Folks,

Long time no see! I'm back on c-nsp after a long hiatus with a question.

I'm having trouble getting NAT to work in IOS on some CEs (2821 and 3925 running 15). The site has a VRF for guest traffic and uses the default VRF for corporate traffic. Previously they had a 3rd-party firewall between the PE and CE that did NAT for corp traffic on the Inside and NAT for guest on a DMZ interface. Basic setup. The 3rd-party firewall is gone now and we're trying to do all NAT and firewall functionality in the site router that also connects them to their MPLS WAN. The guest VRF only needs Internet access; there isn't a need to allow access between the VRFs other than to the Internet. Basic guest setup.

I've gone through a number of config iterations here and can't get everything to work at the same time. I'm leaking a default route into the guest VRF pointed at the PE-facing CE interface with the next-hop being the PE. I have a NAT pool for guest, an ACL that matches all guest traffic, and then I use both the pool and ACL in a NAT overload statement for the PE-facing interface. That works fine.

ip vrf guest-vrf
 rd 100:100
!
interface GigabitEthernet0/0
 description TO PE
 ip address aa.bb.cc.230 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex full
 speed 100
!

interface GigabitEthernet0/1.910
 description Wired Guest
 encapsulation dot1Q 910
 ip vrf forwarding guest-vrf
 ip address 10.5.1.129 255.255.255.128
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.911
 description Wireless Guest
 encapsulation dot1Q 911
 ip vrf forwarding guest-vrf
 ip address 10.5.2.1 255.255.254.0
 ip nat inside
 ip virtual-reassembly in
!
ip nat pool guest-nat-pool aa.bb.cc.230 aa.bb.cc.230 prefix-length 30
ip nat inside source list nonat0_guest-vrf pool guest-nat-pool vrf guest-vrf overload
!
ip route vrf guest-vrf 0.0.0.0 0.0.0.0 GigabitEthernet0/0 aa.bb.cc.229
!
ip access-list extended nonat0_guest-vrf
 permit ip 10.5.0.0 0.0.255.255 any
!

That works fine. I've expanded upon that with a second NAT pool for corp traffic (using the same IP), another ACL that matches the local corp subnets to ANY (since I'm NATting all traffic that traverses that interface, vs. a NoNAT) and then another overload NAT statement for the same interface. I added the nat inside lines to the corp L3 interfaces and made sure the default route in the default VRF pointed to the PE. Guest still worked, but only ICMP on corp traffic worked.

Any suggestions? This should be a relatively simple setup and for some reason I can't get it to work. I.e., NAT the default VRF and guest VRF to allow Internet access from both with the Internet edge being in the default VRF. I hate to rejoin the mailing list with a question on my mind, but that's where I'm at today. Any tips would be much appreciated.

Thanks
  Justin
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
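The following is an added illustration, not the poster's config and not a reply from the list. It writes out the two-VRF setup the post describes in prose (guest traffic in guest-vrf, corporate traffic in the global table, both translated onto the single PE-facing address) as one config so the pieces can be compared side by side. The guest-side names, addresses and ACL are copied from the post; the corp VLAN (10), corp subnet (10.1.0.0/16), and the ACL name nat0_corp are assumptions. For the corp translation it uses the `interface ... overload` form instead of a second one-address pool; that is a standard IOS form, but nothing on this page establishes that it behaves differently from the pool form in the poster's case.

```ios
! Added example config (not from the post). Assumed: corp VLAN 10, corp
! subnet 10.1.0.0/16, ACL name nat0_corp. Guest-side items are from the post.
!
ip vrf guest-vrf
 rd 100:100
!
! Single Internet/WAN-facing interface in the global (default) VRF.
! It is the NAT outside interface for BOTH the global table and guest-vrf.
interface GigabitEthernet0/0
 description TO PE
 ip address aa.bb.cc.230 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
!
! Corp L3 interface: stays in the global VRF (assumed VLAN and subnet).
interface GigabitEthernet0/1.10
 description Corp users (assumed)
 encapsulation dot1Q 10
 ip address 10.1.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
! Guest L3 interfaces, as in the post, placed in guest-vrf.
interface GigabitEthernet0/1.910
 description Wired Guest
 encapsulation dot1Q 910
 ip vrf forwarding guest-vrf
 ip address 10.5.1.129 255.255.255.128
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.911
 description Wireless Guest
 encapsulation dot1Q 911
 ip vrf forwarding guest-vrf
 ip address 10.5.2.1 255.255.254.0
 ip nat inside
 ip virtual-reassembly in
!
! Guest: one-address pool built from the outside interface address,
! translated for sources in guest-vrf (this is the post's working statement).
ip nat pool guest-nat-pool aa.bb.cc.230 aa.bb.cc.230 prefix-length 30
ip nat inside source list nonat0_guest-vrf pool guest-nat-pool vrf guest-vrf overload
!
! Corp: global-table sources overloaded directly onto the outside interface
! address. Same public address as the guest pool, different source table.
ip nat inside source list nat0_corp interface GigabitEthernet0/0 overload
!
! Default routes: global table to the PE; guest-vrf leaks a default that exits
! via the global-VRF interface with the PE as next hop. Because guest-vrf holds
! no other routes, guest hosts can only reach destinations via that default.
ip route 0.0.0.0 0.0.0.0 aa.bb.cc.229
ip route vrf guest-vrf 0.0.0.0 0.0.0.0 GigabitEthernet0/0 aa.bb.cc.229
!
! Translation ACLs: match the local sources to any destination.
ip access-list extended nat0_corp
 permit ip 10.1.0.0 0.0.255.255 any
!
ip access-list extended nonat0_guest-vrf
 permit ip 10.5.0.0 0.0.255.255 any
!
```

Two things a practitioner would check when corp ICMP works but TCP/UDP does not: first, `show ip nat translations` (and `show ip nat translations vrf guest-vrf`) while a corp host has a TCP session open, to see whether a translation entry is created at all and which inside/outside pair it shows; second, `show ip nat statistics` for hit and miss counters per translation rule, with `debug ip nat detailed` on a lab box if the counters alone do not explain it. On the isolation side, note that the `permit ip ... any` ACLs only decide what gets translated; what keeps guest traffic away from corp is that guest-vrf's routing table contains nothing but the leaked default, so any routes added to guest-vrf later (or a second leak) need to be reviewed with that in mind.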
