Strange NAT aware VRF Issue

Unanswered Question
Aug 16th, 2009

Hi...

I've got a topology like so.

[CE] -> [PE] -> [P] -> [Internet]

I've set up an Internet Gateway for the CE which is part of vrf NSTEST.

Two questions about the Internet Gateway set up on the PE.

1/ When I use a nat pool (/30), I can browse the Internet fine.

ip nat inside source list NSTEST-NAT-ACL pool NSTEST-NAT-POOL vrf NSTEST overload

When I use a Loopback interface (so we can use a /32), browsing no longer works but I can ping anything on the Internet fine.

ip nat inside source list NSTEST-NAT-ACL interface Loopback97 vrf NSTEST overload

What's up with this???

On the P router, we have a static route for the nat pool back through the 'nat outside' interface of the PE router. Likewise when I implemented using the loopback ip as the public IP, I did this also, but can't browse the Internet.

Config looks like this:

--------------------------------------------------------
PE Config:
--------------------------------------------------------

interface GigabitEthernet0/0.1
 description Router / MPLS Backbone
 encapsulation dot1Q 1 native
 ip address A.B.C.D X.X.X.X
 ip nat inside
 ip flow ingress
 mpls ip
!
interface GigabitEthernet0/0.20
 description VPN Internet Gateway
 encapsulation dot1Q 20
 ip address 172.16.76.10 255.255.255.248
 ip nat outside
 ip flow ingress
 ip flow egress
!
ip route vrf NSTEST 0.0.0.0 0.0.0.0 GigabitEthernet0/0.20 172.16.76.9 global
ip route 210.15.226.136 255.255.255.252 Null0
!
ip nat pool NSTEST-NAT-POOL 210.15.226.137 210.15.226.137 netmask 255.255.255.252
ip nat inside source list NSTEST-NAT-ACL pool NSTEST-NAT-POOL vrf NSTEST overload
!
ip access-list standard NSTEST-NAT-ACL
 permit 192.168.0.0 0.0.255.255
!
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination X.X.X.X 5000
ip flow-export destination X.X.X.X 5000

--------------------------------------------------------
P Config:
--------------------------------------------------------

interface Vlan1
 description Router / MPLS Backbone
 bandwidth 10000000
 ip address A.B.C.D X.X.X.X
 no ip redirects
 no ip mroute-cache
 load-interval 30
 tag-switching ip
!
interface Vlan20
 description VPN Internet Gateway
 ip address 172.16.76.9 255.255.255.248
 no ip redirects
 load-interval 30
!
ip route 210.15.226.136 255.255.255.252 Vlan20 172.16.76.10

When I remove the nat pool and use the loopback ip for nat, I can ping IPs on the internet, but can't access any services like HTTP, etc...

Added loopback and NAT rule and removed NAT rule relating to the nat pool on PE:

interface Loopback97
 ip address 210.15.231.33 255.255.255.255
!
ip nat inside source list NSTEST-NAT-ACL interface Loopback97 vrf NSTEST overload

Added static route on P to route loopback ip over 'nat outside' interface on PE:

ip route 210.15.231.33 255.255.255.255 Vlan20 172.16.76.10

Why am I able to browse when I use a NAT-POOL but not when I want to use a single /32?

2/ The second issue relates to the collection of flows.

When I do a "sh ip cache flow", I can see flows in one direction only and with the public NAT IP as the source IP. For billing purposes we need to see the public NAT IP in the destination fields so we can count their download usage.

#sh ip cache flow | inc 210.15.226.137
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0.1       210.15.226.137  Gi0/0.20*     203.10.110.102  01 0000 0800   549

I have both "ip flow ingress" and "ip flow egress" on the nat outside interface on the PE (Gi0/0.20) so not sure why I'm not seeing bidirectional flows. I'm thinking that a NAT lookup/translation is performed first on the return traffic through the PE (Gi0/0.20) before flows are processed/captured - hence why I don't see any flows going to the public NAT IP. Is this correct?

Any ideas how to capture flows for these public IPs in the NAT POOL? Do I need to capture flows at the P router on Vlan 20 before it gets translated back to its private IP??

Thanks.

Andy

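As an added example (not part of the original thread, and not Cisco's own tooling), the following Python script checks the second question in a repeatable way: it parses "show ip cache flow" output, sums packets per public NAT address in each direction, and lists return-direction flows that arrived on the NAT outside interface already carrying a private (inside) destination, which is exactly the symptom the poster describes. The sample cache text, the interface name and the 192.168.0.0/16 inside range are taken from the post; the extra rows are constructed for illustration.

```python
"""Check NetFlow cache output for one-directional visibility of NAT-pool addresses.

Added example for the thread above; the parsed format is the header/row layout
of "show ip cache flow" as quoted in the post. Sample data is constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: first row is the one quoted in the post, the other two are
# made up to show a TCP flow and its already-untranslated return flow.
SAMPLE_CACHE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0.1       210.15.226.137  Gi0/0.20*     203.10.110.102  01 0000 0800   549
Gi0/0.1       210.15.226.137  Gi0/0.20*     203.10.110.102  06 C1A3 0050    42
Gi0/0.20      203.10.110.102  Gi0/0.1*      192.168.10.25   06 0050 C1A3    38
"""

NAT_PUBLIC = ipaddress.ip_network("210.15.226.136/30")   # NAT pool block from the post
INSIDE_PRIVATE = ipaddress.ip_network("192.168.0.0/16")  # NSTEST-NAT-ACL range from the post
OUTSIDE_IF = "Gi0/0.20"                                  # "ip nat outside" interface on the PE


def parse_flows(text):
    """Turn cache rows into dicts; ports and protocol are hex in this output format."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] == "SrcIf":
            continue  # header or empty line
        src_if, src_ip, dst_if, dst_ip, proto, sport, dport, pkts = parts[:8]
        try:
            flows.append({
                "src_if": src_if,
                "src": ipaddress.ip_address(src_ip),
                "dst_if": dst_if.rstrip("*"),   # trailing '*' marks the output interface
                "dst": ipaddress.ip_address(dst_ip),
                "proto": int(proto, 16),
                "sport": int(sport, 16),
                "dport": int(dport, 16),
                "pkts": int(pkts),
            })
        except ValueError:
            continue  # tolerate any non-flow line in the output
    return flows


def nat_visibility(flows, public_net):
    """Per public NAT address: packets seen with it as source vs. as destination."""
    report = defaultdict(lambda: {"out_pkts": 0, "in_pkts": 0})
    for f in flows:
        if f["src"] in public_net:
            report[str(f["src"])]["out_pkts"] += f["pkts"]
        if f["dst"] in public_net:
            report[str(f["dst"])]["in_pkts"] += f["pkts"]
    for entry in report.values():
        entry["bidirectional"] = entry["out_pkts"] > 0 and entry["in_pkts"] > 0
    return dict(report)


def untranslated_returns(flows, private_net, outside_if):
    """Flows that entered on the NAT outside interface with an inside (private) destination.

    These are return packets recorded after NAT undid the translation, so the
    public pool address never appears in the destination field for billing.
    """
    return [f for f in flows if f["src_if"] == outside_if and f["dst"] in private_net]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_CACHE)
    for ip, entry in nat_visibility(flows, NAT_PUBLIC).items():
        print(f"{ip}: out={entry['out_pkts']} in={entry['in_pkts']} "
              f"bidirectional={entry['bidirectional']}")
    for f in untranslated_returns(flows, INSIDE_PRIVATE, OUTSIDE_IF):
        print(f"return flow already untranslated: {f['src']} -> {f['dst']} ({f['pkts']} pkts)")
```

Run it against real output by feeding the text of "show ip cache flow" into parse_flows instead of SAMPLE_CACHE; a public address reporting bidirectional=False together with non-empty untranslated_returns is the pattern the poster sees, and it shows why download volume per public IP cannot be read off this interface's cache alone.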
sbilgi Fri, 08/21/2009 - 10:14

Symptoms:

Case 1: All NAT multicast data packets are processed by software.

Case 2: Spurious memory access occurs.

Conditions:

Case 1: NAT with static port entry, or dynamic overload configuration.

Case 2: Configure ip nat dynamic nat rule with an undefined NAT pool.

Workaround:

Case 1: Configure NAT as static entry without port, or dynamic non-overload.

Case 2: Configure with defined pool.
