Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
431
Views
0
Helpful
2
Replies

NAT inbound Range into VRF

Brad Nightingale
Level 1
Level 1

‎01-28-2014 07:54 PM - edited ‎03-07-2019 05:52 PM

Hi.

We have a 1900 cisco that we have a few VRF running on.  Its doing NAT to the internet as well.

I need to be able to do some inbound NATs to a server for a range of ports - up to three hundred.  I really do not want to have to do one at a time.  I found the following but it doesnt seem to support VRFs:

ip nat pool pool1 10.0.0.99 10.0.0.99 netmask 255.255.255.0 type rotary

ip access-list ext nat_01

permit udp any any range 7000 7331

permit udp any any range 8002 8005

permit udp any any range 9200 9215

ip nat inside destination list nat_01 pool pool1

I have found the following website that says you should be able to do a range on a VRF:

http://books.google.co.nz/books?id=ZkrkiR1_tJEC&pg=PA205&lpg=PA205&dq=%22ip+nat+inside+destination+vrf%22&source=bl&ots=q5uWt_PZvG&sig=BEUrN49fx2rBZzh3Adou8nbxmrQ&hl=en&sa=X&ei=x3LoUpGjA82CkgX_74HACg&ved=0CCcQ6AEwAA#v=onepage&q=%22ip%20nat%20inside%2...

I cant find anything else that says you can!

Can someone give me some help with this?  This is really urgent.

Brad

Labels:
0 Helpful
2 Replies 2

daniel.dib
Level 7
Level 7

‎01-28-2014 09:23 PM

For some reason this seems very tricky to implement on Cisco devices.

Rotary NAT is only used for TCP and usually used to load share in round robin fashion between servers on the inside.

The other option is to use a static translation and route-map but that seems broken as well, at least in older IOS versions.

Your best bet might be to do the manual entries anyway. Are they all in a range? You could use a simple bash script or Perl to generate the configuration for you if that is what's bothering you.

Daniel Dib
CCIE #37149

Please rate helpful posts.

Daniel Dib
CCIE #37149
CCDE #20160011

Please rate helpful posts.
0 Helpful

Brad Nightingale
Level 1
Level 1
In response to daniel.dib

‎01-28-2014 10:06 PM

Hi Daniel

Thanks for the idea.  We use this router for a lot of sites, and as there is there is a large number of NATs in it - I really dont want to be maxing the CPU with too many NATs to manage.  I have done the following (just completed) and it appears to be working ok:

ip nat inside source static vrf vrf01 route-map RM01 extendable

ip access-list ext nat_01

permit udp any any range 7000 7331

permit udp any any range 8002 8005

permit udp any any range 9200 9215

route-map RM01 permit 10

match ip address nat_01

It seems to be doing the trick at the moment, but lets see tomorrow when everyone is back in the office!

Brad

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card