02-20-2009 05:11 AM - edited 03-06-2019 04:08 AM
Hi,
I'm trying to set up a test network with a topology like the one in the attached picture.
Hosts H1 to H6 have the same IP address (192.168.1.1/24) and no other routes (they are able to see only hosts in the same subnet). Those hosts are connected via an 1811 router to a PC. The PC should be able to telnet to each host, and each host should be able to ftp to the PC. I tried to put them in separate VRFs and to do NAT, but it didn't work. IP addressing on the router or on the PC doesn't matter.
Any idea how that can be done?
Thanks,
Yuti
NAT VRF
02-20-2009 05:55 AM
Hello Yuti,
You should post your configurations.
Have you checked
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_vrf_aware_fwall.html#wp1049170
Is the PC on the right in the global routing table or in a VRF?
It makes a difference.
Hope to help
Giuseppe
02-20-2009 06:17 AM
Hi Giuseppe,
Thanks for your reply. I didn't post any config and I don't have any requirement regarding which routing table the PC is in. So as not to confuse people: the configuration of the router and the PC really doesn't matter as long as the requirements are met (the PC is able to telnet to the hosts, and the hosts are able to ftp to the PC).
Thanks again,
Yuti
02-20-2009 06:27 AM
Hello Yuti,
My understanding is that VRF aware NAT has some limitations and is thought to perform NAT between a VRF and an interface in the global routing table.
If that is so, where the PC on the right is connected makes the difference.
See the link in my first post; it should contain notes about the limitations of VRF aware NAT.
Hope to help
Giuseppe
02-20-2009 06:04 AM
"IP addressing on the router or on the PC doesn't matter."
Change the IP addresses on the router and the hosts.
router = 192.168.1.1/24
h1 = 192.168.1.5 /24
h2 = 192.168.1.6 /24
h3 = 192.168.1.7 /24
h4 = 192.168.1.8 /24
h5 = 192.168.1.9 /24
h6 = 192.168.1.10 /24
02-20-2009 06:37 AM
Maybe I wasn't clear enough: any IP address and any technology (NAT, route-maps, etc.) can be used on the router, but not on H1...H6. H1, H2, ... H6 should have the same IP address (192.168.1.1/24) and don't have any route. For example, I placed them in separate VRFs and I tried to NAT them in each VRF, but I can't accomplish the requirement. For example, if I place them on the inside, then the replies of H1...H6 don't have a route to the initiator of the connection.
Thanks,
02-25-2009 03:08 AM
OK, I finally found a solution and I'm posting it; maybe someone will need this unusual configuration. I put H1...H6 in different VRFs, I NAT them inside and I redistribute routes between the VRFs (config attached).
What is strange (for me :)) is that I used Cisco routers to simulate H1 to H6, with ip routing disabled and without a default-gateway set. What was unexpected for me is that even though H1...H6 don't have a default gateway set, they are still able to reply to hosts in a different subnet. With ip routing enabled, they behave as I expected: they are able to reply only to hosts in the same subnet... Thanks again to the people who tried to help me!
NAT VRF Route-leaking
02-25-2009 03:48 AM
Thanks for the post