03-08-2006 02:59 PM
I have a test vrf setup, and am attempting to provide Internet access into it.
Ref: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_14/gtnatvi.htm
I've enabled nat on Interface that has Internet Connectivity:
!
interface FastEthernet0/0.22
description NAT INT for VRF TEST
encapsulation dot1Q 22
ip vrf forwarding TEST10
ip address 203.149.77.38 255.255.255.252
ip nat enable
no snmp trap link-status
!
Created NAT pool
ip nat pool NAT 203.149.77.45 203.149.77.46 netmask 255.255.255.252 add-route
ip nat source list 1 pool NAT vrf TEST10 overload
ACLs for CEs within vrf TEST10
access-list 1 permit 10.0.0.0 log
access-list 1 permit 192.168.1.0 0.0.0.255 log
And then tried to add a default route for vrf TEST10 via interface FastEthernet0/0.22, but am denied:
#ip route vrf TEST10 0.0.0.0 0.0.0.0 fastEthernet 0/0.22
% For VPN routes, must specify a next hop IP address if not a point-to-point interface
I've tried adding the other side of the NAT interface's /30 (203.149.77.37), but CEs attached to vrf TEST10 still cannot get to the Internet?
Any suggestions are greatly appreciated.
Regards,
MB
03-08-2006 03:27 PM
Hi,
I would try something like this:
! you need to create the VRF on the NAT-PE router
ip vrf TEST10
rd ...
route-target import ....
route-target export ....
!
ip nat pool NAT 203.149.77.45 203.149.77.46 netmask 255.255.255.252
ip route 203.149.77.44 255.255.255.252 null0
!
ip route vrf TEST10 0.0.0.0 0.0.0.0 fast0/0.22 203.149.77.37 global
!
interface fast0/0.22
! since this interface belongs to the global routing table, do not place it in a VRF
encapsulation dot1Q 22
ip address 203.149.77.38 255.255.255.252
no snmp trap link-status
ip nat outside
!
router bgp
address-family ipv4 vrf TEST10
redistribute static
default-information originate
!
! do the following on each of your links to other Ps and PEs
interface
ip nat inside
!
ip nat inside source list 1 pool NAT vrf TEST10 overload
!
access-list 1 permit 10.0.0.0 log
access-list 1 permit 192.168.1.0 0.0.0.255 log
Hope that helps - pls rate the post if it does.
Paresh
03-08-2006 04:32 PM
Thanks for the response - Any reason not to use "ip nat enable"?
This PE has two FE feeds - one that connects to the rest of the network and runs MPLS (so I'm reluctant to enable NAT on this interface), the other runs dot1q and was to be used exclusively for Internet access for VRFs (each VRF being assigned its own dot1q int to allow for easier accounting of Internet traffic used) - hence the reason I wanted to just use "ip nat enable" on the dot1q ints, and then assign them to VRFs for Internet access.
Is the above do-able?
03-08-2006 05:11 PM
I just prefer to use 'ip nat [inside|outside]' - old habits die hard! But I believe that you could use either.
What you are after is certainly do-able. Take my config and instead of configuring 'ip nat inside' on the MPLS interfaces, configure it on the dot1q interfaces...
Hope that helps - pls rate the post if it does.
Paresh
03-08-2006 05:51 PM
Thanks - So I'm guessing I would need to enable "ip nat outside" on the other side (i.e. another router) of the dot1q /30? Pretty sure the IOS on that router doesn't support NAT (Service Provider).
03-08-2006 06:34 PM
Not really. You would configure 'ip nat outside' on the interface to the Internet on the same router (in my config, I had it on fast0/0.22)
Hope that helps - pls rate the post if it does.
Paresh
03-08-2006 07:47 PM
Ok - This is what I currently have:
!
interface FastEthernet0/0.22
description NAT INT for VRF TEST to ERT02-BNE
encapsulation dot1Q 22
ip address 203.149.77.38 255.255.255.252
ip nat outside <-- Also tried "ip nat inside"
no snmp trap link-status
!
ip route 203.149.77.44 255.255.255.252 Null0
ip route vrf TEST10 0.0.0.0 0.0.0.0 FastEthernet0/0.22 203.149.77.37 global
ip nat pool NAT 203.149.77.45 203.149.77.46 netmask 255.255.255.252
ip nat source list 1 pool NAT vrf TEST10 overload
access-list 1 permit 10.0.0.0 log
access-list 1 permit 192.168.1.0 0.0.0.255 log
Attempting to get (trace/ping) to any address not within the vrf TEST10 (from a device in vrf TEST10) results in a timeout at the 203.149.77.38 router.
Tracing with a source IP of 203.149.77.38 to an Internet address is successful.
#sh ip route vrf TEST10
Routing Table: TEST10
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 203.149.77.37 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C 10.0.0.2/32 is directly connected, Virtual-Access7
B 10.0.3.0/24 [200/0] via 203.149.76.248, 3w0d
C 10.0.0.0/24 is directly connected, Loopback10
B 10.0.6.0/24 [200/0] via 203.149.76.250, 1w5d
B 10.0.7.0/24 [200/0] via 203.149.76.247, 1w4d
B 10.0.5.0/24 [200/0] via 203.149.76.249, 3w6d
U 192.168.1.0/24 [1/0] via 10.0.0.2
S* 0.0.0.0/0 [1/0] via 203.149.77.37, FastEthernet0/0.22
03-08-2006 08:26 PM
John,
Which of your interfaces goes to the Internet?
Paresh
03-08-2006 08:32 PM
interface FastEthernet0/0.22 has Internet Access.
03-08-2006 08:43 PM
Then that interface should be configured as the outside NAT interface.
Another Q: which interface belongs to the TEST10 VRF ? That interface should be configured as the inside NAT interface.
Paresh
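Paresh's two rules (the Internet-facing interface is 'ip nat outside' and stays in the global table; the VRF-facing interfaces are 'ip nat inside'; the VRF default route carries the 'global' keyword) expressed as a small config lint. This is an added example, not code from the thread or from Cisco; the sample config is constructed from the poster's second attempt, and the standard-ACL check is my own addition: an entry with no wildcard mask matches a single host, not a network.

```python
import re

# Constructed sample modelled on the poster's second attempt: 'ip nat outside' is set,
# no interface has 'ip nat inside', and the first ACL entry carries no wildcard mask.
SAMPLE_CONFIG = """\
interface FastEthernet0/0.22
 encapsulation dot1Q 22
 ip address 203.149.77.38 255.255.255.252
 ip nat outside
!
ip route 203.149.77.44 255.255.255.252 Null0
ip route vrf TEST10 0.0.0.0 0.0.0.0 FastEthernet0/0.22 203.149.77.37 global
ip nat pool NAT 203.149.77.45 203.149.77.46 netmask 255.255.255.252
ip nat source list 1 pool NAT vrf TEST10 overload
access-list 1 permit 10.0.0.0 log
access-list 1 permit 192.168.1.0 0.0.0.255 log
"""

def parse_interfaces(config):
    """Map each 'interface X' block to its indented sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the block
    return interfaces

def lint_vrf_nat(config):
    """Return findings for the VRF-aware NAT pitfalls raised in the thread."""
    findings, ifaces = [], parse_interfaces(config)
    outside = [n for n, c in ifaces.items() if "ip nat outside" in c]
    if not any("ip nat inside" in c for c in ifaces.values()):
        findings.append("no interface is marked 'ip nat inside'")
    for name in outside:  # outside interface must stay in the global table
        if any(c.startswith("ip vrf forwarding") for c in ifaces[name]):
            findings.append(f"{name}: 'ip nat outside' interface is inside a VRF")
    for m in re.finditer(r"^ip nat (?:inside )?source list \S+ pool \S+ vrf (\S+)", config, re.M):
        vrf = m.group(1)  # each NAT'd VRF needs a default route that leaks into global
        if not re.search(rf"^ip route vrf {re.escape(vrf)} 0\.0\.0\.0 0\.0\.0\.0 .* global$", config, re.M):
            findings.append(f"vrf {vrf}: default route lacks the 'global' keyword")
    acl = r"^access-list \d+ permit (\d+\.\d+\.\d+\.\d+)(?: (\d+\.\d+\.\d+\.\d+))?"
    for m in re.finditer(acl, config, re.M):
        if m.group(2) is None:  # no wildcard mask means a single host, not a network
            findings.append(f"access-list entry matches only host {m.group(1)}")
    return findings
```

Run it against a saved 'show running-config' to see which of the thread's conditions the box is missing; an empty list means none of these checks fired.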
03-08-2006 08:49 PM
Ahh - There's my problem - the TEST10 vrf members are all DSL services (L2TP vpdn's) being placed into vrf TEST10 via a RADIUS reply attribute... so they are all virtual-access ints dynamically created once they authenticate.
03-08-2006 09:20 PM
Ok.. so make sure that you have 'ip nat inside' configured on the virtual-template and this should work.
Paresh
03-08-2006 09:43 PM
Thanks for the assistance thus far Paresh - greatly appreciated.... I had already tried that... unfortunately still no joy:
interface FastEthernet0/0.22
description NAT INT for VRF TEST to ERT02-BNE
encapsulation dot1Q 22
ip address 203.149.77.38 255.255.255.252
ip nat outside
no ip virtual-reassembly
no snmp trap link-status
interface Virtual-Template1
description L2TP-1 Termination
ip unnumbered Loopback1
ip nat inside
ip virtual-reassembly
qos pre-classify
ppp authentication chap callin
!
ip route vrf TEST10 0.0.0.0 0.0.0.0 FastEthernet0/0.22 203.149.77.37 global
ip nat pool NAT 203.149.77.45 203.149.77.46 netmask 255.255.255.252
ip nat source list 1 pool NAT vrf TEST10 overload
access-list 1 permit 10.0.0.0 log
access-list 1 permit 192.168.1.0 0.0.0.255 log
Rebooted the test DSL router, but it still cannot get beyond the vrf.
If I do a:
#sh ip nat translations vrf TEST10
or
#sh ip nat translations
Should I be seeing something? At the moment there is nothing.
03-08-2006 10:09 PM
What source address are you pinging from ?
Paresh
03-08-2006 10:17 PM
Directly from the ADSL router that is assigned 10.0.0.2 (WAN). I have also tried pinging with a source IP of 192.168.1.1 (ADSL router LAN IP).