Cisco 2911 NAT from VRF

ruth_betty (Level 1)

I have trouble with a NAT connection on a Cisco 2911 ISR. I cannot connect to the NAT port from a PC on the same VRF, but the connection works properly if I try it from another VRF on the same router. Can you help me fix it?

version 15.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname bgr-03
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging rate-limit all 10 except critical
logging monitor informational
!
aaa new-model
!
aaa authentication login local_auth local
!
aaa session-id common
clock timezone MSK 3 0
!
ip cef
!
ip vrf VRF20
!
ip vrf VRF30
!
no ip domain lookup
ipv6 spd queue min-threshold 62
ipv6 spd queue max-threshold 63
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
license udi pid CISCO2911/K9 sn FFFFFFFFFFF
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9
license boot module c2900 technology-package datak9
!
vtp mode transparent
!
redundancy
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip vrf forwarding VRF20
 ip address 10.0.20.1 255.255.255.0
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip vrf forwarding VRF30
 ip address 10.0.30.1 255.255.255.0
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1
 ip vrf forwarding VRF20
 ip address 1.1.1.2 255.255.255.0
 no ip redirects
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/2
 ip vrf forwarding VRF30
 ip address 1.1.1.3 255.255.255.0
 no ip redirects
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat translation timeout 7200
ip nat translation tcp-timeout 7200
ip nat inside source list NAT_VRF20 interface GigabitEthernet0/1 vrf VRF20 overload
ip nat inside source list NAT_VRF30 interface GigabitEthernet0/2 vrf VRF30 overload
ip nat inside source static tcp 10.0.20.2 3389 1.1.1.2 3389 vrf VRF20 extendable
ip nat inside source static tcp 10.0.30.2 3389 1.1.1.3 3389 vrf VRF30 extendable
ip route vrf VRF20 0.0.0.0 0.0.0.0 1.1.1.1
ip route vrf VRF30 0.0.0.0 0.0.0.0 1.1.1.1
!
ip access-list extended NAT_VRF20
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 10.0.20.0 0.0.0.255 any
ip access-list extended NAT_VRF30
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 10.0.30.0 0.0.0.255 any
!
control-plane
!
mgcp profile default
!
gatekeeper
 shutdown
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 transport input none
!
scheduler allocate 20000 1000
!
end


9 Replies

Hi

Could you please share the configuration? It should be something like:

ip nat inside source list 1 interface G0/0 vrf <VRF NAME> overload

:-)

>> Mark as helpful or answered if the reply resolved the question; this helps other community members with future queries. <<

Of course, it's under the spoiler in my first post ;)

Hi

Thank you, and apologies, I didn't see it. I recommend configuring a route distinguisher on the VRFs, for example:

ip vrf VRF20
 rd 20:20
!
ip vrf VRF30
 rd 30:30

The values can be arbitrary. Please let me take a look at the entire configuration.

:-)

Hi

Also, the deny entries in the ACL could be removed, because the ACL will include only the allowed networks:

 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255

And the ACL will apply the implicit deny ip any any at the bottom.

:-)

These lines were added because I want to exclude NAT for packets destined to "gray" networks (10.*, 192.*, 172.*, etc.). Yes, I agree I should do it another way, with "ip route" to the Null interface, but in our case this does not matter and you can simply remove these lines.

> rd 20:20
> rd 30:30

I added route distinguishers on the VRFs, but it didn't help.

 

> please let me take a look at the entire configuration.

It's the entire configuration, nothing cut. It is this small because I built a dedicated test bench to diagnose this problem.
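As an added illustration of what the three deny lines in NAT_VRF20 actually do (this is not part of the original thread and not the poster's code): the snippet below is a constructed, minimal evaluator for IOS-style extended ACLs with wildcard masks, applied to the NAT_VRF20 ACL exactly as posted and to the same ACL with the deny lines removed, as the reply suggested. The sample flows are constructed. An `ip nat inside source list` statement only creates a translation for a flow the ACL permits, so with the denies present a packet from 10.0.20.0/24 to another private destination hits a deny and is not translated, while without them the final permit matches it and the source would be rewritten. The implicit deny at the bottom only covers flows that match no entry at all, such as a source outside 10.0.20.0/24, so it does not replace the explicit denies.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed example: a minimal evaluator for IOS extended ACEs of the form
# "permit|deny ip <src> <wildcard> <dst> <wildcard>" (accepting "any" and "host").
# Only the "ip" protocol keyword is modelled, which is all the posted ACL uses.

@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: int      # source network as a 32-bit int
    src_wc: int   # source wildcard mask (1 bits = don't care)
    dst: int
    dst_wc: int

def _parse_target(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (addr, wildcard, next_index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wc = int(ipaddress.IPv4Address(tokens[i + 1]))
    return addr, wc, i + 2

def parse_acl(text: str) -> List[Ace]:
    """Parse the ACE lines of an 'ip access-list extended' block, in order."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
            continue  # skip blank lines and the "ip access-list extended ..." header
        if tokens[1] != "ip":
            raise ValueError(f"only 'ip' ACEs are modelled here: {line!r}")
        src, src_wc, i = _parse_target(tokens, 2)
        dst, dst_wc, _ = _parse_target(tokens, i)
        aces.append(Ace(tokens[0], src, src_wc, dst, dst_wc))
    return aces

def _matches(addr: int, net: int, wc: int) -> bool:
    # IOS wildcard semantics: bits set in the wildcard are ignored in the comparison.
    return (addr & ~wc & 0xFFFFFFFF) == (net & ~wc & 0xFFFFFFFF)

def evaluate(aces: List[Ace], src_ip: str, dst_ip: str) -> Optional[Ace]:
    """First-match evaluation; None means the implicit 'deny ip any any' applied."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for ace in aces:
        if _matches(s, ace.src, ace.src_wc) and _matches(d, ace.dst, ace.dst_wc):
            return ace
    return None

def nat_translates(aces: List[Ace], src_ip: str, dst_ip: str) -> bool:
    """'ip nat inside source list' creates a translation only for flows the ACL permits."""
    hit = evaluate(aces, src_ip, dst_ip)
    return hit is not None and hit.action == "permit"

# The ACL as posted in the original configuration.
NAT_VRF20 = """
ip access-list extended NAT_VRF20
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 10.0.20.0 0.0.0.255 any
"""

# The same ACL with the deny lines removed, as the reply suggested.
NAT_VRF20_NO_DENY = """
ip access-list extended NAT_VRF20
 permit ip 10.0.20.0 0.0.0.255 any
"""

def compare(src_ip: str, dst_ip: str) -> dict:
    """Would this flow be translated under each ACL variant?"""
    return {
        "with_deny": nat_translates(parse_acl(NAT_VRF20), src_ip, dst_ip),
        "without_deny": nat_translates(parse_acl(NAT_VRF20_NO_DENY), src_ip, dst_ip),
    }

if __name__ == "__main__":
    # Constructed sample flows (not from the original post).
    for flow in [("10.0.20.5", "8.8.8.8"),     # to the Internet: translated either way
                 ("10.0.20.5", "10.0.30.7"),   # to another private network: translated only without the denies
                 ("10.0.30.5", "8.8.8.8")]:    # source outside 10.0.20.0/24: implicit deny either way
        print(flow, compare(*flow))
```

Only the first packet of a new inside-originated flow is checked against the list; return traffic for an existing translation is matched on the translation table, not on the ACL, so the ACL cannot be used to block replies.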

ruth_betty (Level 1)

Has really nobody met such a problem? How can I try to solve it?

Hi,

Apologies for the late response. Have you tried leaking via the global routing table? Also, I would like to know whether you control the neighbor connected to the router in the topology, or whether it is already the ISP.

> Apologies for the late response. Have you tried leaking via the global routing table?
Can you please describe how I can do that?

> Also, I would like to know whether you control the neighbor connected to the router in the topology, or whether it is already the ISP.
In production it's a border router; interfaces Gi0/1 and Gi0/2 are connected to the ISP. But to resolve this issue I built a clean test bench and can connect any devices to these interfaces.