Solved

NAT / VRF config issue on Cisco ASR 1002

Posted on 2009-05-18
Last Modified: 2012-05-07
Hi,

I swear this worked the other day, but I cannot get NAT to work on an ASR running VRF's.  I'm trying to NAT the inside IP of 192.168.101.21 to 1.1.1.1 but my outside device shows all packets coming from 192.168.101.21.

If I remove the interfaces from the vrf, make the default route a global one (vice vrf entry) and remove the vrf tag from the ip nat static entry, NAT'ing works.  Why wouldn't it also work when I apply the interfaces to a VRF?


Also, to make it even weirder:
If I configure the router with no vrf's (no interfaces in vrf, no vrf static route or NAT entries) it works.  If I place everything into a vrf it works.  If I save the config and then reboot it doesn't work.  Is there some caching that is taking place that I am not aware of?

Router#sh run
Building configuration...

Current configuration : 1752 bytes
!
no upgrade fpd auto
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
vrf definition vrf-101
 !
 address-family ipv4
 exit-address-family
!
!
no aaa new-model
ip subnet-zero
no ip domain lookup
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
redundancy
 mode none
!
controller T3 0/1/0
 framing c-bit
 cablelength 10
 t1 1 channel-group 0 timeslots 1-24
!
controller T3 0/1/1
 cablelength 224
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 no ip address
 shutdown
 negotiation auto
 no cdp enable
!
interface GigabitEthernet0/0/1
 no ip address
 shutdown
 negotiation auto
 no cdp enable
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
 no cdp enable
!
interface GigabitEthernet0/0/3
 no ip address
 negotiation auto
 no cdp enable
!
interface GigabitEthernet0/0/3.101
 vrf forwarding vrf-101
 encapsulation dot1Q 101
 ip address 192.168.101.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Serial0/1/0/1:0
 vrf forwarding vrf-101
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 no cdp enable
!
ip nat inside source static 192.168.101.21 1.1.1.1 vrf vrf-101
ip classless
ip route vrf vrf-101 0.0.0.0 0.0.0.0 1.1.1.2
!

Question by:Program652
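
The question above turns on whether the `vrf` tag of the static NAT entry agrees with the VRF membership of the `ip nat inside` and `ip nat outside` interfaces. The following is an added example, not part of the original posts: a small Python check of that consistency, run over a constructed excerpt of the posted configuration. The function names are hypothetical, and the check covers configuration consistency only, not platform or software support for the feature.

```python
import re

# Constructed sample: the NAT-relevant lines of the configuration posted above.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/3.101
 vrf forwarding vrf-101
 ip nat inside
!
interface Serial0/1/0/1:0
 vrf forwarding vrf-101
 ip nat outside
!
ip nat inside source static 192.168.101.21 1.1.1.1 vrf vrf-101
"""

STATIC_RE = re.compile(
    r"^ip nat inside source static (\S+) (\S+)(?: vrf (\S+))?\s*$")

def parse_interfaces(config):
    """Return {interface: {"vrf": name or None, "nat": "inside"/"outside"/None}}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1].strip()
            current = interfaces.setdefault(name, {"vrf": None, "nat": None})
        elif not line.startswith(" "):
            current = None  # any unindented line ends the interface block
        elif current is not None:
            words = line.split()
            if len(words) == 3 and words[:2] == ["vrf", "forwarding"]:
                current["vrf"] = words[2]
            elif words in (["ip", "nat", "inside"], ["ip", "nat", "outside"]):
                current["nat"] = words[2]
    return interfaces

def check_static_nat(config):
    """List static NAT entries whose VRF lacks an inside or an outside interface."""
    interfaces = parse_interfaces(config)
    findings = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if not m:
            continue
        local, global_ip, vrf = m.groups()
        scope = "vrf " + vrf if vrf else "the global table"
        for side in ("inside", "outside"):
            if not any(i["vrf"] == vrf and i["nat"] == side for i in interfaces.values()):
                findings.append(f"{local}->{global_ip}: no 'ip nat {side}' interface in {scope}")
    return findings
```

An empty result for the posted configuration means the VRF tagging is internally consistent, which points away from a configuration error.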
 
LVL 32

Expert Comment

by:harbor235
ID: 24422161


What does "show ip nat translations" look like?

harbor235 ;}
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24422264


Try NVI (NAT virtual interface), eliminates the ip nat inside/outside commands;

interface GigabitEthernet0/0/3.101
no ip nat inside
ip nat enable
interface Serial0/1/0/1:0
no ip nat outside
exit

clear ip nat trans *

harbor235 ;}


0
 

Author Comment

by:Program652
ID: 24423629
NVI is not supported in my version of IOS XE (12.2).  It might be in 12.3 and I may try that as well.

Did get an email from my account rep today.  He states that NAT aware VRF's are not supported and will not be until release 2.5.0 comes out in Sept.
0
 

Author Comment

by:Program652
ID: 24423642
Also to answer the question earlier, sh ip nat translations shows what I would expect to see:  inside local, outside local, inside global, outside global as I expect them all.
0

 
LVL 32

Expert Comment

by:harbor235
ID: 24424122


Nat translations:

Yah, but do you see the static assignment you specified ?

Software support:

not supported, right, verified via feature navigator, not supported.

harbor235 ;}



0
 
LVL 32

Expert Comment

by:harbor235
ID: 24424137


I would love to hear about the ASR, likes, dislikes, problems, etc. if you could. If not,
I understand.

thank you,

harbor235
harbor235@gmail.com
0
 

Accepted Solution

by:
Program652 earned 0 total points
ID: 25262420
Turned out there was a bug on the ASR's.  Even vanilla NAT did not work; NAT not in a VRF setting.  

Cisco opened an internal TAC case and the latest IOS (12.4) is the ONLY IOS for the ASR that will correctly implement NAT!  Amazing that they had a product line out for almost a year that couldn't do simple NAT.

We've had many buggy issues with the ASR over the past year.

VRF-aware NAT won't be supported until 12.5
0
 
LVL 32

Expert Comment

by:harbor235
ID: 25263044
thanx for the update

harbor235 ;}
0
 

Expert Comment

by:stoutm
ID: 27598228
Program652 -
I'm running into a similar issue. Do you have a TAC case or anything that would help reference something on Cisco's site?

Thanks
0
