routing global routing to VRF in NAT rules

piwale7827
Level 1

Hi there!

So I recently got a new task regarding our new Cisco ISR4331 IOS-XE.

My router is built in a way that it has 2 interfaces:

1. GigabitEthernet0/0/0 - WAN Interface which uses the global routing table.

2. GigabitEthernet0 - (MGMT) LAN Interface which uses the default VRF called Mgmt-Intf

The second interface is connected to my private network and it has the IP 192.168.100.200.

I need to be able to port forward, using NAT rules and routes, a port from my WAN interface (a public IP and a specific port) to port 80 on some other IP on my LAN, 192.168.100.10.

Of course I tried some stuff like:

ip nat inside source static tcp 192.168.100.10 80 X.X.X.X 4848 extendable

Which didn't work when I tried to connect to X.X.X.X on port 4848... After some debugging I noticed that it didn't have a route to the VRF interface (I understand that if an interface is in a VRF then the router doesn't actually know it's there and it must have a route), so I added one this way:

ip route 192.168.100.0 255.255.255.0 GigabitEthernet0

Where Gig0 is the interface that is in the VRF. I also tried with the actual IP of the interface, but to no avail...

Do you guys have any idea what is happening here?

Other than that, the Cisco is pretty much in "default configuration"; it doesn't have any special ACLs or anything.

Latest Update:

Looks like after some digging the problem is not related to VRF or anything like that, more on that topic here.

Every help is appreciated!

Thank you for your help in advance! 

First of all, this is the closest try I ever had.

I can finally see the NAT rule being used and the packet really does reach the internal server if I change the NAT line to:

ip nat inside source static tcp 192.168.1.3 80 172.16.1.2 45621 vrf VRF_RIGHT

The only problem is that it can't come back. My assumption is that the reason is that the DEST IP of the packet, when it reaches the internal server, is still the 172.16.1.2 interface and was never changed to the internal interface's IP, which is 192.168.1.2.

Hmmm maybe another NAT rule or something?

Can I see the last config you used?

Yes. Also let me add that after applying this config and setting the default gateway on my internal device to be the Cisco above it, the packet actually did make its way back, so that means that the problem is indeed what I was saying.

Your config is correct.

And I hope your issue is solved finally.

MHM

Well, it is correct for that matter, but as I said I still have that tiny problem that the packet that goes to the internal Cisco has the source IP of the Cisco before the one I configured. I need the NAT rule to translate that IP address to 192.168.100.200 in this case. Any idea?

EDIT

I can't use a regular NAT rule because the internal interface isn't set as IP NAT INSIDE, and I can't set it because the VASI one is already set as that.

Thank you very much, until now you have been very helpful!

I get you.

Add another route (VRF aware) to your config as you did before.

Then add a NAT rule (VRF aware) to your config as you did before.

This must solve the additional NATing.

Sorry, I didn't quite understand you.

As I stated above, this NAT rule redirects everything on 200.36.145.21:45621 to 192.168.100.10:80:

ip nat inside source static tcp 192.168.100.10 80 200.36.145.21 45621 vrf VRF_RIGHT

Now, let me remind you that `GigabitEthernet1` isn't set to `ip nat outside`, so regular NAT rules won't affect this interface.

If you can, please explain in a bit more detail

Thank you! 

What is the internal prefix you want to NAT?

Note: NAT to 200.x.x.x, not to 192.x.x.x.

In the end you need to make the internal network able to access the Internet.

Yes, that's the problem.

As I said, if I add 192.168.100.200 as the default gateway for the internal device, everything works fine because the packets know how to come back.

I need to be able to use the existing route on the internal device (192.168.100.0/24 is directly connected) to make the packet travel back; the problem is the source IP which the packet holds when it reaches the internal device (the public IP of the Cisco above).

UPDATE:

This line semi-solves the problem: it indeed changes the source IP of the packet and the internal device knows it needs to send it back to the Cisco above it. The problem is that the Cisco above it (which we can configure) doesn't know it needs to return it back to me... I don't know why.

ip nat outside source static MY_PUBLIC_IP 192.168.100.200 vrf VRF_RIGHT


UPDATE 2:

After some digging, let me explain the situation again in clearer words.

With these 2 commands:

ip nat inside source static tcp 192.168.100.10 80 200.36.145.21 45621 vrf VRF_RIGHT
ip nat outside source static MY_PUBLIC_IP 192.168.100.200 vrf VRF_RIGHT

The packet goes to the internal server and its source IP gets NAT'd properly, so the internal server can route it back to the Cisco on 192.168.100.200, but at this stage the DST IP never gets NAT'd back to my PUBLIC IP... Hope I was clear!

Waiting for your answers!

Thank you guys!

You are really making that easy for me on my new job!

Thank you once again! 

Oh, listen, there is something here I left out which is quite important.

The VRF_LEFT in this case is the Mgmt-Intf default VRF, and when I try to apply it on the VASI interface I get the error message "% Management interface VRF Mgmt-intf supports one loopback interface only."

piwale7827
Level 1

Also let me add this:

I have run this command to test if my NAT is working as is, without any VRF involved, and it didn't work either:

ip nat inside source static tcp 208.125.60.213 80 208.125.60.213 4848 extendable

which is supposed to forward everything that comes from the Internet at port 4848 to port 80...

and still no hits!

Running `sh ip nat translations verbose` shows 0 pckts in and 0 pckts out on the rule.

After a second thought I understand why it isn't working... because the ip nat inside is not configured for the same interface. OK!

Hi,

you need:

ip nat inside - on VRF interface
ip nat outside - on WAN interface
ip nat inside source static tcp 192.168.100.10 80 X.X.X.X 4848 vrf Mgmt-Intf extendable - VRF aware NAT rule
ip route vrf Mgmt-Intf 0.0.0.0 0.0.0.0 [WAN Default Route Next Hop IP] global - to add default route to VRF routing table

and then test from external


edit: typo fixed

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
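The steps in the reply above, assembled into one configuration as an added example (not the poster's own config, and not verified on the thread's router). It assumes the VRF interface is an ordinary routed LAN port that accepts `ip nat inside`; the thread's later posts show the ISR's Mgmt-Intf VRF refusing extra interfaces, so a data VRF may be needed instead. X.X.X.X, WAN_MASK and WAN_NEXT_HOP are placeholders.

```cisco
! Added example: VRF-aware static port forward from the global (WAN)
! routing table into a VRF, following the four steps of the reply above.
! Interface names, the VRF name and the LAN addresses are the thread's;
! X.X.X.X, WAN_MASK and WAN_NEXT_HOP are placeholders to fill in.
!
interface GigabitEthernet0/0/0
 description WAN - global routing table
 ip address X.X.X.X WAN_MASK
 ip nat outside
!
interface GigabitEthernet0
 description LAN inside the VRF
 vrf forwarding Mgmt-Intf
 ip address 192.168.100.200 255.255.255.0
 ip nat inside
!
! Step 3: VRF-aware static port forward, WAN :4848 -> 192.168.100.10:80.
! The same rule without the "vrf" keyword lives in the global table only,
! which is why the earlier attempt showed 0 pckts in / 0 pckts out.
ip nat inside source static tcp 192.168.100.10 80 X.X.X.X 4848 vrf Mgmt-Intf extendable
!
! Step 4: return path. Replies from 192.168.100.10 arrive in the VRF, so
! the VRF needs a default route that hands them to the global table.
ip route vrf Mgmt-Intf 0.0.0.0 0.0.0.0 WAN_NEXT_HOP global
!
! Check after testing from outside; a rule that is actually matching
! shows non-zero packet counters on its translation entry:
!   show ip nat translations verbose
!   show ip nat statistics
```

Keep the forward scoped to the one TCP port; a static entry without a port (`ip nat inside source static 192.168.100.10 X.X.X.X`) would expose every service on the internal host.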

Are you sure this will work? Without any VRF leaking or something?

And regarding the line of the NAT rule, you had a typo right?

It should look like this: "ip nat inside static source tcp 192.168.100.10 80 X.X.X.X 4848 vrf Mgmt-Intf extendable"