[c-nsp] NAT Global to FVRF

Ramcharan, Vijay A vijay.ramcharan at verizonbusiness.com
Thu Aug 20 15:58:47 EDT 2009 

This caught my interest as the scenarios I've worked with were in the
reverse, i.e. Internet access provided for VRF via the global routing
table interface/address. 

Here's what appears to be a working config (NAT config is on a 1710
running 12.4.25b IP/FW/3DES code): 

ip vrf inet
 rd 1:1
 !import ipv4 unicast map rtm_global !=> If you wanted to import routes
from the global routing table


interface Ethernet0
 ip vrf forwarding inet
 ip address 192.168.248.113 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 full-duplex

interface FastEthernet0
 ip vrf receive inet
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map set_to_vrf_intf
 speed auto
 full-duplex

!router bgp 65002	!=> Only if doing IPv4 prefix import from global
routing table or if you're actually using BGP 
 bgp log-neighbor-changes
 !
 address-family ipv4
  redistribute connected
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf inet
  no synchronization
 exit-address-family
!

ip route 0.0.0.0 0.0.0.0 Ethernet0 192.168.248.1	!=> Global
default route points to next hop which is in inet VRF
ip route vrf inet 0.0.0.0 0.0.0.0 192.168.248.1		!=> Static
default in inet VRF pointing at "ISP" next-hop

ip nat inside source list acl_match_global interface Ethernet0 vrf inet
overload

ip access-list extended acl_match_global
 permit ip 10.1.1.0 0.0.0.255 any

route-map set_to_vrf_intf permit 10
 set vrf inet
!
!-----------------------
!Test ping from a device (10.1.1.2) reachable via global routing table
using 10.1.1.1 (NAT router) as its default gateway
7206-NPE175#ping 4.2.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/28 ms
7206-NPE175#
!-----------------------
NAT Debugs
000230: *Jan 10 12:01:53.235: NAT: [1] Allocated Port for 10.1.1.2 ->
192.168.248.113: wanted 35 got 35
000231: *Jan 10 12:01:53.235: NAT*: i: icmp (10.1.1.2, 35) -> (4.2.2.1,
35) [1089]
000232: *Jan 10 12:01:53.239: NAT*: i: icmp (10.1.1.2, 35) -> (4.2.2.1,
35) [1089]
000233: *Jan 10 12:01:53.239: NAT*: s=10.1.1.2->192.168.248.113,
d=4.2.2.1 [1089] vrf=> inet
000234: *Jan 10 12:01:53.259: NAT*: o: icmp (4.2.2.1, 35) ->
(192.168.248.113, 35) [35412]
000235: *Jan 10 12:01:53.259: NAT*: s=4.2.2.1,
d=192.168.248.113->10.1.1.2 [35412] vrf=> inet
000236: *Jan 10 12:01:53.259: NAT*: i: icmp (10.1.1.2, 35) -> (4.2.2.1,
35) [1090]
000237: *Jan 10 12:01:53.263: NAT*: s=10.1.1.2->192.168.248.113,
d=4.2.2.1 [1090] vrf=> inet
000238: *Jan 10 12:01:53.283: NAT*: o: icmp (4.2.2.1, 35) ->
(192.168.248.113, 35) [35413]
000239: *Jan 10 12:01:53.283: NAT*: s=4.2.2.1,
d=192.168.248.113->10.1.1.2 [35413] vrf=> inet
000240: *Jan 10 12:01:53.283: NAT*: i: icmp (10.1.1.2, 35) -> (4.2.2.1,
35)
!
!------------------------
c1710#sh ip ro vrf *
...
Gateway of last resort is 192.168.248.1 to network 0.0.0.0
     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback1111
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet0
S*   0.0.0.0/0 [1/0] via 192.168.248.1, Ethernet0

Routing Table: inet
...
Gateway of last resort is 192.168.248.1 to network 0.0.0.0
     1.0.0.0/32 is subnetted, 1 subnets
B       1.1.1.1 is directly connected, 00:56:37, Loopback1111
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet0
C    192.168.248.0/24 is directly connected, Ethernet0
S*   0.0.0.0/0 [1/0] via 192.168.248.1
c1710#
!------------------------


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Luan Nguyen
Sent: Thursday, August 20, 2009 11:51 AM
To: giesen at snickers.org; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] NAT Global to FVRF

I think the problem is because your VRF Red doesn't have route to the
LAN.
If [LAN] is switch, then you could try to create a route in VRF Red for
the LAN network with the next hop is the IP address of the switch.

Regards,

----------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net
----------------------------

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gary T. Giesen
Sent: Thursday, August 20, 2009 11:19 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] NAT Global to FVRF

I've got a customer that requires localized Internet access from their
DMVPN router (they currently receive a default route over the VPN).

Their router is setup with the customer (inside) network in the global
routing table, and their Internet connection sits inside a Front door
VRF (FVRF). Has anyone done this, and have a working config? I've tried
all manner of options but have yet to be successful NAT'ing between the
global inside and outside FVRF.


[ LAN ] ---[ CPE ]--- [ Internet ]
Global      ------->   VRF "RED"
                  NAT


GG
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

______________________________________________________________________
This e-mail has been scanned by Verizon Managed Email Content Service,
using Skeptic(tm) technology powered by MessageLabs. For more
information on Verizon Managed Email Content Service, visit
http://www.verizonbusiness.com.
______________________________________________________________________

More information about the cisco-nsp mailing list