VRF Nat issue

Ramana1984 · ‎07-26-2018

I have 3 routers.

R1 (Loop back 206.87.176.20)

R2 (Source NAT : 206.87.176.20 ---> 10.14.1.1)

R3(loop back 172.28.20.20).

Between R1, R2 -we are running vrf.

I am able to ping from R1 to R3 loopback , which is Natted on R2.(Source NAT).

From R3 , not able to reach R1.

Working:

R1:

ping vrf NSCU 172.28.20.20 source Loopback20

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.28.20.20, timeout is 2 seconds:
Packet sent with a source address of 206.87.176.20
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/44 ms

Config on R2:

ip nat outside source static 206.87.176.20 10.14.1.1 vrf NSCU extendable

Debug on R3:

ICMP: echo reply sent, src 172.28.20.20, dst 10.14.1.1, topology BASE, dscp 0 topoid 0

Not working:

R3:

ping 10.14.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.14.1.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

Debug on R2:

NAT*: Can't create new inside entry - forced_punt_flags: 0

R1 : Debug

ICMP: dst (10.14.1.1) host unreachable sent to 192.168.200.14

Please suggest

paul driver · ‎07-26-2018

Hello

Can you post a simple topology diagram for this and if applicable the configuration on all three rtrs

res

Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

amikat · ‎07-26-2018

Hi,

Can you please try to add the parameter "add-route" to your R2 ip nat command, ie:

"ip nat outside source static 206.87.176.20 10.14.1.1 vrf NSCU add-route extendable"

and see if there is any improvement.

Best regards,

Antonin