cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1150
Views
3
Helpful
16
Replies

Configuring NAT overload with vrf lite on a CAT9K

gurowar
Level 1
Level 1

Good day;

Need help with how I can configure NAT overload with an existing vrf on a CAT9K_IOSXE V16.12.  This is what I am struggling with, I currently have a vrf called AWSDX-S3.  Now what I am trying to do is I have added a L2 SW and ran trunk ports to the L3 SW.  On the L3 SW I have created a new vlan:

VLAN 120

IP address 172.16.120.1 255.255.255.0

I can go on to the L2 switch assign a port to vlan 120 and assign a 172.16.120.XX address to my laptop and I can ping myself, default gateway and the interface to AWS no issues but I cannot go any further.  So something is wrong with my NAT that I am not seeing.  This is my NAT configuration:

interface Vlan120
description AWSINT
ip vrf forwarding AWSDX-S3
ip address 172.16.120.1 255.255.255.0
ip nat inside                                                                                                             

interface Vlan304
description AWSDX-S3
ip vrf forwarding AWSDX-S3
ip address 55.46.160.194 255.255.255.254
ip nat outside

ip nat inside source list AWSINT interface Vlan304 overload

ip access-list standard AWSINT
10 permit 172.20.160.0 0.0.0.255

Not sure what I am missing but it doesn't appear there is a translation occurring. How do I see if a NAT translations occurs?

Thank you in advance!!

1 Accepted Solution

Accepted Solutions

you are in right way 
since the SW not support inter-vrf NAT you use VRF-global NAT 

and this list in link I share before and as you mention there NAT entry then every thing is OK 

MHM

View solution in original post

16 Replies 16

Hello,

the access list does not match the VLAN ?

interface Vlan120
description AWSINT
ip vrf forwarding AWSDX-S3
ip address 172.16.120.1 255.255.255.0
ip nat inside
!
ip nat inside source list AWSINT interface Vlan304 overload
!
ip access-list standard AWSINT
10 permit 172.20.160.0 0.0.0.255

https://community.cisco.com/t5/security-knowledge-base/nat-with-vrf-ios-vs-ios-xe/ta-p/3156555

You need to correct ACL of NAT and also need match vrf to add to NAT command.

Link above for NAT in ios xe

MHM

Hello
You dont share the actual nat statement to support your nat cfg however you may need to match that NAT statement to accommodate vrf.

Example:
ip nat inside source list AWSINT interface Vlan304 vrf AWSDX-S3 match-in-vrf overload
ip route vrf AWSDX-S3  0.0.0.0 0.0.0.0  Vlan304 55.46.160.x

or
ip nat pool VRF-NAT 55.46.160.194 55.46.160.194 prefix-length 31
ip nat inside source list AWSINT pool VRF-NAT vrf  AWSDX-S3 match-in-vrf 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

gurowar
Level 1
Level 1

Hi Guys 

Thank you for your response!!

@Georg Pauwen  Thanks for pointing that out I fat finger, I should of cut and paste for some reason I decided to type it in and I was looking at something else when I was typing....thank you sir!!

@paul driver  hmm I tried to put in what you suggested but I get the following error

OmedaISP(config)#ip nat inside source list AWSINT inter vlan 304 vrf AWSDX-S3 match-in-vrf overload
^
% Invalid input detected at '^' marker.

so I did a question mark at the point of the error and it doesn't look like it supports it:

OmedaISP(config)#ip nat inside source list AWSINT inter vlan 304 ?
oer Use with vtemplate only. On new translation, if OER BR is UP, OER will select IP from outgoing
Interface. All packets matching translation are forwarded over Interface for duration of
translation.
overload Overload an address translation
<cr> <cr>

But appreciate your suggestion!!

@MHM Cisco World  I have to go through the link, will post my findings

But for now thank you guys for your help!!!  Anything other suggestion would be great!!!

Instead of use interface vlan' use pool nat 

Note you need also match in vrf 

MHM

gurowar
Level 1
Level 1

I am beginning to think my version and hardware doesn't support NAT and VRF.  MHM I will try using a pool, for the pool the IP need to be a reachable IP or do the need to be an active IPs on the L3 switch doing the ?

The same IP you use for vlan SVI

MHM

Hello


@gurowar wrote:I am beginning to think my version and hardware doesn't support NAT and VRF.

Restrictions for Match-in-VRF Support for NAT

  • The Match-in-VRF Support for NAT feature is not supported on interface overload configuration

Try the following:
ip nat pool VRF-NAT 55.46.160.194 55.46.160.194 prefix-length 31
ip nat inside source list AWSINT pool VRF-NAT vrf AWSDX-S3 match-in-vrf 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

gurowar
Level 1
Level 1

Thank you Pau ok great will try it out and let you know, thank you guys for your help!!!

Hello


@gurowar wrote:

I am beginning to think my version and hardware doesn't support NAT and VRF.  MHM I will try using a pool, for the pool the IP need to be a reachable IP or do the need to be an active IPs on the L3 switch doing the ?


Note:
@MHM Cisco World  The Ip used for nat pool ONLY needs to be reachable towards your network it does not need to the wan svi interface


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

gurowar
Level 1
Level 1

I am planning to head to the DC today to implement the pool, will keep  you updated!!  Thank you all in advance!!!

gurowar
Level 1
Level 1

Just an update on this,  

@paul thank you for your suggesting but doesn't look like my switch can do what you suggested for the prefix-length can only go up to 30

OmedaISP(config)#ip nat pool S3-NAT 55.46.160.184 55.46.160.184 prefix-length ?
<1-30> Prefix length

and I cannot do the vrf statement:

OmedaISP(config)#ip nat inside source list AWSINT pool S3-NAT ?
oer Use with vtemplate only. On new translation, if OER BR is UP, OER will select IP from outgoing
Interface. All packets matching translation are forwarded over Interface for duration of
translation.
overload Overload an address translation
<cr> <cr>

but I think I need to resolve my routing first I attempted to check routes for the new subnet but it doesn't know how to get it

OmedaISP#sh ip route 172.20.160.0
% Network not in table

I created the VLAN on my edge switch as this is a L3 device and I connected the L2 switch to it.  I put my laptop on an interface on the L2 switch on vlan160 and gave it an ip address of 172.20.160.100.  I am able to ping the default gateway from my laptop to the SVI interface on the L3 switch which is 172.20.160.1.  This L3 device is only running BGP so something in my routing is off, Need to figure that out first is what I am thinking.

 

gurowar
Level 1
Level 1

I had a brain fart routing is good, quick question because I put this into the vrf how do I see if the NAT is working?  I tried to do a show ip nat translation but comes up with nothing.

You have real device,

Use "?" in ip nat command see of there is match-in-vrf

If not then your SW not supported this feature

Debug ip nat details

This can give us some hint if SW try NAT or not at all

MHM

Review Cisco Networking for a $25 gift card