# Egress PE NAT44

Load **nat44.vpn.lab1.init.cfg**

```
#IOS-XE
config replace flash:nat44.vpn.lab1.init.cfg

#IOS-XR
configure
load bootflash:nat44.vpn.lab1.init.cfg
commit replace
y
```

<figure><img src="https://3072390383-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkUz2C3GqnZcWhoVL6jfk%2Fuploads%2FxZbzOhLiKJFA2sHwFSVS%2Fimage.png?alt=media&#x26;token=4228c0f0-5c6c-4641-b62a-5a8bab859e20" alt=""><figcaption></figcaption></figure>

L3VPN is fully setup. The R1-R2 link is in the global table, and is an internet connection. R2 learns 8.8.8.8/32 via R1 over the BGP session.

Using the egress PE NAT technique, allow any networks in RFC1918 space from VPN\_A and VPN\_B to NAT to the internet, using R2’s Gi2.12 address.

## Answer <a href="#id-3bbf8a1f-318a-45e6-bd16-80fec72d75b0" id="id-3bbf8a1f-318a-45e6-bd16-80fec72d75b0"></a>

```
#R2
vrf definition VPN_A
 rd 100:1
 route-target export 100:1
 route-target import 100:1
 !
 address-family ipv4
 exit-address-family
!
vrf definition VPN_B
 rd 100:2
 route-target export 100:2
 route-target import 100:2
 !
 address-family ipv4
 exit-address-family
!
ip route vrf VPN_A 0.0.0.0 0.0.0.0 100.1.2.1 global
ip route vrf VPN_B 0.0.0.0 0.0.0.0 100.1.2.1 global
!
router bgp 100
 add ipv4 vrf VPN_A
  redistribute static
  default-information originate
 add ipv4 vrf VPN_B
  redistribute static
  default-information originate
!
!
int gi2.12
 ip nat outside
int gi2.23
 ip nat inside
int gi2.24
 ip nat inside
!
ip access-l ext RFC1918
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 172.16.0.0 0.15.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
!
ip nat inside source list RFC1918 interface gi2.12 vrf VPN_A overload
ip nat inside source list RFC1918 interface gi2.12 vrf VPN_B overload
```

## Explanation <a href="#id-3af482f5-a992-47d5-858d-3deeb6e56465" id="id-3af482f5-a992-47d5-858d-3deeb6e56465"></a>

The egress PE NAT feature allows a single egress PE to provide VRF-to-global NATing for multiple VRFs. The egress PE enables NAT inside on the MPLS interfaces, and uses the service label to determine the VRF of the incoming packet. This is used as additional information in the stateful NAT entry.

To begin, we must define all of the VRFs locally on R2.

```
#R2
vrf definition VPN_A
 rd 100:1
 route-target export 100:1
 route-target import 100:1
 !
 address-family ipv4
 exit-address-family
!
vrf definition VPN_B
 rd 100:2
 route-target export 100:2
 route-target import 100:2
 !
 address-family ipv4
 exit-address-family
```

We then need to originate a default route and advertise it via VPNv4. R2 configures a static route that points to R1 in the default VRF, which is redistributed into the BGP VRF.

```
#R2
ip route vrf VPN_A 0.0.0.0 0.0.0.0 100.1.2.1 global
ip route vrf VPN_B 0.0.0.0 0.0.0.0 100.1.2.1 global
!
router bgp 100
 add ipv4 vrf VPN_A
  redistribute static
  default-information originate
 add ipv4 vrf VPN_B
  redistribute static
  default-information originate
```

Finally we configure the NAT rules. An extended ACL is used to match RFC1918-sourced traffic. NAT inside is set on the MPLS interfaces, which will receive the VPN traffic, and NAT outside is set on the external-facing interface which is in the default VRF. One NAT rule per VRF is required.

```
#R2
int gi2.12
 ip nat outside
int gi2.23
 ip nat inside
int gi2.24
 ip nat inside
!
ip access-l ext RFC1918
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 172.16.0.0 0.15.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
!
ip nat inside source list RFC1918 interface gi2.12 vrf VPN_A overload
ip nat inside source list RFC1918 interface gi2.12 vrf VPN_B overload
```

## Verification <a href="#b41ddd74-29f2-4be2-987e-dd8febcc3abb" id="b41ddd74-29f2-4be2-987e-dd8febcc3abb"></a>

We can ping 8.8.8.8 from the loopback of each CE:

<div align="left"><figure><img src="https://3072390383-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkUz2C3GqnZcWhoVL6jfk%2Fuploads%2FZMWN18XjqDorJ3nldHj0%2Fimage.png?alt=media&#x26;token=52824f0b-eaac-4444-b7fa-08047ae1c6ef" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://3072390383-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkUz2C3GqnZcWhoVL6jfk%2Fuploads%2FBBJzK6TlrpSbNMpsAcdY%2Fimage.png?alt=media&#x26;token=f6ae85ef-bdd9-44ed-9af2-a81798352484" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://3072390383-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkUz2C3GqnZcWhoVL6jfk%2Fuploads%2FvuHVJFFdysUQmAVbrByj%2Fimage.png?alt=media&#x26;token=a91e961f-ff00-4c6a-bb74-cd6be293f71c" alt=""><figcaption></figcaption></figure></div>

R2 is able to keep track of which VRF the packet belongs to based on the incoming service label. This is kept as a flag on the NAT entry. When return traffic arrives on Gi1.12, the NAT entry contains which VRF the traffic must be NATed back to.

<div align="left"><figure><img src="https://3072390383-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkUz2C3GqnZcWhoVL6jfk%2Fuploads%2FxngZ3GQhNOvQ5YYyFJJo%2Fimage.png?alt=media&#x26;token=6ed2e3a6-7c02-422a-897f-200ceb791139" alt=""><figcaption></figcaption></figure></div>

For this reason, VRF-to-VRF cannot work on the egress PE. Let’s say that interface Gi2.12 was in an INET VRF. The customer VRFs could import the 0/0 route from the INET VRF. However, all traffic from any customer VRF would arrive at R2 with the INET VRF service lable. R2 can no longer differentiate between VRFs. This is why we are forced to do VRF-to-default NAT when using the egress PE NAT feature.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://ccie-sp.gitbook.io/ccie-spv5.1-labs/labs/nat/egress-pe-nat44.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.