New Member

ip nat enable + default route for VRF

I have a test vrf setup, and am attempting to provide Internet access into it.

Ref: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_14/gtnatvi.htm

I've enabled NAT on the interface that has Internet connectivity:

!
interface FastEthernet0/0.22
 description NAT INT for VRF TEST
 encapsulation dot1Q 22
 ip vrf forwarding TEST10
 ip address 203.149.77.38 255.255.255.252
 ip nat enable
 no snmp trap link-status
!

Created the NAT pool:

ip nat pool NAT 203.149.77.45 203.149.77.46 netmask 255.255.255.252 add-route
ip nat source list 1 pool NAT vrf TEST10 overload

ACLs for the CEs within vrf TEST10:

access-list 1 permit 10.0.0.0 log
access-list 1 permit 192.168.1.0 0.0.0.255 log

And then tried to add a default route for vrf TEST10 via interface FastEthernet0/0.22, but am denied:

#ip route vrf TEST10 0.0.0.0 0.0.0.0 fastEthernet 0/0.22
% For VPN routes, must specify a next hop IP address if not a point-to-point interface

I've tried adding the other side of the NAT interface's /30 (203.149.77.37), but the CEs attached to vrf TEST10 still cannot get to the Internet.

Any suggestions are greatly appreciated.

Regards,

MB

19 REPLIES
Purple

Re: ip nat enable + default route for VRF

Hi,

I would try something like this:

! you need to create the VRF on the NAT-PE router
ip vrf TEST10
 rd ...
 route-target import ....
 route-target export ....
!
ip nat pool NAT 203.149.77.45 203.149.77.46 netmask 255.255.255.252
! the /30 covering the pool starts at .44, not .45
ip route 203.149.77.44 255.255.255.252 null0
!
ip route vrf TEST10 0.0.0.0 0.0.0.0 fast0/0.22 203.149.77.37 global
!
interface fast0/0.22
 ! since this interface belongs to the global routing table, do not place it in a VRF
 encapsulation dot1Q 22
 ip address 203.149.77.38 255.255.255.252
 no snmp trap link-status
 ip nat outside
!
router bgp
 address-family ipv4 vrf TEST10
  redistribute static
  default-information originate
!
! do the following on each of your links to other Ps and PEs
interface
 ip nat inside
!
ip nat inside source list 1 pool NAT vrf TEST10 overload
!
access-list 1 permit 10.0.0.0 log
access-list 1 permit 192.168.1.0 0.0.0.255 log

Hope that helps - pls rate the post if it does.

Paresh

New Member

Re: ip nat enable + default route for VRF

Thanks for the response - Any reason not to use "ip nat enable"?

This PE has two FE feeds - one that connects to the rest of the network and runs MPLS (so I am reluctant to enable NAT on this interface), the other runs dot1q and was to be used exclusively for Internet access for VRFs (each VRF being assigned its own dot1q interface to allow for easier accounting of Internet traffic used) - hence the reason I wanted to just use "ip nat enable" on the dot1q interfaces, and then assign them to VRFs for Internet access.

Is the above do-able?

Purple

Re: ip nat enable + default route for VRF

I just prefer to use 'ip nat [inside|outside]' - old habits die hard! But I believe that you could use either.

What you are after is certainly do-able. Take my config and instead of configuring 'ip nat inside' on the MPLS interfaces, configure it on the dot1q interfaces...

Hope that helps - pls rate the post if it does.

Paresh

New Member

Re: ip nat enable + default route for VRF

Thanks - So I'm guessing I would need to enable "ip nat outside" on the other side (i.e. another router) of the dot1q /30? Pretty sure the IOS on that router doesn't support NAT (Service Provider).

Purple

Re: ip nat enable + default route for VRF

Not really. You would configure 'ip nat outside' on the interface to the Internet on the same router (in my config, I had it on fast0/0.22)

Hope that helps - pls rate the post if it does.

Paresh

New Member

Re: ip nat enable + default route for VRF

Ok - This is what I currently have:

!
interface FastEthernet0/0.22
 description NAT INT for VRF TEST to ERT02-BNE
 encapsulation dot1Q 22
 ip address 203.149.77.38 255.255.255.252
 ip nat outside    <-- Also tried "ip nat inside"
 no snmp trap link-status
!
ip route 203.149.77.44 255.255.255.252 Null0
ip route vrf TEST10 0.0.0.0 0.0.0.0 FastEthernet0/0.22 203.149.77.37 global
ip nat pool NAT 203.149.77.45 203.149.77.46 netmask 255.255.255.252
ip nat source list 1 pool NAT vrf TEST10 overload
access-list 1 permit 10.0.0.0 log
access-list 1 permit 192.168.1.0 0.0.0.255 log

Attempting to get (trace/ping) to any address not within vrf TEST10 (from a device in vrf TEST10) results in a timeout at the 203.149.77.38 router.

Tracing with a source IP of 203.149.77.38 to an Internet address is successful.

#sh ip route vrf TEST10

Routing Table: TEST10
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 203.149.77.37 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C       10.0.0.2/32 is directly connected, Virtual-Access7
B       10.0.3.0/24 [200/0] via 203.149.76.248, 3w0d
C       10.0.0.0/24 is directly connected, Loopback10
B       10.0.6.0/24 [200/0] via 203.149.76.250, 1w5d
B       10.0.7.0/24 [200/0] via 203.149.76.247, 1w4d
B       10.0.5.0/24 [200/0] via 203.149.76.249, 3w6d
U    192.168.1.0/24 [1/0] via 10.0.0.2
S*   0.0.0.0/0 [1/0] via 203.149.77.37, FastEthernet0/0.22

Purple

Re: ip nat enable + default route for VRF

John,

Which of your interfaces goes to the Internet?

Paresh

New Member

Re: ip nat enable + default route for VRF

interface FastEthernet0/0.22 has Internet Access.

Purple

Re: ip nat enable + default route for VRF

Then that interface should be configured as the outside NAT interface.

Another Q: which interface belongs to the TEST10 VRF ? That interface should be configured as the inside NAT interface.

Paresh

New Member

Re: ip nat enable + default route for VRF

Ahh - There's my problem - the TEST10 VRF members are all DSL services (L2TP VPDNs) being placed into vrf TEST10 via a RADIUS reply attribute...so they are all virtual-access interfaces dynamically created once they authenticate.

Purple

Re: ip nat enable + default route for VRF

Ok.. so make sure that you have 'ip nat inside' configured on the virtual-template and this should work.

Paresh

New Member

Re: ip nat enable + default route for VRF

Thanks for the assistance thus far Paresh - greatly appreciated....I had already tried that...unfortunately still no joy:

interface FastEthernet0/0.22
 description NAT INT for VRF TEST to ERT02-BNE
 encapsulation dot1Q 22
 ip address 203.149.77.38 255.255.255.252
 ip nat outside
 no ip virtual-reassembly
 no snmp trap link-status
!
interface Virtual-Template1
 description L2TP-1 Termination
 ip unnumbered Loopback1
 ip nat inside
 ip virtual-reassembly
 qos pre-classify
 ppp authentication chap callin
!
ip route vrf TEST10 0.0.0.0 0.0.0.0 FastEthernet0/0.22 203.149.77.37 global
ip nat pool NAT 203.149.77.45 203.149.77.46 netmask 255.255.255.252
ip nat source list 1 pool NAT vrf TEST10 overload
access-list 1 permit 10.0.0.0 log
access-list 1 permit 192.168.1.0 0.0.0.255 log

Rebooted the test DSL router, but it still cannot get beyond the vrf.

If I do a:

#sh ip nat translations vrf TEST10

or

#sh ip nat translations

Should I be seeing something? At the moment there is nothing.

Purple

Re: ip nat enable + default route for VRF

What source address are you pinging from ?

Paresh

New Member

Re: ip nat enable + default route for VRF

Directly from the ADSL router that is assigned 10.0.0.2 (WAN). I have also tried pinging with a source IP of 192.168.1.1 (ADSL router LAN IP).

Purple

Re: ip nat enable + default route for VRF

Well, it's gotta be sourced from a 192.168.1.x address because of your ACL 1.

Is there any chance of you being able to run a debug on that router - something like 'debug ip nat vrf' - to see what is breaking?

Paresh

New Member

Re: ip nat enable + default route for VRF

acl 1 also has 10.0.0.0:

#show access-lists 1
Standard IP access list 1
    10 permit 10.0.0.0 log
    20 permit 192.168.1.0, wildcard bits 0.0.0.255 log

I have the following debugging enabled, yet I see nothing in the logs when trying to get out from the DSL router:

# sh debugging
Generic IP:
  IP NAT detailed debugging is on for access list 1
  IP NAT VRF debugging is on
  IP NAT NVI debugging is on

Silver

Re: ip nat enable + default route for VRF

Do you have routes for the 10.0.0.0 and 192.168.1.0 addresses that you are NATting from in the global routing table? It is my guess that the packets are being translated but they cannot move from the global routing table back to the VRF.

You might need to configure a global route for those addresses pointing to the vrf interface.

Hope this helps

Purple

Re: ip nat enable + default route for VRF

Could you post the output of 'sh ip ro vrf TEST10' ?

By the way, to match 10.0.0.0/24, you need the following ACL line:

access-list 1 permit 10.0.0.0 0.0.0.255 log

Paresh
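The two checks this thread keeps returning to are (a) whether the interface the DSL sessions arrive on is actually marked 'ip nat inside', and (b) Paresh's last point that a standard ACL entry written without a wildcard matches exactly one host, so 'access-list 1 permit 10.0.0.0 log' never matches 10.0.0.2. The following Python model is an added illustration and is not Cisco code or anything posted in this thread. It assumes a simplified translation path (ingress interface marked inside, egress marked outside, the ingress VRF equal to the VRF named on the NAT rule, and a source permitted by the ACL); the interface table is constructed from the configs quoted above, and the interface names and roles in it are assumptions. It does not model any IOS defect, so a source that passes all four checks here may still fail on a real box.

```python
"""Simplified model of an IOS 'ip nat inside source list <acl> pool <pool> vrf <vrf>'
translation decision, written to illustrate the NAT/VRF thread above.
Added example, not Cisco code; interface data below is constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    address: int     # 32-bit integer form of the dotted address
    wildcard: int    # 32-bit wildcard mask; set bits are "don't care"


def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny A.B.C.D [wildcard] [log]' lines.
    A missing wildcard means 0.0.0.0, i.e. one host, which is how IOS reads it."""
    entries = []
    for line in lines:
        tokens = line.split()
        action = tokens[2]
        address = int(ipaddress.IPv4Address(tokens[3]))
        wildcard = 0
        if len(tokens) > 4 and tokens[4] != "log":
            wildcard = int(ipaddress.IPv4Address(tokens[4]))
        entries.append(AclEntry(action, address, wildcard))
    return entries


def acl_permits(entries, src):
    """Evaluate a standard ACL top-down; no match hits the implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    for e in entries:
        care = ~e.wildcard & 0xFFFFFFFF
        if (s & care) == (e.address & care):
            return e.action == "permit"
    return False


def nat_decision(ifaces, acl_entries, rule_vrf, src_ip, in_if, out_if):
    """Return (translated, reason) for a packet entering in_if and leaving out_if.
    Assumed model: inside->outside translation needs 'ip nat inside' on the ingress
    interface, 'ip nat outside' on the egress interface, the ingress VRF equal to the
    VRF named on the NAT rule, and a source permitted by the rule's ACL."""
    if ifaces[in_if]["nat"] != "inside":
        return False, f"{in_if} is not 'ip nat inside'"
    if ifaces[out_if]["nat"] != "outside":
        return False, f"{out_if} is not 'ip nat outside'"
    if ifaces[in_if]["vrf"] != rule_vrf:
        return False, f"{in_if} is in VRF {ifaces[in_if]['vrf']!r}, rule is for {rule_vrf!r}"
    if not acl_permits(acl_entries, src_ip):
        return False, f"{src_ip} is not permitted by the NAT ACL"
    return True, "translated"


# Constructed interface table mirroring the thread; names and roles are assumptions.
IFACES = {
    "Virtual-Access7": {"vrf": "TEST10", "nat": "inside"},   # DSL session via Virtual-Template1
    "FastEthernet0/0.22": {"vrf": None, "nat": "outside"},   # global table, Internet-facing
}

# ACL as posted in the thread, and the corrected form with the /24 wildcard.
ORIGINAL_ACL = [
    "access-list 1 permit 10.0.0.0 log",
    "access-list 1 permit 192.168.1.0 0.0.0.255 log",
]
CORRECTED_ACL = [
    "access-list 1 permit 10.0.0.0 0.0.0.255 log",
    "access-list 1 permit 192.168.1.0 0.0.0.255 log",
]


def check(acl_lines, src_ip):
    """Decide translation for a packet from src_ip arriving on the DSL session."""
    return nat_decision(IFACES, parse_standard_acl(acl_lines), "TEST10",
                        src_ip, "Virtual-Access7", "FastEthernet0/0.22")


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        for src in ("10.0.0.2", "192.168.1.1"):
            print(label, src, check(acl, src))
```

With the ACL as posted, a packet sourced from 10.0.0.2 fails at the ACL step while 192.168.1.1 passes every check in this model; with the wildcard added, 10.0.0.2 passes too. Marking the virtual-template (and thus each Virtual-Access interface) as something other than inside makes the decision fail at the first check regardless of the ACL.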

New Member

Re: ip nat enable + default route for VRF

I have had to unfortunately put this on hold and run with a PIX for supplying Internet into VRFs....got clients that require this service asap :)

Found the following bug which may/may not relate...but it looks like it might:

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsb80566&cco_product=IOS&fset=&swver=12.4&keyw=nat&target=4&train=T

I'm currently running 12.4(4)T

Thanks again for your help.
