VRF Aware NAT

Unanswered Question
Jun 9th, 2010

I cannot get NAT working between an inside and outside interface that are part of the same VRF. I cannot use a NAT pool because I am using a DSL modem that only allows one public IP address. The outside interface is ethernet, and the inside interface is a tunnel. Here is my configuration:


ip vrf PUBLIC
!
ip inspect log drop-pkt
ip inspect name LOCALFW tcp
ip inspect name LOCALFW udp
!
interface Tunnel0
 ip vrf forwarding PUBLIC
 ip address 172.24.1.1 255.255.255.252
 ip nat inside
 no ip virtual-reassembly
 tunnel source Loopback0
 tunnel destination 10.145.3.3
!
interface FastEthernet0/0
 ip vrf forwarding PUBLIC
 ip address 65.41.216.177 255.255.255.224
 ip nat outside
 ip inspect LOCALFW in
 no ip virtual-reassembly
 duplex auto
 speed auto
!
ip route vrf PUBLIC 0.0.0.0 0.0.0.0 65.41.216.161
ip route vrf PUBLIC 172.24.2.0 255.255.255.224 172.24.1.2
!
access-list 10 permit 172.24.2.0 0.0.0.31 log
!
ip nat source list 10 interface FastEthernet0/0 vrf PUBLIC overload
!


#sho ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  FastEthernet0/0
Inside interfaces:
  Tunnel0
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Outside Destination
[Id: 5] access-list 10 interface FastEthernet0/0 refcount 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0


Does anyone have any ideas why NAT is not working?


Thanks for your help.


Bill Anderson

Technical Services Group
Supporting the Department of Economic Development
Information Technology Services Division
State of MO Office of Administration

gatlin007 Wed, 06/09/2010 - 15:46

Do you have an RD (route-distinguisher) for your PUBLIC vrf?  I don’t notice it in your config.  If not you should have one.

I know this sounds like witchcraft, but I’ve run across some IOS revisions where a standard ACL won’t work for VRF aware NAT. Try using an extended ACL; for example:

access-list 100 permit ip 172.24.2.0 0.0.0.31 any

If that doesn’t work, try a route-map that references the extended ACL. I know this sounds odd, but I’ve run into different IOS revisions where this approach is necessary.




Christopher Gatlin
http://travelingtech.net

gatlin007 Wed, 06/09/2010 - 15:51

Also enable ip virtual-reassembly on the affected interfaces, as it seems NAT may require this for interfaces with VRF membership.
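The configuration the two replies suggest, assembled here as an added example (it is not the original poster's or the repliers' configuration): the RD value and the route-map name are assumptions, and the NAT statement is written in the domain-based `ip nat inside source` form to match the `ip nat inside`/`ip nat outside` interface roles in the posted config.

```ios
! Added example built from the replies above; not the poster's running config.
! Assumed values: rd 65000:1, route-map name NAT-RM.
ip vrf PUBLIC
 rd 65000:1
!
! Extended ACL in place of standard ACL 10 (the log keyword is left off).
access-list 100 permit ip 172.24.2.0 0.0.0.31 any
!
! Route-map referencing the extended ACL, as the first reply suggests.
route-map NAT-RM permit 10
 match ip address 100
!
interface Tunnel0
 ip vrf forwarding PUBLIC
 ip address 172.24.1.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 tunnel source Loopback0
 tunnel destination 10.145.3.3
!
interface FastEthernet0/0
 ip vrf forwarding PUBLIC
 ip address 65.41.216.177 255.255.255.224
 ip nat outside
 ip inspect LOCALFW in
 ip virtual-reassembly
 duplex auto
 speed auto
!
! Overload (PAT) onto the single public address of FastEthernet0/0 inside VRF PUBLIC.
ip nat inside source route-map NAT-RM interface FastEthernet0/0 vrf PUBLIC overload
!
! Checks: translations and non-zero Hits should appear once 172.24.2.0/27 sends traffic out.
! show ip nat translations vrf PUBLIC
! show ip nat statistics
```

If translations still stay at zero, the two show commands above are the first thing to compare against the poster's output, since Hits and Misses both at 0 mean no packet is reaching the NAT rule at all.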
