Agenda
• NAT Overview
• NAT Operations
• NAT Config & Troubleshooting
• NAT Redundancy
• NAT in MPLS/VRF environment

NAT Overview
[Figure: inside host 10.1.1.1 sends through the NAT border router (10.1.1.2) to the Internet; the source address (SA) 10.1.1.1 is rewritten to 200.1.1.1 on the outside.]
Advantages:
• Conserves legally registered addresses
• Hides the internal addressing (this is obscurity, not access control: reachability from the outside still has to be restricted by filtering, and static or long-lived mappings expose the host behind them)
• Increases flexibility in IP addressing design
• Eliminates address renumbering as the ISP changes
Disadvantages:
• Translation introduces switching path delays
• Certain applications will not function with NAT enabled (protocols that carry addresses or ports in the payload need an ALG)
Private address space (RFC 1918):
Class A - 10.0.0.0/8
Class B - 172.16.0.0/12 (172.16.0.0 to 172.31.255.255)
Class C - 192.168.0.0/16
NAT Operations
[Figure: host A (10.1.1.1) behind NAT router B (10.1.1.2) sends to host C (150.1.1.1). On the inside the packet carries SA 10.1.1.1 / DA 150.1.1.1; on the Internet it carries SA 200.1.1.1 / DA 150.1.1.1.]

Cisco NAT terminology:
• Inside local: address of the inside host as seen on the inside network (10.1.1.1)
• Inside global: address the inside host is known by on the outside (200.1.1.1)
• Outside local: address of the outside host as seen from the inside (150.1.1.1 here, since no outside translation is configured)
• Outside global: real address of the outside host (150.1.1.1)

NAT table (router B):
Inside Global   Inside Local   Outside Local   Outside Global
200.1.1.1       10.1.1.1       150.1.1.1       150.1.1.1
NAT-Config/Troubleshooting © 2007 Cisco Systems, Inc. All rights reserved. 7
NAT & Routing

[Figure: inside hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3 (private IP) behind the NAT router reach host B (150.1.1.1) on the Internet; each inside local address is translated to its own inside global address.]

NAT table:
Inside Local   Inside Global
10.1.1.3       200.1.1.3
10.1.1.2       200.1.1.2
10.1.1.1       200.1.1.1
Dynamic NAT with Overloading

[Figure: inside hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3 share the single inside global address 200.1.1.1 to reach host B (150.1.1.1) and host C (150.1.2.1); the NAT router keeps the flows apart by port.]

NAT table:
Protocol   Inside Local IP:Port   Inside Global IP:Port   Outside Global IP:Port
TCP        10.1.1.1:1024          200.1.1.1:1024          150.1.1.1:23
TCP        10.1.1.2:1723          200.1.1.1:1723          150.1.1.1:23
TCP        10.1.1.3:1024          200.1.1.1:11024         150.1.1.1:23
TCP        10.1.1.2:1024          200.1.1.1:1024          150.1.2.1:23

The source port is preserved when it is free. 10.1.1.3:1024 cannot keep port 1024 because 200.1.1.1:1024 -> 150.1.1.1:23 is already used by 10.1.1.1, so NAT allocates another port (11024). 10.1.1.2:1024 can still use 200.1.1.1:1024 because the outside global address differs (150.1.2.1): the entry is identified by the whole tuple, not by the inside global port alone.
[Figure: outside source translation. Inside host 10.1.1.1 sends to host B using the outside local address 10.1.1.100; the NAT router (10.1.1.2) rewrites SA 10.1.1.1 -> 200.1.1.1 and DA 10.1.1.100 -> 150.1.1.1 on the way out, and the reverse on the way back.]

NAT table:
Inside Global   Inside Local   Outside Local   Outside Global
200.1.1.1       10.1.1.1       10.1.1.100      150.1.1.1
NAT Config & Troubleshooting
[Figure: inside hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3 behind the NAT router reach host B (150.1.1.1); the mappings below are created either statically or from a pool.]

- Static NAT
- Dynamic NAT

NAT table:
Inside Local   Inside Global
10.1.1.3       200.1.1.3
10.1.1.2       200.1.1.2
10.1.1.1       200.1.1.1
NAT#sh ip arp
Protocol  Address      Age (min)  Hardware Addr   Type  Interface
Internet  10.1.1.10    -          aabb.cc00.6600  ARPA  Ethernet0/0
Internet  10.1.1.1     122        aabb.cc00.6500  ARPA  Ethernet0/0
Internet  75.1.1.1     -          aabb.cc00.6601  ARPA  Ethernet1/0
Internet  75.1.1.2     -          aabb.cc00.6601  ARPA  Ethernet1/0

[Figure: Eth0/0 is the inside (IN) interface, Eth1/0 the outside (OUT) interface (Ethernet 120.16.1.0/24) towards the Internet.]

NAT#sh ip arp
Protocol  Address      Age (min)  Hardware Addr   Type  Interface
Internet  10.1.1.10    -          aabb.cc00.6600  ARPA  Ethernet0/0
Internet  10.1.1.1     122        aabb.cc00.6500  ARPA  Ethernet0/0
Internet  120.16.2.2   122        aabb.cc00.6700  ARPA  Ethernet1/0
Internet  120.16.2.1   -          aabb.cc00.6601  ARPA  Ethernet1/0
Internet  120.16.2.5   -          aabb.cc00.6601  ARPA  Ethernet1/0

Entries with Age "-" and the outside interface's own MAC address (75.1.1.2, 120.16.2.5) are ARP aliases: the NAT router answers ARP for inside global addresses that fall inside the subnet of the outside interface, so the upstream router can deliver return traffic to them. An inside global address outside that subnet needs a route pointing at the NAT router instead.
Static NAT with route-map
• Adds conditions to a static NAT entry (only an ACL in the route-map is supported)
• Only traffic matching the route-map is translated
• Works from OUT to IN since CSCec54909 (12.4(2.11)) with the "reversible" keyword
Dynamic NAT Configuration
N.B. Traffic must be initiated from the inside to create the mapping, but once an inside local address has been associated with an inside global address, sessions to that inside global address can be initiated from the outside for as long as the entry lives (without overload the whole address is mapped, not a single port). Filter on the outside interface if that is not wanted.
Dynamic NAT Pool Options
NAT(config)#ip nat pool PUBLIC prefix-length 24
NAT(config-ipnat-pool)#address 200.1.1.1 200.1.1.10
NAT(config-ipnat-pool)#address 100.1.1.1 100.1.1.20
• Using "list" checks only the source IP, so a standard access-list is used; an extended ACL has to be applied through a route-map
• Using "route-map" enforces conditional NAT, i.e. only packets matching the route-map are translated. The route-map can use an extended ACL and can match on interface/next-hop
From inside to outside, routing occurs before NAT, so there must be a route for the destination of the original (untranslated) packet, i.e. for the outside local address 10.1.1.100; without it the packet is dropped before translation.

NAT#sh ip nat translations
Pro   Inside global   Inside local   Outside local   Outside global
---   ---             ---            10.1.1.100      150.1.1.1
icmp  200.1.1.1:2     10.1.1.1:2     10.1.1.100:2    150.1.1.1:2
---   200.1.1.1       10.1.1.1       ---             ---
[Figure: outside source translation with a pool. Inside server 10.1.1.1 (inside global 200.1.1.1) is reached by outside hosts 150.1.1.1 and 180.1.1.1, which appear on the inside as 10.1.1.128 and 10.1.1.129 respectively.]

NAT table:
Protocol   Inside Local IP:Port   Inside Global IP:Port   Outside Local IP:Port   Outside Global IP:Port
TCP        10.1.1.1:80            200.1.1.1:80            10.1.1.128:1024         150.1.1.1:1024
TCP        10.1.1.1:80            200.1.1.1:80            10.1.1.129:1024         180.1.1.1:1024

Overloading is not supported for outside source translation: each outside global address consumes one address of the pool.
N.B. there should be a route for the pool used for outside source translation, so that the inside hosts reach the outside local addresses through the NAT router.
NAT(config-if)# ip virtual-reassembly
Virtual Fragment Reassembly (VFR) lets NAT see the whole datagram before translating it: the L4 header (and any payload an ALG needs) is only present in the first fragment, so non-initial fragments cannot be matched to a translation on their own.
• Introduced by CSCsa62551
• Background: when NAT modifies the payload, the length of the TCP segment may change, so the ALG uses a sequence fixup (seq-fixup) to adapt the TCP sequence numbers accordingly. The seq-fixup keeps track of the next expected seq# and of the delta, and adjusts the seq# of any segment whose seq# is equal to or higher than the expected next seq#.
• Problem: an H.323 TCP keepalive uses previous seq# - 1, which is below the expected next seq#, so the seq-fixup does not adjust it
• This feature modifies the seq-fixup to take care of H.323 keepalives
• Disabled by default
• Must be enabled when TCP keepalives are sent on the H.323 port (1720)
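The rule above, modelled in Python as an added example (this is not Cisco code: the class name, the field names and the constructed H.225 flow are assumptions, and only the behaviour described on this page is modelled). It shows why a keepalive sent with previous seq# - 1 escapes the plain "adjust if seq >= next expected" rule and how the keepalive-aware variant catches it:

```python
class SeqFixup:
    """TCP sequence-number fixup kept by a NAT ALG for one direction of a flow.

    Added example, not Cisco code. After the ALG rewrites an embedded address
    and the segment grows or shrinks by `delta` bytes, every later segment with
    seq >= next_expected must be shifted by `delta`. The H.323 keepalive is an
    empty segment carrying seq = next_expected - 1, so the plain rule leaves it
    untouched and the peer sees a sequence number that is off by `delta`.
    """

    def __init__(self, h323_keepalive_aware=False):
        self.next_expected = None   # next sequence number the inside host will use
        self.delta = 0              # cumulative length change introduced by the ALG
        self.h323_keepalive_aware = h323_keepalive_aware

    def record_rewrite(self, seq, orig_len, new_len):
        """Called when the ALG has changed the payload length of the segment at `seq`."""
        self.next_expected = seq + orig_len
        self.delta += new_len - orig_len

    def translate_seq(self, seq, payload_len):
        """Sequence number to write on the wire for an inside->outside segment."""
        out = seq
        if self.next_expected is not None and self.delta:
            if seq >= self.next_expected:
                out = seq + self.delta
            elif (self.h323_keepalive_aware and payload_len == 0
                  and seq == self.next_expected - 1):
                # H.323 keepalive: empty segment one byte below the expected seq#
                out = seq + self.delta
        if self.next_expected is not None and payload_len:
            # data segments advance the expected sequence number
            self.next_expected = max(self.next_expected, seq + payload_len)
        return out


def keepalive_demo(h323_keepalive_aware):
    """Constructed flow: a 100-byte H.225 message whose embedded address grew by
    4 bytes, then a keepalive (previous seq - 1), a 50-byte data segment and a
    second keepalive. Returns the three translated sequence numbers."""
    fx = SeqFixup(h323_keepalive_aware)
    fx.record_rewrite(seq=1000, orig_len=100, new_len=104)  # next expected 1100, delta 4
    ka1 = fx.translate_seq(1099, payload_len=0)   # 1099 when unaware, 1103 when aware
    data = fx.translate_seq(1100, payload_len=50)  # 1104 either way, next expected 1150
    ka2 = fx.translate_seq(1149, payload_len=0)   # 1149 when unaware, 1153 when aware
    return ka1, data, ka2
```

With the plain rule the peer receives keepalives at 1099 and 1149 while it expects 1103 and 1153, so it answers them as out-of-window segments; the aware variant shifts them by the same delta as the data.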
• Introduced by CSCsa86914
• Background: RTP sessions classically use even UDP port numbers and the related RTCP session uses the next port (odd). Some applications accept only RTP sessions on an even port and refuse RTP on an odd port.
• NAT selects the next available port + 1 for the H323/SIP/SKINNY fixup in the NAT translations; it does NOT check that the RTP/RTCP pair is even/odd.
• This feature changes the H323/SIP/SKINNY fixup to use only even ports for RTP sessions
• Enable it when the application expects RTP on an even port only
• Introduced by CSCed93887
• Background: when NAT has to change a port, it picks a new port in the same range as the original port. The ranges are [1-511], [512-1023] and [1024-65535].
• Problem: when many sessions with the same source port are initiated, NAT can run out of free ports in that range. The typical example is IKE, which uses source UDP port 500: the range [1-511] holds only 511 ports.
• This feature allows NAT to use the full port range [1-65535] for packets arriving with the source port specified in the command
• Example: 'ip nat service fullrange udp port 500' allows NAT to use the full port range for IKE traffic. Otherwise only 511 simultaneous IKE connections are possible through one inside global address
• Introduced by CSCdw17198
• The ACL should match the outside global address of the IPsec server/concentrator
• Background:
  • IPsec peers can negotiate NAT-T (NAT Traversal) to add a UDP header on top of ESP packets, so that NAT can use the UDP port for overloading
  • NAT-T is on by default on IOS devices; '(config)#no crypto ipsec nat-transparency udp-encaps' on the IPsec client/server disables it
  • Without NAT-T, NAT uses the SPI (part of the ESP header) for overloading
  • The difficulty is that there is one SPI per direction, so the NAT router has to 'bind' both SPIs
• Limitations:
  • The NAT router accepts only one connection to the same outside server at a time as long as the SPI binding is not done. Once the SPI binding is done, another connection can be initiated
  • The NAT router must first see the ESP packet from IN to OUT
• Sequence:
  • Client 1 initiates a connection with SPI1; this creates the first NAT entry
  • If at that moment client 2 initiates a connection to the same server, its packet is dropped by the NAT router
  • When the server replies (with SPI2) to client 1, a second NAT entry is created and associated with the first one, i.e. any ESP packet from the server with SPI2 is dispatched to client 1
NAT#sh ip nat translations
Pro   Inside global   Inside local    Outside local   Outside global
esp   200.1.1.1:0     10.1.1.1:SPI1   150.1.1.1:0     150.1.1.1:0
esp   200.1.1.1:0     10.1.1.1:0      150.1.1.1:0     150.1.1.1:SPI2

[Figure: IPsec clients 10.1.1.1, 10.1.1.2 and 10.1.1.3 on 10.1.1.0/24 behind the NAT router (IN/OUT) reach the IPsec server 150.1.1.1 across the Internet.]
*Apr 13 12:10:04.711: NAT: i: esp (10.1.1.1, 0x5940943A) -> (150.1.1.1, 0x0) [98]
*Apr 13 12:10:04.711: NAT: s=10.1.1.1->200.1.1.1, d=150.1.1.1 [98]
*Apr 13 12:10:04.711: NAT: IPSec: new Out->In ESP transl OG=150.1.1.1 SPI=0x7FB18572, IG=200.1.1.1, IL=10.1.1.1
... [the SPI of the first session is bound -> now the second client can establish an ESP connection]
*Apr 13 12:10:12.587: NAT: IPsec: using mapping to create outbound ESP IL=10.1.1.2, SPI=1BF6BAA5, IG=200.1.1.1
*Apr 13 12:10:12.587: NAT: IPSec: created In->Out ESP translation IL=10.1.1.2 SPI=0x1BF6BAA5, IG=200.1.1.1, OL=150.1.1.1, OG=150.1.1.1
*Apr 13 12:10:12.587: NAT: IPSec: Inside host (IL=10.1.1.2) trying to open an ESP connection to Outside host (OG=150.1.1.1), wait for Out->In reply
*Apr 13 12:10:12.591: NAT: i: esp (10.1.1.2, 0x1BF6BAA5) -> (150.1.1.1, 0x0) [22]
*Apr 13 12:10:12.591: NAT: s=10.1.1.2->200.1.1.1, d=150.1.1.1 [22]
*Apr 13 12:10:12.591: NAT: IPSec: new Out->In ESP transl OG=150.1.1.1 SPI=0x1093AEB7, IG=200.1.1.1, IL=10.1.1.2

*Apr 13 14:09:40.899: NAT: IPsec: using mapping to create outbound ESP IL=10.1.1.1, SPI=ED19E956, IG=200.1.1.1
*Apr 13 14:09:40.899: NAT: IPSec: created In->Out ESP translation IL=10.1.1.1 SPI=0xED19E956, IG=200.1.1.1, OL=150.1.1.1, OG=150.1.1.1
*Apr 13 14:09:40.899: NAT: IPSec: Inside host (IL=10.1.1.1) trying to open an ESP connection to Outside host (OG=150.1.1.1), wait for Out->In reply
*Apr 13 14:09:40.899: NAT: creating portlist proto 50 globaladdr 200.1.1.1
*Apr 13 14:09:40.899: NAT: creating ESP portlist for IG=200.1.1.1
*Apr 13 14:09:40.899: NAT: i: esp (10.1.1.1, 0xED19E956) -> (150.1.1.1, 0x0) [184]
*Apr 13 14:09:40.899: NAT: s=10.1.1.1->200.1.1.1, d=150.1.1.1 [184]
... [the ESP packet from the server is received and it matches the calculated SPI]
*Apr 13 14:09:40.903: NAT: ESP: SPIs matched
*Apr 13 14:09:40.903: NAT: IPSec: new Out->In ESP transl OG=150.1.1.1 SPI=0x5FF2220B, IG=200.1.1.1, IL=10.1.1.1
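The binding sequence above as a small state machine, written here as an added example and not Cisco code: the class name, the per-server "pending" slot and the log strings are assumptions, the SPI values are the ones from the debug output on this page, and SPI calculation (the "SPIs matched" path of the second capture) is not modelled. It reproduces the drop of the second client while the first one waits for its Out->In reply, and the dispatch of server packets once each SPI is bound:

```python
class EspNat:
    """NAT entries for ESP without NAT-T, keyed on SPI (added example, not IOS code).

    In->Out entries are created when an inside host sends ESP; the Out->In entry
    for the same flow can only be created from the server's first reply, because
    the reply SPI is chosen by the server. Until that reply arrives the server
    address is 'pending' for one client and any other client is dropped.
    """

    def __init__(self, inside_global):
        self.inside_global = inside_global
        self.pending = {}     # outside_global -> inside_local waiting for its Out->In reply
        self.in_to_out = {}   # (inside_local, spi) -> outside_global
        self.out_to_in = {}   # (outside_global, spi) -> inside_local
        self.log = []

    def inside_to_outside(self, inside_local, outside_global, spi):
        """ESP packet from inside_local with SPI spi: translated source, or None if dropped."""
        if (inside_local, spi) in self.in_to_out:
            return self.inside_global                    # existing translation
        waiting = self.pending.get(outside_global)
        if waiting is not None and waiting != inside_local:
            self.log.append('drop %s -> %s: %s still waiting for Out->In reply'
                            % (inside_local, outside_global, waiting))
            return None
        self.in_to_out[(inside_local, spi)] = outside_global
        self.pending[outside_global] = inside_local
        self.log.append('created In->Out ESP translation IL=%s SPI=0x%X, wait for Out->In reply'
                        % (inside_local, spi))
        return self.inside_global

    def outside_to_inside(self, outside_global, spi):
        """ESP packet from the server to the inside global address: inside host, or None."""
        inside_local = self.out_to_in.get((outside_global, spi))
        if inside_local is None:
            inside_local = self.pending.pop(outside_global, None)
            if inside_local is None:
                self.log.append('drop: no translation for %s SPI=0x%X' % (outside_global, spi))
                return None
            self.out_to_in[(outside_global, spi)] = inside_local   # SPI binding done
            self.log.append('new Out->In ESP transl OG=%s SPI=0x%X IL=%s'
                            % (outside_global, spi, inside_local))
        return inside_local


def two_clients_demo():
    """Client 10.1.1.1 opens, 10.1.1.2 tries while the first reply is outstanding,
    then the server replies to each. Returns the result of every step."""
    nat = EspNat('200.1.1.1')
    srv = '150.1.1.1'
    return [
        nat.inside_to_outside('10.1.1.1', srv, 0x5940943A),   # client 1: entry created
        nat.inside_to_outside('10.1.1.2', srv, 0x1BF6BAA5),   # client 2: dropped (None)
        nat.outside_to_inside(srv, 0x7FB18572),               # reply binds SPI2 to client 1
        nat.inside_to_outside('10.1.1.2', srv, 0x1BF6BAA5),   # client 2 now accepted
        nat.outside_to_inside(srv, 0x1093AEB7),               # bound to client 2
        nat.outside_to_inside(srv, 0x7FB18572),               # still client 1
    ]
```

The `log` list carries the same events as the debug output, so the model can be read side by side with it; the practical consequence is that a server that never answers (or a client that sends ESP before IKE has completed) keeps the server address pending and blocks every other inside client until the entry times out.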
NAT Services – FTP on a non-default port
• The ACL should match the outside global address of the FTP server
• Allows the FTP ALG to track a server that uses a non-default port (other than 21) for the control session
NAT Services – IKE Preserve-port
*Apr 13 15:29:08.179: NAT: address not stolen for 10.1.1.1, proto 17 port 500
*Apr 13 15:29:08.179: NAT: preserving IKE port for source addr 10.1.1.1, destination addr 150.1.1.1, initiator cookie 0x4EBDB5C
*Apr 13 15:29:08.179: NAT: [0] Allocated Port for 10.1.1.1 -> 200.1.1.1: wanted 500 got 500
*Apr 13 15:29:08.179: NAT: i: udp (10.1.1.1, 500) -> (150.1.1.1, 500) [258]
*Apr 13 15:29:08.179: NAT: s=10.1.1.1->200.1.1.1, d=150.1.1.1 [258]
*Apr 13 15:29:08.243: NAT: o: udp (150.1.1.1, 500) -> (200.1.1.1, 500) [302]
*Apr 13 15:29:08.243: NAT: s=150.1.1.1, d=200.1.1.1->10.1.1.1 [302]
... [a second inside client initiates an IKE session]
*Apr 13 15:29:25.135: NAT: preserving IKE port for source addr 10.1.1.2, destination addr 150.1.1.1, initiator cookie 0x28810D1E
*Apr 13 15:29:25.135: NAT: [0] Allocated Port for 10.1.1.2 -> 200.1.1.1: wanted 500 got 3
[without the IKE preserve-port command the source UDP port of the second client would have been rewritten to 3; with it the packet keeps port 500, as the next lines show]
*Apr 13 15:29:25.139: NAT: i: udp (10.1.1.2, 500) -> (150.1.1.1, 500) [72]
*Apr 13 15:29:25.139: NAT: s=10.1.1.2->200.1.1.1, d=150.1.1.1 [72]
*Apr 13 15:29:25.207: NAT: o: udp (150.1.1.1, 500) -> (200.1.1.1, 500) [306]
*Apr 13 15:29:25.207: NAT: s=150.1.1.1, d=200.1.1.1->10.1.1.2 [306]
[Out->In packets are dispatched to the correct internal host based on the ISAKMP initiator cookie, since both clients now share 200.1.1.1:500]
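An added Python model covering three passages on this page: the overloading table (why 10.1.1.2:1024 and 10.1.1.1:1024 can share inside global port 1024 while 10.1.1.3:1024 cannot), the fullrange feature (the 511-port ceiling on IKE through one inside global) and IKE preserve-port (all clients keep UDP/500 and replies are dispatched on the initiator cookie). This is not IOS code: the class name, the entry key (protocol, inside global port, outside address:port), the choice of the lowest free port of a range when the original port is taken (IOS picked 11024 in the table above; that selection is not modelled) and the constructed cookies and addresses are assumptions.

```python
import itertools

RANGES = ((1, 511), (512, 1023), (1024, 65535))   # ranges NAT allocates within


class PatTable:
    """Port allocation for one inside global address (added example, not IOS code)."""

    def __init__(self, inside_global, fullrange_udp=(), ike_preserve_port=False):
        self.inside_global = inside_global
        self.fullrange_udp = set(fullrange_udp)   # 'ip nat service fullrange udp port N'
        self.ike_preserve_port = ike_preserve_port
        self.entries = {}          # (proto, gport, outside) -> (inside_local, lport)
        self.ike_by_cookie = {}    # ISAKMP initiator cookie -> inside_local

    def _candidates(self, proto, port):
        if proto == 'udp' and port in self.fullrange_udp:
            return range(1, 65536)                  # full range for this source port
        for lo, hi in RANGES:
            if lo <= port <= hi:
                return range(lo, hi + 1)           # default: same range as the original
        raise ValueError('port out of range: %d' % port)

    def allocate(self, proto, inside_local, lport, outside, ike_cookie=None):
        """Inside-global port for this flow, or None when the range is exhausted."""
        if self.ike_preserve_port and proto == 'udp' and lport == 500:
            # no port is consumed: the cookie, not the port, identifies the host
            self.ike_by_cookie[ike_cookie] = inside_local
            return 500
        for (p, gport, out), (il, lp) in self.entries.items():
            if (p, out, il, lp) == (proto, outside, inside_local, lport):
                return gport                        # existing translation, reuse it
        for gport in itertools.chain((lport,), self._candidates(proto, lport)):
            key = (proto, gport, outside)           # original port first if it is free
            if key not in self.entries:
                self.entries[key] = (inside_local, lport)
                return gport
        return None

    def dispatch_ike_reply(self, ike_cookie):
        """Out->In IKE packet to inside-global:500: find the client by initiator cookie."""
        return self.ike_by_cookie.get(ike_cookie)


def overload_table_demo():
    """The four flows of the overloading table, in order; returns the inside global ports."""
    nat = PatTable('200.1.1.1')
    flows = [('10.1.1.1', 1024, ('150.1.1.1', 23)),
             ('10.1.1.2', 1723, ('150.1.1.1', 23)),
             ('10.1.1.3', 1024, ('150.1.1.1', 23)),   # 1024 taken for this outside host
             ('10.1.1.2', 1024, ('150.1.2.1', 23))]   # different outside host: 1024 free
    return [nat.allocate('tcp', il, lp, out) for il, lp, out in flows]


def ike_capacity(fullrange, limit=600):
    """Inside hosts able to open IKE (UDP/500) to 150.1.1.1 through one inside global."""
    nat = PatTable('200.1.1.1', fullrange_udp=(500,) if fullrange else ())
    n = 0
    while n < limit and nat.allocate('udp', '10.%d.%d.%d' % (n >> 16, (n >> 8) & 255, n & 255),
                                     500, ('150.1.1.1', 500)) is not None:
        n += 1
    return n


def preserve_port_demo():
    """Two clients both keep UDP/500; the reply is demultiplexed on the initiator cookie."""
    nat = PatTable('200.1.1.1', ike_preserve_port=True)
    p1 = nat.allocate('udp', '10.1.1.1', 500, ('150.1.1.1', 500), ike_cookie=0x4EBDB5C)
    p2 = nat.allocate('udp', '10.1.1.2', 500, ('150.1.1.1', 500), ike_cookie=0x28810D1E)
    return p1, p2, nat.dispatch_ike_reply(0x28810D1E)
```

`ike_capacity(False)` stops at 511 because every client after the first needs a replacement port from [1-511]; with fullrange the count only stops at the demo's limit. Preserve-port side-steps allocation entirely, which is why it scales beyond the range but also why it only works for a protocol that carries its own demultiplexing key.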
• Introduced by CSCdx40184
• The H323-H225 and H323-RAS services are enabled by default
• These commands were introduced to allow turning these services off
• They were initially introduced because of some H.323 ALG vulnerabilities
• Also useful if another application uses these ports, since the ALG would otherwise try to parse its traffic
NAT#debug ip nat ?
<1-99> Access list
detailed NAT detailed events
fragment NAT fragment events
generic NAT generic ALG handler events
h323 NAT H.323 events
ipsec NAT IPSec events
nvi NVI events
port NAT PORT events
pptp NAT PPTP events
route NAT Static route events
sip NAT SIP events
skinny NAT skinny events
vrf NAT VRF events
wlan-nat WLAN NAT events
<cr>
*Aug 8 20:04:19.675: NAT: Allocated Port for 10.1.1.10 -> 120.6.2.1: wanted 19964 got 19964
*Aug 8 20:04:19.675: NAT*: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5860]
*Aug 8 20:04:19.675: NAT*: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5860]
*Aug 8 20:04:19.675: NAT*: s=10.1.1.10->120.6.2.1, d=150.1.1.1 [5860]
*Aug 8 20:04:19.691: NAT*: o: tcp (150.1.1.1, 23) -> (120.6.2.1, 19964) [7604]
*Aug 8 20:04:19.691: NAT*: s=150.1.1.1, d=120.6.2.1->10.1.1.10 [7604]
*Aug 8 20:04:19.691: NAT*: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5861]
*Aug 8 20:04:19.691: NAT*: s=10.1.1.10->120.6.2.1, d=150.1.1.1 [5861]
*Aug 8 20:04:19.691: NAT*: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5862]
*Aug 8 20:04:19.691: NAT*: s=10.1.1.10->120.6.2.1, d=150.1.1.1 [5862]
*Aug 8 20:04:19.691: NAT*: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5863]
*Aug 8 20:04:19.691: NAT*: s=10.1.1.10->120.6.2.1, d=150.1.1.1 [5863]
*Aug 8 20:04:19.711: NAT*: o: tcp (150.1.1.1, 23) -> (120.6.2.1, 19964) [7605]
*Aug 8 20:04:19.711: NAT*: s=150.1.1.1, d=120.6.2.1->10.1.1.10 [7605]
*Aug 8 20:04:19.711: NAT*: o: tcp (150.1.1.1, 23) -> (120.6.2.1, 19964) [7606]
*Aug 8 20:04:19.711: NAT*: s=150.1.1.1, d=120.6.2.1->10.1.1.10 [7606]

Reading the output: "NAT:" lines are process-switched packets (the first packet of a flow, which allocates the port); "NAT*:" lines are packets translated in the fast (CEF) path. An "i:" or "o:" line shows the packet as received on the inside or outside interface, the following "s=.../d=..." line shows which address was rewritten, and the number in brackets is the IP identification field, which pairs the two lines.
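To make the pairing of "i:/o:" and "s=/d=" lines mechanical, here is an added Python parser run over a constructed sample modelled on the output above (this is not Cisco code; the sample lines, including the extra outside-initiated flow to 10.1.1.12, are made up for the example, and the regular expressions assume the line layout shown on this page). It rebuilds the translation used by each packet, counts fast-path versus process-switched packets, and flags Out->In packets for which no earlier In->Out packet was seen, which is what an outside-initiated session through an existing mapping looks like in this debug:

```python
import re

# Constructed sample modelled on the debug ip nat output above (not a real capture).
SAMPLE = """\
*Aug 8 20:04:19.675: NAT: Allocated Port for 10.1.1.10 -> 120.6.2.1: wanted 19964 got 19964
*Aug 8 20:04:19.675: NAT*: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5860]
*Aug 8 20:04:19.675: NAT*: s=10.1.1.10->120.6.2.1, d=150.1.1.1 [5860]
*Aug 8 20:04:19.691: NAT*: o: tcp (150.1.1.1, 23) -> (120.6.2.1, 19964) [7604]
*Aug 8 20:04:19.691: NAT*: s=150.1.1.1, d=120.6.2.1->10.1.1.10 [7604]
*Aug 8 20:04:19.691: NAT*: i: tcp (10.1.1.10, 19964) -> (150.1.1.1, 23) [5861]
*Aug 8 20:04:19.691: NAT*: s=10.1.1.10->120.6.2.1, d=150.1.1.1 [5861]
*Aug 8 20:04:20.101: NAT: i: udp (10.1.1.11, 500) -> (150.1.1.1, 500) [42]
*Aug 8 20:04:20.101: NAT: s=10.1.1.11->120.6.2.1, d=150.1.1.1 [42]
*Aug 8 20:04:21.300: NAT*: o: tcp (198.51.100.7, 40001) -> (120.6.2.1, 2222) [9001]
*Aug 8 20:04:21.300: NAT*: s=198.51.100.7, d=120.6.2.1->10.1.1.12 [9001]
"""

PKT = re.compile(r'NAT(\*?): ([io]): (\w+) \(([\d.]+), (\d+)\) -> \(([\d.]+), (\d+)\) \[(\d+)\]')
XLATE = re.compile(r'NAT\*?: s=([\d.]+)(?:->([\d.]+))?, d=([\d.]+)(?:->([\d.]+))? \[(\d+)\]')


def parse(text):
    """Pair each packet line with its translation line (same IP ID) and return one
    dict per translated packet: dir, proto, fast, inside_local, inside_global, outside."""
    pending, flows = {}, []
    for line in text.splitlines():
        m = PKT.search(line)
        if m:
            fast, direction, proto, src, sport, dst, dport, ipid = m.groups()
            pending[ipid] = dict(fast=(fast == '*'), dir=direction, proto=proto,
                                 src=src, sport=int(sport), dst=dst, dport=int(dport))
            continue
        m = XLATE.search(line)
        if m:
            s, s_new, d, d_new, ipid = m.groups()
            p = pending.pop(ipid, None)
            if p is None:
                continue                      # translation line without its packet line
            if p['dir'] == 'i':               # inside -> outside: source was rewritten
                p.update(inside_local=s, inside_global=s_new or s, outside=d)
            else:                             # outside -> inside: destination was rewritten
                p.update(outside=s, inside_global=d, inside_local=d_new or d)
            flows.append(p)
    return flows


def summarize(text):
    """(fast-path packets, process-switched packets,
        set of (proto, inside local, inside global, outside host))."""
    flows = parse(text)
    fast = sum(1 for f in flows if f['fast'])
    xlations = {(f['proto'], f['inside_local'], f['inside_global'], f['outside']) for f in flows}
    return fast, len(flows) - fast, xlations


def outside_initiated(text):
    """Out->In packets with no earlier In->Out packet for the same (proto, inside local,
    outside host): sessions opened from the outside through an existing mapping, which
    dynamic NAT without overload allows (see the Dynamic NAT Configuration N.B.).
    Returns (proto, outside host, inside local, inside global port)."""
    seen, hits = set(), []
    for f in parse(text):
        key = (f['proto'], f['inside_local'], f['outside'])
        if f['dir'] == 'i':
            seen.add(key)
        elif key not in seen:
            hits.append((f['proto'], f['outside'], f['inside_local'], f['dport']))
    return hits
```

On a real router, feed `outside_initiated` the output of a time-boxed `debug ip nat` (with an access-list to limit it, as the `debug ip nat ?` help above shows) rather than an unbounded debug;the check is only as complete as the capture window, since a session opened before the window starts looks outside-initiated too.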
NAT Redundancy
Several scenarios
• 1 Router – 2 Providers
• 2 Routers – 1 Provider
• 2 Routers – 2 Providers – no dedicated public pool
• 2 Routers – 2 Providers – dedicated public pool
[Figures: (1) 1 router – 2 providers: inside 10.0.0.0/8 on Eth0/0, S1/0 to ISP1 (200.1.1.0/24), S2/0 to ISP2 (100.1.1.0/24); (2) 2 routers – 1 provider: NAT1 and NAT2 in front of 10.0.0.0/8 towards 200.1.1.0/24, NAT2 standby; (3) 2 routers – 2 providers, with and without a dedicated public pool.]
NAT Redundancy - SNAT

NAT1 router:
interface Ethernet0/0
 ip nat inside
 standby 1 name HSRP_IN
!
ip nat Stateful id 1
 redundancy HSRP_IN
  mapping-id 10
!
ip nat pool PUB 200.1.2.1 200.1.2.1 prefix-length 24
ip nat inside source list 1 pool PUB mapping-id 10 overload
!
ip route 10.1.1.0 255.255.255.0 200.1.1.3 10
!
access-list 1 permit 10.0.0.0 0.255.255.255

NAT2 router:
interface Ethernet0/0
 ip nat inside
 standby 1 name HSRP_IN
!
ip nat Stateful id 2
 redundancy HSRP_IN
  mapping-id 10
!
ip nat pool PUB 200.1.2.1 200.1.2.1 prefix-length 24
ip nat inside source list 1 pool PUB mapping-id 10 overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
NAT1#debug ip snat
NAT1#debug ip tcp packet
NAT1#
*Aug 6 15:01:05.575: SNAT (snd msg): Add new entry for router-id 2
*Aug 6 15:01:05.575: SNAT (sndmsg): Found Peer to ADD entry
*Aug 6 15:01:05.575: SNAT (write2net): 10.1.1.3 <---> 10.1.1.2 send message
*Aug 6 15:01:05.575: tcp0: O ESTAB 10.1.1.2:44014 10.1.1.3:15555 seq 1259957032 DATA 116 ACK 4243310795 PSH WIN 65024
*Aug 6 15:01:05.607: tcp0: I ESTAB 10.1.1.2:44014 10.1.1.3:15555 seq 4243310795 DATA 116 ACK 1259957032 PSH WIN 64591
*Aug 6 15:01:05.811: tcp0: O ESTAB 10.1.1.2:44014 10.1.1.3:15555 seq 1259957148 ACK 4243310911 WIN 64908
*Aug 6 15:01:05.811: tcp0: I ESTAB 10.1.1.2:44014 10.1.1.3:15555 seq 4243310911 ACK 1259957148 WIN 64475
*Aug 6 15:01:06.359: SNAT (readfromnet 1): There is some pending data on tcp. Value:116

The SNAT peers exchange translation entries over a plain TCP session between their inside addresses (10.1.1.2 <-> 10.1.1.3, port 15555). Nothing in the exchange above authenticates the peer, so the segment carrying the SNAT session has to be treated as trusted: a host able to inject into it could add or withdraw translations on the standby router.
SNAT additional commands
ip nat Stateful id 1
 redundancy HSRP_IN
  protocol udp
  as-queuing disable
interface Ethernet0/0
 standby delay reload <delay>
 standby 1 preempt delay minimum|reload|sync
[Figure: 2 routers – 1 provider. NAT1 and NAT2 share HSRP_IN (10.1.1.1) on the inside (10.0.0.0/8, server 10.1.1.100) and HSRP_OUT (200.1.1.1) on the outside (200.1.1.0/24) towards the Internet.]

NAT2 router:
interface Ethernet0/0
 ip address 10.1.1.3 255.255.255.0
 ip nat inside
 standby 1 ip 10.1.1.1
 standby 1 name HSRP_IN
!
interface Ethernet1/0
 ip address 200.1.1.3 255.255.255.0
 ip nat outside
 standby 2 ip 200.1.1.1
 standby 2 name HSRP_OUT
!
ip nat inside source static 10.1.1.100 200.1.1.100 redundancy HSRP_IN
NAT Redundancy
2 Routers – 1 Provider
NAT1#sh standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Prio P State    Active   Standby     Virtual IP
Et0/0       1    120    Active   local    10.1.1.3    10.1.1.1
Et1/0       2    120    Active   local    200.1.1.3   200.1.1.1
NAT1#
NAT1#sh ip arp
Protocol  Address      Age (min)  Hardware Addr   Type  Interface
Internet  10.1.1.2     -          aabb.cc00.6500  ARPA  Ethernet0/0
Internet  10.1.1.1     -          0000.0c07.ac01  ARPA  Ethernet0/0
Internet  200.1.1.100  -          aabb.cc00.6501  ARPA  Ethernet1/0
Internet  200.1.1.1    -          0000.0c07.ac02  ARPA  Ethernet1/0
Internet  200.1.1.2    -          aabb.cc00.6501  ARPA  Ethernet1/0
NAT1#

NAT1 is the HSRP active router on both groups (0000.0c07.acXX are the HSRP virtual MACs), so the static entry bound to HSRP_IN is active here and 200.1.1.100 is aliased on NAT1's outside interface; on the standby router the entry is present but not used until it takes over.

[Figure: 2 routers – 2 providers – no dedicated public pool. NAT1 (200.1.1.0/24) and NAT2 (ISP2, 100.1.1.0/24) share HSRP_IN/HSRP_OUT in front of 10.0.0.0/8; the outside host is 150.1.1.1. NAT1 appears as an internal host.]
NAT in MPLS/VRF environment
VRF Configuration
• First create the VRFs:
  ip vrf <VRF_name>
   rd <RD_value>
• VRF routing and CEF tables are similar to the global routing and CEF tables, so NAT can be configured within a VRF
• The VRF name must be specified in the NAT commands
• Example:
ip vrf CUST_A
rd 1:1
!
interface ethernet0/0
ip vrf forwarding CUST_A
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface ethernet1/0
ip vrf forwarding CUST_A
ip address 120.16.2.1 255.255.255.0
ip nat outside
!
ip nat inside source static 10.1.1.1 200.1.1.1 vrf CUST_A
N.B.
- "sh ip nat translation" shows all entries (the verbose keyword shows which VRF an entry is bound to)
- This VRF (in-VRF) information is used to know which VRF the inside local IP address belongs to
- The NTD (NAT Translation Database, of which the NAT translation table is only a part) also keeps track of the VRF the outgoing interface belongs to (out-VRF)
- Only packets belonging to that out-VRF (which may be different from the in-VRF) are allowed to use an existing NAT entry
VRF – Packet Leaking
• Packet leaking permits packets from a VRF to reach the global routing table
• Classic packet leaking requires 2 static routes; with NAT only the first one is needed, because NAT takes care of the return path (see the N.B. below):
• a VRF static route which points to a global next-hop, for example:
  ip route vrf CUST_A 0.0.0.0 0.0.0.0 120.6.2.2 global
ip vrf CUST_A
 rd 1:1
!
ip vrf CUST_B
 rd 1:2
!
interface ethernet0/0
 ip vrf forwarding CUST_A
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface ethernet1/0
 ip vrf forwarding CUST_B
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface serial 2/0
 ip address 120.6.2.1 255.255.255.252
 ip nat outside
!
ip route vrf CUST_A 0.0.0.0 0.0.0.0 120.6.2.2 global
ip route vrf CUST_B 0.0.0.0 0.0.0.0 120.6.2.2 global
!
ip nat inside source list 1 interface serial 2/0 vrf CUST_A overload
ip nat inside source list 2 interface serial 2/0 vrf CUST_B overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 10.0.0.0 0.255.255.255

[Figure: E0/0 (IN, CUST_A) and E1/0 (IN, CUST_B) are inside interfaces; S2/0 (OUT, global table) faces the Internet.]

N.B. There is no static route in the global table pointing to a VRF interface for traffic coming back from the Internet. A match is found in the NAT table for the flow and the layer-3 lookup is done in the in-VRF routing table (the in-VRF is stored in the NAT table). There is also a check that the packet arrives from the out-VRF stored in the NTD (here the global table).
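The N.B. on the VRF Configuration slide and the one above describe the same lookup from both directions. The following Python model is an added example rather than IOS code (the class and method names, the port counter and the sample addresses are assumptions): it keeps in-VRF and out-VRF in each entry so that the overlapping 10.1.1.0/24 addresses of CUST_A and CUST_B stay distinct on the way out, and the out-VRF check refuses a return packet that arrives through a different VRF than the one the flow left through:

```python
class NatTranslationDb:
    """Model of the NTD lookups described on this page (added example, not IOS code).

    Each entry stores the in-VRF of the inside local address and the out-VRF of
    the interface the first packet left through; 'global' denotes the global
    routing table. Ports are handed out from a simple counter (an assumption).
    """

    def __init__(self):
        self.entries = {}      # (proto, inside_global, gport) -> entry
        self.next_port = 1024

    def inside_to_outside(self, proto, in_vrf, inside_local, lport,
                          outside, oport, out_vrf, inside_global):
        """Return the inside global port; the same 10.x address in two VRFs is two flows."""
        for (p, _ig, gport), e in self.entries.items():
            if (p, e['in_vrf'], e['inside_local'], e['lport'], e['outside'], e['oport']) == \
                    (proto, in_vrf, inside_local, lport, outside, oport):
                return gport                                   # existing entry
        gport, self.next_port = self.next_port, self.next_port + 1
        self.entries[(proto, inside_global, gport)] = dict(
            in_vrf=in_vrf, inside_local=inside_local, lport=lport,
            outside=outside, oport=oport, out_vrf=out_vrf)
        return gport

    def outside_to_inside(self, proto, arriving_vrf, outside, inside_global, gport):
        """Reverse lookup for a packet arriving on an outside interface in `arriving_vrf`.
        Returns ('forward', in_vrf, inside_local, lport) or ('drop', reason)."""
        e = self.entries.get((proto, inside_global, gport))
        if e is None or e['outside'] != outside:
            return ('drop', 'no translation')
        if e['out_vrf'] != arriving_vrf:
            # out-VRF check: an entry created through the global table cannot be
            # used by a packet arriving in another VRF, even to the same inside global
            return ('drop', 'arrived in %s, entry bound to %s' % (arriving_vrf, e['out_vrf']))
        # the L3 lookup for the inside local address is done in the stored in-VRF
        return ('forward', e['in_vrf'], e['inside_local'], e['lport'])


def packet_leaking_demo():
    """CUST_A and CUST_B both use 10.1.1.0/24 and both overload on serial 2/0 (120.6.2.1).
    Returns the two allocated ports, the reply lookup for CUST_B and a reply that
    arrives through VRF SERVICE instead of the global table."""
    ntd = NatTranslationDb()
    pa = ntd.inside_to_outside('tcp', 'CUST_A', '10.1.1.5', 40000, '150.1.1.1', 80, 'global', '120.6.2.1')
    pb = ntd.inside_to_outside('tcp', 'CUST_B', '10.1.1.5', 40000, '150.1.1.1', 80, 'global', '120.6.2.1')
    reply_b = ntd.outside_to_inside('tcp', 'global', '150.1.1.1', '120.6.2.1', pb)
    wrong_vrf = ntd.outside_to_inside('tcp', 'SERVICE', '150.1.1.1', '120.6.2.1', pa)
    return pa, pb, reply_b, wrong_vrf
```

The port alone is what distinguishes the two 10.1.1.5 hosts on the return path, which is why the in-VRF has to travel with the entry rather than being derived from the destination address.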
NAT VRF – Packet leaking VRF -> VRF
ip vrf CUST_A
 rd 1:1
!
ip vrf CUST_B
 rd 1:2
!
ip vrf SERVICE
 rd 1:3
!
interface ethernet0/0
 ip vrf forwarding CUST_A
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface ethernet1/0
 ip vrf forwarding CUST_B
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface serial 2/0
 ip vrf forwarding SERVICE
 ip address 120.6.2.1 255.255.255.252
 ip nat outside
!
ip route vrf CUST_A 0.0.0.0 0.0.0.0 s2/0 120.6.2.2
ip route vrf CUST_B 0.0.0.0 0.0.0.0 s2/0 120.6.2.2
!
ip nat inside source list 1 interface serial 2/0 vrf CUST_A overload
ip nat inside source list 2 interface serial 2/0 vrf CUST_B overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 10.0.0.0 0.255.255.255

[Figure: E0/0 (IN, CUST_A) and E1/0 (IN, CUST_B) are inside interfaces; S2/0 (OUT, VRF SERVICE) faces the Internet.]

N.B.
• Packets entering via any outside interface can use a static NAT entry (no out-VRF check is possible for a static entry, since it is not created by a packet leaving through a known interface)
• Trying to create the exact same static NAT entry in 2 different VRFs is refused with the message 'similar static NAT entry already exists'
MPLS/VPN - Intro

[Figure: Customer A (10.0.0.0/8) behind CE1 connects through the MPLS core (PE2, CE2); on the PE, serial0/0 faces the MPLS core and FastEthernet1/0 (VRF COMMON) hosts the shared servers on 200.1.1.0/24.]

ip vrf COMMON
 rd 1:3
!
interface serial0/0
 ip address 120.4.2.1 255.255.255.255
 mpls ip
 ip nat inside
!
interface FastEthernet1/0
 ip vrf forwarding COMMON
 ip address 200.1.1.1 255.255.255.0
 ip nat outside
!
router bgp 1
 address-family ipv4 vrf CUST_A
  redistribute static
 address-family ipv4 vrf CUST_B
  redistribute static
!
ip route vrf CUST_A 200.1.1.0 255.255.255.0 FastEthernet1/0 200.1.1.2
ip route vrf CUST_B 200.1.1.0 255.255.255.0 FastEthernet1/0 200.1.1.2
!
ip nat pool COM_POOL 200.1.2.1 200.1.2.3 prefix-length 24
ip nat inside source route-map NAT_COM pool COM_POOL vrf CUST_A overload
ip nat inside source route-map NAT_COM pool COM_POOL vrf CUST_B overload
!
route-map NAT_COM permit 10
 match ip address 101
!
access-list 101 permit ip any 200.1.1.0 0.0.0.255

N.B.
- 200.1.2.0/30 should be known by CE2
- packets back from the servers match existing NAT entries
- a layer-3 lookup is done in the in-VRF, where the labels are found
[Figure: NAT Virtual Interface (NVI). VRF A (E0/0) and VRF B (E1/0) each use 10.1.1.0/24 and each contain a server at 10.1.1.10 (ServerB in VRF B); S2/0 is in the global table towards the Internet, where HostA is 150.1.1.1.]

ip vrf A
 rd 1:1
!
ip vrf B
 rd 1:2
!
interface ethernet0/0
 ip vrf forwarding A
 ip address 10.1.1.1 255.255.255.0
 ip nat enable
!
interface ethernet1/0
 ip vrf forwarding B
 ip address 10.1.1.1 255.255.255.0
 ip nat enable
!
interface serial 2/0
 ip address 200.1.1.1 255.255.255.252
 ip nat enable
!
ip route vrf A 0.0.0.0 0.0.0.0 200.1.1.2 global
ip route vrf B 0.0.0.0 0.0.0.0 200.1.1.2 global
!
ip nat source list 1 interface serial 2/0 vrf A overload
ip nat source list 2 interface serial 2/0 vrf B overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 10.0.0.0 0.255.255.255
Second example: the same configuration, plus a static NVI entry so that ServerB (10.1.1.10 in VRF B) is reachable from the Internet as 200.1.1.10:
ip nat source list 1 interface serial 2/0 vrf A overload
ip nat source list 2 interface serial 2/0 vrf B overload
ip nat source static 10.1.1.10 200.1.1.10 vrf B
Third example: as above, plus a static entry for the outside host, so that server 150.1.1.1 (HostA) is reachable from the VRFs via a private IP (10.1.2.150):
ip nat source list 1 interface serial 2/0 vrf A overload
ip nat source list 2 interface serial 2/0 vrf B overload
ip nat source static 10.1.1.10 200.1.1.10 vrf B
ip nat source static 150.1.1.1 10.1.2.150
NAT NVI – Other Example