cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10337
Views
0
Helpful
11
Replies
TheDukeofBaghdad
Beginner

NAT with VRF !!!

hi Friends,

 

I need to configure NAT and static mapping so i can reach (SSH) internal devices (Servers) inside the Network (Private IP Addresses) from the Internet.

So i have problem combination VRF with NAT, The Interface Connecting to the Internet is in VRF and the Interface connecting to Internal Network is NOT on VRF, here is my Output..

 

R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.69.2.30      YES NVRAM  up                    up
GigabitEthernet0/1         A.A.A.9         YES NVRAM  up                    up
Serial0/0/0                10.10.10.1      YES NVRAM  up                    up
Serial0/1/0                10.10.12.1      YES NVRAM  up                    up
Serial0/2/0                10.10.13.1      YES NVRAM  up                    up
Async1                     10.10.11.1      YES NVRAM  up                    up
Tunnel0                    10.5.5.1        YES NVRAM  up                    up

 

 

Note: Interface Gigabit0/1 have Public IP Address and connect to ISP through VRF cisco.
 
R1#show run interface gigabitEthernet 0/1
Building configuration...
 
Current configuration : 281 bytes
!
interface GigabitEthernet0/1
ip vrf forwarding cisco
ip address A.A.A.9 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
end
 
R1#show run interface gigabitEthernet 0/0
Building configuration...
 
Current configuration : 258 bytes
!
interface GigabitEthernet0/0
ip address 10.69.2.30 255.255.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
decnet cost 4
end
 
Notice that interface gi0/0 is NOT part of the VRF.
 
R1#show run | include ip route
ip route 10.41.2.0 255.255.255.0 Serial0/2/0
ip route 192.0.69.0 255.255.255.0 Serial0/0/0
ip route 192.168.0.0 255.255.255.0 10.69.2.254
ip route 192.168.21.0 255.255.255.0 Async1
ip route vrf cisco 0.0.0.0 0.0.0.0 A.A.A.10
 
i am not even sure it's a valid design, because IP NAT OUTSIDE interface is in VRF cisco and IP NAT INSIDE interface is not on any VRF.
 
any advice will be much appreciated
 
Update 1:
  • i already configure NAT at home LAB and it's working correctly without the VRF.
Update 2: 
  • i copy the configuration from R1 to the R1 on LAB and configure the Interface gi0/0 to the Same VRF and i was able to connect to the Internal Devices through the NAT but when i configure the Live Device on the Field it didn't work!!!  ..   here is the Configuration:

henrt1#show run | section nat

interface gi0/0
 ip nat inside

interface gi0/1
 ip nat outside

!
ip nat inside source static tcp 10.69.2.30 23 A.A.A.9 30003 vrf cisco extendable
ip nat inside source static tcp 10.69.2.10 23 A.A.A.9 30010 vrf cisco extendable

 

any suggestion ? thoughts ?

Thanks for taking the time to read and replay to my post.

 

11 REPLIES 11
Reza Sharifi
Hall of Fame Expert

Hi,

So, the question is why are you putting gi0/1 in a VRF?

When you put gi0/1 in a VRF and other interfaces are not, now you have configure route leaking to get interface gi0/1 to talk to other interfaces in the global routing table. If gi0/1 is an isolated interface and does not need to talk to other interface than putting it in a VRF maybe  a good idea.

HTH

hi Reza Sharifi,

i am not the one who configure the Routers and i agree with you that VRF here is not necessary for this design.

but i am not allowed (at this point) to remove the VRF especially that this network is in a live system. and the second end of the tunnel (tunnel0) is in unmanned sites and as you know when you add or remove the interface from the VRF you will lose the IP Address and have to configure it again, so i will lose connection to the remote site and have to send engineer to fix it!

so i am trying to found a way to configure a NAT between the VRF and Global Routing or upgrade the interface gi0/0 to the same VRF and configure it correctly.

 

Thanks

Hi,

Ok, I understand the situation now.  I thought this was a new implementation.

So, can you clarity

1-Is connectivity to all remote sites with private IPs and the tunnel working?

2-Is connectivity to Internet working?

3-if the answer to number 2 is no, does this router have connectivity to Internet?

HTH

 

hi Reza Sharifi,

okay the purpose of NAT here is to provide direct connection to the internal devices through the internet once i complete it .. we will add maps in the company server so we can Telnet/SSH to them by name without having to telnet or SSH to R1 first.

 

1. everything is working correctly without NAT, and by connecting to the R1 i can telnet to any other device.

2. yes the connection to the internet is working perfectly, and i am using it to connect to the router.

 

 

 

Hi,

Take a look at this link.  This config is maybe close to what you need except there is no NAT.  So, maybe you can use the export/import config example for VRF leaking with BGP and than use the NAT statement you have in your configs.

http://rekrowten.wordpress.com/2014/02/21/route-leak-between-global-ipv4-table-and-vrf/

HTH

 

hi Reza,

 

I read the post and try to implement it but it didn't work ! also i am not sure that will fix the NAT problem.

 

R1#show run | section route-map
route-map IMPORT_GLOBAL permit 10
 match ip address 50
route-map EXPORT_GLOBAL permit 10
 match ip address prefix-list PL_GLOBAL_EXPORT

 

R1#show access-list 50
Standard IP access list 50
    10 permit 10.69.0.0, wildcard bits 0.0.255.255
R1#show ip prefix-list PL_GLOBAL_EXPORT
ip prefix-list PL_GLOBAL_EXPORT: 1 entries
   seq 10 permit A.A.A.8/30
R1#show run | section vrf INET
ip vrf cisco
 rd 1:1
 import map IMPORT_GLOBAL
 export map EXPORT_GLOBAL
 route-target export 1:1
 route-target import 1:1

 

Thanks

 

Hi,

I think, instead of doing all the workaround to get this working, the fastest way to resolve this is to have a short maintenance window and remove the vrf statement from fa0/1.

Usually when you remove vrf statement from an interface the IP address gets deleted.  So, all you have to do is to apply the IP address to the interface again

Just my opinion


 

TheDukeofBaghdad
Beginner

according to this link: Click Me

{

Q. Should NAT NVI be used when NATting between an interface in global and an interface in a VRF?

A. Cisco recommends that you use legacy NAT for VRF to global NAT (ip nat inside/out) and between interfaces in the same VRF. NVI is used for NAT between different VRFs.

}

so i can keep the interface gi0/0 outside the VRF and still NAT with the interface gi0/1 in VRF cisco !

but he didn't mention how ?!

 

any more help regarding this configuration ? 

I have the same problem, can you solve it?

Did you get this to work?  I have a very similar situation.