04-01-2013 03:42 PM - edited 03-07-2019 12:34 PM
I have two routers that are connected to each other via a DMVPN. The topology looks like this: R1---->R2----(DMVPN CLOUD)---R3----->R4.
The link between R1 and R2 uses OSPF, and then networks are advertised from R1 to R2 via BGP. The same happens between R3 and R4. Within the DMVPN cloud I am running EIGRP, and I have mutual redistribution between BGP and EIGRP on R2 and R3. R1 and R4 can see all the relevant networks, so no big deal there.
The problem is, I am trying to enable NAT on R1 and R4: I want private subnets (subnets created using Loopbacks) to be translated to the interface IP on R1 as they go outbound towards R4's public IP (the IP used to connect R4 to R3). I am using NVI to do this and it should be a fairly straightforward setup, but I guess I'm missing something.
The one caveat here is that on R1 and R4 I have a VRF. I'm not trying to NAT between VRFs; I am only using the VRF to separate this network design and its routes from other routes I have in the global table, no big deal there. So, what am I missing here?
Here is my relevant configuration:
R4:
ip vrf SITEC
!
interface Loopback170
description PRIVATE SUBNET
ip vrf forwarding SITEC
ip address 10.1.1.1 255.255.255.0
ip nat enable
!
int f0/0.502
description CONNECTION TO R2
encapsulation dot1Q 502
ip vrf forwarding SITEC
ip address 100.1.1.1 255.255.255.0
ip nat enable
ip ospf 100 area 0
!
router ospf 100 vrf SITEA
router-id 150.4.4.4
!
router bgp 100
address-family ipv4 unicast vrf SITEC
neighbor 100.1.1.10 remote-as 65000
network 222.1.1.0 mask 255.255.255.0 (NOT MY REAL PUBLIC IP, THIS IS JUST IN A LAB)
!
ip access-list standard 50
10 permit 10.1.1.0 0.0.0.255
!
ip nat source list 50 interface f0/0.502 vrf SITEC overload
-------------------------------------------------------------------------------------------------------------------------------------------------
R1:
ip vrf SITEA
!
interface Loopback170
description PRIVATE SUBNET
ip vrf forwarding SITEA
ip address 10.1.1.1 255.255.255.0
ip nat enable
!
int f0/0.500
description CONNECTION TO R2
encapsulation dot1Q 500
ip vrf forwarding SITEA
ip address 170.1.1.100 255.255.255.0
ip nat enable
ip ospf 100 area 0
!
router ospf 100 vrf SITEA
router-id 150.1.1.1
!
router bgp 100
address-family ipv4 unicast vrf SITEA
neighbor 170.1.1.10 remote-as 65000
network 220.1.1.0 mask 255.255.255.0 (NOT MY REAL PUBLIC IP, THIS IS JUST IN A LAB)
!
ip access-list standard 50
10 permit 10.1.1.0 0.0.0.255
!
ip nat source list 50 interface f0/0.500 vrf SITEA overload
-------------------------------------------------------------------------------------------------------------------------
My Tests ON R1:
R1#ping vrf SITEA 100.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.1, timeout is 2 seconds:
!!!!!
----------------------------------------------------------------------------------------------------------------------------
My Tests ON R4:
R4#PING VRF SITEC 170.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 170.1.1.100, timeout is 2 seconds:
!!!!!
R4#PING VRF SITEC 170.1.1.100 source lo170
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 170.1.1.100, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.....
Success rate is 0 percent (0/5)
R4#sh ip nat nvi tran
R4#sh ip nat nvi translations
R4#
04-02-2013 05:36 AM
Hi Justin,
Try the following command: "ip nat source list 50 interface f0/0.502 vrf SITEC match-in-vrf overload"
See if this makes a difference.
Hope it helps.
Neeraj
04-02-2013 08:27 AM
I don't have that syntax as an option; I did try. So otherwise, does the configuration look correct?
04-02-2013 09:23 AM
My bad, see if this works:
interface Loopback170
no ip nat enable
ip nat inside
!
int f0/0.500
no ip nat enable
ip nat outside
ip nat inside source list 50 interface f0/0.502 vrf SITEC match-in-vrf overload
04-02-2013 11:27 AM
Ok, so I changed my configuration some. Now the topology is like this:
Sw1----->R1----->R2--(DMVPN)--R3---->R4----->Sw2
The two switches are multilayer.
So I'm NATting on R1 and R4, and I'm sourcing the traffic from Sw1 or Sw2.
I am NATting the network from Sw1 to the interface on R1 that connects to R2. I am also NATting the network from Sw2 to the interface IP on R4 that is connected to R3.
My problem now is that I can ping from Sw2 to the public IP on R1 no problem, but I can't ping from Sw1 to the public IP of R4.
R1 Config:
interface FastEthernet0/0
no ip address
duplex auto
speed auto
service-policy output WFQ
hold-queue 1000 out
!
interface FastEthernet0/0.130
description CONNECTION TO SW1
encapsulation dot1Q 130
ip vrf forwarding SITEA
ip address 130.1.1.1 255.255.255.0
ip nat enable
!
interface FastEthernet0/0.146
encapsulation dot1Q 146
ip address 155.1.146.1 255.255.255.0
!
interface FastEthernet0/0.500
Description CONNECTION TO R2
encapsulation dot1Q 500
ip vrf forwarding SITEA
ip address 170.1.1.100 255.255.255.0
ip nat enable
ip ospf 100 area 0
!
interface Serial0/0
no ip address
encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
ip address 155.1.0.1 255.255.255.0
frame-relay interface-dlci 105
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
ip address 155.1.13.1 255.255.255.0
!
router eigrp 100
network 150.1.1.0 0.0.0.255
network 155.1.0.0
distance eigrp 90 201
no auto-summary
!
address-family ipv4 vrf SITEA
redistribute bgp 100 metric 1000000 1 1 255 1500
network 130.1.1.0 0.0.0.255
no auto-summary
autonomous-system 1000
exit-address-family
!
router ospf 100 vrf SITEA
router-id 150.1.1.1
log-adjacency-changes
!
router bgp 100
no synchronization
bgp log-neighbor-changes
network 150.1.1.0 mask 255.255.255.0
neighbor PG peer-group
neighbor PG remote-as 100
neighbor PG ebgp-multihop 10
neighbor PG update-source Loopback0
neighbor 150.1.3.3 peer-group PG
neighbor 150.1.4.4 peer-group PG
neighbor 150.1.5.5 peer-group PG
neighbor 150.1.6.6 peer-group PG
neighbor 170.1.1.10 remote-as 65000
no auto-summary
!
address-family ipv4 vrf SITEA
neighbor 170.1.1.10 remote-as 65000
neighbor 170.1.1.10 activate
no synchronization
network 220.1.1.0
exit-address-family
!
!
!
ip http server
no ip http secure-server
ip nat log translations syslog
ip nat translation icmp-timeout 5
ip nat source list 50 interface FastEthernet0/0.500 vrf SITEA overload
!
access-list 50 permit any
----------------------------------------------------------------------------------------------------------
R4 Config:
interface FastEthernet0/0.67
encapsulation dot1Q 67
ip address 155.1.67.6 255.255.255.0
!
interface FastEthernet0/0.140
description CONNECTION TO SW2
encapsulation dot1Q 140
ip vrf forwarding SITEC
ip address 140.1.1.6 255.255.255.0
ip nat enable
!
interface FastEthernet0/0.146
encapsulation dot1Q 146
ip address 155.1.146.6 255.255.255.0
!
interface FastEthernet0/0.502
description CONNECTION TO R3
encapsulation dot1Q 502
ip vrf forwarding SITEC
ip address 100.1.1.1 255.255.255.0
ip nat enable
ip ospf 100 area 0
service-policy input police
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
ip address 54.1.1.6 255.255.255.0
encapsulation frame-relay
frame-relay map ip 54.1.1.254 101 broadcast
!
router eigrp 100
network 150.1.6.0 0.0.0.255
network 155.1.0.0
distance eigrp 90 201
no auto-summary
!
router eigrp 1000
auto-summary
!
address-family ipv4 vrf SITEC
redistribute bgp 100 metric 1000000 1 1 255 1500
network 140.1.1.0 0.0.0.255
no auto-summary
autonomous-system 1000
exit-address-family
!
router ospf 100 vrf SITEC
router-id 150.6.6.6
log-adjacency-changes
!
router bgp 100
no synchronization
bgp log-neighbor-changes
network 54.1.1.0 mask 255.255.255.0
network 150.1.4.0 mask 255.255.255.0
neighbor PG peer-group
neighbor PG remote-as 100
neighbor PG ebgp-multihop 10
neighbor PG update-source Loopback0
neighbor 54.1.1.254 remote-as 54
neighbor 150.1.1.1 peer-group PG
neighbor 150.1.3.3 peer-group PG
neighbor 150.1.4.4 peer-group PG
neighbor 150.1.5.5 peer-group PG
auto-summary
!
address-family ipv4 vrf SITEC
neighbor 100.1.1.10 remote-as 65000
neighbor 100.1.1.10 activate
no synchronization
network 222.1.1.0
exit-address-family
!
ip forward-protocol nd
ip route 155.1.0.0 255.255.0.0 Null0
no ip http server
no ip http secure-server
!
!
ip nat log translations syslog
ip nat translation timeout 60
ip nat translation icmp-timeout 5
ip nat source list 50 interface FastEthernet0/0.502 vrf SITEC overload
!
access-list 50 permit any
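As an added sanity check (not from this thread and not a Cisco tool), here is a small Python script that parses IOS-style config text and flags the cross-references that trip up NVI-in-VRF setups like the one above: a routing process or NAT rule naming a VRF the router never defines, a NAT rule pointing at an interface that sits in a different VRF, a missing ACL, or an interface without "ip nat enable". The sample config is constructed, modelled on the first R4 snippet posted above (with full interface names), and the check function and its output strings are my own.

```python
import re

# Constructed sample modelled on the first R4 snippet in this thread: the OSPF
# process is tied to VRF SITEA, but this router only defines VRF SITEC.
SAMPLE_CONFIG = """\
ip vrf SITEC
interface FastEthernet0/0.502
 ip vrf forwarding SITEC
 ip nat enable
router ospf 100 vrf SITEA
ip access-list standard 50
 10 permit 10.1.1.0 0.0.0.255
ip nat source list 50 interface FastEthernet0/0.502 vrf SITEC overload
"""

def check_nat_vrf(config):
    """Return a list of findings about VRF/NAT cross-references in IOS-style config text."""
    vrfs, acls, ifaces, vrf_refs, nat_rules = set(), set(), {}, [], []
    cur = None  # interface block currently being parsed, if any
    for line in config.splitlines():
        if line.startswith(" ") and cur is not None:  # interface sub-command
            if m := re.match(r" ip vrf forwarding (\S+)", line):
                cur["vrf"] = m.group(1)
            elif line.strip() == "ip nat enable":
                cur["nvi"] = True
            continue
        cur = None
        if m := re.match(r"ip vrf (\S+)$", line):
            vrfs.add(m.group(1))
        elif m := re.match(r"(?:ip access-list \S+|access-list) (\S+)", line):
            acls.add(m.group(1))
        elif m := re.match(r"interface (\S+)$", line):
            cur = ifaces.setdefault(m.group(1), {"vrf": None, "nvi": False})
        elif m := re.match(r"router \w+ \d+ vrf (\S+)$", line):
            vrf_refs.append((line, m.group(1)))
        elif m := re.match(r"ip nat source list (\S+) interface (\S+) vrf (\S+)", line):
            nat_rules.append(m.groups())
            vrf_refs.append((line, m.group(3)))
    findings = [f"{stmt!r}: VRF {v} is not defined on this router"
                for stmt, v in vrf_refs if v not in vrfs]
    for acl, ifname, vrf in nat_rules:
        if acl not in acls:
            findings.append(f"NAT rule references undefined ACL {acl}")
        iface = ifaces.get(ifname, {"vrf": None, "nvi": False})  # unknown interface -> both checks fire
        if iface["vrf"] != vrf:
            findings.append(f"{ifname} is in VRF {iface['vrf']} but the NAT rule names VRF {vrf}")
        if not iface["nvi"]:
            findings.append(f"{ifname} lacks 'ip nat enable' (required for NVI NAT)")
    return findings
```

Run it against a "show running-config" capture of each router; an empty list means every VRF, ACL and interface referenced by the NAT and routing statements is consistent.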