Nat – IOS – Nat from a VRF to WAN interface in global routing table

cisco-iosnat;vrf

Trying to get my head round how best to achieve the above

In essence we have s speed test server that is available in the CPE's global routing table , that we would like the customer in VRF X to test against , however due to the
fact that customer X is using RFC1918 in their VRF we want to nat all LAN traffic destined to the speed server only via the WAN address ( with is public) located in global table.

CPE's are ISR (881,19×1,29×1) running 15.1.4M6

Also due to the fact that we want to use this to test the speed to the broadband circuit I would if possible like to reduce the Nat effect on the cpu , but that’s is not the primary objective. in summary I am looking for a way to share the server with numerous mpls VRF that have overlapping RFC1918 addressing.

is this on the right track ?

ip nat inside source list <ACL_LAN> interface <WAN_INT> vrf <vrf-name> overload
ip route vrf <vrf-name>  <server-ip> 255.255.255.255 <Global-WAN-nexthop>

Best Answer

Summary

is this on the right track?

Yes... very similar to the link in the comment... As you mentioned, you only need to do two things...

Configure NAT overload on the global interface
Put a static route in the VRF for the speed test server...

Details

Assume your speed test server is at 172.16.10.5... and you're trying to ping it from a CE switch in VRF01.

  To Speed Test Server
  (172.16.10.5, NH 172.16.1.1)
   <-------

Fa0/0 (global table) +-----+ Fa1/0 (VRF01)             Fa0/17 +-----+
        172.16.1.200 |     | 192.0.2.1/24      192.0.2.100/24 |     |
---------------------| PE1 |----------------------------------| CE1 |
                     |     |                                  |     |
                     +-----+                                  +-----+

PE1's Config

!!! PE1 Config
!
hostname PE1
!
ip vrf VRF01
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
interface FastEthernet0/0
 description global table interface
 ip address 172.16.1.200 255.255.255.0
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
!
!
interface FastEthernet1/0
 ip vrf forwarding VRF01
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
ip route vrf VRF01 172.16.10.5 255.255.255.255 172.16.1.1 global
!
!! Insert other PE1 global routing configs

CE1's config

!!! CE1 Config
!
hostname CE1
!
interface FastEthernet0/17
 switchport access vlan 11
 switchport mode access
 switchport nonegotiate
!
!
interface Vlan11
 ip address 192.0.2.100 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1

Ping proof...

CE1#ping 172.16.10.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
CE1#

NAT entry...

PE1#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.16.1.200:3    192.0.2.100:3      172.16.10.5:3      172.16.10.5:3
PE1#

Related Solutions

Cisco – Policy Based Routing for VPN connections with VPN Client configuration

You can simply append the ACL "REDIRECT-VIA-FAST-WAN" to route IPSEC traffic out your "fast wan" interface.

ip access-list extended REDIRECT-VIA-FAST-WAN
deny   tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
permit tcp host 10.10.0.43 eq 443 9675 any
permit ahp any any
permit esp any any

Or if your router does not have the "ahp" and "esp" options for an extended ACL, you can simply add in the specific ports that the ipsec client tunnels over, namely UDP ports 500, 10000, and 4500, and also TCP 4500 for good measure.

ip access-list extended REDIRECT-VIA-FAST-WAN
deny   tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
permit tcp host 10.10.0.43 eq 443 9675 any
permit udp any any eq 500
permit udp any any eq 10000
permit udp any any eq 4500
permit tcp any any eq 4500

You may also have to append your "PERMIT-MNG" ACL to allow outbound IPSEC traffic (depending on what that ACL is configured to do) but you stripped it out of the running config so I can not fully comment on that.

VRF Route with Global IP as the Next Hop

I got it working(with guidance of my colleague), please have a look at the configs, note that there is a minor change in the ip(replace 192 with 172), replace 1.0.1.1 with 100.0.0.1; and f0/1 is replaced with subinterfaces. Below are the working configs of my lab in GNS3.

On R1:

R1#ter len 0
R1#
R1#
R1#
R1#
R1#sho run
Building configuration...

Current configuration : 1076 bytes
!
! Last configuration change at 16:46:26 UTC Thu May 25 2017
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
no ip domain lookup
ip domain name lab.local
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 100.0.0.1 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex full
!
interface FastEthernet1/0
 ip address 172.16.1.14 255.255.255.252
 ip ospf 1 area 0
 speed auto
 duplex auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 speed auto
 duplex auto
!
router ospf 1
 network 100.0.0.1 0.0.0.0 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.1.13
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
!
end

R1#

On R2:

R2#sho run
Building configuration...

Current configuration : 1697 bytes
!
! Last configuration change at 16:48:08 UTC Thu May 25 2017
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
vrf definition TEST
 rd 2:1
 !
 address-family ipv4
 exit-address-family
!
!
no aaa new-model
!
!
!
!
!
!
no ip domain lookup
ip domain name lab.local
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex full
!
interface FastEthernet1/0
 ip address 172.16.2.9 255.255.255.252
 speed auto
 duplex auto
!
interface FastEthernet1/1
 no ip address
 speed auto
 duplex auto
!
interface FastEthernet1/1.2000
 encapsulation dot1Q 2000
 vrf forwarding TEST
 ip address 172.16.1.9 255.255.255.252
!
interface FastEthernet2/0
 ip address 172.16.1.13 255.255.255.252
 ip ospf 1 area 0
 speed auto
 duplex auto
!
interface FastEthernet2/1
 no ip address
 shutdown
 speed auto
 duplex auto
!
router ospf 1
!
router bgp 65002
 bgp log-neighbor-changes
 neighbor 172.16.2.10 remote-as 65003
 !
 address-family ipv4
  redistribute ospf 1
  neighbor 172.16.2.10 activate
 exit-address-family
 !
 address-family ipv4 vrf TEST
  neighbor 172.16.1.10 remote-as 65003
  neighbor 172.16.1.10 activate
  neighbor 172.16.1.10 allowas-in
 exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 172.16.1.8 255.255.255.252 FastEthernet1/1.2000
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
!
end

R2#

On R3:

R3#ter len 0
R3#sho run
Building configuration...

Current configuration : 1567 bytes
!
! Last configuration change at 16:23:00 UTC Thu May 25 2017
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
vrf definition TEST
 rd 3:1
 !
 address-family ipv4
  import ipv4 unicast map GLOBAL_TO_VRF
 exit-address-family
!
!
no aaa new-model
!
!
!
!
!
!
no ip domain lookup
ip domain name lab.local
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex full
!
interface FastEthernet1/0
 ip address 172.16.2.10 255.255.255.252
 speed auto
 duplex auto
!
interface FastEthernet1/1
 no ip address
 speed auto
 duplex auto
!
interface FastEthernet1/1.2000
 encapsulation dot1Q 2000
 vrf forwarding TEST
 ip address 172.16.1.10 255.255.255.252
!
router bgp 65003
 bgp log-neighbor-changes
 neighbor 172.16.2.9 remote-as 65002
 !
 address-family ipv4
  neighbor 172.16.2.9 activate
 exit-address-family
 !
 address-family ipv4 vrf TEST
  neighbor 172.16.1.9 remote-as 65002
  neighbor 172.16.1.9 activate
 exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route vrf TEST 172.16.2.8 255.255.255.252 172.16.2.9 global
!
access-list 10 permit any log
!
route-map GLOBAL_TO_VRF permit 10
 match ip address 10
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
!
end

R3#

Verification:

R2#ping vrf TEST 100.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/60/68 ms
R2#