NAT44 within an INET VRF

Load nat44.vpn.lab1.init.cfg

#IOS-XE (R1-R4)
config replace flash:nat44.vpn.lab2.init.cfg

Only routers R1-R4 are used in this lab.

R2 has two customer routers in the INET VRF which are given CGNAT addresses to conserve address space. Configure NAT on R2 so that both customers are NATed to the address 100.2.2.2/32 when traffic is sent out Gi2.12.

Answer

#R2
int gi2.12
 ip nat outside
int gi2.23
 ip nat inside
int gi2.24
 ip nat inside
!
ip access-list extended CGNAT_SOURCES
 permit ip 100.64.0.0 0.63.255.255 any
!
ip nat pool CGNAT_TRANSLATION 100.2.2.2 100.2.2.2 prefix-length 30
!
ip nat inside source list CGNAT_SOURCES pool CGNAT_TRANSLATION vrf INET overload match-in-vrf
!
ip route vrf INET 100.2.2.2 255.255.255.255 null0
router bgp 100
 add ipv4 vrf INET
  network 100.2.2.2 mask 255.255.255.255

Explanation

NAT within a VRF works very similarly to normal NAT, but we must add the match-in-vrf keyword to the end of the ip nat inside source statement. Without it, the NAT rule assumes the outside interface is in the global table: the translated packet is routed using the global RIB rather than the INET RIB, so traffic toward R1 (reachable only via the INET VRF) would not be forwarded correctly.

In this lab, we enable NAT inside on the links facing R3 and R4, and enable NAT outside on the link facing R1.

#R2
int gi2.12
 ip nat outside
int gi2.23
 ip nat inside
int gi2.24
 ip nat inside

We then define an ACL that matches traffic sourced from the CGNAT (shared address) space, 100.64.0.0/10. The wildcard 0.63.255.255 covers 100.64.0.0 through 100.127.255.255, so only the two customers' CGNAT addresses are translated; anything else arriving on the inside interfaces is routed untranslated.

#R2
ip access-list extended CGNAT_SOURCES
 permit ip 100.64.0.0 0.63.255.255 any

We create a NAT pool containing only 100.2.2.2 (a pool is needed because this address is not configured on any interface of R2) and translate packets sourced from the CGNAT space to it. The overload keyword enables PAT so both customers can share the single address. The vrf INET keyword means the NAT source rule applies to packets arriving on inside interfaces in the INET VRF. The match-in-vrf keyword means the translated packet is routed using that same VRF table, not the global table.

#R2
ip nat pool CGNAT_TRANSLATION 100.2.2.2 100.2.2.2 prefix-length 30
!
ip nat inside source list CGNAT_SOURCES pool CGNAT_TRANSLATION vrf INET overload match-in-vrf

Finally we advertise 100.2.2.2/32 into BGP within the INET VRF so R1 has a return route to R2. The network statement only originates a prefix that already exists in the VRF routing table, and 100.2.2.2 is not on any interface, so we anchor it with a static route to null0. That null0 route also means a packet for 100.2.2.2 that reaches R2 without a matching translation entry is discarded rather than forwarded along R2's default route.

#R2
ip route vrf INET 100.2.2.2 255.255.255.255 null0
router bgp 100
 add ipv4 vrf INET
  network 100.2.2.2 mask 255.255.255.255

Verification

R3 and R4 both have a static default route to R2. We should see that they can both ping 8.8.8.8.

R2 shows two NAT translation entries in show ip nat translations, one per customer. Note that the default output of this show command is VRF-agnostic: nothing in it indicates that these translations belong to the INET VRF. Add the vrf filter (show ip nat translations vrf INET) to confirm that the entries were created in the INET VRF and not the global table.

Summary

NAT within a VRF is essentially the same as normal NAT, except you specify the VRF in the ip nat inside source command, along with the keyword match-in-vrf.

ip nat ... vrf INET overload match-in-vrf

If the NAT outside interface is in the same VRF, you use the match-in-vrf keyword. If the NAT outside interface is in the global VRF, you don’t use the keyword.
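The two forms side by side, as an added example that is not part of the original lab. It reuses the lab's interface names, ACL, pool and VRF; the global-table uplink in case B is an assumption made only to show when the keyword is dropped.

```cisco
! Case A (this lab): inside and outside interfaces are all in VRF INET.
! The post-translation route lookup must happen in the INET table,
! so match-in-vrf is required.
vrf definition INET
 address-family ipv4
!
interface GigabitEthernet2.12
 vrf forwarding INET
 ip nat outside
interface GigabitEthernet2.23
 vrf forwarding INET
 ip nat inside
interface GigabitEthernet2.24
 vrf forwarding INET
 ip nat inside
!
! 100.64.0.0/10 (RFC 6598 shared address space); wildcard 0.63.255.255
! = 100.64.0.0 - 100.127.255.255. Nothing outside that range is translated.
ip access-list extended CGNAT_SOURCES
 permit ip 100.64.0.0 0.63.255.255 any
!
ip nat pool CGNAT_TRANSLATION 100.2.2.2 100.2.2.2 prefix-length 30
ip nat inside source list CGNAT_SOURCES pool CGNAT_TRANSLATION vrf INET overload match-in-vrf
!
! Anchor the pool address in the INET RIB: lets BGP originate it, and drops
! any packet to 100.2.2.2 that has no translation entry.
ip route vrf INET 100.2.2.2 255.255.255.255 null0
router bgp 100
 address-family ipv4 vrf INET
  network 100.2.2.2 mask 255.255.255.255

! Case B (assumed, not the lab topology): inside interfaces stay in VRF INET,
! but the outside interface is in the global table (a shared Internet uplink).
! No match-in-vrf: translated packets are routed in the global RIB, so the
! pool route and its advertisement belong in the global table as well.
interface GigabitEthernet2.12
 ! no vrf forwarding on this interface: it lives in the global table
 ip nat outside
!
ip nat inside source list CGNAT_SOURCES pool CGNAT_TRANSLATION vrf INET overload
ip route 100.2.2.2 255.255.255.255 null0

! Verification: the plain output does not show the VRF, the vrf filter does.
show ip nat translations
show ip nat translations vrf INET
show ip nat statistics
```

In case A, forgetting match-in-vrf is the usual failure: translations are created, but the translated packet is looked up in the global table and never reaches R1. In case B, adding match-in-vrf would be the opposite mistake, because the outside interface is not in the INET VRF.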
