[c-nsp] NATing guest VRF and default VRF on edge router

Justin Shore justin at justinshore.com
Thu Jan 3 11:45:26 EST 2013


Folks,

Long time no see!  I'm back on c-nsp after a long hiatus with a question.

I'm having trouble getting NAT to work in IOS on some CEs (2821 and 3925 
running 15).  The site has a VRF for guest traffic and uses the default 
VRF for corporate traffic.  Previously they had a 3rd-party firewall 
between the PE and CE that did NAT for corp traffic on the Inside and 
NAT for guest on a DMZ interface.  Basic setup.  The 3rd-party firewall 
is gone now and we're trying to do all NAT and firewall functionality in 
the site router that also connects them to their MPLS WAN.  The guest 
VRF only needs Internet access; there isn't a need to allow access 
between the VRFs other than to the Internet.  Basic guest setup.

I've gone through a number of config iterations here and can't get 
everything to work at the same time.  I'm leaking a default route into 
the guest VRF pointed at the PE-facing CE interface with the next-hop 
being the PE.  I have a NAT pool for guest, an ACL that matches all 
guest traffic, and then I use both the pool and ACL in a NAT overload 
statement for the PE-facing interface.  That works fine.

ip vrf guest-vrf
  rd 100:100
!
interface GigabitEthernet0/0
  description TO PE
  ip address aa.bb.cc.230 255.255.255.252
  ip nat outside
  ip virtual-reassembly in
  load-interval 30
  duplex full
  speed 100
!

interface GigabitEthernet0/1.910
  description Wired Guest
  encapsulation dot1Q 910
  ip vrf forwarding guest-vrf
  ip address 10.5.1.129 255.255.255.128
  ip nat inside
  ip virtual-reassembly in
!
interface GigabitEthernet0/1.911
  description Wireless Guest
  encapsulation dot1Q 911
  ip vrf forwarding guest-vrf
  ip address 10.5.2.1 255.255.254.0
  ip nat inside
  ip virtual-reassembly in
!
ip nat pool guest-nat-pool aa.bb.cc.230 aa.bb.cc.230 prefix-length 30
ip nat inside source list nonat0_guest-vrf pool guest-nat-pool vrf guest-vrf overload
!
ip route vrf guest-vrf 0.0.0.0 0.0.0.0 GigabitEthernet0/0 aa.bb.cc.229
!
ip access-list extended nonat0_guest-vrf
  permit ip 10.5.0.0 0.0.255.255 any
!

That works fine.  I've expanded upon that with a 2nd NAT pool for corp 
traffic (using the same IP), another ACL that matches the local corp 
subnets to ANY (since I'm NATing all traffic that traverses that 
interface, vs a NoNAT) and then another overload NAT statement for the 
same interface.  I added the nat inside lines to the corp L3 interfaces 
and made sure the default route in the default VRF pointed to the PE. 
Guest still worked but only ICMPs on corp traffic worked.

Any suggestions?  This should be a relatively simple setup and for some 
reason I can't get it to work.  I.e., NAT the default VRF and guest VRF to 
allow Internet access from both with the Internet edge being in the 
default VRF.  I hate to rejoin the mailing list with a question on my 
mind but that's where I'm at today.  Any tips would be much appreciated.

Thanks
   Justin
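Added as a config check here, not part of Justin's post or any Cisco tooling: a small Python audit that parses the NAT statements above together with a constructed corp addition mirroring what the post describes (203.0.113.230 stands in for the masked aa.bb.cc.230; the corp pool and ACL names are assumptions), and reports every pool address that NAT rules from more than one VRF translate to, noting whether it is also the outside interface's own address.

```python
import re

# Constructed sample: the guest NAT from the post plus the corp NAT the post
# describes but does not show. Address and corp names are placeholders/assumptions.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 ip address 203.0.113.230 255.255.255.252
 ip nat outside
ip nat pool guest-nat-pool 203.0.113.230 203.0.113.230 prefix-length 30
ip nat inside source list nonat0_guest-vrf pool guest-nat-pool vrf guest-vrf overload
ip nat pool corp-nat-pool 203.0.113.230 203.0.113.230 prefix-length 30
ip nat inside source list nat0_corp pool corp-nat-pool overload
"""

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+)")
RULE_RE = re.compile(r"^ip nat inside source list (\S+) pool (\S+)(?: vrf (\S+))?( overload)?")
IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^ ip address (\S+) (\S+)")


def parse_nat_config(text):
    """Return (pools, rules, outside_addrs) from IOS running-config text."""
    pools, rules, iface_addr, outside = {}, [], {}, set()
    current = None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            current = m.group(1)
        elif m := ADDR_RE.match(line):
            iface_addr[current] = m.group(1)
        elif line.strip() == "ip nat outside":
            outside.add(current)
        elif m := POOL_RE.match(line):
            pools[m.group(1)] = (m.group(2), m.group(3))  # (start, end) of the pool
        elif m := RULE_RE.match(line):
            acl, pool, vrf, ovl = m.groups()
            # A rule without the vrf keyword translates the default (global) VRF.
            rules.append({"acl": acl, "pool": pool, "vrf": vrf or "global", "overload": bool(ovl)})
    outside_addrs = {iface_addr[i] for i in outside if i in iface_addr}
    return pools, rules, outside_addrs


def audit_shared_pool_addresses(text):
    """List pool addresses that NAT rules from more than one VRF translate to.
    Returns [(address, sorted VRF names, address is an 'ip nat outside' interface IP)].
    Only the pool start address is keyed, which is exact for single-address pools."""
    pools, rules, outside_addrs = parse_nat_config(text)
    users = {}
    for r in rules:
        start = pools.get(r["pool"], (None, None))[0]
        if start is not None:
            users.setdefault(start, set()).add(r["vrf"])
    return [(a, sorted(v), a in outside_addrs) for a, v in users.items() if len(v) > 1]
```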

