Unable to get NAT with VRF to internet working

johnny.schultz · ‎05-29-2009

Basically what I'm trying to do is NAT our CE router's IP address to a public IP in order to provide internet access to them. The only thing special is that this is on a PE router terminating customer connections with MPLS VRFs. I need to translate to a secondary IP (public) on the ethernet interface which is why I have a pool with a single IP instead of an interface. Here is the relevant configuration.

interface Looopback1

ip nat inside

interface GigabitEthernet0/3

ip nat outside

ip nat pool VRF_NAT x.x.x.x x.x.x.x netmask 255.255.255.252

ip nat inside source route-map VRF_RM pool VRF_NAT vrf GCF01 overload

!

access-list 151 deny ip 177.177.176.0 0.0.0.3 10.0.4.0 0.0.0.255

access-list 151 deny ip 177.177.176.0 0.0.0.3 10.0.5.0 0.0.0.255

access-list 151 permit ip 177.177.176.0 0.0.0.3 any

!

route-map VRF_RM permit 10

match ip address 151

(x.x.x.x) is a single public IP address assigned as a secondary IP on the gi0/3 interface

With this configuration nothing matches the route map and no translations occur. When I change the ip nat inside source command to point to the loopback interface instead of the pool, I get some translations, but it is not translating IPs of the CE router. The CE router interface is 177.177.176.2 and I need that IP translated out of the VRF to the public IP. Any help would be appreciated. Thanks

-Johnny Schultz

Sanjeewa Alahakone · ‎06-01-2009

Hi Johnny,

Can you please follow the configuration as per the doucumentation.

http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_mpls_vpns_ps6350_TSD_Products_Configuration_Guide_Chapter.html

also send us the

a. show ip nat translation

b. show ip route for vrf_rm

Please copy sanjeewa@cisco.com as I dont follow this mailer often.

johnny.schultz · ‎06-01-2009

Sanjeewa,

I will review the documentation you suggested and then apply that to my config. The show ip nat translation is empty, I was not able to get any packets to match the route map. The name of the VRF that I am working with is GCF01, and the name of the route map used to match packets for the nat statement is VRF_RM. Here is the output of the commands you requested:

lax_router7206_2#sh ip nat trans

lax_router7206_2#sh ip route vrf GCF01

Routing Table: GCF01

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.0.4.254 to network 0.0.0.0

66.0.0.0/8 is variably subnetted, 3 subnets, 2 masks

S 66.x.x.x/26 [1/0] via 10.0.5.1

S 66.x.x.x/27 [1/0] via 10.0.5.1

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

S 10.0.4.0/24 [1/0] via 10.0.4.254

C 10.5.0.0/30 is directly connected, Loopback1

177.177.0.0/30 is subnetted, 1 subnets

B 177.177.176.0 [20/0] via 177.177.177.1, 2d17h

S* 0.0.0.0/0 [1/0] via 10.0.4.254

lax_router7206_2#

Thank you very much for your reply and your assistance.

Johnny Schultz

johnny.schultz · ‎06-01-2009

Sanjeewa,

After reviewing the document you suggested, I have changed the configuration to the following. The netpro forum does not appear to be working because I can't post a reply there. I have included the relevant configuration:

interface Loopback1

ip vrf forwarding GCF01

ip address 10.5.0.1 255.255.255.252

interface GigabitEthernet0/3

ip address 66.x.x.x 255.255.255.0 secondary

ip address 10.0.5.17 255.255.255.0

ip policy route-map VRF

ip route vrf GCF01 0.0.0.0 0.0.0.0 GigabitEthernet0/3 10.0.4.254

ip nat pool VRF_NAT 66.x.x.x 66.x.x.x netmask 255.255.255.0

ip nat inside source list 1 pool VRF_NAT vrf GCF01 overload

access-list 1 permit 177.177.176.0 0.0.0.3

lax_router7206_2#sh ip nat trans

lax_router7206_2#sh ip nat trans vrf GCF01

lax_router7206_2#sh ip route vrf GCF01

Routing Table: GCF01

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.0.4.254 to network 0.0.0.0

66.0.0.0/8 is variably subnetted, 3 subnets, 2 masks

S 66.x.x.x/26 [1/0] via 10.0.5.1

S 66.x.x.x/27 [1/0] via 10.0.5.1

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

S 10.0.4.0/24 [1/0] via 10.0.4.254

C 10.5.0.0/30 is directly connected, Loopback1

177.177.0.0/30 is subnetted, 1 subnets

B 177.177.176.0 [20/0] via 177.177.177.1, 2d19h

S* 0.0.0.0/0 [1/0] via 10.0.4.254, GigabitEthernet0/3

lax_router7206_2#

I'm generating traffic from the CE router at 177.177.176.2 and nothing appears to match the ACL so nothing gets translated. Do I need the "ip nat inside" and "ip nat outside" commands? Can you tell me what I'm missing? Thank you.

Johnny Schultz

WilliamJohnson80234 · ‎09-12-2019

If you are using a router, then try to obtain IP and reconfigure it once again and try, I was also trying the same and I have figured out it be a configuration issue of the router, so if you are using a netgear router you can resolve the NetGear Router Configuration Issue in order to fix this.