Does not appear to be supported:

Thank you, I did not understand what you were saying.  This is working now.  Thank you very much for the help.

Hello,

As you stated previously: "need to specify a static inside global address instead of the interface".

However, what if the inside global address is obtained through DHCP and may rarely change?

I am facing this exact case. I need to refer to the interface to cope with the IP that might change, but then, I can not use the VRF nor the extendable statement.

Would you be aware of a solution in that case?

Kind regards,
Cedric.

Hello

---

@Cedric T. wrote:

Hello,

 

As you stated previously: "need to specify a static inside global address instead of the interface".

However, what if the inside global address is obtained through DHCP and may rarely change?

 

I am facing this exact case. I need to refer to the interface to cope with the IP that might change, but then, I can not use the VRF nor the extendable statement.

 

Would you be aware of a solution in that case?

---

You could try an access-list with a route-map

Example:
access-list 100 permit tcp host x.x.x.x any eq 443

route-map RM-ACL
match ip address 100
match interface <wan interface>

ip nat inside source route-map RM_ACL interface <wan interface> vrf EXAMPLE

Thanks,

I'm trying your proposition but I don't understand how to specify the ports in your example.

If we take the original post:

10.0.50.230 22 192.168.100.100 9022

10.0.50.230 will be our interface <wan interface>.

How to forward the port 22 of the <wan interface> to the port 9022 of the station 192.168.100.100 with the route map?

Hello
Probably need to lab this one up, Not sure you can do this without specifying the host ip address, Thinking of utilizing a nat statement with a route-map and acl pointing to the vrf wan interface but again not confident it will work.

Hello again,

I have the situation in lab and I can try it directly.

So (I adapted all values to the example given):

ip nat inside source static tcp 10.0.50.230 22 192.168.100.100 9022 vrf EXAMPLE

does work, it forwards port 9022 of 192.168.100.100 (<wan interface>) on machine 10.0.50.230 port 22 which lies in vrf EXAMPLE.

What I does not exactly understand is how to transform that into an access-list with a route-map as you proposed.

I did:

access-list 100 permit tcp host 10.0.50.230 eq 22 any eq 9022

route-map RM-ACL
match ip address 100
match interface <wan interface>

ip nat inside source route-map RM-ACL interface <wan interface> vrf EXAMPLE

Which does not work. What do you think of it?

Best regards,
Cedric.

Hello again,

I have another question.

When 10.0.50.0/24 is moved into VRF example, we have to transform:

ip nat inside source static tcp 10.0.50.230 22 interface GigabitEthernet1/1 9022

to:

ip nat inside source static tcp 10.0.50.230 22 192.168.100.100 9022 vrf EXAMPLE

With 192.168.100.100 being the address of the interface GigabitEthernet1/1.

Moving from the interface to the IP allows to use the vrf statement.

However, if the ip address of GigabitEthernet1/1 is dynamic and may change (obtained through DHCP for example), we cannot use the IP. 

Therefore, would it not be possible to use the first command:

ip nat inside source static tcp 10.0.50.230 22 interface GigabitEthernet1/1 9022

And set up a leaking between the VRF where lies the interface GigabitEthernet1/1 and the VRF EXAMPLE?

If I understand well, from outside to inside, translation of address is performed before routing, then, the packet arriving with destination 192.168.100.100 port 9022 would first be converted to have a destination 10.0.50.230 with port 22. Then, inside the VRF of GigabitEthernet1/1, the route leak shall permit to transfer it to VRF EXAMPLE.

Is such a construction possible?

Best regards,

Cedric T.