04-17-2024 01:28 PM
Good day;
Need help with how I can configure NAT overload with an existing VRF on a CAT9K_IOSXE V16.12. This is what I am struggling with: I currently have a VRF called AWSDX-S3. Now what I am trying to do is I have added a L2 SW and ran trunk ports to the L3 SW. On the L3 SW I have created a new VLAN:
VLAN 120
IP address 172.16.120.1 255.255.255.0
I can go on to the L2 switch, assign a port to VLAN 120 and assign a 172.16.120.XX address to my laptop, and I can ping myself, the default gateway and the interface to AWS with no issues, but I cannot go any further. So something is wrong with my NAT that I am not seeing. This is my NAT configuration:
interface Vlan120
description AWSINT
ip vrf forwarding AWSDX-S3
ip address 172.16.120.1 255.255.255.0
ip nat inside
interface Vlan304
description AWSDX-S3
ip vrf forwarding AWSDX-S3
ip address 55.46.160.194 255.255.255.254
ip nat outside
ip nat inside source list AWSINT interface Vlan304 overload
ip access-list standard AWSINT
10 permit 172.20.160.0 0.0.0.255
Not sure what I am missing, but it doesn't appear there is a translation occurring. How do I see if a NAT translation occurs?
Thank you in advance!!
04-24-2024 09:33 AM
You are on the right way.
Since the SW does not support inter-VRF NAT, you use VRF-global NAT,
and this is listed in the link I shared before. As you mention there is a NAT entry, then everything is OK.
MHM
04-17-2024 01:58 PM
Hello,
The access list does not match the VLAN?
interface Vlan120
description AWSINT
ip vrf forwarding AWSDX-S3
ip address 172.16.120.1 255.255.255.0
ip nat inside
!
ip nat inside source list AWSINT interface Vlan304 overload
!
ip access-list standard AWSINT
10 permit 172.20.160.0 0.0.0.255
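As an added example that is not part of the thread: a small Python lint for exactly the mismatch pointed out above, parsing the SVIs marked `ip nat inside` and the standard ACL referenced by the `ip nat inside source list` line, then reporting any inside subnet the ACL does not permit. The config text is the one quoted in the original post (description lines dropped); the function and variable names are my own.

```python
import ipaddress
import re

# Constructed sample: the NAT configuration quoted in the original post.
SAMPLE_CONFIG = """
interface Vlan120
 ip vrf forwarding AWSDX-S3
 ip address 172.16.120.1 255.255.255.0
 ip nat inside
interface Vlan304
 ip vrf forwarding AWSDX-S3
 ip address 55.46.160.194 255.255.255.254
 ip nat outside
ip nat inside source list AWSINT interface Vlan304 overload
ip access-list standard AWSINT
 10 permit 172.20.160.0 0.0.0.255
"""

def wildcard_to_network(addr, wildcard):
    """IOS ACLs use inverse (wildcard) masks: 0.0.0.255 means 'ignore the last octet'.
    Only contiguous wildcards are handled; a non-contiguous one raises ValueError."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_config(config):
    """Return (inside subnets, referenced ACL name, networks that ACL permits)."""
    ifaces, acls, acl_name, cur, acl = [], {}, None, None, None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if line.startswith("interface "):          # new interface stanza
            cur, acl = {"net": None, "inside": False}, None
            ifaces.append(cur)
        elif line.startswith("ip access-list standard "):
            acl, cur = acls.setdefault(line.split()[-1], []), None
        elif m := re.match(r"ip nat inside source list (\S+)", line):
            acl_name, cur, acl = m.group(1), None, None
        elif cur is not None and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            cur["net"] = ipaddress.IPv4Network((m.group(1), m.group(2)), strict=False)
        elif cur is not None and line == "ip nat inside":
            cur["inside"] = True
        elif acl is not None and (m := re.match(r"(?:\d+ )?permit (?:host )?(\S+)(?: (\S+))?$", line)):
            acl.append(wildcard_to_network(m.group(1), m.group(2) or "0.0.0.0"))
    inside = [i["net"] for i in ifaces if i["inside"] and i["net"] is not None]
    return inside, acl_name, acls.get(acl_name, [])

def unmatched_inside_subnets(config):
    """Subnets on 'ip nat inside' interfaces that the NAT ACL does not permit, as strings."""
    inside, _, permitted = parse_config(config)
    return [str(n) for n in inside if not any(n.subnet_of(p) for p in permitted)]

if __name__ == "__main__":
    print(unmatched_inside_subnets(SAMPLE_CONFIG))   # ['172.16.120.0/24']
```

Changing the ACL entry to `permit 172.16.120.0 0.0.0.255` makes the check return an empty list.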
04-17-2024 02:02 PM
https://community.cisco.com/t5/security-knowledge-base/nat-with-vrf-ios-vs-ios-xe/ta-p/3156555
You need to correct the ACL of the NAT and also need to add match vrf to the NAT command.
Link above for NAT in IOS XE.
MHM
04-18-2024 01:00 AM - edited 04-19-2024 08:47 AM
Hello
You don't share the actual NAT statement to support your NAT cfg; however, you may need to match that NAT statement to accommodate the VRF.
Example:
ip nat inside source list AWSINT interface Vlan304 vrf AWSDX-S3 match-in-vrf overload
ip route vrf AWSDX-S3 0.0.0.0 0.0.0.0 Vlan304 55.46.160.x
or
ip nat pool VRF-NAT 55.46.160.194 55.46.160.194 prefix-length 31
ip nat inside source list AWSINT pool VRF-NAT vrf AWSDX-S3 match-in-vrf
04-18-2024 09:52 AM
Hi Guys
Thank you for your response!!
@Georg Pauwen Thanks for pointing that out, I fat-fingered it; I should have cut and pasted. For some reason I decided to type it in, and I was looking at something else when I was typing... thank you, sir!!
@paul driver Hmm, I tried to put in what you suggested, but I get the following error:
OmedaISP(config)#ip nat inside source list AWSINT inter vlan 304 vrf AWSDX-S3 match-in-vrf overload
^
% Invalid input detected at '^' marker.
So I did a question mark at the point of the error, and it doesn't look like it supports it:
OmedaISP(config)#ip nat inside source list AWSINT inter vlan 304 ?
oer Use with vtemplate only. On new translation, if OER BR is UP, OER will select IP from outgoing
Interface. All packets matching translation are forwarded over Interface for duration of
translation.
overload Overload an address translation
<cr> <cr>
But appreciate your suggestion!!
@MHM Cisco World I have to go through the link, will post my findings
But for now thank you guys for your help!!! Any other suggestion would be great!!!
04-19-2024 12:20 AM
Instead of using interface vlan, use a NAT pool.
Note you also need match-in-vrf.
MHM
04-19-2024 06:38 AM
I am beginning to think my version and hardware don't support NAT and VRF. MHM, I will try using a pool; for the pool, does the IP need to be a reachable IP, or does it need to be an active IP on the L3 switch doing the ?
04-19-2024 06:47 AM
The same IP you use for the VLAN SVI.
MHM
04-19-2024 08:49 AM
Hello
@gurowar wrote: I am beginning to think my version and hardware doesn't support NAT and VRF.
The Match-in-VRF Support for NAT feature is not supported on interface overload configuration.
Try the following:
ip nat pool VRF-NAT 55.46.160.194 55.46.160.194 prefix-length 31
ip nat inside source list AWSINT pool VRF-NAT vrf AWSDX-S3 match-in-vrf
04-19-2024 09:38 AM
Thank you Paul, ok great, will try it out and let you know; thank you guys for your help!!!
04-20-2024 12:20 AM - edited 04-20-2024 12:21 AM
Hello
@gurowar wrote:
I am beginning to think my version and hardware don't support NAT and VRF. MHM, I will try using a pool; for the pool, does the IP need to be a reachable IP, or does it need to be an active IP on the L3 switch doing the ?
Note:
@MHM Cisco World The IP used for the NAT pool ONLY needs to be reachable towards your network; it does not need to be the WAN SVI interface.
04-22-2024 07:07 AM
I am planning to head to the DC today to implement the pool, will keep you updated!! Thank you all in advance!!!
04-23-2024 01:18 PM
Just an update on this,
@paul thank you for your suggestion, but it doesn't look like my switch can do what you suggested, as the prefix-length can only go up to 30:
OmedaISP(config)#ip nat pool S3-NAT 55.46.160.184 55.46.160.184 prefix-length ?
<1-30> Prefix length
And I cannot do the vrf statement:
OmedaISP(config)#ip nat inside source list AWSINT pool S3-NAT ?
oer Use with vtemplate only. On new translation, if OER BR is UP, OER will select IP from outgoing
Interface. All packets matching translation are forwarded over Interface for duration of
translation.
overload Overload an address translation
<cr> <cr>
But I think I need to resolve my routing first. I attempted to check routes for the new subnet, but it doesn't know how to get to it:
OmedaISP#sh ip route 172.20.160.0
% Network not in table
I created the VLAN on my edge switch, as this is a L3 device, and I connected the L2 switch to it. I put my laptop on an interface on the L2 switch on VLAN 160 and gave it an IP address of 172.20.160.100. I am able to ping the default gateway from my laptop to the SVI interface on the L3 switch, which is 172.20.160.1. This L3 device is only running BGP, so something in my routing is off. I need to figure that out first, is what I am thinking.
04-23-2024 02:04 PM
I had a brain fart; routing is good. Quick question: because I put this into the VRF, how do I see if the NAT is working? I tried to do a show ip nat translation, but it comes up with nothing.
04-24-2024 02:02 AM
You have a real device,
use "?" in the ip nat command to see if there is match-in-vrf.
If not, then your SW does not support this feature.
Debug ip nat details.
This can give us some hint whether the SW tries NAT or not at all.
MHM