Hi Justin, I have almost exactly the same setup but it works fine with me. You also have a default route for both the guest-vrf and the global routing table? You mentioned using the IOS Firewall but I do not see any zone-member commands in your config snippet. Or have you not yet enabled ZBFW?
Relevant parts of my working config:

ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip nat inside source list 199 interface GigabitEthernet0/0 vrf VRF_Guest overload
ip route 0.0.0.0 0.0.0.0 aa.bb.cc.37
ip route vrf VRF_Guest 0.0.0.0 0.0.0.0 aa.bb.cc.37 global permanent name ISP_GW

I am running 15.1.4(M5).

Kind regards
Nasir

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Justin Shore
Sent: Thursday 3 January 2013 17:45
To: Cisco-nsp
Subject: [c-nsp] NATing guest VRF and default VRF on edge router

Folks,

Long time no see! I'm back on c-nsp after a long hiatus with a question.

I'm having trouble getting NAT to work in IOS on some CEs (2821 and 3925 running 15). The site has a VRF for guest traffic and uses the default VRF for corporate traffic. Previously they had a 3rd-party firewall between the PE and CE that did NAT for corp traffic on the Inside and NAT for guest on a DMZ interface. Basic setup. The 3rd-party firewall is gone now and we're trying to do all NAT and firewall functionality in the site router that also connects them to their MPLS WAN. The guest VRF only needs Internet access; there isn't a need to allow access between the VRFs other than to the Internet. Basic guest setup.

I've gone through a number of config iterations here and can't get everything to work at the same time. I'm leaking a default route into the guest VRF pointed at the PE-facing CE interface with the next-hop being the PE. I have a NAT pool for guest, an ACL that matches all guest traffic, and then I use both the pool and ACL in a NAT overload statement for the PE-facing interface. That works fine.

ip vrf guest-vrf
 rd 100:100
!
interface GigabitEthernet0/0
 description TO PE
 ip address aa.bb.cc.230 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex full
 speed 100
!
interface GigabitEthernet0/1.910
 description Wired Guest
 encapsulation dot1Q 910
 ip vrf forwarding guest-vrf
 ip address 10.5.1.129 255.255.255.128
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.911
 description Wireless Guest
 encapsulation dot1Q 911
 ip vrf forwarding guest-vrf
 ip address 10.5.2.1 255.255.254.0
 ip nat inside
 ip virtual-reassembly in
!
ip nat pool guest-nat-pool aa.bb.cc.230 aa.bb.cc.230 prefix-length 30
ip nat inside source list nonat0_guest-vrf pool guest-nat-pool vrf guest-vrf overload
!
ip route vrf guest-vrf 0.0.0.0 0.0.0.0 GigabitEthernet0/0 aa.bb.cc.229
!
ip access-list extended nonat0_guest-vrf
 permit ip 10.5.0.0 0.0.255.255 any
!

That works fine. I've expanded upon that with a 2nd NAT pool for corp traffic (using the same IP), another ACL that matches the local corp subnets to ANY (since I'm NATing all traffic that traverses that interface, vs a NoNAT) and then another overload NAT statement for the same interface. I added the nat inside lines to the corp L3 interfaces and made sure the default route in the default VRF pointed to the PE. Guest still worked but only ICMPs on corp traffic worked.

Any suggestions? This should be a relatively simple setup and for some reason I can't get it to work. I.e., NAT the default VRF and guest VRF to allow Internet access from both with the Internet edge being in the default VRF. I hate to rejoin the mailing list with a question on my mind but that's where I'm at today. Any tips would be much appreciated.

Thanks
Justin

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
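The two-table NAT pattern Nasir's reply describes, written out as one consolidated IOS config. This is an added illustration, not either poster's running config: the contents of ACLs 101 and 199, the corporate subinterface GigabitEthernet0/1.10, the corporate prefix 10.1.0.0/16 and the PE next hop aa.bb.cc.229 are assumptions.

```ios
! Added example: corporate traffic in the global table and guest traffic in
! VRF_Guest both NATed to the same PE-facing interface address.
ip vrf VRF_Guest
 rd 100:100
!
interface GigabitEthernet0/0
 description TO PE (global table; NAT outside for both the global table and VRF_Guest)
 ip address aa.bb.cc.230 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1.10
 description Corporate LAN (assumed; stays in the global table)
 encapsulation dot1Q 10
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1.910
 description Wired Guest
 encapsulation dot1Q 910
 ip vrf forwarding VRF_Guest
 ip address 10.5.1.129 255.255.255.128
 ip nat inside
!
! Assumed ACL contents: one list per routing table, each matching only its own
! inside prefixes so a corporate source can never match the guest NAT rule and
! vice versa.
access-list 101 permit ip 10.1.0.0 0.0.255.255 any
access-list 199 permit ip 10.5.0.0 0.0.255.255 any
!
! Two overload rules on the same outside interface. The first has no vrf keyword
! and serves the global table; the "vrf VRF_Guest" keyword ties the second to
! the guest table, so translation state is kept per table.
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip nat inside source list 199 interface GigabitEthernet0/0 vrf VRF_Guest overload
!
! Each table needs its own default route toward the PE. The "global" keyword
! resolves the VRF_Guest next hop in the global table (the only leak into the
! guest VRF); VRF_Guest carries no route to corporate prefixes.
ip route 0.0.0.0 0.0.0.0 aa.bb.cc.229
ip route vrf VRF_Guest 0.0.0.0 0.0.0.0 aa.bb.cc.229 global
```

To confirm the guest table is actually translating rather than only passing ICMP, check `show ip nat translations vrf VRF_Guest` while a TCP session from a guest host is open, and `show ip route vrf VRF_Guest 0.0.0.0` to verify the leaked default resolves to GigabitEthernet0/0.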
