[c-nsp] VRF aware NAT / route leaking issues

Chris Wopat me at falz.net
Mon Jun 7 11:37:00 EDT 2010


Looking for some help on getting VRF-aware NAT and route leaking to
work nicely.

The configs listed below do work for a single router to get internet
access with NAT from a VRF. However, I'm trying to give access to the
other side of the VRF and it's not working.

This is the config for the side that has the internet access (fa0/0)
and things work fine there. Serial0/0/0 is where MPLS is used to reach
a server. This server (192.168.100.0/24) is what is attempting to get
internet access through Fa0/0 and cannot. Traffic otherwise works fine
between that and 192.168.1.0/24:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
interface FastEthernet0/0
 ip address 55.125.25.2 255.255.255.252
 ip nat outside

interface FastEthernet0/1
 ip vrf forwarding VRF
 ip address 192.168.1.10 255.255.255.0
 ip nat inside

interface Serial0/0/0
 ip address 88.160.7.29 255.255.255.254
 ip nat outside
 mpls ip

interface Loopback0
 ip address 88.160.7.30 255.255.255.255

ip nat pool POOL-NAT 55.125.25.2 55.125.25.2 netmask 255.255.255.252
ip nat inside source route-map ROUTEMAP-NAT interface FastEthernet0/0 vrf VRF overload
ip nat inside source static tcp 192.168.1.103 25 55.125.25.2 25 vrf VRF extendable

route-map ROUTEMAP-NAT permit 10
 match ip address ACL-NAT

ip access-list extended ACL-NAT
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.100.0 0.0.0.255 any

ip route 0.0.0.0 0.0.0.0 55.125.25.2
ip route vrf VRF 0.0.0.0 0.0.0.0 55.125.25.2 global

router bgp 666
 address-family ipv4 vrf VRF
  redistribute connected
  redistribute static
  default-information originate
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


Here's what the routes look like on the other side of the VRF:

sh ip route vrf VRF | begin Gateway
Gateway of last resort is 88.160.7.30 to network 0.0.0.0

B    192.168.1.0/24 [200/0] via 88.160.7.30, 23:26:24
C    192.168.100.0/24 is directly connected, Vlan851
B*   0.0.0.0/0 [200/0] via 88.160.7.30, 09:45:32


I've looked at these (and a few other) config examples:

* https://supportforums.cisco.com/docs/DOC-8403
* http://7200emu.hacki.at/viewtopic.php?t=2799
* http://sites.google.com/site/amitsciscozone/home/mpls/vrf-aware-nat

Thanks,
Chris

