[nsp] Re: NAT for MPLS VPN

Ejay Hire ejay.hire at isdn.net
Wed May 21 14:37:08 EDT 2003


I may be way off, but it sounds like you may be running up against a new incantation of an old Cisco "feature".  If you access an outside static NAT'd IP address from inside the network, it fails.  This "feature" can be worked around by placing a host route to the offending external IP pointing at the outside interface.

i.e.
 interface e 0
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
 interface s 0
 ip address 172.16.131.254 255.255.255.0
 ip nat outside

 access-list 7 deny host 10.10.10.1
 access-list 7 permit 10.10.10.0 0.0.0.255

 ip nat inside source list 7 interface serial 0 overload
 ip nat inside source static tcp 10.10.10.1 25 172.16.131.254 25

If you try to access port 25 of 172.16.131.254 from outside the network, it works fine.  From inside the network it doesn't work.  Adding the command ip route 172.16.131.254 255.255.255.255 s0 fixes it.

-Ejay
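As an added illustration (my own code, not from the thread), here is a small Python checker that scans IOS config text for the condition Ejay describes: a static inside-source mapping whose global address is the address of an "ip nat outside" interface, with no /32 host route for it. The sample config is constructed from the one above; the function names are my own.

```python
from typing import List, Set

# Constructed sample: the post's config without the host-route workaround.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
interface Serial0
 ip address 172.16.131.254 255.255.255.0
 ip nat outside
access-list 7 deny host 10.10.10.1
access-list 7 permit 10.10.10.0 0.0.0.255
ip nat inside source list 7 interface Serial0 overload
ip nat inside source static tcp 10.10.10.1 25 172.16.131.254 25
"""
WORKAROUND = "ip route 172.16.131.254 255.255.255.255 Serial0\n"

def outside_interface_addrs(config: str) -> Set[str]:
    """Addresses of interfaces configured with 'ip nat outside'."""
    addrs, cur_ip = set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur_ip = None                      # new interface block
        elif line.startswith("ip address "):
            cur_ip = line.split()[2]
        elif line == "ip nat outside" and cur_ip:
            addrs.add(cur_ip)
    return addrs

def static_global_addrs(config: str) -> List[str]:
    """Global addresses on 'ip nat inside source static' lines (plain or tcp/udp port form)."""
    out = []
    for t in (l.split() for l in config.splitlines()):
        if t[:5] != ["ip", "nat", "inside", "source", "static"]:
            continue
        ported = len(t) > 5 and t[5] in ("tcp", "udp")
        if len(t) >= (9 if ported else 7):
            out.append(t[8] if ported else t[6])
    return out

def host_routes(config: str) -> Set[str]:
    """Destinations that have an explicit /32 static route."""
    return {t[2] for t in (l.split() for l in config.splitlines())
            if t[:2] == ["ip", "route"] and len(t) > 3 and t[3] == "255.255.255.255"}

def hairpin_gaps(config: str) -> List[str]:
    """Static-NAT globals on an outside interface with no /32 host route (the post's workaround)."""
    outside, routed = outside_interface_addrs(config), host_routes(config)
    return [g for g in static_global_addrs(config) if g in outside and g not in routed]
```

Running hairpin_gaps on SAMPLE_CONFIG reports 172.16.131.254; appending WORKAROUND clears it.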

-----Original Message-----
From: Vladimir Litovka [mailto:doka at kiev.sovam.com]
Sent: Wednesday, May 21, 2003 1:59 AM
To: Tomas Daniska
Cc: cisco-nsp at puck.nether.net
Subject: Re: [nsp] Re: NAT for MPLS VPN


I've opened a case with Cisco, because all traffic except ICMP flows through
NAT. I think it is a bug in IOS. I will inform you when there are any results.

Tomas Daniska wrote:

>hm - i haven't tried with vrf->global routes, though
>
>only for vrf-vrf traffic
>
>and then - the loopback you are nat'ing on behalf of is not part of the vrf that the nat rule is configured for
>
>--
>
>deejay
>
>>-----Original Message-----
>>From: Vladimir Litovka [mailto:doka at kiev.sovam.com] 
>>Sent: 19. mája 2003 12:34
>>To: Tomas Daniska
>>Cc: cisco-nsp at puck.nether.net
>>Subject: Re: [nsp] Re: NAT for MPLS VPN
>>
>>
>>Hi,
>>
>>I can't find where I've gone wrong. Here is my config and debugging
>>information:
>>
>>ip vrf CC
>> rd 12530:XXXX
>>!
>>interface Loopback0
>> ip address 212.109.A.A 255.255.255.255
>>!
>>interface Tunnel0
>> ip vrf forwarding CC
>> ip address 192.168.149.5 255.255.255.252
>> ip nat inside
>> tunnel source [ ... ]
>> tunnel destination [ ... ]
>>!
>>interface FastEthernet0/0
>> description Internet
>> ip address [ ... ]
>> ip nat outside
>> no cdp enable
>>!
>>ip nat inside source list 2 interface Loopback0 vrf CC overload
>>ip route vrf CC 0.0.0.0 0.0.0.0 192.168.149.6
>>ip route vrf CC 212.109.X.X 255.255.255.240 212.109.Y.Y global
>>!
>>access-list 2 permit 192.168.149.0 0.0.0.255
>>
>>Trying to ping:
>>
>>Router#ping vrf CC 212.109.Z.Z
>>
>>Type escape sequence to abort.
>>Sending 5, 100-byte ICMP Echos to 212.109.Z.Z, timeout is 2 seconds:
>>.....
>>Success rate is 0 percent (0/5)
>>
>>and looking for debug:
>>
>>May 19 13:20:39.999: NAT: s=192.168.149.1->212.109.A.A, d=212.109.Z.Z [3810] vrf=> CC
>>May 19 13:20:40.003: NAT*: s=212.109.Z.Z, d=212.109.A.A->192.168.149.1 [29065] vrf=> CC
>>May 19 13:20:41.999: NAT: s=192.168.149.1->212.109.A.A, d=212.109.Z.Z [3811] vrf=> CC
>>May 19 13:20:41.999: NAT*: s=212.109.Z.Z, d=212.109.A.A->192.168.149.1 [29066] vrf=> CC
>>May 19 13:20:43.999: NAT: s=192.168.149.1->212.109.A.A, d=212.109.Z.Z [3812] vrf=> CC
>>May 19 13:20:43.999: NAT*: s=212.109.Z.Z, d=212.109.A.A->192.168.149.1 [29067] vrf=> CC
>>May 19 13:20:45.999: NAT: s=192.168.149.1->212.109.A.A, d=212.109.Z.Z [3813] vrf=> CC
>>May 19 13:20:45.999: NAT*: s=212.109.Z.Z, d=212.109.A.A->192.168.149.1 [29068] vrf=> CC
>>May 19 13:20:47.999: NAT: s=192.168.149.1->212.109.A.A, d=212.109.Z.Z [3814] vrf=> CC
>>May 19 13:20:47.999: NAT*: s=212.109.Z.Z, d=212.109.A.A->192.168.149.1 [29069] vrf=> CC
>>
>>Everything is ok - the router makes the translation, the remote host
>>receives echo requests and sends echo replies, the router receives these
>>replies and translates to inside addresses. But ping itself doesn't work.
>>Somewhere there is a stupid bug, but I can't find it :-)
>>
>>Tomas Daniska wrote:
>>
>>>works nicely for me
>>>
>>>3660 at 12.2(15)T2
>>>
>>>--
>>>
>>>deejay
>>>
>>>>-----Original Message-----
>>>>From: Vladimir Litovka [mailto:doka at kiev.sovam.com] 
>>>>Sent: 16. mája 2003 10:58
>>>>To: Rolands Truls
>>>>Cc: cisco-nsp at puck.nether.net
>>>>Subject: [nsp] Re: NAT for MPLS VPN
>>>>
>>>>
>>>>This feature was introduced in 12.2(13)T and named "NAT integration with
>>>>MPLS VPNs":
>>>>
>>>>http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1839/products_feature_guide09186a00801145f5.html
>>>>
>>>>Does anybody have successful experience with it? I can't set it up on my
>>>>2691, although Feature Navigator claims that this feature is supported on
>>>>the 2600 series.
>>>>
>>>>Rolands Truls wrote:
>>>>
>>>>>There is no support for NAT per VRF yet.
>>>>>Cisco says: "It is expected to be released sometime in the second quarter of
>>>>>this year." :)
>>>>>
>>>>>br
>>>>>Rolands
>>>>>
>>>>>
>>>>>-----Original Message-----
>>>>>From: Duane de Witt [mailto:duane at uis.co.za]
>>>>>Sent: Tuesday, May 28, 2002 6:21 PM
>>>>>To: 'cisco-nsp at puck.nether.net'
>>>>>Subject: NAT for MPLS VPN
>>>>>
>>>>>
>>>>>
>>>>>I have a Cisco network, currently with tag-switching running but with no
>>>>>VPNs. I have a 7140 which is being used as the gateway for the network which
>>>>>has a link to a 7200 handling my internet connections. Currently the 7140
>>>>>has a default route pointing to the internet router, this route is
>>>>>redistributed by BGP for the rest of my network.
>>>>>
>>>>>When I add VPNs with VRFs I face a problem. I need the current default
>>>>>gateway to stay as is for the rest of the network, but I also need some kind
>>>>>of default gateway for the specific VRF and then I need to be able to get
>>>>>those packets out of the VPN and to the internet. I was planning on using
>>>>>the 7140 with some kind of NAT config with subinterfaces on the gateway
>>>>>within the VRF as the inside interface and then the interface connecting to
>>>>>the internet router as the outside interface. I don't know how to get the
>>>>>packets out of the VRF and on to the internet router.
>>>>>
>>>>>Has anyone got any ideas?
>>>>>
>>>>>Regards
>>>>>
>>>>>Duane de Witt
>>>>>Siemens Business Services
>>>>>Tel. +27 11 652 7613
>>>>>Fax. +27 11 652 2018
>>>>>

-- 
:r !ripewhois DOKA-RIPE
-------------------------------------------------------------------------
Never try to teach a pig to sing. It wastes your time and annoys the pig.
                -- Lazarus Long, "Time Enough for Love"


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


