[c-nsp] ASr1k: NAT between Customer VRFs and Global VRF
Matthew Melbourne
matt at melbourne.org.uk
Fri Sep 3 10:54:57 EDT 2010
Hi,
I'm trying to configure basic static NAT between customer VRFs and the
Global VRF on an ASR.
The basic configuration (for a single customer) is:
interface GigabitEthernet0/0/1
description iVRFs (Customer VRFs/VLANs)
no ip address
carrier-delay msec 0
negotiation auto
!
interface GigabitEthernet0/0/1.90
description NOC (NATed network; Global VRF)
encapsulation dot1Q 90
ip address 172.20.0.4 255.255.0.0
ip nat outside
ip virtual-reassembly
!
interface GigabitEthernet0/0/1.400
description Customer 1 Identifier (VLAN 400)
vrf forwarding CUST-1
encapsulation dot1Q 400
ip address 10.200.0.2 255.255.254.0
ip nat inside
ip virtual-reassembly
!
ip nat inside source static 10.200.0.16 172.20.0.16 vrf CUST-1
!
ip route vrf CUST-1 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1.90 172.20.0.1 global
Is it by design that the NATed addresses (e.g. 172.20.0.16) are only
reachable from 172.20.0.1, and not from any other devices residing in
VLAN 90? In the model where Internet connectivity is provided by a
next-hop PE device, this would make sense. Effectively, I'd be
terminating the 172.20.0.1 on a firewall for management access into
statically NATed hosts in customer VRFs, which would also inherently
prevent access between static NATed hosts in different VRFs, if
172.20.0.1 is the only device capable of reaching the NATed hosts.
--
Matthew Melbourne