[nsp] Re: NAT for MPLS VPN
Tomas Daniska
tomas at tronet.com
Wed May 21 09:51:35 EDT 2003
hm - i haven't tried with vrf->global routes, though
only for vrf-vrf traffic
and then - the loopback you are nat'ing in behalf of is not part of the vrf that the nat rule is configured for
--
deejay
> -----Original Message-----
> From: Vladimir Litovka [mailto:doka at kiev.sovam.com]
> Sent: 19 May 2003 12:34
> To: Tomas Daniska
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [nsp] Re: NAT for MPLS VPN
>
>
> Hi,
>
> can't find, where I've troubled. Here is my config and debugging
> information:
>
> ip vrf CC
> rd 12530:XXXX
> !
> interface Loopback0
> ip address 212.109.A.A 255.255.255.255
> !
> interface Tunnel0
> ip vrf forwarding CC
> ip address 192.168.149.5 255.255.255.252
> ip nat inside
> tunnel source [ ... ]
> tunnel destination [ ... ]
> !
> interface FastEthernet0/0
> description Internet
> ip address [ ... ]
> ip nat outside
> no cdp enable
> !
> ip nat inside source list 2 interface Loopback0 vrf CC overload
> ip route vrf CC 0.0.0.0 0.0.0.0 192.168.149.6
> ip route vrf CC 212.109.X.X 255.255.255.240 212.109.Y.Y global
> !
> access-list 2 permit 192.168.149.0 0.0.0.255
>
> Trying to ping:
>
> Router#ping vrf CC 212.109.Z.Z
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 212.109.Z.Z, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
>
> and looking for debug:
>
> May 19 13:20:39.999: NAT: s=192.168.149.1->212.109.A.A, d=212.109.Z.Z [3810] vrf=> CC
> May 19 13:20:40.003: NAT*: s=212.109.Z.Z, d=212.109.A.A->192.168.149.1 [29065] vrf=> CC
> May 19 13:20:41.999: NAT: s=192.168.149.1->212.109.A.A, d=212.109.Z.Z [3811] vrf=> CC
> May 19 13:20:41.999: NAT*: s=212.109.Z.Z, d=212.109.A.A->192.168.149.1 [29066] vrf=> CC
> May 19 13:20:43.999: NAT: s=192.168.149.1->212.109.A.A, d=212.109.Z.Z [3812] vrf=> CC
> May 19 13:20:43.999: NAT*: s=212.109.Z.Z, d=212.109.A.A->192.168.149.1 [29067] vrf=> CC
> May 19 13:20:45.999: NAT: s=192.168.149.1->212.109.A.A, d=212.109.Z.Z [3813] vrf=> CC
> May 19 13:20:45.999: NAT*: s=212.109.Z.Z, d=212.109.A.A->192.168.149.1 [29068] vrf=> CC
> May 19 13:20:47.999: NAT: s=192.168.149.1->212.109.A.A, d=212.109.Z.Z [3814] vrf=> CC
> May 19 13:20:47.999: NAT*: s=212.109.Z.Z, d=212.109.A.A->192.168.149.1 [29069] vrf=> CC
>
> Everything is ok - router makes translation, remote host receives echo
> requests and sends echo replies, router receives these replies and
> translates to inside addresses. But ping itself doesn't work. Somewhere
> is stupid bug, but I can't find it :-)
>
> Tomas Daniska wrote:
>
> >works nice for me
> >
> >3660 at 12.2(15)T2
> >
> >--
> >
> >deejay
> >
> >
> >
> >>-----Original Message-----
> >>From: Vladimir Litovka [mailto:doka at kiev.sovam.com]
> >>Sent: 16 May 2003 10:58
> >>To: Rolands Truls
> >>Cc: cisco-nsp at puck.nether.net
> >>Subject: [nsp] Re: NAT for MPLS VPN
> >>
> >>
> >>This feature was introduced in 12.2(13)T and named "NAT integration with
> >>MPLS VPNs":
> >>
> >>http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1839/products_feature_guide09186a00801145f5.html
> >>
> >>Does anybody have successful experience with it? I can't set it up on my
> >>2691, although Feature Navigator claims that this feature is supported on
> >>2600 series.
> >>
> >>Rolands Truls wrote:
> >>
> >>>There is no support for NAT per VRF yet.
> >>>Cisco says: "It is expected to be released sometime in the second
> >>>quarter of this year." :)
> >>>
> >>>br
> >>>Rolands
> >>>
> >>>-----Original Message-----
> >>>From: Duane de Witt [mailto:duane at uis.co.za]
> >>>Sent: Tuesday, May 28, 2002 6:21 PM
> >>>To: 'cisco-nsp at puck.nether.net'
> >>>Subject: NAT for MPLS VPN
> >>>
> >>>I have a Cisco network, currently with tag-switching running but with
> >>>no VPN's. I have a 7140 which is being used as the gateway for the
> >>>network which has a link to a 7200 handling my internet connections.
> >>>Currently the 7140 has a default route pointing to the internet
> >>>router, this route is redistributed by BGP for the rest of my network.
> >>>
> >>>When I add VPN's with VRF's I face a problem. I need the current
> >>>default gateway to stay as is for the rest of the network, but I also
> >>>need some kind of default gateway for the specific VRF and then I need
> >>>to be able to get those packets out of the VPN and to the internet. I
> >>>was planning on using the 7140 with some kind of NAT config with
> >>>subinterfaces on the gateway within the VRF as the inside interface
> >>>and then the interface connecting to the internet router as the
> >>>outside interface. I don't know how to get the packets out of the VRF
> >>>and on to the internet router.
> >>>
> >>>Has anyone got any ideas?
> >>>
> >>>Regards
> >>>
> >>>Duane de Witt
> >>>Siemens Business Services
> >>>Tel. +27 11 652 7613
> >>>Fax. +27 11 652 2018
> >>>
> >>--
> >>:r !ripewhois DOKA-RIPE
> >>-------------------------------------------------------------------------
> >>Never try to teach a pig to sing. It wastes your time and
> >>annoys the pig.
> >> -- Lazarus Long, "Time Enough for Love"
> >>
>
> --
> :r !ripewhois DOKA-RIPE
> -------------------------------------------------------------------------
> Never try to teach a pig to sing. It wastes your time and
> annoys the pig.
> -- Lazarus Long, "Time Enough for Love"
>
>
>
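
An added example, not part of any message in this thread: a Python check that pairs each outbound translation in `debug ip nat` output with its return translation per flow and VRF, the symmetry the quoted debug is read for by eye. The sample lines are constructed in the format quoted above, with documentation addresses in place of the masked ones; the function names are hypothetical.

```python
import re

# Constructed sample in the format of the quoted `debug ip nat` output.
# Addresses are documentation ranges; the last request has no reply.
SAMPLE = """\
May 19 13:20:39.999: NAT: s=192.168.149.1->203.0.113.1, d=198.51.100.9 [3810] vrf=> CC
May 19 13:20:40.003: NAT*: s=198.51.100.9, d=203.0.113.1->192.168.149.1 [29065] vrf=> CC
May 19 13:20:41.999: NAT: s=192.168.149.1->203.0.113.1, d=198.51.100.9 [3811] vrf=> CC
May 19 13:20:41.999: NAT*: s=198.51.100.9, d=203.0.113.1->192.168.149.1 [29066] vrf=> CC
May 19 13:20:43.999: NAT: s=192.168.149.1->203.0.113.1, d=198.51.100.9 [3812] vrf=> CC
"""

# "NAT*" marks a packet translated in the fast-switched path; [n] is the IP ID.
LINE = re.compile(
    r"NAT\*?: s=(?P<s>[\d.]+)(?:->(?P<s2>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d2>[\d.]+))? \[(?P<id>\d+)\](?: vrf=> (?P<vrf>\S+))?"
)


def parse(text):
    """Yield (direction, flow, ip_id); flow = (vrf, local, global, remote)."""
    for m in LINE.finditer(text):
        if m["s2"] and not m["d2"]:      # source rewritten: inside -> outside
            yield "out", (m["vrf"], m["s"], m["s2"], m["d"]), int(m["id"])
        elif m["d2"] and not m["s2"]:    # destination rewritten: outside -> inside
            yield "in", (m["vrf"], m["d2"], m["d"], m["s"]), int(m["id"])


def unanswered(text):
    """Return IP IDs of outbound translations with no later return translation."""
    pending = {}                         # flow -> outbound IP IDs still waiting
    for direction, flow, ip_id in parse(text):
        queue = pending.setdefault(flow, [])
        if direction == "out":
            queue.append(ip_id)
        elif queue:
            queue.pop(0)                 # a reply answers the oldest request
    return [ip_id for queue in pending.values() for ip_id in queue]


if __name__ == "__main__":
    print("outbound packets with no translated reply:", unanswered(SAMPLE))
```

An empty result means every request was translated in both directions, so a ping that still fails has to be explained by what happens to the reply after NAT.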