NAT overload does not work simultaneously on two VRF subinterfaces

Unanswered Question
Nov 18th, 2008
Problem description:

We are running NAT overload over two subinterfaces, each with another VRF.

When the customer wants to start an FTP or another TCP session, the NAT translation doesn't run on both interfaces simultaneously.

When the first FTP transmission is finished, the second starts transmitting when the first connection is lost.

NAT works all right independent of the IOS that is installed, but not through two virtual interfaces at the same time.

Yesterday I tried to start a simultaneous ping over the two interfaces; this also didn't work.

It looks like there is only one NAT process accepted.

Server Side

!
interface GigabitEthernet0/0.103
 description GigabitEthernet0/0.103 dot1q vlan id=103 (C2000-CORE)
 encapsulation dot1Q 103
 ip vrf forwarding V596:VRF-c2000-core
 ip address 10.190.236.253 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/0.104
 description GigabitEthernet0/0.104 dot1q vlan id=104. (C2000-SPECIALS)
 encapsulation dot1Q 104
 ip vrf forwarding V597 :VRF-c2000-specials
 ip address 13.17.12.253 255.255.255.0
 ip nat outside
 ip virtual-reassembly
-----------------------------------------------------------------------------------------------
!
interface GigabitEthernet0/1.103
 description GigabitEthernet0/1.103 dot1q vlan id=103. (C2000-CORE)
 encapsulation dot1Q 103
 ip vrf forwarding V596:VRF-c2000-core
 ip address 10.137.195.42 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/1.104
 description GigabitEthernet0/1.104 dot1q vlan id=104. (C2000-SPECIALS)
 encapsulation dot1Q 104
 ip vrf forwarding V597 :VRF-c2000-specials
 ip address 10.137.197.42 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
ip nat inside source list 1 interface GigabitEthernet0/0.103 vrf V596:VRF-c2000-core overload
ip nat inside source list 2 interface GigabitEthernet0/0.104 vrf V597 :VRF-c2000-specials overload

access-list 1 remark DRIE VRF-CORE
access-list 1 permit 192.168.201.0 0.0.0.255
access-list 1 remark HILVRF-CORE
access-list 1 permit 192.168.211.0 0.0.0.255
access-list 2 remark DRIE VRF-SPECIALS
access-list 2 permit 192.168.202.0 0.0.0.255
access-list 2 remark HIL VRF-SPECIALS
access-list 2 permit 192.168.212.0 0.0.0.255

Customer side

IOS: "flash:c2800nm-spservicesk9-mz.124-12.bin"

interface GigabitEthernet0/0.103
 description Gigabitethernet0/1.103 dot1q vlan id=103. (C2000-CORE)
 encapsulation dot1Q 103
 ip vrf forwarding V596:VRF-c2000-core
 ip address 192.168.212.254 255.255.255.0
 no cdp enable
!
interface GigabitEthernet0/0.104
 description Gigabitethernet0/1.104 dot1q vlan id=104. (C2000/SPECIALS)
 encapsulation dot1Q 104
 ip vrf forwarding V597 :VRF-c2000-specials
 ip address 192.168.202.254 255.255.255.0
 no cdp enable
!
interface GigabitEthernet0/1.103
 description Gigabitethernet0/1.103 dot1q vlan id=103.(C2000-CORE)
 encapsulation dot1Q 103
 ip vrf forwarding V596:VRF-c2000-core
 ip address 10.137.195.18 255.255.255.252
 no cdp enable
!
interface GigabitEthernet0/1.104
 description Gigabitethernet0/1.104 dot1q vlan id=104.(C2000-SPECIALS)
 encapsulation dot1Q 104
 ip vrf forwarding V597 :VRF-c2000-specials
 ip address 10.137.195.18 255.255.255.252
 no cdp enable

desensitized Tue, 11/18/2008 - 19:01

The IP addresses you set on the subinterfaces 1.103 and 1.104 for the customer side are exactly the same. Both are 10.137.195.18, which is unacceptable in a network.

usmanshariff2008 Wed, 11/19/2008 - 00:52

Hi,

None of the internet IP addresses assigned to the interfaces are correct. I have just given fake IP addresses as this is a public forum. I have seen to it that there is no IP address conflict or any other issue with the IP addresses.

The NAT works fine, as I have mentioned earlier. The only issue is that it does not work on both VRF interfaces simultaneously.

So I just want to know if there is any limitation on the NAT processes.

Giuseppe Larosa Wed, 11/19/2008 - 13:35

Hello Usman,

Have a look at the following document:

http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_mpls_vpns_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1046889

I see in the steps the configuration of static routes in VRF. These can play a role for the feature.

Hope to help

Giuseppe
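
An offline consistency check for a configuration like the one posted in this thread, as an added example that is not part of any post: it verifies that each "ip nat inside source ... vrf ... overload" rule points at an "ip nat outside" interface in the same VRF, and looks for overlapping subnets only within a VRF, since each VRF keeps its own routing table. The sample input is constructed, with shortened interface names and placeholder VRF names CORE and SPECIALS.

```python
import re
from itertools import combinations
from ipaddress import ip_interface

# Constructed sample modelled on the posted config; CORE/SPECIALS are placeholder VRF names.
SAMPLE = """\
interface Gi0/0.103
 ip vrf forwarding CORE
 ip address 10.190.236.253 255.255.255.0
 ip nat outside
interface Gi0/0.104
 ip vrf forwarding SPECIALS
 ip address 13.17.12.253 255.255.255.0
 ip nat outside
interface Gi0/1.103
 ip vrf forwarding CORE
 ip address 10.137.195.18 255.255.255.252
 ip nat inside
interface Gi0/1.104
 ip vrf forwarding SPECIALS
 ip address 10.137.195.18 255.255.255.252
 ip nat inside
ip nat inside source list 1 interface Gi0/0.103 vrf CORE overload
ip nat inside source list 2 interface Gi0/0.104 vrf SPECIALS overload
"""

def audit(config):
    """Return findings: NAT rule/VRF mismatches and subnet overlaps inside one VRF."""
    ifs, rules, cur = {}, [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"ip nat inside source list (\S+) interface (\S+) vrf (\S+)", line):
            rules.append(m.groups())          # global rule: (acl, interface, vrf)
        elif m := re.match(r"interface (\S+)", line):
            cur = ifs[m[1]] = {"name": m[1], "vrf": None, "net": None, "nat": None}
        elif cur and (m := re.match(r"ip vrf forwarding (\S+)", line)):
            cur["vrf"] = m[1]
        elif cur and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            cur["net"] = ip_interface(f"{m[1]}/{m[2]}").network
        elif cur and (m := re.match(r"ip nat (inside|outside)$", line)):
            cur["nat"] = m[1]
    out = []
    for acl, name, vrf in rules:              # overload interface must match the rule's VRF
        i = ifs.get(name, {})
        if i.get("vrf") != vrf or i.get("nat") != "outside":
            out.append(f"list {acl}: {name} must be 'ip nat outside' in vrf {vrf}")
    for a, b in combinations(ifs.values(), 2):  # the same subnet in two VRFs is not flagged
        if a["net"] and b["net"] and a["vrf"] == b["vrf"] and a["net"].overlaps(b["net"]):
            out.append(f"vrf {a['vrf']}: {a['name']} overlaps {b['name']}")
    return out
```

Calling audit() on the text of a saved running-config returns a list of findings; an empty list means the rule-to-VRF bindings and per-VRF addressing are consistent.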