NAT between 2 VRF instances

Dec 14th, 2008

On my Cisco 7201 I have 2 separate networks connected to it using VLAN subinterfaces of G0/0. Each network is confined to its VRF instance. Now I need to add a server that should be accessible from both without breaking the separation. I thought that NAT would be the most logical solution, but I am having a hard time making it work.

This whitepaper http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtnatvi.html almost exactly repeats a config I have been working on, with the exception of the VLAN subinterfaces that I use. The problem starts when I send packets to a NAT-enabled interface: they are not being transferred to the corresponding interface. Debug ip nat registers a translation, but as far as my monitoring of the egress port goes, there is not a packet going from there. Is it me being dumb or a hard/software fault?

If my memory serves me correctly I have 12.4XD10 advipservice firmware. Sorry for not showing you any configs, it's a production router and I was able to play with it for a very limited time and didn't think about storing any samples.

Giuseppe Larosa Sun, 12/14/2008 - 09:15

Hello Victor,

Use the following as a reference:

http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_mpls_vpns_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1046889

But be aware of the following restriction:

Restrictions for Integrating NAT with MPLS VPNs

Inside VPN to VPN with NAT is not supported.

You should have the server connected to a third link; see Figure 1.

Hope to help

Giuseppe

v.shustov Mon, 12/15/2008 - 00:27

Thanks Giuseppe

The link you gave helped a great deal. It appeared that the VRF routing table did not point to the address where the server resides. Now everything works as it should.
