Configuring NAT overload with vrf lite on a CAT9K

gurowar
Level 1

Good day;

Need help with how I can configure NAT overload with an existing vrf on a CAT9K_IOSXE V16.12. This is what I am struggling with: I currently have a vrf called AWSDX-S3. What I am trying to do is this: I have added an L2 SW and ran trunk ports to the L3 SW. On the L3 SW I have created a new vlan:

VLAN 120

IP address 172.16.120.1 255.255.255.0

I can go on to the L2 switch, assign a port to vlan 120 and assign a 172.16.120.XX address to my laptop, and I can ping myself, the default gateway and the interface to AWS with no issues, but I cannot go any further. So something is wrong with my NAT that I am not seeing. This is my NAT configuration:

interface Vlan120
description AWSINT
ip vrf forwarding AWSDX-S3
ip address 172.16.120.1 255.255.255.0
ip nat inside

interface Vlan304
description AWSDX-S3
ip vrf forwarding AWSDX-S3
ip address 55.46.160.194 255.255.255.254
ip nat outside

ip nat inside source list AWSINT interface Vlan304 overload

ip access-list standard AWSINT
10 permit 172.20.160.0 0.0.0.255

Not sure what I am missing, but it doesn't appear there is a translation occurring. How do I see if a NAT translation occurs?

Thank you in advance!!

16 Replies

gurowar
Level 1

First of all I want to say thank you for all your help!! I can always depend on you all for help, so I wanted to make sure you all know I appreciate everyone's advice!! With that said, I believe the issue is resolved, and if I am wrong please correct me. So here we go, for anyone that is trying to NAT and running VRF on this particular setup:

Catalyst L3 Switch Software (CAT9K_IOSXE)

my config looked like this:

interface Vlan120
description AWSINT
ip vrf forwarding AWSDX-S3
ip address 172.16.120.1 255.255.255.0
ip nat inside

interface Vlan304
description AWSDX-S3
ip vrf forwarding AWSDX-S3
ip address 52.46.160.184 255.255.255.254
ip nat outside

ip nat inside source list AWSINT interface Vlan304 overload

ip access-list standard AWSINT
10 permit 172.20.160.0 0.0.0.255

but this didn't work, and so I tried using a pool with the IP of the outgoing interface, but that didn't work either. So with everyone's help and the note from Paul Driver (thank you sir!!) I came to the conclusion that my particular hardware and version doesn't support NAT with VRF. So what I ended up doing was to look for another public IP that I was advertising into AWS and use that as the overload. This is what seemed to work:

From my new vlan I removed the "ip vrf forwarding AWSDX-S3" statement; everything minus the public IP and pool is the same:

interface Vlan160
description AWSINT-S3
ip address 172.20.160.1 255.255.255.0
ip nat inside

interface Vlan304
description AWSDX-S3
ip vrf forwarding AWSDX-S3
ip address 52.46.160.184 255.255.255.254
ip nat outside

ip nat pool S3-NAT 209.10.197.4 209.10.197.4 netmask 255.255.255.0
ip nat inside source list AWSINT pool S3-NAT overload

ip access-list standard AWSINT
10 permit 172.20.160.0 0.0.0.255

So now when I tested I can see the hits on my ACL and can see the NAT translation:

L3-SW#sh ip access-list AWSINT
Standard IP access list AWSINT
10 permit 172.20.160.0, wildcard bits 0.0.0.255 (13 matches)

L3-SW#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 209.10.197.4:1024 172.20.160.100:1 35.173.172.210:1 35.173.172.210:1024

Again, if I am wrong please go ahead and correct me, but this seems to have worked. I am still doing more testing.

Thank you again for all your help!!!
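An added sanity check for the "no translation is occurring" situation in the question, written for this thread and not part of the original posts: it reads an IOS-style config and lists every "ip nat inside" subnet that the ACL named in the "ip nat inside source list" line does not fully cover. It assumes standard-ACL entries of the form "permit <network> <wildcard>" with contiguous wildcard bits; run on the first config above it reports 172.16.120.0/24, since ACL AWSINT only permits 172.20.160.0/24, while the working config in the reply uses 172.20.160.0/24 for both the VLAN and the ACL.

```python
import ipaddress
import re
# Constructed sample: the non-working config from the question above, trimmed to what the check needs.
FIRST_CONFIG = """\
interface Vlan120
 ip address 172.16.120.1 255.255.255.0
 ip nat inside
interface Vlan304
 ip address 55.46.160.194 255.255.255.254
 ip nat outside
ip nat inside source list AWSINT interface Vlan304 overload
ip access-list standard AWSINT
 10 permit 172.20.160.0 0.0.0.255
"""

def inside_subnets(config):
    """Subnet of every interface that carries 'ip nat inside'."""
    found, addr, inside = [], None, False
    for raw in config.splitlines() + ["interface END"]:  # sentinel flushes the last block
        line = raw.strip()
        if line.startswith("interface "):
            if addr is not None and inside:
                found.append(addr)
            addr, inside = None, False
        elif line.startswith("ip address "):
            addr = ipaddress.ip_network("{}/{}".format(*line.split()[2:4]), strict=False)
        elif line == "ip nat inside":
            inside = True
    return found

def acl_permits(config, name):
    """Networks permitted by a named standard ACL ('permit <net> <wildcard>'; wildcard assumed contiguous)."""
    nets, in_acl = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list standard "):
            in_acl = line.split()[-1] == name
            continue
        m = re.match(r"(?:\d+\s+)?permit\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)$", line)
        if in_acl and m:
            # wildcard bits are the inverted mask, so prefix length = 32 - bits set in the wildcard
            plen = 32 - int(ipaddress.ip_address(m.group(2))).bit_length()
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{plen}", strict=False))
    return nets

def uncovered_inside_subnets(config):
    """Inside subnets no permit entry of the NAT ACL fully covers; hosts there are never translated."""
    acl = re.search(r"^ip nat inside source list (\S+)", config, re.M).group(1)
    permitted = acl_permits(config, acl)
    return [str(s) for s in inside_subnets(config)
            if not any(s.subnet_of(p) for p in permitted)]
```

Feed it the output of "show running-config" and an empty result means every inside subnet is eligible for translation; anything listed will never show up in "show ip nat translations".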