[c-nsp] ASr1k: NAT between Customer VRFs and Global VRF

Matthew Melbourne matt at melbourne.org.uk
Fri Sep 3 10:54:57 EDT 2010


Hi,

I'm trying to configure basic static NAT between customer VRFs and the
Global VRF on an ASR.

The basic configuration (for a single customer) is:


interface GigabitEthernet0/0/1
 description iVRFs (Customer VRFs/VLANs)
 no ip address
 carrier-delay msec 0
 negotiation auto
!
interface GigabitEthernet0/0/1.90
 description NOC (NATed network; Global VRF)
 encapsulation dot1Q 90
 ip address 172.20.0.4 255.255.0.0
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1.400
 description Customer 1 Identifier (VLAN 400)
 vrf forwarding CUST-1
 encapsulation dot1Q 400
 ip address 10.200.0.2 255.255.254.0
 ip nat inside
 ip virtual-reassembly
!
! Static NAT: inside local 10.200.0.16 (in VRF CUST-1) <-> inside global 172.20.0.16 (global VRF)
ip nat inside source static 10.200.0.16 172.20.0.16 vrf CUST-1
!
! Default route for CUST-1 whose next hop 172.20.0.1 is resolved in the global routing table
ip route vrf CUST-1 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1.90 172.20.0.1 global


Is it by design that the NATed address (e.g. 172.20.0.16) is only
reachable from 172.20.0.1, and not from any other devices residing in
VLAN 90? In the model where Internet connectivity is provided by a
next-hop PE device, this would make sense. Effectively, I'd be
terminating 172.20.0.1 on a firewall for management access into
statically NATed hosts in customer VRFs, which would also inherently
prevent access between statically NATed hosts in different VRFs, if
172.20.0.1 is the only device capable of reaching the NATed hosts.

-- 
Matthew Melbourne
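The following is an added illustration, not part of the original post or of any Cisco code: a small Python model of the forwarding decisions implied by the configuration above. It models two routing tables (the global RIB with the connected 172.20.0.0/16 on Gi0/0/1.90, and the CUST-1 RIB with its connected 10.200.0.0/23 plus the default route whose next hop is resolved in the global table) and the single static NAT entry. The point it shows is that the CUST-1 RIB contains no route for 172.20.0.0/16 itself, so every reply from 10.200.0.16, whether destined for 172.20.0.1 or for some other VLAN 90 host such as 172.20.0.50, is forwarded to next hop 172.20.0.1 rather than directly to the destination. Whether other VLAN 90 hosts then see the reply depends on what 172.20.0.1 does with it. The route and NAT tables, the packet walk and the address 172.20.0.50 are constructed for this model and are assumptions, not output from an ASR.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None means a connected route
    interface: str
    next_hop_vrf: str         # table in which next_hop is resolved

# Constructed RIBs modelled on the posted configuration (an assumption, not real ASR tables).
RIB = {
    "global": [
        Route(ipaddress.ip_network("172.20.0.0/16"), None, "Gi0/0/1.90", "global"),
    ],
    "CUST-1": [
        Route(ipaddress.ip_network("10.200.0.0/23"), None, "Gi0/0/1.400", "CUST-1"),
        # "ip route vrf CUST-1 0.0.0.0 0.0.0.0 Gi0/0/1.90 172.20.0.1 global"
        Route(ipaddress.ip_network("0.0.0.0/0"), "172.20.0.1", "Gi0/0/1.90", "global"),
    ],
}

# "ip nat inside source static 10.200.0.16 172.20.0.16 vrf CUST-1"
STATIC_NAT = {("CUST-1", "10.200.0.16"): "172.20.0.16"}

def lookup(vrf: str, dst: str) -> Optional[Route]:
    """Longest-prefix match of dst in the RIB of the given VRF."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in RIB[vrf]:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best

def forward_outside_to_inside(dst_global: str) -> Optional[dict]:
    """Packet arriving on the 'ip nat outside' interface (global) towards a NATed address:
    the static entry selects the VRF and inside local address, then the lookup is done
    in that VRF, where 10.200.0.0/23 is connected."""
    for (vrf, local), glob in STATIC_NAT.items():
        if glob == dst_global:
            r = lookup(vrf, local)
            return {"vrf": vrf, "dst": local, "interface": r.interface, "next_hop": r.next_hop}
    return None   # no static entry: nothing in the global table reaches the VRF

def forward_inside_to_outside(vrf: str, src_local: str, dst: str) -> Optional[dict]:
    """Reply from the inside host: lookup in the customer VRF, then source translation.
    The only matching route for any 172.20.0.x destination is the default, so the
    next hop is always 172.20.0.1, never the VLAN 90 host itself."""
    r = lookup(vrf, dst)
    if r is None:
        return None
    src_global = STATIC_NAT.get((vrf, src_local), src_local)
    return {
        "src": src_global,
        "interface": r.interface,
        "next_hop": r.next_hop if r.next_hop else dst,
        "next_hop_vrf": r.next_hop_vrf,
    }

if __name__ == "__main__":
    print("NOC -> 172.20.0.16:", forward_outside_to_inside("172.20.0.16"))
    print("reply -> 172.20.0.1:", forward_inside_to_outside("CUST-1", "10.200.0.16", "172.20.0.1"))
    # 172.20.0.50 is a constructed "other host in VLAN 90"
    print("reply -> 172.20.0.50:", forward_inside_to_outside("CUST-1", "10.200.0.16", "172.20.0.50"))
```

Running the model shows the asymmetry: traffic from VLAN 90 towards 172.20.0.16 lands on the connected Gi0/0/1.400 route inside CUST-1, but the reply to 172.20.0.50 is handed to 172.20.0.1 with source already translated to 172.20.0.16, because CUST-1 never sees the global connected route for 172.20.0.0/16.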

