04-17-2024 01:28 PM
Good day;
Need help with how I can configure NAT overload with an existing vrf on a CAT9K_IOSXE V16.12. This is what I am struggling with: I currently have a vrf called AWSDX-S3. Now what I am trying to do is I have added an L2 SW and ran trunk ports to the L3 SW. On the L3 SW I have created a new vlan:
VLAN 120
IP address 172.16.120.1 255.255.255.0
I can go on to the L2 switch, assign a port to vlan 120 and assign a 172.16.120.XX address to my laptop, and I can ping myself, the default gateway and the interface to AWS with no issues, but I cannot go any further. So something is wrong with my NAT that I am not seeing. This is my NAT configuration:
interface Vlan120
description AWSINT
ip vrf forwarding AWSDX-S3
ip address 172.16.120.1 255.255.255.0
ip nat inside
interface Vlan304
description AWSDX-S3
ip vrf forwarding AWSDX-S3
ip address 55.46.160.194 255.255.255.254
ip nat outside
ip nat inside source list AWSINT interface Vlan304 overload
ip access-list standard AWSINT
10 permit 172.20.160.0 0.0.0.255
Not sure what I am missing, but it doesn't appear there is a translation occurring. How do I see if a NAT translation occurs?
Thank you in advance!!
04-24-2024 09:29 AM - edited 04-24-2024 09:32 AM
First of all I want to say thank you for all your help!! I always can depend on you all for help, so I wanted to make sure you all know I appreciate everyone's advice!! With that said, I believe the issue is resolved, and if I am wrong please correct me. So here we go, for anyone that is trying to NAT and running VRF on this particular set up:
Catalyst L3 Switch Software (CAT9K_IOSXE)
my config looked like this:
interface Vlan120
description AWSINT
ip vrf forwarding AWSDX-S3
ip address 172.16.120.1 255.255.255.0
ip nat inside
interface Vlan304
description AWSDX-S3
ip vrf forwarding AWSDX-S3
ip address 52.46.160.184 255.255.255.254
ip nat outside
ip nat inside source list AWSINT interface Vlan304 overload
ip access-list standard AWSINT
10 permit 172.20.160.0 0.0.0.255
but this didn't work, and so I tried using a pool with the IP of the outgoing interface, but that didn't work either. So with everyone's help and the note from Paul Driver (thank you sir!!) I came to the conclusion that my particular hardware and version doesn't support NAT with VRF. So what I ended up doing was to look for another public IP that I was advertising into AWS and use that as the overload. This is what seemed to work:
From my new vlan I removed the "ip vrf forwarding AWSDX-S3" statement; everything except the public IP and the pool is the same:
interface Vlan160
description AWSINT-S3
ip address 172.20.160.1 255.255.255.0
ip nat inside
interface Vlan304
description AWSDX-S3
ip vrf forwarding AWSDX-S3
ip address 52.46.160.184 255.255.255.254
ip nat outside
ip nat pool S3-NAT 209.10.197.4 209.10.197.4 netmask 255.255.255.0
ip nat inside source list AWSINT pool S3-NAT overload
ip access-list standard AWSINT
10 permit 172.20.160.0 0.0.0.255
So now when I tested I can see the hits on my ACL and see the NAT:
L3-SW#sh ip access-list AWSINT
Standard IP access list AWSINT
10 permit 172.20.160.0, wildcard bits 0.0.0.255 (13 matches)
L3-SW#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 209.10.197.4:1024 172.20.160.100:1 35.173.172.210:1 35.173.172.210:1024
Again, if I am wrong please go ahead and correct me, but this seems to have worked. I am still doing more testing.
Thank you again for all your help!!!
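A quick consistency check, added here and not part of the thread, that parses an IOS NAT snippet like the ones posted above and lists every "ip nat inside" interface whose subnet the NAT source ACL does not permit; run on the first config it reports Vlan120 (172.16.120.0/24 is not in the AWSINT list), run on the final config it reports nothing. The function names and the embedded sample are mine, and the parser assumes contiguous wildcard masks.

```python
import ipaddress

# Constructed sample: the first (non-working) config posted above, descriptions dropped.
SAMPLE_CONFIG = """\
interface Vlan120
 ip vrf forwarding AWSDX-S3
 ip address 172.16.120.1 255.255.255.0
 ip nat inside
interface Vlan304
 ip vrf forwarding AWSDX-S3
 ip address 52.46.160.184 255.255.255.254
 ip nat outside
ip nat inside source list AWSINT interface Vlan304 overload
ip access-list standard AWSINT
 10 permit 172.20.160.0 0.0.0.255
"""

def parse_nat_config(text):
    """Return (interfaces, acls, nat_acl_name) from an IOS NAT config snippet."""
    ifaces, acls, nat_acl, cur, acl = [], {}, None, None, None
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "interface":                       # start of an interface block
            cur, acl = {"name": w[1], "net": None, "vrf": None, "nat": None}, None
            ifaces.append(cur)
        elif w[:2] == ["ip", "access-list"]:          # start of a named ACL block
            acl, cur = acls.setdefault(w[3], []), None
        elif w[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_acl = w[5]                            # ACL the NAT rule selects traffic with
        elif cur and w[:2] == ["ip", "address"]:
            cur["net"] = ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)
        elif cur and w[:3] == ["ip", "vrf", "forwarding"]:
            cur["vrf"] = w[3]
        elif cur and w[:2] == ["ip", "nat"] and len(w) == 3:
            cur["nat"] = w[2]                         # 'inside' or 'outside'
        elif acl is not None and "permit" in w:
            i = w.index("permit") + 1                 # skips an optional sequence number
            addr, wild = (w[i + 1], "0.0.0.0") if w[i] == "host" else (w[i], w[i + 1] if len(w) > i + 1 else "0.0.0.0")
            bits = int(ipaddress.IPv4Address(wild)).bit_length()  # contiguous wildcard assumed
            acl.append(ipaddress.ip_network(f"{addr}/{32 - bits}", strict=False))
    return ifaces, acls, nat_acl

def uncovered_inside_interfaces(text):
    """Names of 'ip nat inside' interfaces whose subnet no permit entry of the NAT ACL covers."""
    ifaces, acls, nat_acl = parse_nat_config(text)
    permits = acls.get(nat_acl, [])
    return [i["name"] for i in ifaces if i["nat"] == "inside" and i["net"] is not None
            and not any(i["net"].subnet_of(p) for p in permits)]
```

Call uncovered_inside_interfaces() on the text of "show running-config" sections for the interfaces, the NAT statement and the ACL; an empty list means every inside subnet can be matched by the ACL, which is the first thing to confirm before looking at "sh ip nat trans".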