Solved

NAT / VRF config issue on Cisco ASR 1002

Posted on 2009-05-18
Last Modified: 2012-05-07
Hi,

I swear this worked the other day, but I cannot get NAT to work on an ASR running VRF's.  I'm trying to NAT the inside IP of 192.168.101.21 to 1.1.1.1 but my outside device shows all packets coming from 192.168.101.21.

If I remove the interfaces from the vrf, make the default route a global one (vice vrf entry) and remove the vrf tag from the ip nat static entry, NAT'ing works.  Why wouldn't it also work when I apply the interfaces to a VRF?


Also, to make it even weirder:
If I configure the router with no vrf's (no interfaces in vrf, no vrf static route or NAT entries) it works.  If I place everything into a vrf it works.  If I save the config and then reboot it doesn't work.  Is there some caching that is taking place that I am not aware of?

Router#sh run
Building configuration...

Current configuration : 1752 bytes
!
no upgrade fpd auto
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
vrf definition vrf-101
 !
 address-family ipv4
 exit-address-family
!
!
no aaa new-model
ip subnet-zero
no ip domain lookup
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
redundancy
 mode none
!
controller T3 0/1/0
 framing c-bit
 cablelength 10
 t1 1 channel-group 0 timeslots 1-24
!
controller T3 0/1/1
 cablelength 224
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 no ip address
 shutdown
 negotiation auto
 no cdp enable
!
interface GigabitEthernet0/0/1
 no ip address
 shutdown
 negotiation auto
 no cdp enable
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
 no cdp enable
!
interface GigabitEthernet0/0/3
 no ip address
 negotiation auto
 no cdp enable
!
interface GigabitEthernet0/0/3.101
 vrf forwarding vrf-101
 encapsulation dot1Q 101
 ip address 192.168.101.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Serial0/1/0/1:0
 vrf forwarding vrf-101
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 no cdp enable
!
ip nat inside source static 192.168.101.21 1.1.1.1 vrf vrf-101
ip classless
ip route vrf vrf-101 0.0.0.0 0.0.0.0 1.1.1.2
!

Question by:Program652
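
A consistency check for the VRF/NAT combination described in the question, as an added example that is not part of the original post: it verifies that each VRF-tagged static NAT rule has an inside interface, an outside interface and a default route in the same VRF. The function names are hypothetical, and the sample is an excerpt of the NAT-relevant lines from the config posted above.

```python
import re

# NAT-relevant lines excerpted from the running config posted in the question.
POSTED = """\
interface GigabitEthernet0/0/3.101
 vrf forwarding vrf-101
 ip nat inside
!
interface Serial0/1/0/1:0
 vrf forwarding vrf-101
 ip nat outside
!
ip nat inside source static 192.168.101.21 1.1.1.1 vrf vrf-101
ip route vrf vrf-101 0.0.0.0 0.0.0.0 1.1.1.2
"""

def parse(config):
    """Return (interfaces, static NAT rules, VRFs that have a default route)."""
    ifaces, rules, routed, cur = {}, [], set(), None
    for line in config.splitlines():
        if not line.strip():
            continue  # tolerate the blank lines left by copy/paste
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces[m.group(1)] = {"vrf": None, "nat": None}
        elif line.startswith(" ") and cur is not None:
            if m := re.match(r" (?:ip )?vrf forwarding (\S+)", line):
                cur["vrf"] = m.group(1)
            elif m := re.match(r" ip nat (inside|outside)\s*$", line):
                cur["nat"] = m.group(1)
        else:
            cur = None  # back at global configuration level
            if m := re.match(r"ip nat inside source static (\S+) (\S+)(?: vrf (\S+))?", line):
                rules.append(m.groups())
            elif m := re.match(r"ip route(?: vrf (\S+))? 0\.0\.0\.0 0\.0\.0\.0 ", line):
                routed.add(m.group(1))  # None stands for the global table
    return ifaces, rules, routed

def audit(config):
    """List the ways a static NAT rule disagrees with interface and route VRFs."""
    ifaces, rules, routed = parse(config)
    findings = []
    for local, glob, vrf in rules:
        scope = vrf or "global"
        for role in ("inside", "outside"):
            if not any(i["nat"] == role and i["vrf"] == vrf for i in ifaces.values()):
                findings.append(f"{local}->{glob}: no 'ip nat {role}' interface in {scope}")
        if vrf not in routed:
            findings.append(f"{local}->{glob}: no default route in {scope}")
    return findings
```

audit(POSTED) returns an empty list, so the posted configuration is internally consistent. Removing the two "vrf forwarding" lines while leaving the rule VRF-tagged produces two findings, one per NAT role.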

Expert Comment

by:harbor235

What does "show ip nat translations" look like?

harbor235 ;}

Expert Comment

by:harbor235


Try NVI (NAT virtual interface), eliminates the ip nat inside/outside commands;

interface GigabitEthernet0/0/3.101
 no ip nat inside
 ip nat enable
interface Serial0/1/0/1:0
 no ip nat outside
 ! NVI needs ip nat enable on every interface that takes part in NAT
 ip nat enable
exit

clear ip nat trans *

harbor235 ;}



Author Comment

by:Program652
NVI is not supported in my version of IOS XE (12.2).  It might be in 12.3 and I may try that as well.

Did get an email from my account rep today.  He states that NAT aware VRF's are not supported and will not be until release 2.5.0 comes out in Sept.

Author Comment

by:Program652
Also to answer the question earlier, sh ip nat translations shows what I would expect to see:  inside local, outside local, inside global, outside global as I expect them all.

Expert Comment

by:harbor235


Nat translations:

Yah, but do you see the static assignment you specified?

Software support:

not supported, right, verified via feature navigator, not supported.

harbor235 ;}




Expert Comment

by:harbor235


I would love to hear about the ASR, likes dislikes, problems, etc .... if you could. If not I understand.

thank you,

harbor235
harbor235@gmail.com

Accepted Solution

by:Program652
Turned out there was a bug on the ASR's.  Even vanilla NAT did not work; NAT not in a VRF setting.  

Cisco opened an internal TAC case and the latest IOS (12.4) is the ONLY IOS for the ASR that will correctly implement NAT!  Amazing that they had a product line out for almost a year that couldn't do simple NAT.

We've had many buggy issues with the ASR over the past year.

VRF-aware NAT won't be supported until 12.5

Expert Comment

by:harbor235
thanx for the update

harbor235 ;}

Expert Comment

by:stoutm
Program652 -
I'm running into a similar issue. Do you have a TAC case or anything that would help reference something on Cisco's site?

Thanks