[c-nsp] NATing guest VRF and default VRF on edge router

Ross Halliday ross.halliday at wtccommunications.ca
Fri Jan 4 18:37:49 EST 2013


Have you looked into NVI? Not sure how it behaves with the default (global) VRF; you might need to create some VRFs to match the example (tried it once on an 1811 but there was some issue with a feature that made me move on):

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtnatvi.html

HTH

Ross


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Justin Shore
> Sent: Thursday, January 03, 2013 11:45 AM
> To: Cisco-nsp
> Subject: [c-nsp] NATing guest VRF and default VRF on edge router
> 
> Folks,
> 
> Long time no see!  I'm back on c-nsp after a long hiatus with a question.
> 
> I'm having trouble getting NAT to work in IOS on some CEs (2821 and 3925
> running 15).  The site has a VRF for guest traffic and uses the default
> VRF for corporate traffic.  Previously they had a 3rd-party firewall
> between the PE and CE that did NAT for corp traffic on the Inside and
> NAT for guest on a DMZ interface.  Basic setup.  The 3rd-party firewall
> is gone now and we're trying to do all NAT and firewall functionality in
> the site router that also connects them to their MPLS WAN.  The guest
> VRF only needs Internet access; there isn't a need to allow access
> between the VRFs other than to the Internet.  Basic guest setup.
> 
> I've gone through a number of config iterations here and can't get
> everything to work at the same time.  I'm leaking a default route into
> the guest VRF pointed at the PE-facing CE interface with the next-hop
> being the PE.  I have a NAT pool for guest, an ACL that matches all
> guest traffic, and then I use both the pool and ACL in a NAT overload
> statement for the PE-facing interface.  That works fine.
> 
> ip vrf guest-vrf
>   rd 100:100
> !
> interface GigabitEthernet0/0
>   description TO PE
>   ip address aa.bb.cc.230 255.255.255.252
>   ip nat outside
>   ip virtual-reassembly in
>   load-interval 30
>   duplex full
>   speed 100
> !
> 
> interface GigabitEthernet0/1.910
>   description Wired Guest
>   encapsulation dot1Q 910
>   ip vrf forwarding guest-vrf
>   ip address 10.5.1.129 255.255.255.128
>   ip nat inside
>   ip virtual-reassembly in
> !
> interface GigabitEthernet0/1.911
>   description Wireless Guest
>   encapsulation dot1Q 911
>   ip vrf forwarding guest-vrf
>   ip address 10.5.2.1 255.255.254.0
>   ip nat inside
>   ip virtual-reassembly in
> !
> ip nat pool guest-nat-pool aa.bb.cc.230 aa.bb.cc.230 prefix-length 30
> ip nat inside source list nonat0_guest-vrf pool guest-nat-pool vrf guest-vrf overload
> !
> ip route vrf guest-vrf 0.0.0.0 0.0.0.0 GigabitEthernet0/0 aa.bb.cc.229
> !
> ip access-list extended nonat0_guest-vrf
>   permit ip 10.5.0.0 0.0.255.255 any
> !
> 
> That works fine.  I've expanded upon that with a 2nd NAT pool for corp
> traffic (using the same IP), another ACL that matches the local corp
> subnets to ANY (since I'm NATing all traffic that traverses that
> interface, vs a NoNAT) and then another overload NAT statement for the
> same interface.  I added the nat inside lines to the corp L3 interfaces
> and made sure the default route in the default VRF pointed to the PE.
> Guest still worked but only ICMPs on corp traffic worked.
> 
> Any suggestions?  This should be a relatively simple setup and for some
> reason I can't get it to work.  I.e., NAT the default VRF and guest VRF to
> allow Internet access from both with the Internet edge being in the
> default VRF.  I hate to rejoin the mailing list with a question on my
> mind but that's where I'm at today.  Any tips would be much appreciated.
> 
> Thanks
>    Justin
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
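As an added example (my own, not Ross's, Justin's or Cisco's, and the thread does not confirm that NVI behaves this way with the global table), this is what the NVI approach Ross links to looks like applied to Justin's layout. The corp VLAN 100 with 10.1.0.0/24 and the guest-in ACL are assumptions; aa.bb.cc.x are the post's placeholder addresses.

```cisco
! Added example, not from the thread: NVI-style NAT for a guest VRF and
! the global table on one PE-facing interface. Corp VLAN 100 and the
! 10.1.0.0/24 corp subnet are assumed; aa.bb.cc.x are the post's placeholders.
ip vrf guest-vrf
 rd 100:100
!
interface GigabitEthernet0/0
 description TO PE
 ip address aa.bb.cc.230 255.255.255.252
 ip nat enable
!
interface GigabitEthernet0/1.910
 description Wired Guest
 encapsulation dot1Q 910
 ip vrf forwarding guest-vrf
 ip address 10.5.1.129 255.255.255.128
 ip access-group guest-in in
 ip nat enable
!
interface GigabitEthernet0/1.100
 description Corp (assumed VLAN and subnet)
 encapsulation dot1Q 100
 ip address 10.1.0.1 255.255.255.0
 ip nat enable
!
! Guest may only reach the Internet: drop guest-to-corp before routing,
! rather than relying on the guest VRF simply lacking a corp route.
ip access-list extended guest-in
 deny   ip any 10.5.0.0 0.0.255.255
 deny   ip any 10.1.0.0 0.0.0.255
 permit ip 10.5.0.0 0.0.255.255 any
!
ip access-list extended guest-nat
 permit ip 10.5.0.0 0.0.255.255 any
ip access-list extended corp-nat
 permit ip 10.1.0.0 0.0.0.255 any
!
! NVI: no inside/outside roles; the packet is routed first, then its source
! is translated to the Gi0/0 address. One statement per routing table.
ip nat source list guest-nat interface GigabitEthernet0/0 vrf guest-vrf overload
ip nat source list corp-nat interface GigabitEthernet0/0 overload
!
ip route vrf guest-vrf 0.0.0.0 0.0.0.0 GigabitEthernet0/0 aa.bb.cc.229
ip route 0.0.0.0 0.0.0.0 aa.bb.cc.229
```

Translations built this way show up under `show ip nat nvi translations` rather than `show ip nat translations`, which is the first thing to check if traffic from one table works and the other does not.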
