Solved

NAT / VRF config issue on Cisco ASR 1002

Posted on 2009-05-18
Last Modified: 2012-05-07
Hi,

I swear this worked the other day, but I cannot get NAT to work on an ASR running VRF's.  I'm trying to NAT the inside IP of 192.168.101.21 to 1.1.1.1 but my outside device shows all packets coming from 192.168.101.21.

If I remove the interfaces from the vrf, make the default route a global one (vice vrf entry) and remove the vrf tag from the ip nat static entry, NAT'ing works.  Why wouldn't it also work when I apply the interfaces to a VRF?


Also, to make it even weirder:
If I configure the router with no vrf's (no interfaces in vrf, no vrf static route or NAT entries) it works.  If I place everything into a vrf it works.  If I save the config and then reboot it doesn't work.  Is there some caching that is taking place that I am not aware of?  

Router#sh run
Building configuration...
 
Current configuration : 1752 bytes
!
no upgrade fpd auto
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
vrf definition vrf-101
 !
 address-family ipv4
 exit-address-family
!
!
no aaa new-model
ip subnet-zero
no ip domain lookup
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
redundancy
 mode none
!
controller T3 0/1/0
 framing c-bit
 cablelength 10
 t1 1 channel-group 0 timeslots 1-24
!
controller T3 0/1/1
 cablelength 224
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 no ip address
 shutdown
 negotiation auto
 no cdp enable
!
interface GigabitEthernet0/0/1
 no ip address
 shutdown
 negotiation auto
 no cdp enable
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
 no cdp enable
!
interface GigabitEthernet0/0/3
 no ip address
 negotiation auto
 no cdp enable
!
interface GigabitEthernet0/0/3.101
 vrf forwarding vrf-101
 encapsulation dot1Q 101
 ip address 192.168.101.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Serial0/1/0/1:0
 vrf forwarding vrf-101
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 no cdp enable
!
ip nat inside source static 192.168.101.21 1.1.1.1 vrf vrf-101
ip classless
ip route vrf vrf-101 0.0.0.0 0.0.0.0 1.1.1.2
!

Question by:Program652
9 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 24422161


What does "show ip nat translations" look like?

harbor235 ;}
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24422264


Try NVI (NAT virtual interface), eliminates the ip nat inside/outside commands;

interface GigabitEthernet0/0/3.101
no ip nat inside
ip nat enable
interface Serial0/1/0/1:0
no ip nat outside
exit

clear ip nat trans *

harbor235 ;}


0
 

Author Comment

by:Program652
ID: 24423629
NVI is not supported in my version of IOS XE (12.2).  It might be in 12.3 and I may try that as well.

Did get an email from my account rep today.  He states that NAT aware VRF's are not supported and will not be until release 2.5.0 comes out in Sept.
0
 

Author Comment

by:Program652
ID: 24423642
Also to answer the question earlier, sh ip nat translations shows what I would expect to see:  inside local, outside local, inside global, outside global as I expect them all.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24424122


Nat translations:

Yah, but do you see the static assignment you specified?

Software support:

not supported, right, verified via feature navigator, not supported.

harbor235 ;}



0
 
LVL 32

Expert Comment

by:harbor235
ID: 24424137


I would love to hear about the ASR, likes, dislikes, problems, etc. ... if you could. If not
I understand.

thank you,

harbor235
harbor235@gmail.com
0
 

Accepted Solution

by:Program652
ID: 25262420
Turned out there was a bug on the ASR's.  Even vanilla NAT did not work; NAT not in a VRF setting.  

Cisco opened an internal TAC case and the latest IOS (12.4) is the ONLY IOS for the ASR that will correctly implement NAT!  Amazing that they had a product line out for almost a year that couldn't do simple NAT.

We've had many buggy issues with the ASR over the past year.

VRF-aware NAT won't be supported until 12.5
0
 
LVL 32

Expert Comment

by:harbor235
ID: 25263044
thanx for the update

harbor235 ;}
0
 

Expert Comment

by:stoutm
ID: 27598228
Program652 -
I'm running into a similar issue. Do you have a TAC case or anything that would help reference something on Cisco's site?

Thanks
0
