[nsp] Re: NAT for MPLS VPN

Vladimir Litovka doka at kiev.sovam.com
Wed May 21 10:58:42 EDT 2003


I've opened a case with Cisco, because all traffic except ICMP flows through 
NAT. I think it is a bug in IOS. I will inform you when there are any results.

Tomas Daniska wrote:

>hm - i haven't tried with vrf->global routes, though
>
>only for vrf-vrf traffic
>
>and then - the loopback you are nat'ing in behalf of is not part of the vrf that the nat rule is configured for
>
>--
>
>deejay 
>
>>-----Original Message-----
>>From: Vladimir Litovka [mailto:doka at kiev.sovam.com] 
>>Sent: 19 May 2003 12:34
>>To: Tomas Daniska
>>Cc: cisco-nsp at puck.nether.net
>>Subject: Re: [nsp] Re: NAT for MPLS VPN
>>
>>
>>Hi,
>>
>>I can't find where I've gone wrong. Here is my config and debugging 
>>information:
>>
>>ip vrf CC
>> rd 12530:XXXX
>>!
>>interface Loopback0
>> ip address 212.109.A.A 255.255.255.255
>>!
>>interface Tunnel0
>> ip vrf forwarding CC
>> ip address 192.168.149.5 255.255.255.252
>> ip nat inside
>> tunnel source [ ... ]
>> tunnel destination [ ... ]
>>!
>>interface FastEthernet0/0
>> description Internet
>> ip address [ ... ]
>> ip nat outside
>> no cdp enable
>>!
>>ip nat inside source list 2 interface Loopback0 vrf CC overload
>>ip route vrf CC 0.0.0.0 0.0.0.0 192.168.149.6
>>ip route vrf CC 212.109.X.X 255.255.255.240 212.109.Y.Y global
>>!
>>access-list 2 permit 192.168.149.0 0.0.0.255
>>
>>Trying to ping:
>>
>>Router#ping vrf CC 212.109.Z.Z
>>
>>Type escape sequence to abort.
>>Sending 5, 100-byte ICMP Echos to 212.109.Z.Z, timeout is 2 seconds:
>>.....
>>Success rate is 0 percent (0/5)
>>
>>and looking for debug:
>>
>>May 19 13:20:39.999: NAT: s=192.168.149.1->212.109.A.A, d=212.109.Z.Z [3810] vrf=> CC
>>May 19 13:20:40.003: NAT*: s=212.109.Z.Z, d=212.109.A.A->192.168.149.1 [29065] vrf=> CC
>>May 19 13:20:41.999: NAT: s=192.168.149.1->212.109.A.A, d=212.109.Z.Z [3811] vrf=> CC
>>May 19 13:20:41.999: NAT*: s=212.109.Z.Z, d=212.109.A.A->192.168.149.1 [29066] vrf=> CC
>>May 19 13:20:43.999: NAT: s=192.168.149.1->212.109.A.A, d=212.109.Z.Z [3812] vrf=> CC
>>May 19 13:20:43.999: NAT*: s=212.109.Z.Z, d=212.109.A.A->192.168.149.1 [29067] vrf=> CC
>>May 19 13:20:45.999: NAT: s=192.168.149.1->212.109.A.A, d=212.109.Z.Z [3813] vrf=> CC
>>May 19 13:20:45.999: NAT*: s=212.109.Z.Z, d=212.109.A.A->192.168.149.1 [29068] vrf=> CC
>>May 19 13:20:47.999: NAT: s=192.168.149.1->212.109.A.A, d=212.109.Z.Z [3814] vrf=> CC
>>May 19 13:20:47.999: NAT*: s=212.109.Z.Z, d=212.109.A.A->192.168.149.1 [29069] vrf=> CC
>>
>>Everything is ok: the router makes the translation, the remote host 
>>receives the echo requests and sends echo replies, the router receives 
>>these replies and translates them back to the inside addresses. But the 
>>ping itself doesn't work. Somewhere there is a stupid bug, but I can't 
>>find it :-)
>>
>>Tomas Daniska wrote:
>>
>>>works nice for me 
>>>
>>>3660 at 12.2(15)T2
>>>
>>>--
>>>
>>>deejay 
>>>
>>>>-----Original Message-----
>>>>From: Vladimir Litovka [mailto:doka at kiev.sovam.com] 
>>>>Sent: 16 May 2003 10:58
>>>>To: Rolands Truls
>>>>Cc: cisco-nsp at puck.nether.net
>>>>Subject: [nsp] Re: NAT for MPLS VPN
>>>>
>>>>
>>>>This feature was introduced in 12.2(13)T and is named "NAT 
>>>>integration with MPLS VPNs":
>>>>
>>>>http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1839/products_feature_guide09186a00801145f5.html
>>>>
>>>>Does anybody have successful experience with it? I can't set it 
>>>>up on my 2691, although Feature Navigator claims that this feature 
>>>>is supported on the 2600 series.
>>>>
>>>>Rolands Truls wrote:
>>>>
>>>>>There is no support for NAT per VRF yet.
>>>>>Cisco says: "It is expected to be released sometime in the second quarter of
>>>>>this year." :)
>>>>>
>>>>>br
>>>>>Rolands
>>>>>
>>>>>
>>>>>-----Original Message-----
>>>>>From: Duane de Witt [mailto:duane at uis.co.za]
>>>>>Sent: Tuesday, May 28, 2002 6:21 PM
>>>>>To: 'cisco-nsp at puck.nether.net'
>>>>>Subject: NAT for MPLS VPN
>>>>>
>>>>>
>>>>>
>>>>>I have a Cisco network, currently with tag-switching running but with no
>>>>>VPN's. I have a 7140 which is being used as the gateway for the network which
>>>>>has a link to a 7200 handling my internet connections. Currently the 7140
>>>>>has a default route pointing to the internet router; this route is
>>>>>redistributed by BGP for the rest of my network.
>>>>>
>>>>>
>>>>>
>>>>>When I add VPN's with VRF's I face a problem. I need the current default
>>>>>gateway to stay as is for the rest of the network, but I also need some kind
>>>>>of default gateway for the specific VRF and then I need to be able to get
>>>>>those packets out of the VPN and to the internet. I was planning on using
>>>>>the 7140 with some kind of NAT config with subinterfaces on the gateway
>>>>>within the VRF as the inside interface and then the interface connecting to
>>>>>the internet router as the outside interface. I don't know how to get the
>>>>>packets out of the VRF and on to the internet router.
>>>>>
>>>>>
>>>>>
>>>>>Has anyone got any ideas?
>>>>>
>>>>>Regards
>>>>>
>>>>>Duane de Witt
>>>>>Siemens Business Services
>>>>>Tel. +27 11 652 7613
>>>>>Fax. +27 11 652 2018
>>>>>
>>>>-- 
>>>>:r !ripewhois DOKA-RIPE
>>>>-------------------------------------------------------------------------
>>>>Never try to teach a pig to sing. It wastes your time and annoys the pig.
>>>>               -- Lazarus Long, "Time Enough for Love"
>>>>
>>>>
>>>>_______________________________________________
>>>>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>>http://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>archive at http://puck.nether.net/pipermail/cisco-nsp/

-- 
:r !ripewhois DOKA-RIPE
-------------------------------------------------------------------------
Never try to teach a pig to sing. It wastes your time and annoys the pig.
                -- Lazarus Long, "Time Enough for Love"
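The thread above ends with a config that looks right and `debug ip nat` output that shows both directions being translated, yet the ping fails, and the reply points at the VRF membership of the loopback the rule borrows its address from. Below is an added example (my own code, not from the cisco-nsp thread or from Cisco) of the two checks a practitioner would script before opening a case: an audit that parses the posted config shape and reports where the VRF of the `ip nat inside` interface, the `vrf` keyword on the NAT rule, and the VRF of the interface named in the rule disagree, and a parser for the debug lines that pairs each outbound translation with its return translation so asymmetric or missing directions stand out. It assumes the debug line layout exactly as quoted in the thread; the config and debug samples are constructed, with the thread's masked octets replaced by RFC 5737 documentation addresses, and the function names are mine.

```python
"""Cross-check an IOS NAT-per-VRF config against `debug ip nat` output.
Assumes the debug layout shown in the thread ('NAT: s=IL->IG, d=DST [id] vrf=> V'
outbound, 'NAT*: s=SRC, d=IG->IL [id] vrf=> V' return); all samples are constructed."""
import re
from collections import defaultdict

# Constructed config modelled on the one posted in the thread (RFC 5737 addresses).
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
interface Tunnel0
 ip vrf forwarding CC
 ip address 192.168.149.5 255.255.255.252
 ip nat inside
!
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
ip nat inside source list 2 interface Loopback0 vrf CC overload
access-list 2 permit 192.168.149.0 0.0.0.255
"""

# Constructed debug lines in the thread's format: three requests, two replies.
SAMPLE_DEBUG = """\
May 19 13:20:39.999: NAT: s=192.168.149.1->203.0.113.1, d=198.51.100.9 [3810] vrf=> CC
May 19 13:20:40.003: NAT*: s=198.51.100.9, d=203.0.113.1->192.168.149.1 [29065] vrf=> CC
May 19 13:20:41.999: NAT: s=192.168.149.1->203.0.113.1, d=198.51.100.9 [3811] vrf=> CC
May 19 13:20:41.999: NAT*: s=198.51.100.9, d=203.0.113.1->192.168.149.1 [29066] vrf=> CC
May 19 13:20:43.999: NAT: s=192.168.149.1->203.0.113.1, d=198.51.100.9 [3812] vrf=> CC
"""

RULE_RE = re.compile(r"ip nat inside source list (\S+) interface (\S+)(?: vrf (\S+))?( overload)?$")
DEBUG_RE = re.compile(r"NAT\*?: s=(?P<s>[^\s,]+), d=(?P<d>\S+) \[\d+\](?: vrf=> (?P<vrf>\S+))?$")

def parse_config(text):
    """Return (interfaces, rules): name -> {vrf, nat} plus the NAT rules found."""
    interfaces, rules, current = {}, [], None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = {"vrf": None, "nat": None}
        elif line.startswith(" ") and current:
            parts = line.split()
            if parts[:3] == ["ip", "vrf", "forwarding"]:
                interfaces[current]["vrf"] = parts[3]
            elif parts[:2] == ["ip", "nat"]:
                interfaces[current]["nat"] = parts[2]
        else:
            current = None  # '!' or a global command ends the interface block
            m = RULE_RE.match(line)
            if m:
                rules.append({"acl": m.group(1), "interface": m.group(2), "vrf": m.group(3), "overload": bool(m.group(4))})
    return interfaces, rules

def audit_nat_vrf(interfaces, rules):
    """Report where the VRF of NAT-inside interfaces, the rule's VRF and the VRF of the
    interface whose address the rule borrows disagree (the point raised in the thread)."""
    findings = []
    inside = {n: i["vrf"] for n, i in interfaces.items() if i["nat"] == "inside"}
    for r in rules:
        for name, vrf in inside.items():
            if vrf != r["vrf"]:
                findings.append(f"{name} is NAT inside in vrf {vrf} but the rule is scoped to vrf {r['vrf']}")
        src = interfaces[r["interface"]]  # KeyError if the rule names an interface not in the config
        if src["vrf"] != r["vrf"]:
            findings.append(f"rule for vrf {r['vrf']} borrows the address of {r['interface']}, "
                            f"which is in {src['vrf'] or 'the global table'}")
    return findings

def parse_debug(text):
    """One dict per debug line; the 'a->b' field tells which direction was translated."""
    events = []
    for line in text.splitlines():
        m = DEBUG_RE.search(line)
        if not m:
            continue
        s, d, vrf = m.group("s"), m.group("d"), m.group("vrf")
        if "->" in s:     # inside -> outside: source rewritten to the inside-global address
            il, ig = s.split("->")
            events.append({"dir": "out", "il": il, "ig": ig, "peer": d, "vrf": vrf})
        elif "->" in d:   # outside -> inside: inside-global restored to inside-local
            ig, il = d.split("->")
            events.append({"dir": "in", "il": il, "ig": ig, "peer": s, "vrf": vrf})
    return events

def summarize(events):
    """Pair returns with outbound translations on the same (inside-local, inside-global, peer, vrf)."""
    out, back = defaultdict(int), defaultdict(int)
    for e in events:
        (out if e["dir"] == "out" else back)[(e["il"], e["ig"], e["peer"], e["vrf"])] += 1
    return {"requests": sum(out.values()),
            "replies_matched": sum(min(n, back.get(k, 0)) for k, n in out.items()),
            "replies_unmatched": sum(n for k, n in back.items() if k not in out)}

if __name__ == "__main__":
    ifs, rules = parse_config(SAMPLE_CONFIG)
    print(audit_nat_vrf(ifs, rules), summarize(parse_debug(SAMPLE_DEBUG)))
```

On the constructed sample the audit reports exactly one item, the loopback in the global table being borrowed by a rule scoped to vrf CC, and the debug summary shows every return paired with an outbound translation in the same VRF. That matches the thread's observation that the NAT path itself looks symmetric, so the packet loss has to be looked for after un-translation rather than in the translation entries.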



