[c-nsp] VPN/VRF/NAT problem

Ronan Mullally ronan at iol.ie
Fri Jul 9 12:39:44 EDT 2010


I've got a VPN setup something like:


  Remote site --- Third Party Network --- Cisco 2811 --- Internet
            |                             |       |
            |<----------- VPN ----------->| VRF X |
                                                  ^
   10.x.y.z                                    NAT to a.b.c.d

The remote site is accessing a private network on the 2811 in VRF X.
It's doing so using an IPSEC tunnel across the Internet via an untrusted
third party network.  All IP traffic leaving the remote site is pushed
through the IPSEC tunnel and emerges in VRF X.  Everything works as
expected, except...

Traffic egressing VRF X onto the Internet is not getting NATed.  It's
emerging with a 10.x.y.z address.  We have other links in this VRF
delivered via VPDN which do not have this problem.  Their traffic is NATed
correctly.

The external interface on the 2811 is configured with 'ip nat outside'.
The VPDN interfaces have 'ip nat inside'.  I suspect the issue is arising
as the traffic emerging from the VPN tunnel is not being considered for
NAT.

I'm NATing with:

 ip nat pool cust-X a.b.c.d a.b.c.d netmask 255.255.255.128
 ip nat inside source list cust-X pool cust-X mapping-id 10 vrf X overload

Am I missing something?  Is there some way for me to tell the 2811 that
traffic coming out of the tunnel is on the inside?  (might match-in-vrf
help?)

Thanks in advance,


-Ronan
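Added illustration (editor's example, not part of Ronan's post or a reply to it): one common way to make tunnel traffic eligible for VRF-aware NAT on IOS is to terminate the IPsec tunnel on a virtual tunnel interface (VTI) that is placed in VRF X and marked `ip nat inside`, so decrypted packets arrive on an inside interface rather than on the `ip nat outside` Internet interface. Interface numbers, the VRF RD, the transform set and profile names, the tunnel addresses and the remote-site prefix below are all placeholders; the two `ip nat` lines are copied from the post. Whether this matches the 2811's actual crypto configuration is an assumption.

```cisco
! ---- Added example configuration; all names and addresses are placeholders ----

! VRF for the customer private network (RD is a placeholder)
ip vrf X
 rd 65000:10

! Minimal IPsec profile for the VTI (IKE policy / keying assumed to exist)
crypto ipsec transform-set TS-CUST-X esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile PROF-CUST-X
 set transform-set TS-CUST-X

! Internet-facing interface: global routing table, NAT outside (as in the post).
! 192.0.2.10 is a placeholder public address.
interface FastEthernet0/0
 description Internet
 ip address 192.0.2.10 255.255.255.0
 ip nat outside

! Virtual tunnel interface: terminates the IPsec tunnel from the remote site.
! Decrypted traffic enters directly in VRF X and is marked NAT inside, so the
! VRF-aware NAT rule below sees it. Tunnel source stays in the global table
! (no 'tunnel vrf'), matching an Internet-facing outside interface.
! 10.255.255.1/30 and 198.51.100.20 are placeholders.
interface Tunnel10
 description IPsec VTI to remote site
 ip vrf forwarding X
 ip address 10.255.255.1 255.255.255.252
 ip nat inside
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.20
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF-CUST-X

! Remote-site prefix to translate (placeholder standing in for 10.x.y.z)
ip access-list standard cust-X
 permit 10.100.0.0 0.0.0.255

! NAT rule as given in the post: inside sources in VRF X are translated to the
! pool; the outside interface remains in the global table.
ip nat pool cust-X a.b.c.d a.b.c.d netmask 255.255.255.128
ip nat inside source list cust-X pool cust-X mapping-id 10 vrf X overload
```

To confirm translation is actually happening for tunnel traffic, `show ip nat translations vrf X` should list entries for the remote-site sources after traffic passes, and `show ip nat statistics` should list Tunnel10 under the inside interfaces. On the `match-in-vrf` question raised in the post: that keyword is for the case where the inside and outside interfaces are both in the same VRF; in the topology as drawn, with the Internet interface in the global table and only the tunnel in VRF X, the `vrf X` form already shown is the one that applies.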
