[c-nsp] NAT-ON-A-STICK for VRF Traffic

Ziv Leyes zivl at gilat.net
Tue Aug 25 02:42:03 EDT 2009


You can tell your customers the VPN's purpose isn't ICMP but some other important things; as long as those work, they should stop "checking" and start working!
Just kidding...


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy Saykao
Sent: Tuesday, August 25, 2009 5:36 AM
To: Ivan Pepelnjak; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] NAT-ON-A-STICK for VRF Traffic

I've been able to get this working using NVI but I'm finding the
traceroute is a bit strange. It times out after the Internet GW
interface (202.45.118.x) which is on NAT-PE. When I go back to using NAT
inside/outside interfaces, the traceroute goes through fine. Any ideas
why an NVI would not give a full traceroute of all the hops? Internet
connectivity is fine so I can't complain, but I don't want VPN customers
asking why the traceroute isn't showing properly.

My topology is like this:

CE1 --10.15.99.4/30--> PE1 -> P --202.45.118.x/30--> NAT-PE
<--10.15.99.8/30-- CE2

From CE1 side:

C:\Documents and Settings\Andy>tracert www.google.com

Tracing route to www.l.google.com [66.102.11.99] over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.2.1
  2    23 ms    21 ms    20 ms  10.15.99.5
  3    19 ms    18 ms    20 ms  202.45.118.x
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.

From CE2 (directly connected to NAT-PE):

C:\Users\sysadmin>tracert www.yahoo.com

Tracing route to www-real.wa1.b.yahoo.com [209.131.36.158] over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.15.99.9
  2    <1 ms    <1 ms    <1 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
  3     1 ms    <1 ms    <1 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
  4    12 ms    12 ms    12 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
  5    12 ms    13 ms    12 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
  6     *        *        *     Request timed out.
  7    12 ms    12 ms    12 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
  8   172 ms   172 ms   172 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
  9   173 ms   172 ms   172 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
 10   173 ms   173 ms   173 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
 11   173 ms   173 ms   173 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
 12   173 ms   174 ms   173 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]

Trace complete.

Not sure why all the hops don't show up when I do a traceroute from
either CE?

Thanks.

Andy


-----Original Message-----
From: Ivan Pepelnjak [mailto:ip at ioshints.info]
Sent: Monday, 17 August 2009 11:42 PM
To: Andy Saykao; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] NAT-ON-A-STICK for VRF Traffic

It's probably easier to use the NAT Virtual Interface ("ip nat enable"
instead of "ip nat inside|outside") in a VRF environment. You also don't
need NAT-on-a-stick with NVI.

Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Andy Saykao [mailto:andy.saykao at staff.netspace.net.au]
> Sent: Monday, August 17, 2009 2:59 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] NAT-ON-A-STICK for VRF Traffic
>
> I want to set up a NAT-PE Internet Gateway and NAT vrf traffic using
> NAT-ON-A-STICK. Is this possible?
>
> Easy enough to do when it's IP traffic using policy-based routing as
> per this article:
>
> http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml
>
> Just wondering how you would apply the article in relation to when the
> traffic is MPLS/VRF based.
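For readers following Ivan's advice, the following is an added example of an NVI-based NAT configuration on the NAT-PE; it is not configuration from any poster in this thread. It uses "ip nat enable" on both the Internet-facing global interface and the VRF-facing interface, so no loopback/PBR hairpin (NAT-on-a-stick) is needed. The VRF name, RD/route-target values, interface names, ACL number, the specific 202.45.118.x addresses and the customer prefixes are all assumptions chosen to match the topology in the thread; replace them with your own. Customer traffic arriving over MPLS from PE1 lands in the same VRF and is translated by the same rule as the directly connected CE2.

```cisco
! Added example, not from the thread. NVI-based NAT for VRF customers on NAT-PE.
! VRF name, RD/RT, interfaces, ACL and addresses are assumptions.
!
! Customer VRF (RD and route-target values are placeholders).
ip vrf CUST-A
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
!
! Internet-facing global interface: "ip nat enable" replaces "ip nat outside".
interface GigabitEthernet0/0
 description Internet GW (assumed 202.45.118.2, upstream 202.45.118.1)
 ip address 202.45.118.2 255.255.255.252
 ip nat enable
!
! VRF-facing interface towards CE2: "ip nat enable" replaces "ip nat inside".
! Labelled traffic from CE1 via PE1/P also arrives in CUST-A and is handled alike.
interface GigabitEthernet0/1
 description CE2 in CUST-A
 ip vrf forwarding CUST-A
 ip address 10.15.99.9 255.255.255.252
 ip nat enable
!
! Only the customer prefixes listed here are eligible for translation; keep this
! list tight so unexpected RFC1918 sources in the VRF are not PATed to the Internet.
access-list 10 permit 10.15.99.0 0.0.0.255
access-list 10 permit 192.168.2.0 0.0.0.255
!
! PAT CUST-A sources to the Internet interface address. With NVI the rule is
! "ip nat source" (no inside/outside keyword) and the VRF is named explicitly.
ip nat source list 10 interface GigabitEthernet0/0 vrf CUST-A overload
!
! Default route inside the VRF that leaks into the global table so VRF traffic
! reaches the Internet interface.
ip route vrf CUST-A 0.0.0.0 0.0.0.0 GigabitEthernet0/0 202.45.118.1 global
```

To confirm the translation is actually happening per VRF, check "show ip nat nvi translations" and "show ip nat nvi statistics" on NAT-PE while a CE generates traffic; entries should show the CUST-A source mapped to the GigabitEthernet0/0 address. If the customer ACL is too broad, the same output is where an unexpected source prefix being translated will first show up.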


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________

This email and any files transmitted with it are confidential and intended
 solely for the use of the individual or entity to whom they are addressed.
Please notify the sender immediately by email if you have received this
email by mistake and delete this email from your system. Please note that
 any views or opinions presented in this email are solely those of the
 author and do not necessarily represent those of the organisation.
Finally, the recipient should check this email and any attachments for
the presence of viruses. The organisation accepts no liability for any
damage caused by any virus transmitted by this email.

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************





__________ Information from ESET NOD32 Antivirus, version of virus signature database 4364 (20090824) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com


