NAT between 2 VRF instances

Dec 14th, 2008

On my Cisco 7201 I have 2 separate networks connected to it using VLAN subinterfaces of G0/0. Each network is confined to its VRF instance. Now I need to add a server that should be accessible from both and does not break the separation. I thought that NAT would be the most logical solution, but I am having a hard time making it work.

This whitepaper http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtnatvi.html almost exactly repeats a config I have been working on, with the exception of the VLAN subinterfaces that I use. The problem starts when I send packets to a NAT-enabled interface: they are not being transferred to the corresponding interface. Debug ip nat registers a translation, but as far as my monitoring of the egress port goes, there is not a packet going from there. Is it me being dumb or a hard/software fault?

If my memory serves me correctly I have 12.4XD10 advipservice firmware. Sorry for not showing you any configs, it's a production router and I was able to play with it for a very limited time and didn't think about storing any samples.


Giuseppe Larosa Sun, 12/14/2008 - 09:15
Hello Victor,


use the following as a reference


http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_mpls_vpns_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1046889


but be aware of the following restriction


Restrictions for Integrating NAT with MPLS VPNs


Inside VPN to VPN with NAT is not supported.


You should have the server connected to a third link; see Figure 1.


Hope to help

Giuseppe


v.shustov Mon, 12/15/2008 - 00:27

Thanks Giuseppe

The link you gave helped a great deal. It appeared that the VRF routing table did not point to the address where the server resides. Now everything works as it should.
