
NAT overload does not work simultaneously on two VRF subinterfaces

Problem description:

We are running NAT overload over two subinterfaces, each with a different VRF.

When the customer wants to start an FTP or another TCP session, the NAT translation doesn't run on both interfaces simultaneously.

When the first FTP transmission is finished the second starts transmitting when the first connection is lost.

NAT works all right independent of the IOS that is installed, but not through two virtual interfaces at the same time.

Yesterday I tried to start a simultaneous ping over the two interfaces; this also didn't work.

It looks like there is only one NAT process accepted.

Server Side

!

interface GigabitEthernet0/0.103
 description GigabitEthernet0/0.103 dot1q vlan id=103 (C2000-CORE)
 encapsulation dot1Q 103
 ip vrf forwarding V596:VRF-c2000-core
 ip address 10.190.236.253 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/0.104
 description GigabitEthernet0/0.104 dot1q vlan id=104. (C2000-SPECIALS)
 encapsulation dot1Q 104
 ip vrf forwarding V597:VRF-c2000-specials
 ip address 13.17.12.253 255.255.255.0
 ip nat outside
 ip virtual-reassembly

-----------------------------------------------------------------------------------------------

!
interface GigabitEthernet0/1.103
 description GigabitEthernet0/1.103 dot1q vlan id=103. (C2000-CORE)
 encapsulation dot1Q 103
 ip vrf forwarding V596:VRF-c2000-core
 ip address 10.137.195.42 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/1.104
 description GigabitEthernet0/1.104 dot1q vlan id=104. (C2000-SPECIALS)
 encapsulation dot1Q 104
 ip vrf forwarding V597:VRF-c2000-specials
 ip address 10.137.197.42 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
ip nat inside source list 1 interface GigabitEthernet0/0.103 vrf V596:VRF-c2000-core overload
ip nat inside source list 2 interface GigabitEthernet0/0.104 vrf V597:VRF-c2000-specials overload
!
access-list 1 remark DRIE VRF-CORE
access-list 1 permit 192.168.201.0 0.0.0.255
access-list 1 remark HIL VRF-CORE
access-list 1 permit 192.168.211.0 0.0.0.255
access-list 2 remark DRIE VRF-SPECIALS
access-list 2 permit 192.168.202.0 0.0.0.255
access-list 2 remark HIL VRF-SPECIALS
access-list 2 permit 192.168.212.0 0.0.0.255

Customer side

IOS: "flash:c2800nm-spservicesk9-mz.124-12.bin"

interface GigabitEthernet0/0.103
 description Gigabitethernet0/1.103 dot1q vlan id=103. (C2000-CORE)
 encapsulation dot1Q 103
 ip vrf forwarding V596:VRF-c2000-core
 ip address 192.168.212.254 255.255.255.0
 no cdp enable
!
interface GigabitEthernet0/0.104
 description Gigabitethernet0/1.104 dot1q vlan id=104. (C2000/SPECIALS)
 encapsulation dot1Q 104
 ip vrf forwarding V597:VRF-c2000-specials
 ip address 192.168.202.254 255.255.255.0
 no cdp enable
!
interface GigabitEthernet0/1.103
 description Gigabitethernet0/1.103 dot1q vlan id=103.(C2000-CORE)
 encapsulation dot1Q 103
 ip vrf forwarding V596:VRF-c2000-core
 ip address 10.137.195.18 255.255.255.252
 no cdp enable
!
interface GigabitEthernet0/1.104
 description Gigabitethernet0/1.104 dot1q vlan id=104.(C2000-SPECIALS)
 encapsulation dot1Q 104
 ip vrf forwarding V597:VRF-c2000-specials
 ip address 10.137.195.18 255.255.255.252
 no cdp enable


desensitized
Level 1

The IP addresses you set on the subinterfaces 1.103 and 1.104 for the customer side are exactly the same. Both are 10.137.195.18, which is unacceptable in a network.

Hi,

None of the internet IP addresses assigned to the interfaces are correct. I have just given fake IP addresses as this is a public forum. I have seen to it that there is no IP address conflict or any other issue with the IP addresses.

The NAT works fine, as I have mentioned earlier. The only issue is that it does not work on both VRF interfaces simultaneously.

So I just want to know if there is any limitation on the NAT processes.

Hello Usman,

Have a look at the following document:

http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_mpls_vpns_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1046889

I see in the steps the configuration of static routes in VRF. These can play a role for the feature.

Hope to help

Giuseppe
