[c-nsp] VRF-lite dynamic NAT

Josh Fleishman josh.fleishman at gmail.com
Mon May 4 12:48:29 EDT 2009 

I have a CE configured with VRF-lite. Packets coming into the CE from the
core destined to two /32 addresses need to be translated to a single real ip
address of a server connected to the CE LAN.  This is a two to one dynamic
NAT translation.  Since this is outside-to-inside traffic, I have attempted
the following configuration using an NVI, but it's failing:

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version
12.4(23), RELEASE SOFTWARE (fc1)

ip nat pool inside-global 1.1.1.100 1.1.1.100 netmask
255.255.255.0              ! Testing with one address, but will require two

access-list 1 permit 172.21.240.74

ip route vrf TEST 1.1.1.100 255.255.255.255 GigabitEthernet0/1.52
172.21.240.74

ip nat source list 1 pool inside-global vrf TEST

interface GigabitEthernet0/0/0.921
  ip nat enable

interface GigabitEthernet0/1.52
 description vlan CE LAN
 encapsulation dot1Q 52
 ip vrf forwarding TEST
 ip address 172.21.240.73 255.255.255.248
 ip nat enable
 ip virtual-reassembly

interface GigabitEthernet0/0/0.921
 description CORE
 encapsulation dot1Q 921
 ip vrf forwarding TEST
 ip address 172.21.128.22 255.255.255.252
 ip nat enable

May  4 16:30:39.104 GMT: NAT: no portlist for proto 17 globaladdr 1.1.1.100
port 60165
May  4 16:30:41.812 GMT: NAT*: Can't create new inside entry -
forced_punt_flags: 0
May  4 16:30:42.176 GMT: NAT: expiring 1.1.1.100 (172.21.240.74) udp 60165
(60165)
May  4 16:30:42.176 GMT: NAT: no portlist for proto 17 globaladdr 1.1.1.100
port 60165
May  4 16:30:43.808 GMT: NAT*: Can't create new inside entry -
forced_punt_flags: 0
May  4 16:30:45.248 GMT: NAT: expiring 1.1.1.100 (172.21.240.74) udp 60165
(60165)
May  4 16:30:45.248 GMT: NAT: no portlist for proto 17 globaladdr 1.1.1.100
port 60165
May  4 16:30:45.808 GMT: NAT*: Can't create new inside entry -
forced_punt_flags: 0
May  4 16:30:47.808 GMT: NAT*: Can't create new inside entry -
forced_punt_flags: 0
May  4 16:30:48.320 GMT: NAT: expiring 1.1.1.100 (172.21.240.74) udp 60165
(60165)

inside to outside translations appear to be working fine for traffic
originating from the server sent towards the core.

This will work with a static NAT translation without issue.  I've also
attempted outside-to-inside with route-maps using the 'reversible' keyword,
but without success.  Any suggestions?

Thanks,
Josh

More information about the cisco-nsp mailing list