NAT with a VRF does not work

Unanswered Question
Oct 8th, 2008

Hi,

I have a problem with NAT configured on a VRF on a Catalyst 6500, IOS version 12.2(33)SXH2a. I don't have IOS firewall on the switch, just IOS.

I configured a VRF to NAT (actually PAT) the source IP address of any packet arriving on the inside interface. With the command "show ip nat translations", I observe that the translations are correctly created dynamically. But when the target station (on the outside interface) sends its ARP request to resolve the NAT address, the VRF does not respond and the communication does not work.

Here is my configuration:

!
ip nat pool N_090_M 10.56.0.4 10.56.0.4 prefix-length 23
ip nat inside source list SOURCE_NAT pool N_090_M vrf CH01RT03 overload
!
ip access-list extended SOURCE_NAT
 remark *** Used to NAT Source IP on VLAN 90 ***
 permit ip any any
!
interface Vlan310
 ip vrf forwarding CH01RT03
 ip address 10.56.3.66 255.255.255.224
 ip nat inside
!
interface Vlan90
 ip vrf forwarding CH01RT03
 ip address 10.56.0.2 255.255.254.0
 ip nat outside
!

Does anyone see what the problem could be? I know that there is a known bug (Bug ID: CSCdu28706) with ARP in a VRF, but the bug description does not reflect our problem.

Thank you for any help.

Yves Haemmerli

Marwan ALshawi Wed, 10/08/2008 - 03:33

Hi Yves,

Try to do it as follows; I know it's a bit complex :)

First, create a new VRF named CS for common services on the NAT router. Use any RD and RT.

Associate the new VRF with the interface connecting the router to the ISP/Internet.

As the NAT is performed on a single router, all VRFs participating in NAT have to be present on that PE router.

ip vrf CS
 rd 3:3
 route-target export 3:3
 route-target import 3:3
!
ip vrf CH01RT03
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
interface FastEthernet0/0
 description *** Link to ISP ***
 ip vrf forwarding CS
 ip address 10.56.0.4 255.255.254.0

The connectivity between VRFs is provided solely through the use of inter-VRF static routes and NAT.

Announce into the CH01RT03 VRF that common services are reachable through the PE-NAT router by configuring a VRF static route.

The pool is taken from the address space of the PE-CE link. Otherwise, you would be required to configure a static IP route to Null0 covering the IP address range of the NAT pool in the CS VRF and announce the route to the CS router through the PE-CE routing protocol in order to enable the routing of return packets.

In NAT scenarios, Cisco IOS creates more detailed translation entries when a route-map rather than an access-list is used with the ip nat command.

Configure the interfaces connecting the router ISP with the router common services as outside NAT interfaces using the ip nat outside command.

ip route vrf CH01RT03 10.56.0.0 255.255.254.0 FastEthernet0/0
!
ip nat pool N_090_M 10.56.0.4 10.56.0.4 prefix-length 23
!
route-map map1 permit 10
 match ip address SOURCE_NAT
!
ip nat inside source route-map map1 pool N_090_M vrf CH01RT03 overload

In order to reach Internet destinations, the NAT between the CH01RT03 VRF and the global interface connected to the Internet needs to occur on the edge router for all CH01RT03 hosts with private IP addresses. The public subnet used in the translation will be advertised by means of the eBGP routing protocol to the neighboring Internet gateway (router ISP), or any other routing protocol you may use, so that the return traffic will find its way back to the CH01RT03 or MPLS network as well. The edge router will then translate the addresses back to the original private IP addresses and forward the traffic to the appropriate VRF/VPNs.

The Internet gateway is reachable over the global (non-VRF) interface and doesn't have any knowledge of the VRF/VPNs.

Configure a static IP route covering the NAT pool that is already used for accessing common services in the global routing table using the ip route network netmask interface command. Point this route to the Null0 interface and announce it to the router ISP via eBGP using the network network mask netmask BGP command. This way the routing of return packets from the Internet is enabled.

There must be an exact match between the static route to the Null0 interface and the NAT pool.

For outside traffic, configure a static default route for the VRF with the global option: use the ip route vrf name default-route mask next-hop command with the global keyword, and use the IP address of the Internet gateway as the next-hop IP address.

ip route 10.56.0.4 255.255.255.255 Null0
ip route vrf CH01RT03 0.0.0.0 0.0.0.0 [next-hop] global

I hope this helps you.

Good luck, and if helpful, rate.

yves.haemmerli Thu, 10/09/2008 - 00:41

Hi Marwan Alshawi,

Thank you very much for your suggestion, which is maybe too complex to solve a simple NAT problem, I think. I am not in an environment with Internet access from a router with multiple VRFs (my router is not a PE router). My environment is actually simple: in a data center, I configured multiple independent VRFs in the 6500 chassis, in order to logically create different network modules. In ONE VRF only, as I would do with a physical router, I just want to NAT the traffic coming from one interface to the other interface (on the same VRF). And it actually works: I can see the translations done by the router (VRF). The "only" problem I encounter is that the VRF does not respond to the first ARP request sent by the target system. In other words, the sequence is as follows:

1. A packet arrives on the "inside" interface.
2. The VRF creates a translation; the source IP address is changed.
3. The NATed packet arrives on the target system on the "outside" interface.
4. The target system sends an ARP request to the VRF to resolve the NAT address.
5. The VRF does NOT respond to this ARP request.

Hope this clarifies my question.

Thank you for your support.

Yves Haemmerli
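Added illustration, not part of either post above: the pool address 10.56.0.4 lies inside the Vlan90 subnet (10.56.0.0/23), so the hosts on VLAN 90 will ARP for it and the 6500 has to answer on the VRF's behalf; normally IOS installs an alias ARP entry for a pool address that falls in an outside interface's subnet. The commands below first check whether the CH01RT03 ARP table actually holds an entry for the pool address and whether a reply goes out when the target station asks, then add a static alias ARP entry in the VRF as a workaround to test. The MAC address is a placeholder and must be replaced with the one reported by "show interface Vlan90"; that the alias entry resolves this particular case is an assumption, not something the thread confirms.

```ios
! 1. Does the VRF's ARP table know the pool address, and is the translation there?
show ip nat translations verbose
show ip arp vrf CH01RT03 10.56.0.4
show interface Vlan90 | include address is

! 2. Briefly watch ARP on the box while traffic from VLAN 310 is sent toward VLAN 90.
!    Expect a request for 10.56.0.4 from the target station; note whether a reply follows.
!    Keep this short on a production 6500 and switch it off again.
debug arp
undebug all

! 3. Workaround to test: static alias ARP entry for the pool address inside the VRF,
!    so the switch answers ARP for 10.56.0.4 with the Vlan90 MAC address.
!    0011.2233.4455 is a placeholder; use the MAC address from "show interface Vlan90".
configure terminal
 arp vrf CH01RT03 10.56.0.4 0011.2233.4455 arpa alias
 end

! 4. Re-check: the entry should now show as an alias, and the station's ARP should resolve.
show ip arp vrf CH01RT03 10.56.0.4
```

If step 1 already shows an entry for 10.56.0.4 in the VRF and the debug shows requests with no reply, the alias entry is not the gap and the problem lies with how ARP is answered for that VRF; if step 1 shows no entry, the missing alias is the first thing to rule out before treating it as the bug mentioned in the question.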
