I actually figured this out this morning. There were two issues here.
1. When the tunnel interface needs to be in a vrf you not only need the "vrf forwarding name" command you also need the "vrf tunnel name" command. One tells the tunnel which vrf the packets are input from, the other which vrf the packets are output to.
2. To get the NAT to work I actually needed the "ip nat outside" on the tunnel interface as well.
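The two VRF commands the post refers to, plus the "ip nat outside" on the tunnel, written out as an added configuration example (this is not the poster's config). In IOS the second command is "tunnel vrf <name>", which is what the post calls "vrf tunnel". Everything else is assumed: VRF names PROD and INTERNET, interface numbers, and the 203.0.113.0/28, 198.51.100.0/24 and 172.16.0.0/12 addresses are documentation/private ranges chosen for the example. The Internet-facing interface is placed in its own VRF here because that is the situation in which "tunnel vrf" is required at all; if it lived in the global table the command would be omitted.

```cisco
! Added example: GRE tunnel whose payload belongs to VRF PROD while the
! tunnel endpoints are reached through VRF INTERNET. Names and addresses
! are assumptions, not the poster's values.
vrf definition PROD
 address-family ipv4
 exit-address-family
!
vrf definition INTERNET
 address-family ipv4
 exit-address-family
!
! ISP-facing interface, tunnel source. Lives in INTERNET.
interface GigabitEthernet0/1
 vrf forwarding INTERNET
 ip address 203.0.113.2 255.255.255.240
!
! Link to the PROD ASA's outside interface. Lives in PROD.
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 vrf forwarding PROD
 ip address 192.168.255.1 255.255.255.252
 ip nat inside
!
interface Tunnel100
 ! "vrf forwarding": the VRF of the INNER packets. Hosts in PROD route
 ! into this tunnel, and decapsulated packets are delivered into PROD.
 vrf forwarding PROD
 ip address 172.16.100.1 255.255.255.252
 ! The post found NAT only worked once the tunnel was also an outside
 ! interface, i.e. PROD traffic leaving through the tunnel is subject to
 ! the same inside->outside translation as traffic leaving via the ISP link.
 ip nat outside
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.1
 ! "tunnel vrf": the VRF whose routing table carries the OUTER (encapsulated)
 ! packets to "tunnel destination". Without it IOS looks the destination up
 ! in the global table, finds nothing, and the tunnel never passes traffic
 ! even though the interface shows up/up.
 tunnel vrf INTERNET
!
! Outer packets: reach the cloud endpoint through the ISP.
ip route vrf INTERNET 0.0.0.0 0.0.0.0 203.0.113.1
! Inner packets: PROD's Internet-bound traffic goes into the tunnel,
! and PROD's own networks are reached via the ASA.
ip route vrf PROD 0.0.0.0 0.0.0.0 Tunnel100
ip route vrf PROD 10.0.0.0 255.0.0.0 192.168.255.2
```

A quick way to confirm the split is "show ip route vrf INTERNET 198.51.100.1" (the tunnel destination must resolve there) and "show ip route vrf PROD" (the default should point at Tunnel100); the translation rule that actually performs the NAT is a separate piece of configuration and is not shown in this block.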
Short answer...it depends.
I'm assuming your setup is Inside nets -> 0/0 Router 0/1 -> ASA ->Internet based on your description. If that's the case:
You can configure an in-to-out zone pair and your service policy to inspect and/or pass the traffic. Those two words are the key...inspect and pass. An inside host's traffic hits 0/0, and one of two things happens based on that policy.
-If the service policy says that traffic gets inspected, it gets passed on to 0/1 and on to the ASA and (if the ASA's rules allow) to its destination. The returning traffic comes back through the ASA, hits 0/1, gets inspected, and is passed to 0/0 and ultimately your host.
-If the traffic is passed (but not inspected) it gets passed on to 0/1 and out to the ASA and (again if it's allowed based on the ASA's rules) on to the destination. The returning traffic this time comes back through the ASA, hits 0/1, and is dropped. It wasn't inspected on its way out so there's no record of the source traffic and since there's no out-to-in pair there's no policy to process it.
To get traffic that's inspected out and back, you need one zone pair and one policy. To get traffic that's simply passed out and back, you need two zone pairs and two policies.
Hope that makes sense. One of Cisco's explanations of it is here:
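The inspect-versus-pass distinction from the reply above, as an added zone-based firewall configuration example (not the replier's config). Zone, class-map and policy-map names, the interface numbers, and the 198.51.100.1 endpoint used for the "pass" case are all assumptions. The example goes one step beyond the reply: it shows the second zone pair the "pass" case needs, using GRE as the flow that cannot be tracked statefully. One caveat a practitioner should keep in mind: traffic the router itself originates (for example a GRE tunnel the router terminates) belongs to the "self" zone, which this block does not cover.

```cisco
! Added example: ZBF with one inspected zone pair (stateful, replies allowed
! back automatically) and a passed flow that needs an explicit return pair.
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
! --- Inspected traffic: one pair, one policy --------------------------------
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! --- Passed traffic: "pass" is stateless, so each direction is matched
!     separately. Constructed example: GRE to/from one remote endpoint.
ip access-list extended ACL-GRE-OUT
 permit gre any host 198.51.100.1
ip access-list extended ACL-GRE-IN
 permit gre host 198.51.100.1 any
!
class-map type inspect match-all CM-GRE-OUT
 match access-group name ACL-GRE-OUT
class-map type inspect match-all CM-GRE-IN
 match access-group name ACL-GRE-IN
!
policy-map type inspect PM-IN-OUT
 class type inspect CM-GRE-OUT
  pass                      ! forwarded, but no session state is created
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect                   ! session state created; replies are matched to it
 class class-default
  drop log
!
policy-map type inspect PM-OUT-IN
 class type inspect CM-GRE-IN
  pass                      ! without this pair the returning GRE is dropped
 class class-default
  drop log                  ! unsolicited inbound traffic is still denied
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
!
! Only needed because of the "pass" class; inspected TCP/UDP/ICMP replies
! would come back through IN-OUT's session table without it.
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN
```

Note that "class-default" in the OUT-IN policy still drops, so adding the second pair does not open the inside to the Internet; it only admits the one stateless flow that was passed outbound. "show policy-map type inspect zone-pair sessions" lists the sessions the inspect action created, which is the record the "pass" action never writes.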
I've got several internal networks with overlapping IP schemes so we stuffed each into their own VRF so they could get out our 2911 router and into the outside world. We have a couple /28's and I can get everyone out onto the internet with each network's traffic NAT'd through its own external IP.
The twist is we're using a cloud service for internet content filtering and we want to build the GRE's for that traffic off the router as well. For policy and reporting reasons the tunnels need to originate from their own external IP. I cannot seem to get the tunnels to come up and route to the destination. They show up (as up as a tunnel interface can show) but I can't ping the inside IP of the destination. So I am doing something wrong but I search as I may I can't seem to come up with a solution.
I have been at this piece for about 3 days now and can't seem to crack it. I'm posting a sketch and the relevant parts of the router's config. Anyone with suggestions or questions please chime in. As much as I've taught myself the last couple weeks it apparently isn't enough to bring it all together.
Sure! Couple updates though...
I kept pounding at it this weekend and think I have a working model. Right now there's just one ASA being NAT'ed out and only one set of GRE's built (the one for the same environment). I don't know if what I have is the best way to do this. Also not entirely sure this won't all collapse once I start putting the other two environments on their VRF's. I did manage to figure out how to get the VRF's out onto the internet without the use of the SHARED VRF and without BGP.
I wouldn't mind suggestions on how subinterfaces on the outside interface would look. I'm attaching a quick sketch of what I think this will all look like when it's live and I'll have a new challenge that it might solve. We have two /28's at our HQ. When this is all done our Production environment and our WiFi environment will need to NAT a pair of IP's in one /28 and our development and test environments will NAT to a pair in the other.
Sorry if this is info overload. Attached is the current running of the 2911 and the sketch. I know there are some things I need to clean up since I'm not using BGP, and I still need to start EIGRP on the VRF's so I can ditch the static routes, but this is where I am.
tl;dr: I have a 2911 with a single outside interface and its own external IP address on it. I have 3 VRFs on this router, each VRF has an ASA then a L3 switch. I have a /28 from my ISP. How can I NAT each VRF to its own separate external IP?
My boss might be asking the impossible but there must be a way to pull this off. I've taught myself quite a bit these last couple days but I've hit a snag. I have a lot of experience with ASA's and switches but not as much with routers.
We have a production, development, and testing environment that all have their own firewall on our edge. Behind them is a L3 switch that handles all the internal routing/switching. All three have the exact same VLAN and IP scheme.
Our new internet content filtering service needs GRE's built to their cloud. What the higher ups are thinking is that we should be able to put a router on the edge and tuck all three environments behind the same router.
What I've mocked up so far is a 2911 with a VRF for each environment and one more so they can share the connection out to the internet. I've got BGP working between them (that's how I got them the route out) and I can NAT overload the outside interface and get hosts from inside the VRF's out onto the internet using the IP of the outside interface.
My immediate problem is how can I NAT overload each VRF to its own external IP? I have a /28 from the ISP to play with. I can't just translate an external IP to a firewall's outside IP and then run PAT at the firewall either because when I start building and trying to pump traffic through the GRE's the traffic needs to have its original IP address.
I've been browsing the forum for three days now. I don't necessarily need someone to detail for me how to do this (though you're more than welcome to!). I at least need some guidance on what concept(s) to research to get me going.
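The per-VRF overload the question asks about, as an added configuration example (not the poster's config): each VRF's inside networks are PAT'd to a different address out of the /28, and the identical inside prefixes do not collide because every translation rule is scoped with the "vrf" keyword. This block uses the classic VRF-aware NAT layout in which the inside interfaces sit in VRFs and the outside interface stays in the global routing table; it does not use a shared VRF or BGP. VRF names PROD/DEV/TEST, interface numbers, the 203.0.113.0/28 block, the ASA link addresses and the 10.0.0.0/8 inside range are all assumptions.

```cisco
! Added example: three VRFs with overlapping inside addressing, each
! translated to its own public address. Names and addresses are assumed.
vrf definition PROD
 address-family ipv4
 exit-address-family
vrf definition DEV
 address-family ipv4
 exit-address-family
vrf definition TEST
 address-family ipv4
 exit-address-family
!
! Outside interface in the global table (assumed: .1 is the ISP gateway,
! .2 is the router, .3-.5 are handed out below as per-VRF NAT addresses).
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.240
 ip nat outside
!
! One subinterface per environment toward that environment's ASA.
! The ASA-facing addressing is deliberately identical in all three VRFs.
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 vrf forwarding PROD
 ip address 192.168.255.1 255.255.255.252
 ip nat inside
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 vrf forwarding DEV
 ip address 192.168.255.1 255.255.255.252
 ip nat inside
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 vrf forwarding TEST
 ip address 192.168.255.1 255.255.255.252
 ip nat inside
!
! The inside networks behind each ASA are the same prefix in every VRF.
ip access-list standard PROD-NETS
 permit 10.0.0.0 0.255.255.255
ip access-list standard DEV-NETS
 permit 10.0.0.0 0.255.255.255
ip access-list standard TEST-NETS
 permit 10.0.0.0 0.255.255.255
!
! One single-address pool per environment out of the /28.
ip nat pool PROD-PUB 203.0.113.3 203.0.113.3 prefix-length 28
ip nat pool DEV-PUB  203.0.113.4 203.0.113.4 prefix-length 28
ip nat pool TEST-PUB 203.0.113.5 203.0.113.5 prefix-length 28
!
! "vrf <name>" ties each rule to one VRF, so the same 10.0.0.0/8 source
! in PROD, DEV and TEST is translated to three different public addresses.
ip nat inside source list PROD-NETS pool PROD-PUB vrf PROD overload
ip nat inside source list DEV-NETS  pool DEV-PUB  vrf DEV  overload
ip nat inside source list TEST-NETS pool TEST-PUB vrf TEST overload
!
! Each VRF's default route leaves via the global table ("global" keyword);
! the inside prefixes are reached through that VRF's own ASA.
ip route vrf PROD 0.0.0.0 0.0.0.0 203.0.113.1 global
ip route vrf DEV  0.0.0.0 0.0.0.0 203.0.113.1 global
ip route vrf TEST 0.0.0.0 0.0.0.0 203.0.113.1 global
ip route vrf PROD 10.0.0.0 255.0.0.0 192.168.255.2
ip route vrf DEV  10.0.0.0 255.0.0.0 192.168.255.2
ip route vrf TEST 10.0.0.0 255.0.0.0 192.168.255.2
```

Return traffic needs no extra global routes for the inside networks: the translation entry records which VRF it belongs to, so a reply to 203.0.113.4 is un-translated and forwarded inside DEV. Because the pool addresses share the outside subnet, the router answers ARP for them itself ("show ip alias" lists them). "show ip nat translations vrf PROD" is the per-VRF check that the right public address is being used, and with the ASAs no longer doing PAT the original 10.x source is what reaches the router, which is the precondition the question states for the GRE traffic.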