Conditional static NAT on VRF

Hi all,

I need help,

Do you know how to do conditional static NAT on a VRF?

I want to do this:

- Client A connects to Server A without destination NAT

- Client B connects to Server B with destination NAT

I have done this configuration but it doesn't work (all flows are NATed):

AH2_RAPP_00S401_02C6509#show running-config
Building configuration...

Current configuration : 101 bytes
!
interface Vlan12
 ip vrf forwarding VRF-B
 ip address 10.0.12.2 255.255.255.0
 ip nat outside
!
interface Vlan16
 ip vrf forwarding VRF-B
 ip address 10.0.16.2 255.255.255.0
 ip nat inside
!

ip nat inside source static 10.0.17.2 10.0.17.3 route-map RMAP_123 extendable

!
route-map RMAP_123 permit 10
 match ip address 123
!

access-list 123 permit tcp host 10.0.5.2 host 10.0.17.3 eq www
access-list 123 deny   ip any any

!

The problem with this configuration is that all flows are NATed.


Thank you very much for your insight and your help.

Best Regards.

Comments

  • I think you should review your NAT statement, since it's missing the vrf keyword, which is needed if you are doing VRF-aware NAT.


  • Hi,

    It doesn't work either.

    I think that it's because there is a static entry in the NAT translation table:

    R1#show ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    --- 10.0.17.3           10.0.17.2          ---                ---
    R1#


    So the route-map and access-list are not used.

    Does someone know how to do this type of destination NAT?

    Thank you very much for your help.

    Best Regards


  • Any idea?

    I have searched on the Cisco web site but I haven't found anything.

    Regards.

    Nabs

  • Hi,

    Your flows all have a source address of 10.0.5.2 and none has an SA of 10.1.1.1, which is for client A.

    Second, I've not used "ip nat inside source static" with a route-map, but shouldn't it be "ip nat inside source static {inside local} {outside global}" or "ip nat inside source static route-map RMAP_123 10.0.17.2"?

  • Hi,

    Unfortunately the command ip nat inside source static route-map doesn't exist:

    R2(config)#ip nat inside source static ?
      A.B.C.D      Inside local IP address
      esp           IPSec-ESP (Tunnel mode) support
      network     Subnet translation
      tcp            Transmission Control Protocol
      udp           User Datagram Protocol

    Do you think that it depends on my IOS? I don't think so, but I am not sure.


    You are right about the flow diagram. I have modified it:


    Best Regards.

  • It appears your NAT is for SVI traffic on certain VLANs, but the SVI IPs don't match any of the client IPs. Do you have "ip nat inside" or "ip nat outside" statements on any physical interface, and are the clients configured into access VLANs? How about you try to use an outside global that is on the 10.1.17.0 network, like .254, e.g. "ip nat inside source static 10.0.5.2 10.0.17.254", since that will NAT only client B specifically to an IP in server B's network, and server B would know the return path because the 10.1.17 network is directly connected and via its default gateway.

  • Hi,

    This is not what I want to do.

    This is my purpose:

    I have a lot of clients on the outside global network that access only one IP address (10.0.17.3).
    I want to redirect some clients to 10.0.17.2 when they try to access 10.0.17.3, without changing anything on the client side.
    That is why I want to try to do policy NAT on the ip nat outside interface.

    Best Regards

    Nabs

  • Considering you want to manipulate the destination, try "ip nat inside destination list X pool Y" where list X matches traffic sourced from client A going to server B (10.0.17.3) and the pool has only 10.0.17.2 so when the nat sees a match on the inside interface it changes the destination to 10.0.17.2. 

  • Hi,

    This works fine if the "ip nat inside" interface is on the client side.

    On my architecture the "ip nat inside" interface is on the server side and the "ip nat outside" interface is on the client side, so "ip nat inside destination list X pool Y" doesn't work with my design.

    Best Regards.

    Nabs

  • Did you try it and it didn't work? It's the same kind of thing done with TCP NAT load balancing. Check out http://ccietobe.blogspot.com/2009/02/tcp-load-balancing-destination-nat.html. Here he's load balancing traffic from the outside to 3 routers (or servers) on the inside, and the client is on the outside while the servers are on the inside.

  • Hi,

    I have tried it and it doesn't work.

    Regards

  • I would like to lab up your scenario; maybe I could learn a thing or two. Could you give me a good topology and VRF requirements (if there are any) as well as who talks to whom, so I can try it in my mini lab.

    Thanks.

  • Hi,

    Like me, if you want, you can try with this little topology without VRF:


    These are the flows that I expect to have:

    When src=10.1.1.1 pings dst=10.0.12.2, R2 NATs the dst to 20.1.1.1.

    When src=10.0.5.2 pings dst=10.0.12.2, R2 forwards the packet without NAT.

    Regards

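    To make the intended policy checkable flow by flow, here is an added example that is not part of the thread and not IOS code: a small Python model of the conditional destination NAT being discussed, for both the original post's configuration (ACL 123 with the 10.0.17.2 / 10.0.17.3 static mapping) and the VRF-less ICMP topology above. It reproduces IOS extended-ACL selection semantics (first match wins, implicit deny, "host"/"any"/wildcard addresses, "eq <port>") and rewrites the destination only for flows the ACL permits. It does not model the real IOS NAT order of operations, which is exactly the behaviour the thread is unable to obtain; the ACL 124 used for the ping topology is an assumption, since the post only gives the two flows.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords IOS accepts after "eq"; only the few this example needs.
PORT_KEYWORDS = {"www": 80, "ftp": 21, "telnet": 23, "domain": 53}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any transport protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]       # None unless the entry carries "eq <port>"


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # IOS wildcard masks are inverted subnet masks: 0.0.0.255 -> /24
    netmask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse numbered extended ACL lines of the shape used in the thread:
    access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>]"""
    aces = []
    for line in lines:
        t = line.split()
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            port = t[i + 1]
            dport = PORT_KEYWORDS[port] if port in PORT_KEYWORDS else int(port)
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def acl_permits(aces: List[Ace], flow: Flow) -> bool:
    """First matching entry wins; no match means the implicit deny applies."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action == "permit"
    return False


def apply_destination_nat(flow: Flow, aces: List[Ace],
                          inside_local: str, inside_global: str) -> Flow:
    """Model of the wanted behaviour: a packet arriving from the outside and
    addressed to the inside-global address gets its destination rewritten to
    the inside-local address only when the route-map's ACL permits the flow;
    every other packet is forwarded untouched."""
    if flow.dst == inside_global and acl_permits(aces, flow):
        return Flow(flow.src, inside_local, flow.proto, flow.dport)
    return flow


# Configuration from the original post (ACL text copied from the thread).
ACL_123 = parse_acl([
    "access-list 123 permit tcp host 10.0.5.2 host 10.0.17.3 eq www",
    "access-list 123 deny   ip any any",
])


def original_post_policy(flow: Flow) -> Flow:
    # "ip nat inside source static 10.0.17.2 10.0.17.3 route-map RMAP_123"
    return apply_destination_nat(flow, ACL_123, "10.0.17.2", "10.0.17.3")


# VRF-less ping topology: only the two flows are given, so this ACL is an
# assumption constructed for the example.
ACL_124 = parse_acl([
    "access-list 124 permit icmp host 10.1.1.1 host 10.0.12.2",
    "access-list 124 deny   ip any any",
])


def lab_topology_policy(flow: Flow) -> Flow:
    # wanted: dst 10.0.12.2 becomes 20.1.1.1 only when src is 10.1.1.1
    return apply_destination_nat(flow, ACL_124, "20.1.1.1", "10.0.12.2")


if __name__ == "__main__":
    for f in (Flow("10.0.5.2", "10.0.17.3", "tcp", 80),   # client B: translated
              Flow("10.1.1.1", "10.0.17.3", "tcp", 80),   # client A: untouched
              Flow("10.0.5.2", "10.0.17.3", "tcp", 443)):  # wrong port: untouched
        print(f.src, "->", f.dst, "leaves as dst", original_post_policy(f).dst)
```

    Running it shows the policy the poster describes (only 10.0.5.2 on port 80 is redirected to 10.0.17.2; everything else reaches 10.0.17.3 unchanged), which is useful as a reference when comparing against what "show ip nat translations" reports on the real router.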

  • Hi Caspa,

    Have you had time to test it in your mini lab?

    Best Regards.

    Nabs