[nsp] Re: NAT for MPLS VPN

Vladimir Litovka doka at kiev.sovam.com
Mon May 19 14:33:49 EDT 2003 

Hi,

can't find, where I've troubled. Here is my config and debugging 
information:

ip vrf CC
 rd 12530:XXXX
!
interface Loopback0
 ip address 212.109.A.A 255.255.255.255
!
interface Tunnel0
 ip vrf forwarding CC
 ip address 192.168.149.5 255.255.255.252
 ip nat inside
 tunnel source [ ... ]
 tunnel destination [ ... ]
!
interface FastEthernet0/0
 description Internet
 ip address [ ... ]
 ip nat outside
 no cdp enable
!
ip nat inside source list 2 interface Loopback0 vrf CC overload
ip route vrf CC 0.0.0.0 0.0.0.0 192.168.149.6
ip route vrf CC 212.109.X.X 255.255.255.240 212.109.Y.Y global
!
access-list 2 permit 192.168.149.0 0.0.0.255

Trying to ping:

Router#ping vrf CC 212.109.Z.Z

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 212.109.Z.Z, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

and looking for debug:

May 19 13:20:39.999: NAT: s=192.168.149.1->212.109.A.A, d=212.109.Z.Z 
[3810] vrf=> CC
May 19 13:20:40.003: NAT*: s=212.109.Z.Z, d=212.109.A.A->192.168.149.1 
[29065] vrf=> CC
May 19 13:20:41.999: NAT: s=192.168.149.1->212.109.A.A, d=212.109.Z.Z 
[3811] vrf=> CC
May 19 13:20:41.999: NAT*: s=212.109.Z.Z, d=212.109.A.A->192.168.149.1 
[29066] vrf=> CC
May 19 13:20:43.999: NAT: s=192.168.149.1->212.109.A.A, d=212.109.Z.Z 
[3812] vrf=> CC
May 19 13:20:43.999: NAT*: s=212.109.Z.Z, d=212.109.A.A->192.168.149.1 
[29067] vrf=> CC
May 19 13:20:45.999: NAT: s=192.168.149.1->212.109.A.A, d=212.109.Z.Z 
[3813] vrf=> CC
May 19 13:20:45.999: NAT*: s=212.109.Z.Z, d=212.109.A.A->192.168.149.1 
[29068] vrf=> CC
May 19 13:20:47.999: NAT: s=192.168.149.1->212.109.A.A, d=212.109.Z.Z 
[3814] vrf=> CC
May 19 13:20:47.999: NAT*: s=212.109.Z.Z, d=212.109.A.A->192.168.149.1 
[29069] vrf=> CC

Everything is ok - router makes translation, remote host receives echo 
requests and sends echo replies, router receives these replies and 
translates to inside addresses. But ping itself doesn't work. Somewhere 
is stupid bug, but I can't find it :-)

Tomas Daniska wrote:

>works nice for me 
>
>3660 at 12.2(15)T2
>
>--
>
>deejay 
>
>  
>
>>-----Original Message-----
>>From: Vladimir Litovka [mailto:doka at kiev.sovam.com] 
>>Sent: 16. mája 2003 10:58
>>To: Rolands Truls
>>Cc: cisco-nsp at puck.nether.net
>>Subject: [nsp] Re: NAT for MPLS VPN
>>
>>
>>This feature was introduced in 12.2(13)T and named "NAT 
>>integration with 
>>MPLS VPNs":
>>
>>http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1839
>>/products_feature_guide09186a00801145f5.html
>>
>>Does anybody has successull experience with it? I can't setup 
>>it on my 
>>2691, although Feature Navigator claims that this feature 
>>supported on 
>>2600 series.
>>
>>Rolands Truls wrote:
>>
>>    
>>
>>>There is no support for NAT per VRF yet.
>>>Cisco says: "It is expected to be released sometime in the 
>>>      
>>>
>>second quarter of
>>    
>>
>>>this year." :)
>>>
>>>br
>>>Rolands
>>>
>>>
>>>-----Original Message-----
>>>From: Duane de Witt [mailto:duane at uis.co.za]
>>>Sent: Tuesday, May 28, 2002 6:21 PM
>>>To: 'cisco-nsp at puck.nether.net'
>>>Subject: NAT for MPLS VPN
>>>
>>>
>>>
>>>I have a Cisco network, currently with tag-switching running 
>>>      
>>>
>>but with no
>>    
>>
>>>VPN's. I have a 7140 which is been used as the gateway for 
>>>      
>>>
>>the network which
>>    
>>
>>>has a link to a 7200 handling my internet connections. 
>>>      
>>>
>>Currently the 7140
>>    
>>
>>>has a default route pointing to the internet router, this route is
>>>redistributed by BGP for the rest of my network.
>>>
>>>
>>>
>>>When I add VPN's with VRF's I face a problem. I need the 
>>>      
>>>
>>current default
>>    
>>
>>>gateway to stay as is for the rest of the network, but I 
>>>      
>>>
>>also need some kind
>>    
>>
>>>of default gateway for the specific VRF and then I need to 
>>>      
>>>
>>be able to get
>>    
>>
>>>those packets out of the VPN and to the internet. I was 
>>>      
>>>
>>planning on using
>>    
>>
>>>the 7140 with some kind of NAT config with subinterfaces on 
>>>      
>>>
>>the gateway
>>    
>>
>>>within the VRF as the inside interface and then the 
>>>      
>>>
>>interface connecting to
>>    
>>
>>>the internet router as the outside interface. I don't know 
>>>      
>>>
>>how to get the
>>    
>>
>>>packets out of the VRF and on to the internet router.
>>>
>>>
>>>
>>>Has anyone got any ideas?
>>>
>>>
>>>
>>>
>>>
>>>Regards
>>>
>>>
>>>
>>>Duane de Witt
>>>
>>>Siemens Business Services
>>>
>>>Tel. +27 11 652 7613
>>>
>>>Fax. +27 11 652 2018
>>>
>>>
>>>
>>> 
>>>
>>>      
>>>
>>-- 
>>:r !ripewhois DOKA-RIPE
>>--------------------------------------------------------------
>>-----------
>>Never try to teach a pig to sing. It wastes your time and 
>>annoys the pig.
>>                -- Lazarus Long, "Time Enough for Love"
>>
>>
>>_______________________________________________
>>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>http://puck.nether.net/mailman/listinfo/cisco-nsp
>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>>    
>>
>
>  
>

-- 
:r !ripewhois DOKA-RIPE
-------------------------------------------------------------------------
Never try to teach a pig to sing. It wastes your time and annoys the pig.
                -- Lazarus Long, "Time Enough for Love"

More information about the cisco-nsp mailing list