12-22-2014 10:28 AM - edited 03-07-2019 09:58 PM
Hi friends,
I need to configure NAT and static mapping so I can reach (SSH) internal devices (servers) inside the network (private IP addresses) from the Internet.
So I have a problem combining VRF with NAT. The interface connecting to the Internet is in a VRF and the interface connecting to the internal network is NOT in a VRF. Here is my output:
R1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.69.2.30 YES NVRAM up up
GigabitEthernet0/1 A.A.A.9 YES NVRAM up up
Serial0/0/0 10.10.10.1 YES NVRAM up up
Serial0/1/0 10.10.12.1 YES NVRAM up up
Serial0/2/0 10.10.13.1 YES NVRAM up up
Async1 10.10.11.1 YES NVRAM up up
Tunnel0 10.5.5.1 YES NVRAM up up
henrt1#show run | section nat
interface gi0/0
ip nat inside
interface gi0/1
ip nat outside
!
ip nat inside source static tcp 10.69.2.30 23 A.A.A.9 30003 vrf cisco extendable
ip nat inside source static tcp 10.69.2.10 23 A.A.A.9 30010 vrf cisco extendable
Any suggestions? Thoughts?
Thanks for taking the time to read and reply to my post.
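As an added example (not part of the original post or any Cisco tool), the script below parses the `show run | section nat` output above and audits it from a defender's view: it reports which static entries publish a cleartext management protocol (the mappings forward tcp/23, telnet, even though the goal is SSH) and checks that the `vrf` named on each static entry matches the VRF of an `ip nat inside` interface, which it assumes is what that keyword refers to. The interface-to-VRF table is constructed from the poster's description (gi0/1 in VRF cisco, gi0/0 global).

```python
import re

# Constructed input: the "show run | section nat" output posted in the thread.
NAT_SECTION = """\
interface gi0/0
ip nat inside
interface gi0/1
ip nat outside
!
ip nat inside source static tcp 10.69.2.30 23 A.A.A.9 30003 vrf cisco extendable
ip nat inside source static tcp 10.69.2.10 23 A.A.A.9 30010 vrf cisco extendable
"""
# Constructed from the poster's description: gi0/1 is in VRF "cisco", gi0/0 is global (None).
IFACE_VRF = {"gi0/0": None, "gi0/1": "cisco"}
# Cleartext management/transfer protocols that should not be published on a public address.
CLEARTEXT_PORTS = {23: "telnet", 80: "http", 21: "ftp"}
STATIC_RE = re.compile(
    r"ip nat inside source static (?P<proto>tcp|udp) (?P<in_ip>\S+) (?P<in_port>\d+) "
    r"(?P<out_ip>\S+) (?P<out_port>\d+)(?: vrf (?P<vrf>\S+))?"
)

def parse_nat_section(text):
    """Return ({interface: 'inside'|'outside'}, [static port-mapping dicts])."""
    roles, statics, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = line.split()[1]           # remember which interface the next lines belong to
        elif line in ("ip nat inside", "ip nat outside") and current:
            roles[current] = line.split()[-1]   # record the NAT role of that interface
        else:
            m = STATIC_RE.match(line)           # static port mappings live outside interface blocks
            if m:
                d = m.groupdict()
                d["in_port"], d["out_port"] = int(d["in_port"]), int(d["out_port"])
                statics.append(d)
    return roles, statics

def audit(roles, statics, iface_vrf):
    """Flag cleartext services exposed on the outside address and VRF mismatches (assumption:
    the 'vrf' keyword on a static entry names the VRF the inside interface must be in)."""
    findings = []
    inside_vrfs = {iface_vrf.get(i) for i, r in roles.items() if r == "inside"}
    for s in statics:
        if s["proto"] == "tcp" and s["in_port"] in CLEARTEXT_PORTS:
            findings.append(f"{s['out_ip']}:{s['out_port']} publishes {CLEARTEXT_PORTS[s['in_port']]} on {s['in_ip']}; prefer ssh (tcp/22) and restrict source addresses")
        if s["vrf"] not in inside_vrfs:
            findings.append(f"static entry for {s['in_ip']} names vrf {s['vrf']} but no 'ip nat inside' interface is in that vrf")
    return findings
```

Run `audit(*parse_nat_section(NAT_SECTION), IFACE_VRF)` to get the findings list for the posted config.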
12-22-2014 11:04 AM
Hi,
So, the question is why are you putting gi0/1 in a VRF?
When you put gi0/1 in a VRF and the other interfaces are not, you now have to configure route leaking to get interface gi0/1 to talk to the other interfaces in the global routing table. If gi0/1 is an isolated interface and does not need to talk to the other interfaces, then putting it in a VRF may be a good idea.
HTH
12-22-2014 11:13 AM
Hi Reza Sharifi,
I am not the one who configured the routers, and I agree with you that a VRF is not necessary for this design.
But I am not allowed (at this point) to remove the VRF, especially since this network is a live system, and the second end of the tunnel (tunnel0) is in unmanned sites. As you know, when you add or remove an interface from a VRF you lose the IP address and have to configure it again, so I would lose the connection to the remote site and have to send an engineer to fix it!
So I am trying to find a way to configure NAT between the VRF and the global routing table, or move interface gi0/0 into the same VRF and configure it correctly.
Thanks
12-22-2014 11:49 AM
Hi,
Ok, I understand the situation now. I thought this was a new implementation.
So, can you clarify:
1-Is connectivity to all remote sites with private IPs and the tunnel working?
2-Is connectivity to the Internet working?
3-If the answer to number 2 is no, does this router have connectivity to the Internet?
HTH
12-22-2014 01:25 PM
Hi Reza Sharifi,
Okay, the purpose of NAT here is to provide a direct connection to the internal devices through the Internet. Once I complete it, we will add mappings in the company server so we can Telnet/SSH to them by name without having to Telnet or SSH to R1 first.
1. Everything is working correctly without NAT, and by connecting to R1 I can telnet to any other device.
2. Yes, the connection to the Internet is working perfectly, and I am using it to connect to the router.
12-22-2014 01:46 PM
Hi,
Take a look at this link. This config is maybe close to what you need, except there is no NAT. So maybe you can use the export/import config example for VRF leaking with BGP and then use the NAT statements you have in your configs.
http://rekrowten.wordpress.com/2014/02/21/route-leak-between-global-ipv4-table-and-vrf/
HTH
12-22-2014 02:50 PM
Hi Reza,
I read the post and tried to implement it, but it didn't work! Also, I am not sure that will fix the NAT problem.
R1#show run | section route-map
route-map IMPORT_GLOBAL permit 10
match ip address 50
route-map EXPORT_GLOBAL permit 10
match ip address prefix-list PL_GLOBAL_EXPORT
R1#show access-list 50
Standard IP access list 50
10 permit 10.69.0.0, wildcard bits 0.0.255.255
R1#show ip prefix-list PL_GLOBAL_EXPORT
ip prefix-list PL_GLOBAL_EXPORT: 1 entries
seq 10 permit A.A.A.8/30
R1#show run | section vrf INET
ip vrf cisco
rd 1:1
import map IMPORT_GLOBAL
export map EXPORT_GLOBAL
route-target export 1:1
route-target import 1:1
Thanks
12-22-2014 05:01 PM
Hi,
I think, instead of doing all the workarounds to get this working, the fastest way to resolve this is to have a short maintenance window and remove the vrf statement from fa0/1.
Usually when you remove the vrf statement from an interface the IP address gets deleted. So all you have to do is apply the IP address to the interface again.
Just my opinion
12-22-2014 01:48 PM
according to this link: Click Me
{
Q. Should NAT NVI be used when NATting between an interface in global and an interface in a VRF?
A. Cisco recommends that you use legacy NAT for VRF to global NAT (ip nat inside/out) and between interfaces in the same VRF. NVI is used for NAT between different VRFs.
}
So I can keep interface gi0/0 outside the VRF and still NAT with interface gi0/1 in VRF cisco!
But they didn't mention how?!
01-19-2015 03:40 PM
Any more help regarding this configuration?
02-19-2018 09:11 AM
I have the same problem, can you solve it?
05-22-2018 12:03 PM
Did you get this to work? I have a very similar situation.