NAT'ing a VRF IP to a global address

Latest post 12-28-2008 5:24 AM by b_lamine. 6 replies.

Page 1 of 1 (7 items)
	Sort Posts: Previous Next

11-04-2008 4:56 PM

awilkins
Joined on 09-05-2008
Posts 79
Points 1,115

Reply Contact

I'm working on Vol II Lab 2 section 5.3: VRF Internet Access

The following works great:

ip nat inside source route-map CCIE_SITE_2-NAT interface Loopback0 vrf CCIE_SITE_2 overload
!
access-list 100 deny   ip 10.1.7.0 0.0.0.255 10.1.8.0 0.0.0.255
access-list 100 deny   ip 10.1.7.0 0.0.0.255 10.1.18.0 0.0.0.255
access-list 100 deny   ip 10.1.7.0 0.0.0.255 10.1.28.0 0.0.0.255
access-list 100 permit ip 10.1.7.0 0.0.0.255 any
!
route-map CCIE_SITE_2-NAT permit 10
match ip address 100

This prompted me to try something, but I cannot seem to get it to work. I took out the 'ip nat inside source......' command and applied the following:

ip nat pool TEST 24.1.4.4 24.1.4.4 prefix-length 30
ip nat inside source route-map CCIE_SITE_2-NAT pool TEST vrf CCIE_SITE_2 overload

I could see the situation arise where we may be asked to use a pool of addresses by which to use for NAT. Does anyone see anything wrong with the above? I get the following output from a 'debug ip nat det' output:

*Mar 1 00:51:48.963: NAT: map match CCIE_SITE_2-NAT
*Mar 1 00:51:48.963: NAT: address not stolen for 10.1.7.7, proto 1 port 4
*Mar 1 00:51:48.967: NAT: failed to allocate address for 10.1.7.7, list/map CCIE_SITE_2-NAT
*Mar 1 00:51:48.967: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Mar 1 00:51:48.971: NAT: map match CCIE_SITE_2-NAT
*Mar 1 00:51:48.975: NAT: address not stolen for 10.1.7.7, proto 1 port 4
*Mar 1 00:51:48.975: NAT: failed to allocate address for 10.1.7.7, list/map CCIE_SITE_2-NAT
*Mar 1 00:51:48.979: NAT: translation failed (A), dropping packet s=10.1.7.7 d=24.1.3.3
*Mar 1 00:51:48.999: NAT: map match CCIE_SITE_2-NAT

Post Points: 35

11-04-2008 7:08 PM In reply to

mpls-te
Joined on 07-13-2008
Sydney, Australia
Posts 8
Points 115

Re: NAT'ing a VRF IP to a global address

Reply Contact

Try this...

ip nat pool TEST 24.1.4.4 24.1.4.4 prefix-length 24
ip nat inside source list CCIE_SITE_2-NAT pool TEST vrf CCIE_SITE_2 overload

ip access-list standard CCIE_SITE_2-NAT
permit ip 10.1.7.0 0.0.0.255 any

See how u go with that...

Cheers,

mpls-te

Post Points: 20

11-04-2008 9:15 PM In reply to

shai-l
Joined on 08-02-2008
Posts 66
Points 865

Re: NAT'ing a VRF IP to a global address

Reply Contact

hello

i know its a dumb qustion, but -

when you are using the above nat pool you are using only 1 ip address - could this be a problem? - i always configure this with two ip addresses and it works fine

could it be that because there is only one ip address it fails to allocate it for some reason (an IOS glitch or something) ?

Shai

Post Points: 35

11-04-2008 11:12 PM In reply to

mpls-te
Joined on 07-13-2008
Sydney, Australia
Posts 8
Points 115

Re: NAT'ing a VRF IP to a global address

Reply Contact

Hi,

Well what this is doing is NAT'ing 10.1.7.0/24 to 24.1.4.4/24, so you are NAT'ing the whole /24 to the other /24.

Cheers,

mpls-te

Post Points: 5

11-05-2008 4:20 AM In reply to

awilkins
Joined on 09-05-2008
Posts 79
Points 1,115

Re: NAT'ing a VRF IP to a global address

Reply Contact

@ shai-l

One address should be fine. Note the 'overload' keyword which basically means this is doing PAT. I guess I could try two to see, but I've done this in the past before - as I recall anyway.

@ mpls-te

I don't quite understand your comments. The start and finish address being the same shouldn't allow the use of the /24 for the pool.

Post Points: 5

12-25-2008 6:56 PM In reply to

Swapnil
Joined on 12-11-2008
Posts 1
Points 20

Re: NAT'ing a VRF IP to a global address

Reply Contact

Hello, I am unable to get this NAT to work.

I am using the same configuration as the solution provided. For some reason, the reverse lookup from global to local is not being performed.

I get the ping repply packet on R4 from BB3 loopback but it never translates it back to the local ip address and does not send it to R7.

Below is what I see

R4#debug ip nat de
R4#
*Dec 26 03:39:04.899: NAT: i: icmp (10.1.7.7, 17) -> (28.119.17.0, 17) [1781]
*Dec 26 03:39:04.899: NAT: s=10.1.7.7->10.1.4.4, d=28.119.17.0 [1781]
R4#u al
*Dec 26 03:39:06.899: NAT: i: icmp (10.1.7.7, 17) -> (28.119.17.0, 17) [1782]

R4#sh ip nat tr
Pro Inside global Inside local Outside local Outside global
icmp 10.1.4.4:17 10.1.7.7:17 28.119.17.0:17 28.119.17.0:17

Below is my configration

R4#sh run int e0/0
interface Ethernet0/0
ip vrf forwarding CCIE_SITE_2
ip address 10.1.47.4 255.255.255.0
ip nat inside
no ip route-cache cef
no ip route-cache
end

R4#sh run int se2/0.2
interface Serial2/0.2 point-to-point
ip address 24.1.34.4 255.255.255.248
ip nat outside
no ip route-cache
snmp trap link-status
frame-relay interface-dlci 403
class FR
end

R4#sh run int e1/0
interface Ethernet1/0
ip address 24.1.45.4 255.255.255.0
ip router isis
ip nat outside
mpls label protocol ldp
mpls ip
isis circuit-type level-2-only

R4#sh run | i nat
ip nat inside source route-map R7-LOOPBACK interface lo0 vrf CCIE_SITE_2 overload

R4#sh run int lo0
interface Loopback0
ip address 10.1.4.4 255.255.255.255

end

Debug ip icmp on R4 shows the following

R4#debug ip icmp
ICMP packet debugging is on
R4#
*Dec 26 03:41:48.923: ICMP: echo reply rcvd, src 204.12.1.254, dst 10.1.4.4
R4#
*Dec 26 03:41:50.919: ICMP: echo reply rcvd, src 204.12.1.254, dst 10.1.4.4

It is receiving the reply but is not able to translate it back to local ip address. I tried changing the image thinking it could be a bug, but no luck :(

Let me know if I am missing something

Thanks,

Swapnil

Post Points: 20

12-28-2008 5:24 AM In reply to

b_lamine
Joined on 07-17-2008
Posts 6
Points 120

Re: NAT'ing a VRF IP to a global address

Reply Contact

hello,

It worked for me, I only added a route from BB1 to R4's loppback (ip route 24.1.4.4 255.255.255.255 s1/1.100) and did a ping from R7's loopback (ping 119.0.0.1 source 10.1.7.7)

Regards,

Lamine

Post Points: 5

Page 1 of 1 (7 items)