Nat NVI not working?

Justin Westover
Level 1

I have two routers that are connected to each other via a DMVPN. The topology looks like this: R1---->R2----(DMVPN CLOUD)---R3----->R4.

The link between R1 and R2 uses OSPF, and then networks are advertised from R1 to R2 via BGP. The same happens between R3 and R4. Within the DMVPN cloud I am running EIGRP; I have mutual redistribution between BGP and EIGRP on R2 and R3. R1 and R4 can see all the relevant networks, so no big deal there.

The problem is, I am trying to enable NAT on R1 and R4. I want private subnets (subnets created using Loopbacks) to be translated to the interface IP on R1 as they go outbound towards R4's public IP (the IP used to connect R4 to R3). I am using NVI to do this and it should be a fairly straightforward setup, but I guess I'm missing something.

The one caveat here is that on R1 and R4 I have a VRF. I'm not trying to NAT between VRFs; I am only using the VRF to separate this network design and its routes from other routes I have in the global table, no big deal there. So, what am I missing here?

Here is my relevant configuration:

R4:

ip vrf SITEC
!
interface Loopback170
 description PRIVATE SUBNET
 ip vrf forwarding SITEC
 ip address 10.1.1.1 255.255.255.0
 ip nat enable
!
interface FastEthernet0/0.502
 description CONNECTION TO R2
 encapsulation dot1Q 502
 ip vrf forwarding SITEC
 ip address 100.1.1.1 255.255.255.0
 ip nat enable
 ip ospf 100 area 0
!
router ospf 100 vrf SITEA
 router-id 150.4.4.4
!
router bgp 100
 address-family ipv4 unicast vrf SITEC
  neighbor 100.1.1.10 remote-as 65000
  network 222.1.1.0 mask 255.255.255.0
  ! NOT MY REAL PUBLIC IP, THIS IS JUST IN A LAB
!
ip access-list standard 50
 10 permit 10.1.1.0 0.0.0.255
!
ip nat source list 50 interface f0/0.502 vrf SITEC overload

----------------------------------------------------------------

R1:

ip vrf SITEA
!
interface Loopback170
 description PRIVATE SUBNET
 ip vrf forwarding SITEA
 ip address 10.1.1.1 255.255.255.0
 ip nat enable
!
interface FastEthernet0/0.500
 description CONNECTION TO R2
 encapsulation dot1Q 500
 ip vrf forwarding SITEA
 ip address 170.1.1.100 255.255.255.0
 ip nat enable
 ip ospf 100 area 0
!
router ospf 100 vrf SITEA
 router-id 150.1.1.1
!
router bgp 100
 address-family ipv4 unicast vrf SITEA
  neighbor 170.1.1.10 remote-as 65000
  network 220.1.1.0 mask 255.255.255.0
  ! NOT MY REAL PUBLIC IP, THIS IS JUST IN A LAB
!
ip access-list standard 50
 10 permit 10.1.1.0 0.0.0.255
!
ip nat source list 50 interface f0/0.500 vrf SITEA overload

----------------------------------------------------------------

My Tests ON R1:

R1#ping vrf SITEA 100.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.1, timeout is 2 seconds:
!!!!!

----------------------------------------------------------------

My Tests ON R4:

R4#PING VRF SITEC 170.1.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 170.1.1.100, timeout is 2 seconds:
!!!!!

R4#PING VRF SITEC 170.1.1.100 source lo170
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 170.1.1.100, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.....
Success rate is 0 percent (0/5)

R4#sh ip nat nvi tran
R4#sh ip nat nvi translations
R4#

4 Replies

Neeraj Arora
Level 3

Hi Justin,

Try the following command: "ip nat source list 50 interface f0/0.502 vrf SITEC match-in-vrf overload"

See if this makes a difference.

Hope it helps

Neeraj

I don't have that syntax as an option, I did try. So otherwise does the configuration look correct?

My bad, see if this works:

interface Loopback170
 no ip nat enable
 ip nat inside
!
int f0/0.500
 no ip nat enable
 ip nat outside
!
ip nat inside source list 50 interface f0/0.502 vrf SITEC match-in-vrf overload

Ok, so I changed my configuration some. Now the topology is like this:

Sw1----->R1----->R2--(DMVPN)--R3---->R4----->Sw2

The two switches are multilayer.

So I'm NATing on R1 and R4, and I'm sourcing the traffic from Sw1 or Sw2.

I am NATing the network from Sw1 to the interface on R1 that connects to R2. I am also NATing the network from Sw2 to the interface IP on R4 that is connected to R3.

My problem now is that I can ping from Sw2 to the public IP on R1 no problem. But I can't ping from Sw1 to the public IP of R4.

R1 Config:

interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 service-policy output WFQ
 hold-queue 1000 out
!
interface FastEthernet0/0.130
 description CONNECTION TO SW1
 encapsulation dot1Q 130
 ip vrf forwarding SITEA
 ip address 130.1.1.1 255.255.255.0
 ip nat enable
!
interface FastEthernet0/0.146
 encapsulation dot1Q 146
 ip address 155.1.146.1 255.255.255.0
!
interface FastEthernet0/0.500
 description CONNECTION TO R2
 encapsulation dot1Q 500
 ip vrf forwarding SITEA
 ip address 170.1.1.100 255.255.255.0
 ip nat enable
 ip ospf 100 area 0
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
 ip address 155.1.0.1 255.255.255.0
 frame-relay interface-dlci 105
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 155.1.13.1 255.255.255.0
!
router eigrp 100
 network 150.1.1.0 0.0.0.255
 network 155.1.0.0
 distance eigrp 90 201
 no auto-summary
 !
 address-family ipv4 vrf SITEA
  redistribute bgp 100 metric 1000000 1 1 255 1500
  network 130.1.1.0 0.0.0.255
  no auto-summary
  autonomous-system 1000
 exit-address-family
!
router ospf 100 vrf SITEA
 router-id 150.1.1.1
 log-adjacency-changes
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 network 150.1.1.0 mask 255.255.255.0
 neighbor PG peer-group
 neighbor PG remote-as 100
 neighbor PG ebgp-multihop 10
 neighbor PG update-source Loopback0
 neighbor 150.1.3.3 peer-group PG
 neighbor 150.1.4.4 peer-group PG
 neighbor 150.1.5.5 peer-group PG
 neighbor 150.1.6.6 peer-group PG
 neighbor 170.1.1.10 remote-as 65000
 no auto-summary
 !
 address-family ipv4 vrf SITEA
  neighbor 170.1.1.10 remote-as 65000
  neighbor 170.1.1.10 activate
  no synchronization
  network 220.1.1.0
 exit-address-family
!
ip http server
no ip http secure-server
ip nat log translations syslog
ip nat translation icmp-timeout 5
ip nat source list 50 interface FastEthernet0/0.500 vrf SITEA overload
!
access-list 50 permit any

----------------------------------------------------------------

R4 Config:

interface FastEthernet0/0.67
 encapsulation dot1Q 67
 ip address 155.1.67.6 255.255.255.0
!
interface FastEthernet0/0.140
 description CONNECTION TO SW2
 encapsulation dot1Q 140
 ip vrf forwarding SITEC
 ip address 140.1.1.6 255.255.255.0
 ip nat enable
!
interface FastEthernet0/0.146
 encapsulation dot1Q 146
 ip address 155.1.146.6 255.255.255.0
!
interface FastEthernet0/0.502
 description CONNECTION TO R3
 encapsulation dot1Q 502
 ip vrf forwarding SITEC
 ip address 100.1.1.1 255.255.255.0
 ip nat enable
 ip ospf 100 area 0
 service-policy input police
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 54.1.1.6 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 54.1.1.254 101 broadcast
!
router eigrp 100
 network 150.1.6.0 0.0.0.255
 network 155.1.0.0
 distance eigrp 90 201
 no auto-summary
!
router eigrp 1000
 auto-summary
 !
 address-family ipv4 vrf SITEC
  redistribute bgp 100 metric 1000000 1 1 255 1500
  network 140.1.1.0 0.0.0.255
  no auto-summary
  autonomous-system 1000
 exit-address-family
!
router ospf 100 vrf SITEC
 router-id 150.6.6.6
 log-adjacency-changes
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 network 54.1.1.0 mask 255.255.255.0
 network 150.1.4.0 mask 255.255.255.0
 neighbor PG peer-group
 neighbor PG remote-as 100
 neighbor PG ebgp-multihop 10
 neighbor PG update-source Loopback0
 neighbor 54.1.1.254 remote-as 54
 neighbor 150.1.1.1 peer-group PG
 neighbor 150.1.3.3 peer-group PG
 neighbor 150.1.4.4 peer-group PG
 neighbor 150.1.5.5 peer-group PG
 auto-summary
 !
 address-family ipv4 vrf SITEC
  neighbor 100.1.1.10 remote-as 65000
  neighbor 100.1.1.10 activate
  no synchronization
  network 222.1.1.0
 exit-address-family
!
ip forward-protocol nd
ip route 155.1.0.0 255.255.0.0 Null0
no ip http server
no ip http secure-server
!
ip nat log translations syslog
ip nat translation timeout 60
ip nat translation icmp-timeout 5
ip nat source list 50 interface FastEthernet0/0.502 vrf SITEC overload
!
access-list 50 permit any
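A consistency check for the NVI NAT stanzas posted in this thread, added here as an example (not code from the thread or from Cisco). It parses a constructed IOS-style excerpt modelled on R4's lines and flags the things a reviewer would look at first: an undefined or permit-any NAT ACL (the later configs use `access-list 50 permit any`, which translates far more than the private subnet), a NAT interface that lacks `ip nat enable` or is not in the VRF the rule names, a VRF with no second NAT-enabled interface, and a routing process bound to a VRF that no interface uses (the `router ospf 100 vrf SITEA` line in the first R4 snippet). The `parse`/`check` helpers and the sample text are assumptions of this example.

```python
import re

# Constructed IOS excerpt modelled on R4's posted config (lab values from the thread, not a live device).
SAMPLE_CONFIG = """\
interface Loopback170
 ip vrf forwarding SITEC
 ip nat enable
interface FastEthernet0/0.502
 ip vrf forwarding SITEC
 ip nat enable
router ospf 100 vrf SITEA
access-list 50 permit any
ip nat source list 50 interface FastEthernet0/0.502 vrf SITEC overload
"""

def parse(text):
    """Collect per-interface VRF/NAT state, ACL entries, NVI NAT rules and 'router ... vrf' names."""
    st, cur = {"ifaces": {}, "acls": {}, "nat": [], "proc_vrfs": []}, None
    for raw in text.splitlines():
        s = raw.strip()
        if m := re.match(r"interface (\S+)", s):
            cur = st["ifaces"].setdefault(m[1], {"vrf": None, "nat": False})
        elif cur and (m := re.match(r"ip vrf forwarding (\S+)", s)):
            cur["vrf"] = m[1]
        elif cur and s == "ip nat enable":
            cur["nat"] = True
        elif m := re.match(r"access-list (\d+) (.+)", s):
            st["acls"].setdefault(m[1], []).append(m[2])
        elif m := re.match(r"ip nat source list (\S+) interface (\S+) vrf (\S+)", s):
            st["nat"].append(m.groups())
        elif m := re.match(r"router \S+ \d+ vrf (\S+)", s):
            st["proc_vrfs"].append(m[1])
    return st

def check(text):
    """Return findings as strings; an empty list means the NVI NAT stanza is internally consistent."""
    st, out = parse(text), []
    iface_vrfs = {d["vrf"] for d in st["ifaces"].values()}
    for acl, iface, vrf in st["nat"]:
        entries = st["acls"].get(acl, [])
        if not entries or any(e.startswith("permit any") for e in entries):
            out.append(f"ACL {acl} is missing or permits any source: NAT is not limited to the private subnet")
        i = st["ifaces"].get(iface, {})
        if not i.get("nat") or i.get("vrf") != vrf:
            out.append(f"{iface} must carry 'ip nat enable' and belong to VRF {vrf}")
        if not [n for n, d in st["ifaces"].items() if d["nat"] and d["vrf"] == vrf and n != iface]:
            out.append(f"no inside interface in VRF {vrf} has 'ip nat enable'; NVI needs both sides enabled")
    out += [f"routing process references VRF {v} that no interface belongs to"
            for v in st["proc_vrfs"] if v not in iface_vrfs]
    return out
```

Running `check(SAMPLE_CONFIG)` reports the broad ACL and the SITEA/SITEC mismatch; tightening the ACL to the loopback subnet and binding OSPF to SITEC clears both findings.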
