NAT Aware VRF on cisco7600

I am trying to find out which feature set supports NAT on a VRF for the 7606 chassis with supervisor module WS-SUP720-3BXL.
Thanks

Hi,
Using the FWSM is definitely an alternative, where you dedicate a single instance of the vFW to perform NAT for a particular VRF. If this is not acceptable to you, you may consider other platforms like the 7200 that can deliver a solution for this today.
However, for all potential roadmap-related discussion I would recommend that you get in touch with your account team directly, since this forum may not be the right place to discuss such things.
Cheers,

Similar Messages

  • Nat between vrf

    Hi to all, I'm trying to configure NAT between VRFs. I have a network with multiple VRFs and a common VRF where there are some services shared among them.
    I have an IP overlapping issue, so I'm trying to use NAT-aware VRF.
    The shared service is on a VRF also.
    I use route-target import and export to import routes between VRFs. I've seen NAT is working between VRF and global routing, but not between different VRFs that are already able to communicate.
    This is my configuration :
    ip vrf proxy
    rd 500:500
    route-target export 500:500
    route-target export 501:501
    route-target import 500:500
    route-target import 401:401
    ip vrf upa
    rd 300:300
    route-target export 300:300
    route-target export 401:401
    route-target import 300:300
    route-target import 501:501
    ip vrf upa-tv
    rd 1000:1000
    route-target export 1000:1000
    route-target export 401:401
    route-target import 1000:1000
    route-target import 501:501
    mpls label protocol ldp
    interface GigabitEthernet0/0
    no ip address
    duplex auto
    speed auto
    interface GigabitEthernet0/0.1
    description interfacccia outside per ip pubblico ipsec
    encapsulation dot1Q 500
    ip address 195.195.195.195 255.255.255.0
    interface GigabitEthernet0/0.10
    encapsulation dot1Q 300
    ip vrf forwarding upa
    ip address 172.31.47.254 255.255.255.0
    ip nat enable
    interface GigabitEthernet0/0.20
    encapsulation dot1Q 310
    ip vrf forwarding proxy
    ip address 172.31.50.1 255.255.255.0
    interface GigabitEthernet0/0.10
    encapsulation dot1Q 320
    ip vrf forwarding upa-tv
    ip address 10.4.1.254 255.255.255.0
    interface GigabitEthernet0/1
    description connessa a 6500
    ip address 80.x.x.1 255.255.255.0
    duplex auto
    speed auto
    mpls ip
    router bgp 65000
    no synchronization
    bgp log-neighbor-changes
    neighbor 80.80.80.2 remote-as 65000
    no auto-summary
    address-family vpnv4
    neighbor 80.80.80.2 activate
    neighbor 80.80.80.2 send-community both
    exit-address-family
    address-family ipv4 vrf upa-tv
    no synchronization
    exit-address-family
    address-family ipv4 vrf upa
    redistribute connected
    no synchronization
    exit-address-family
    address-family ipv4 vrf proxy
    redistribute connected
    no synchronization
    exit-address-family
    ip route vrf proxy 169.254.99.12 255.255.255.255 GigabitEthernet0/0.10 172.31.47.254
    ip route vrf upa 10.4.1.0 255.255.255.0 172.31.47.1
    ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
    As you can see, I export routes from VRF upa and upa-tv as RT 401:401 and import them in the proxy VRF, and in the same way I export routes from the proxy VRF as RT 501:501 and import them into upa and upa-tv.
    Network 10.4.1.0/24 exists in both VRF upa and upa-tv. So I'd like to NAT one of them with another IP address (I tried to use a static translation to be able to reach the same IP address in both VRFs). I made some tests, and it seems to work when I make a NAT from VRF to global, but it does not work when NAT is between VRFs (is this supported?). I tried with NVI and with the classic NAT command:
    interface GigabitEthernet0/0.10
    encapsulation dot1Q 300
    ip vrf forwarding upa
    ip address 172.31.47.254 255.255.255.0
    ip nat inside
    interface GigabitEthernet0/0.20
    encapsulation dot1Q 310
    ip vrf forwarding proxy
    ip address 172.31.50.1 255.255.255.0
    ip nat outside
    ip nat inside source static 10.4.1.12 169.254.99.12 vrf proxy
    Tried also with
    ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
    but it didn't work...
    Any suggestion?
    Any help will be appreciated.
    Max

    Hi Mohammed, now all works well.
    I understand my error: basically, when I tried to ping, I pinged a router on my own VRF, because I imported the network, so the packet didn't come across the interfaces and NAT was not in place. Now I tried static host and network NATting and dynamic NATting and all works well.
    Here is a complete working configuration:
    ip vrf proxy
    rd 500:500
    route-target export 500:500
    route-target export 501:501
    route-target import 500:500
    route-target import 401:401
    ip vrf upa
    rd 300:300
    route-target export 300:300
    route-target export 401:401
    route-target import 300:300
    route-target import 501:501
    ip vrf upa-tv
    rd 1000:1000
    route-target export 1000:1000
    route-target export 401:401
    route-target import 1000:1000
    route-target import 501:501
    mpls label protocol ldp
    interface GigabitEthernet0/0
    no ip address
    duplex auto
    speed auto
    interface GigabitEthernet0/0.1
    description interfacccia outside per ip pubblico ipsec
    encapsulation dot1Q 500
    ip address 195.195.195.195 255.255.255.0
    interface GigabitEthernet0/0.10
    encapsulation dot1Q 300
    ip vrf forwarding upa
    ip address 172.31.47.254 255.255.255.0
    ip nat inside
    interface GigabitEthernet0/0.20
    encapsulation dot1Q 310
    ip vrf forwarding proxy
    ip nat outside
    ip address 172.31.50.1 255.255.255.0
    interface GigabitEthernet0/0.10
    encapsulation dot1Q 320
    ip vrf forwarding upa-tv
    ip address 10.4.1.254 255.255.255.0
    interface GigabitEthernet0/1
    description connessa a 6500
    ip address 80.x.x.1 255.255.255.0
    duplex auto
    speed auto
    mpls ip
    router bgp 65000
    no synchronization
    bgp log-neighbor-changes
    neighbor 80.80.80.2 remote-as 65000
    no auto-summary
    address-family vpnv4
    neighbor 80.80.80.2 activate
    neighbor 80.80.80.2 send-community both
    exit-address-family
    address-family ipv4 vrf upa-tv
    no synchronization
    exit-address-family
    address-family ipv4 vrf upa
    redistribute connected
    no synchronization
    exit-address-family
    address-family ipv4 vrf proxy
    redistribute connected
    no synchronization
    exit-address-family
    ip route vrf proxy 169.254.99.12 255.255.255.255 GigabitEthernet0/0.10 172.31.47.254
    ip route vrf upa 10.4.1.0 255.255.255.0 172.31.47.1
    ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
    Many thanks for the help, now all works well and I understand the way to configure it.
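    The overlap the poster ran into, and the reason the first pings bypassed NAT, can both be checked offline from the VRF definitions. The following Python audit is an added example, not code from the thread or from Cisco: it reads the route-target import/export stanzas of the working configuration above, computes which prefixes each VRF ends up seeing, flags prefixes that arrive from more than one origin, and tests whether a static NAT's inside-local address is already reachable in the outside VRF through an imported route. The per-VRF prefixes in LOCAL_PREFIXES and all function names are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of the "ip vrf" stanzas from the working configuration
# posted above (same VRF names and route targets).
VRF_CONFIG = """\
ip vrf proxy
 rd 500:500
 route-target export 500:500
 route-target export 501:501
 route-target import 500:500
 route-target import 401:401
ip vrf upa
 rd 300:300
 route-target export 300:300
 route-target export 401:401
 route-target import 300:300
 route-target import 501:501
ip vrf upa-tv
 rd 1000:1000
 route-target export 1000:1000
 route-target export 401:401
 route-target import 1000:1000
 route-target import 501:501
"""

# Assumed prefixes each VRF originates into BGP: 10.4.1.0/24 is present in
# both upa and upa-tv, as the poster states.
LOCAL_PREFIXES = {
    "proxy": ["172.31.50.0/24"],
    "upa": ["172.31.47.0/24", "10.4.1.0/24"],
    "upa-tv": ["10.4.1.0/24"],
}


def parse_vrfs(text):
    """Return {vrf: {"import": set, "export": set}} from 'ip vrf' stanzas."""
    vrfs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^ip vrf (\S+)", line)
        if m:
            current = m.group(1)
            vrfs[current] = {"import": set(), "export": set()}
            continue
        m = re.match(r"^\s*route-target (import|export) (\S+)", line)
        if m and current:
            vrfs[current][m.group(1)].add(m.group(2))
    return vrfs


def effective_routes(vrfs, local):
    """Map each VRF to {prefix: set(origin VRFs)} after RT import/export."""
    by_rt = defaultdict(list)  # RT -> [(origin VRF, prefix)]
    for name, rts in vrfs.items():
        for pfx in local.get(name, []):
            for rt in rts["export"]:
                by_rt[rt].append((name, ipaddress.ip_network(pfx)))
    table = {}
    for name, rts in vrfs.items():
        seen = defaultdict(set)
        for pfx in local.get(name, []):
            seen[ipaddress.ip_network(pfx)].add(name)
        for rt in rts["import"]:
            for origin, pfx in by_rt[rt]:
                seen[pfx].add(origin)
        table[name] = dict(seen)
    return table


def find_overlaps(table):
    """List (vrf, prefix, origins) where a VRF sees the same or an
    overlapping prefix from more than one origin: the situation that makes
    plain RT import insufficient and calls for NAT to a unique address."""
    problems = []
    for name, seen in table.items():
        pfxs = list(seen)
        for i, a in enumerate(pfxs):
            if len(seen[a]) > 1:
                problems.append((name, str(a), sorted(seen[a])))
            for b in pfxs[i + 1:]:
                if a.overlaps(b):
                    problems.append((name, f"{a} vs {b}", sorted(seen[a] | seen[b])))
    return problems


def nat_bypassed(table, outside_vrf, inside_local, inside_vrf):
    """True when the inside-local address is directly reachable in the
    outside VRF through an imported route, so a ping to the real address
    follows that route and never crosses the NAT (the poster's mistake).
    The outside VRF must target the inside-global address instead."""
    host = ipaddress.ip_address(inside_local)
    return any(host in pfx and inside_vrf in origins
               for pfx, origins in table[outside_vrf].items())


if __name__ == "__main__":
    table = effective_routes(parse_vrfs(VRF_CONFIG), LOCAL_PREFIXES)
    for vrf, pfx, origins in find_overlaps(table):
        print(f"{vrf}: {pfx} seen from {origins}")
    # Static NAT from the thread: 10.4.1.12 -> 169.254.99.12 in vrf upa.
    print("proxy -> 10.4.1.12 bypasses NAT:",
          nat_bypassed(table, "proxy", "10.4.1.12", "upa"))
```

    Run it against a full configuration by pasting the real "ip vrf" stanzas into VRF_CONFIG and filling LOCAL_PREFIXES from each VRF's connected and redistributed networks.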

  • NAT between VRFs

    Is it possible to do address translation between VRFs? I see NAT is possible from VRF to global, but I haven't found any info about the possibility to NAT between VRFs. Is it possible?

    Please refer to the following link for more information on NAT Integration with MPLS VPNs.
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftnatvpn.pdf

  • Syslog aware VRF/VPN

    Folks,
    Can anyone verify why Syslog messages from an interface in a VRF instance are not being transmitted, but when I remove the VRF and do the same with "plain" IP, it works?
    Also, while configuring the Syslog server, I cannot specify the VRF if the management station is in a VRF.
    Any ideas about it?
    Thanks
    ~sultan

    Hello Sanjeeva,
    That helped me get out of this problem I have been stabbing at for the last few days, and I really thank you guys for this...
    So I guess I will have to wait for the next release... :-)
    Thank you too Harold.
    Regards,
    ~sultan

  • VRF-Aware IPSec for Remote Access

    Dear All,
    Has anyone successfully implemented VRF-Aware IPSec for Remote Access?
    I am trying to implement this feature on a PE which has MPLS enabled on the Internet-facing interface.
    With the config below, I am able to establish an IPSec tunnel but not able to ping the VRF interface configured on the same PE.
    I will be really grateful for any comment or any pointers for what could possibly be wrong with the configuration below:
    aaa new-model
    aaa authentication login USER-AUTHENTICATION local
    aaa authorization network GROUP-AUTHORISATION local
    crypto keyring test-1
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group test-1
    key test-1
    domain test.com
    pool cpe-1
    acl 101
    crypto isakmp profile test-1
    vrf test-1
    keyring test-1
    match identity group test-1
    client authentication list USER-AUTHENTICATION
    isakmp authorization list GROUP-AUTHORISATION
    client configuration address initiate
    client configuration address respond
    client configuration group test-1
    crypto map IPSEC-AWARE-VRF 2 ipsec-isakmp dynamic test-1
    ip local pool cpe-1 192.168.81.1 192.168.81.254 group test-1
    crypto dynamic-map test-1 1
    set transform-set test-1
    set isakmp-profile test-1
    reverse-route remote-peer
    Internet facing interface
    interface GigabitEthernet4/0/0
    ip address x.x.x.x 255.255.255.240
    ip router isis
    mpls ip
    crypto map IPSEC-AWARE-VRF
    Customer facing interface
    interface GigabitEthernet1/0/0.1
    encapsulation dot1Q 100
    ip vrf forwarding test-1
    ip address 110.110.110.1 255.255.255.0
    Kind regards,
    ZH

    Million thanks for this.
    This now works after disabling CEF on the public facing interface.
    Regards,
    Zahid

  • I am trying to get NAT working on a Cisco 2801 with HWIC-4ESW.

    I have a 2801 that had a failed Fe0/1 port. The Fe0/1 port was used to give sub-interface Fe0/0.200 access to the internet. We installed a HWIC-4ESW into the 2801. I have successfully moved the sub-interfaces (0/0.1, 0/0.100, and 0/0.200) from the Fe0/0 to the HWIC-4ESW. I have reconfigured the Fe0/0 to connect to my ISP. However, I cannot get traffic from vlan200 to pass to the internet over Fe0/0. I have a guest wireless network set for vlan 200. Clients get an IP address in the appropriate range (192.168.200.0), but they cannot get to the internet. Below I have included the results of "sh ip int brief" and some of the "sh run". I think that it is something simple, but I cannot get it working.
    Help would be appreciated.
    Interface IP-Address OK? Method Status Protocol
    FastEthernet0/0 ***.**.244.194 YES manual up up
    FastEthernet0/0.200 unassigned YES unset deleted down
    Service-Engine0/0 192.168.100.254 YES TFTP up up
    FastEthernet0/1 unassigned YES NVRAM administratively down down
    FastEthernet0/1/0 unassigned YES unset up up
    FastEthernet0/1/1 unassigned YES unset up up
    FastEthernet0/1/2 unassigned YES unset administratively down down
    FastEthernet0/1/3 unassigned YES unset administratively down down
    Serial0/3/0:0 unassigned YES unset down down
    Serial0/3/0:1 unassigned YES unset down down
    Serial0/3/0:2 unassigned YES unset down down
    Serial0/3/0:3 unassigned YES unset down down
    Serial0/3/0:4 unassigned YES unset down down
    Serial0/3/0:5 unassigned YES unset down down
    Serial0/3/0:6 unassigned YES unset down down
    Serial0/3/0:7 unassigned YES unset down down
    Serial0/3/0:8 unassigned YES unset down down
    Serial0/3/0:9 unassigned YES unset down down
    Serial0/3/0:10 unassigned YES unset down down
    Serial0/3/0:11 unassigned YES unset down down
    Serial0/3/0:12 unassigned YES unset down down
    Serial0/3/0:13 unassigned YES unset down down
    Serial0/3/0:14 unassigned YES unset down down
    Serial0/3/0:15 unassigned YES unset down down
    Serial0/3/0:23 unassigned YES NVRAM up up
    Vlan1 192.168.1.254 YES NVRAM up up
    Vlan100 192.168.100.254 YES NVRAM up up
    Vlan200 192.168.200.254 YES NVRAM up up
    NVI0 ***.12.244.194 YES unset administratively down down
    ip source-route
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.100.1 192.168.100.99
    ip dhcp excluded-address 192.168.100.200 192.168.100.254
    ip dhcp excluded-address 192.168.200.1 192.168.200.99
    ip dhcp excluded-address 192.168.200.200 192.168.200.254
    ip dhcp pool Phones
    network 192.168.100.0 255.255.255.0
    option 150 ip 192.168.100.254
    default-router 192.168.100.254
    dns-server 192.168.1.8
    ip dhcp pool guestwireless
    network 192.168.200.0 255.255.255.0
    default-router 192.168.200.254
    dns-server 8.8.8.8 8.8.4.4
    ip cef
    no ip domain lookup
    ip domain name pwa.com
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    controller T1 0/3/0
    pri-group timeslots 1-16,24
    controller T1 0/3/1
    shutdown
    gw-accounting aaa
    gw-accounting syslog
    interface FastEthernet0/0
    description Guestwireless route to internet
    ip address ***.**.244.194 255.255.255.240
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface Service-Engine0/0
    ip unnumbered Vlan100
    service-module ip address 192.168.100.200 255.255.255.0
    service-module ip default-gateway 192.168.100.254
    no cdp enable
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    interface FastEthernet0/1/0
    description trunk to switch
    switchport mode trunk
    duplex full
    speed 100
    interface FastEthernet0/1/1
    description voice
    switchport access vlan 100
    interface FastEthernet0/1/2
    shutdown
    interface FastEthernet0/1/3
    shutdown
    interface Serial0/3/0:23
    no ip address
    encapsulation hdlc
    isdn switch-type primary-ni
    isdn incoming-voice voice
    isdn supp-service name calling
    no cdp enable
    interface Vlan1
    description Data
    ip address 192.168.1.254 255.255.255.0
    interface Vlan100
    description voice vlan
    ip address 192.168.100.254 255.255.255.0
    h323-gateway voip bind srcaddr 192.168.100.254
    interface Vlan200
    description Guestwireless Data
    ip address 192.168.200.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip http path flash:
    ip nat inside source list 10 interface FastEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 192.168.1.1
    ip route 192.168.100.200 255.255.255.255 Service-Engine0/0
    ip route 192.168.200.0 255.255.255.0 FastEthernet0/0
    ip radius source-interface Vlan100
    access-list 10 permit 192.168.200.0 0.0.0.255

    So, I just built this in the lab, and it seemed to work OK. I attached a sparse config, but it does let my host on the GuestWireless get to the internet via NAT.
    R2#sh ip nat translations vrf GuestWireless
    Pro Inside global      Inside local       Outside local      Outside global
    icmp 17.12.244.194:5   192.168.200.1:5    1.1.1.1:5          1.1.1.1:5
    R2#sh ip route vrf GuestWireless
    Routing Table: GuestWireless
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 17.12.244.195 to network 0.0.0.0
         17.0.0.0/28 is subnetted, 1 subnets
    C       17.12.244.192 is directly connected, FastEthernet0/0
    C    192.168.200.0/24 is directly connected, Vlan200
    S*   0.0.0.0/0 [1/0] via 17.12.244.195

  • MPLS PE NAT

    I would like to start using NAT on our PE nodes but I cannot get it working. I have a lab setup with two VRFs terminating on the same node. In the lab I would like to NAT an address (for argument's sake, a server) in the one VRF (Customer-C) to a unique address so that the other VRF (Customer-B) is able to reach this server via this address. I have the NAT statements in place, and if I do a sh ip nat trans the NAT shows up as active, but if I do a sh ip nat trans vrf there is nothing.
    These are the commands I used:
    ip nat pool inside1 60.60.60.1 60.60.60.254 netmask 255.255.255.0
    ip nat inside source list test-nat pool inside1 vrf Customer-C
    ip nat outside source static 50.50.50.1 60.60.60.1
    ip access-list extended test-nat
    permit ip 50.50.50.0 0.0.0.255 any
    What am I doing wrong? Any help would be appreciated.

    I am not sure how you are attempting to make Customer B communicate with Customer C if you are using separate VRFs for them. There will not be any interaction between them unless they both together form a VPN with their routes contained in a single VRF. Once this is done, you can try to troubleshoot the NAT configuration.

  • IDEA FOR A TECH DOC??

    If you could propose a doc title, in other words commission Tech Docs to write a doc, what would it cover? How much detail would you want? How would such a tech doc help you? Join the discussion.

    Customers can post examples and other types of content on our DocWiki at http://docwiki.cisco.com
    DocWiki is fairly new, and you'll notice that not all product areas are represented yet in DocWiki. Security is one of those areas.
    I have passed along to the DocWiki moderators your excellent offer to post "Using IPSEC aware VRF technology" doc, and they are working on getting coverage for Security content on DocWiki.
    Thanks so much for your interest in sharing what you have learned!
    Linda

  • CGN Configuration for BGP Router

    Hi all,
    I am in the middle of NAT configuration testing for a new ASR9010 implementation. The customer needs the NAT feature and ordered an ISM for the CGN. I need your help to check our configuration and the testing environment, because we found this configuration didn't work with this testing environment. The testing environment is described below.
    The configurations are:
    vrf InsideUserNAT
    address-family ipv4 unicast
    vrf InsideWifiNAT
    address-family ipv4 unicast
    vrf InsideOfficeNAT
    address-family ipv4 unicast
    hw-module service cgn location 0/0/CPU0
    interface GigabitEthernet0/1/1/0
    description NAT Test 1
    ipv4 address 10.1.9.129 255.255.255.0
    transceiver permit pid all
    interface GigabitEthernet0/1/1/1
    description NAT Test 2
    ipv4 address 100.62.16.5 255.255.255.252
    transceiver permit pid all
    interface ServiceApp1
    description ASVI for InsideUserNAT
    vrf InsideUserNAT
    ipv4 address 1.1.1.1 255.255.255.252
    service cgn cgn1 service-type nat44
    interface ServiceApp2
    description ASVI for OutsideUserNAT
    ipv4 address 2.1.1.1 255.255.255.252
    service cgn cgn1 service-type nat44
    interface ServiceApp3
    description ASVI for InsideOfficeNAT
    vrf InsideOfficeNAT
    ipv4 address 3.1.1.1 255.255.255.252
    service cgn cgn1 service-type nat44
    interface ServiceApp4
    description ASVI for OutsideOfficeNAT
    ipv4 address 4.1.1.1 255.255.255.252
    service cgn cgn1 service-type nat44
    interface ServiceApp5
    description ASVI for InsideWifiNAT
    vrf InsideWifiNAT
    ipv4 address 5.1.1.1 255.255.255.252
    service cgn cgn1 service-type nat44
    interface ServiceApp6
    description ASVI for OutsideWifiNAT
    ipv4 address 6.1.1.1 255.255.255.252
    service cgn cgn1 service-type nat44
    interface ServiceInfra1
    ipv4 address 100.10.10.1 255.255.255.252
    service-location 0/0/CPU0
    router static
    address-family ipv4 unicast
      100.62.16.0/22 Null0 210
      100.62.16.0/24 ServiceApp2
      100.62.17.0/24 ServiceApp4
      100.62.18.0/24 ServiceApp6
    vrf InsideUserNAT
      address-family ipv4 unicast
       0.0.0.0/0 ServiceApp1
       10.1.9.0/24 GigabitEthernet0/1/1/0 10.1.9.130
    vrf InsideWifiNAT
      address-family ipv4 unicast
       0.0.0.0/0 ServiceApp5
    vrf InsideOfficeNAT
      address-family ipv4 unicast
       0.0.0.0/0 ServiceApp3
    service cgn cgn1
    service-location preferred-active 0/0/CPU0
    service-type nat44 nat1
      inside-vrf InsideUserNAT
       map ip one-to-one
       map address-pool 100.62.16.0/24
      inside-vrf InsideWifiNAT
       map address-pool 100.62.17.0/24
      inside-vrf InsideOfficeNAT
       map address-pool 100.62.18.0/24
      protocol udp
       session active timeout 20
    end
    RP/0/RSP0/CPU0:BGP-NAT#term leng 24
    Wed Jul 10 00:08:35.907 UTC
    We can reach internet IP addresses from GigabitEthernet0/1/1/1. The ServiceInfra interface and all ServiceApp interfaces are up. I need help checking this issue because we will do the migration by the end of this week.
    Thanks in advance and really appreciate your help.

    @Nicolas:
    The way I change the VRF is by assigning a different port to each of InsideOfficeNat, InsideWifiNat and InsideUserNat. When testing each VRF I move the physical connection. When I experienced the problem using InsideOfficeNat, the Inside to Outside Packets counter in "show cgn nat44 nat1 outside-translation protocol udp outside-vrf default outside-address 100.62.16.126 port start 1 end 65535" was counting, but not the Outside to Inside Packets. And the same symptom with InsideWifiNat.
    @Nicolas and Harold:
    Actually, right now all inside VRFs are successfully doing translation, and we also changed the CGN configuration to be without VRF on the physical inside interface. But we found the browsing experience is very slow and some content was not loaded successfully. Any idea what happened?
    Here is the configuration:
    ipv4 access-list inside-nat-abf-test
    10 permit ipv4 10.3.15.0/24 any nexthop1 vrf InsideOfficeNAT ipv4 3.1.1.2
    20 permit ipv4 10.1.9.0/24 any nexthop1 vrf InsideUserNAT ipv4 1.1.1.2
    30 permit ipv4 10.5.5.0/24 any nexthop1 vrf InsideWifiNAT ipv4 5.1.1.2
    interface GigabitEthernet0/1/1/0
    description NAT Test 1
    ipv4 address 10.1.9.129 255.255.255.0
    transceiver permit pid all
    ipv4 access-group inside-nat-abf-test ingress
    interface GigabitEthernet0/1/1/1
    description NAT Test 2
    ipv4 address 10.3.15.1 255.255.255.0
    transceiver permit pid all
    ipv4 access-group inside-nat-abf-test ingress
    interface GigabitEthernet0/1/1/2
    description NAT Test 3
    ipv4 address 10.5.5.1 255.255.255.0
    transceiver permit pid all
    ipv4 access-group inside-nat-abf-test ingress
    interface ServiceApp1
    description ASVI for InsideUserNAT
    vrf InsideUserNAT
    ipv4 address 1.1.1.1 255.255.255.252
    service cgn cgn1 service-type nat44
    interface ServiceApp2
    description ASVI for OutsideUserNAT
    ipv4 address 2.1.1.1 255.255.255.252
    service cgn cgn1 service-type nat44
    interface ServiceApp3
    description ASVI for InsideOfficeNAT
    vrf InsideOfficeNAT
    ipv4 address 3.1.1.1 255.255.255.252
    service cgn cgn1 service-type nat44
    interface ServiceApp4
    description ASVI for OutsideOfficeNAT
    ipv4 address 4.1.1.1 255.255.255.252
    service cgn cgn1 service-type nat44
    interface ServiceApp5
    description ASVI for InsideWifiNAT
    vrf InsideWifiNAT
    ipv4 address 5.1.1.1 255.255.255.252
    service cgn cgn service-type nat44
    interface ServiceApp6
    description ASVI for OutsideWifiNAT
    ipv4 address 6.1.1.1 255.255.255.252
    service cgn cgn service-type nat44
    router static
    address-family ipv4 unicast
      100.62.16.0/22 Null0 210
      100.62.16.0/24 ServiceApp2
      100.62.17.0/24 ServiceApp6
      100.62.18.0/24 ServiceApp4
    vrf InsideUserNAT
      address-family ipv4 unicast
       0.0.0.0/0 ServiceApp1
       10.1.9.0/24 vrf default GigabitEthernet0/1/1/0 10.1.9.130
    vrf InsideWifiNAT
      address-family ipv4 unicast
       0.0.0.0/0 ServiceApp5
       10.5.5.0/24 vrf default GigabitEthernet0/1/1/2 10.5.5.2
    vrf InsideOfficeNAT
      address-family ipv4 unicast
       0.0.0.0/0 ServiceApp3
       10.3.15.0/24 vrf default GigabitEthernet0/1/1/1 10.3.15.2
    service cgn cgn
    service-location preferred-active 0/0/CPU0
    service-type nat44 nat
      inside-vrf InsideUserNAT
       map outsideServiceApp ServiceApp2 address-pool 100.62.16.0/24
       protocol tcp
        mss 1400
       portlimit 65535
       o2i-vrf-override default
      inside-vrf InsideWifiNAT
       map outsideServiceApp ServiceApp6 address-pool 100.62.17.0/24
       protocol tcp
        mss 1400
       portlimit 65535
       o2i-vrf-override default
      inside-vrf InsideOfficeNAT
       map outsideServiceApp ServiceApp4 address-pool 100.62.18.0/24
       protocol tcp
        mss 1400
       portlimit 65535
       o2i-vrf-override default
    end

  • VRF AWARE NAT

    Hi, I want to implement VRF-aware NAT and I want to create a single pool for all VRFs. When the traffic returns, is there a way the IOS identifies which VRF the IP belongs to, so I don't have to specify the pool for each VPN with static routes? Thanks ahead - asanes

    Hi,
    As I understand, you want to integrate NAT with MPLS-based VPNs.
    The following Cisco link should help:
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftnatvpn.htm#wp1035671
    Cheers,
    Sultan.

  • 6500 VRF aware NAT

    Hi
    In an Enterprise Network we are using CAT6500 SUP720/MSFC3B with VRF Lite.
    According to the Software Advisor, VRF-aware NAT is not supported on the 6k. But I think with the MPLS image it should be supported.
    My question: Is it supported and, if yes, what's the recommended image if I just want to have VRF-lite with VRF-aware NAT - no MPLS?
    cheers
    patrick

    If you have an FWSM then you should be good to go for VRF-Aware NAT. I am not aware of NAT being performed natively on the SUP.
    HTH-Cheers,
    Swaroop

  • 2800s, AIM-VPN-SSL2, vrf aware IPSEC, high CPU low throughput

    We have a couple of new 2821s deployed across a fibre link and they were originally running 12.4 (non-T) versions using software encryption. We would get around 8Mb/s throughput. Upgrading to T to use the installed AIM cards, we now see the AIM cards in use (show cry isakmp sa det shows the engine as aim vpn), but we still get the same throughput and high CPU. Allowing CEF on the interface doubles throughput but with the same high CPU. The only process I can see going high is IP Input. Is this because of VRF-aware IPsec, or any other suggestions?

    Hi Nick,
    I am having the same issue. We have a 2851 as an IPSEC VPN headend with an AIM VPN module, but we are seeing high CPU usage (80%) with just 4-5 Mbps worth of traffic. I have an idea that I might have a NAT issue.
    We are currently running NAT, ZFW, and IPSEC site-to-site VPN on the router.
    When I look at my ZONE firewall policy-map output it is showing all of my VPN traffic as process switched.
    Inspect
    Packet inspection statistics [process switch:fast switch]
    tcp packets: [14809800:0]
    udp packets: [145107:0]
    icmp packets: [20937:12]
    I have disabled the ZFW and still see high CPU, although it is a little lower.
    Packets are not fragmented; CEF and fast switching look to be enabled. I am using a route-map for my no-NATs. That is the only thing I can think of now.
    I have tried IOS 12.4(20)T3,4 and 12.4(15)T9. Same results.
    Anyone have some ideas?

  • NAT Public Addresses to different VRFs

    Hi,
    We have a /28 on the outside and want to assign separate IP addresses with NAT to separate VRFs, for example:
    130.140.131.78 -> NAT -> vrf A -> 192.168.1.1
    130.140.131.79 -> NAT -> vrf B -> 192.168.1.1
    and so on and so forth....
    Is this possible? I have tried several options but no luck/wisdom so far.
    Gr. Gilles.
    P.S. Platform are routers 29xx and 39xx

    Hi,
    What options have you tried already?
    I think that VRF-aware static NAT will do the job, something like:
    ip nat inside source static 192.168.1.1 130.140.131.78 vrf A
    Cheers,
    Mikhail.

  • VRF Aware DVTI and PKI

    Hi,
    I've tried to get a dynamic VTI with VRF-Aware on the HUB router and PKI for authentication.
    My problem is that Phase 1 works fine, but Phase 2 doesn't come up.
    debug crypto isakmp
    Feb  7 09:46:09.439: ISAKMP:(20175): IPSec policy invalidated proposal with error 32
    Feb  7 09:46:09.439: ISAKMP:(20175): phase 2 SA policy not acceptable! (local a.b.c.d remote e.f.g.h)
    The proposals are OK.
    Here are the config parts.
    crypto isakmp profile P1
       ca trust-point VPN
       match certificate CERMAP1
       virtual-template 11
    crypto ipsec profile P1
    set transform-set AES256
    set isakmp-profile P1
    interface Virtual-Template11 type tunnel
    vrf forwarding <VRF Name>
    ip unnumbered Loopback0
    ip virtual-reassembly in
    tunnel mode ipsec ipv4
    tunnel vrf OUTSIDE_VTI
    tunnel protection ipsec profile P1
    Does any one of you have a working configuration with these parameters, or an idea what I can do?
    The Virtual-Template interface is up/down and no Virtual-Access interface was created.
    Many thanks!!!

    This is the output from debug crypto isakmp....
    Feb 7 18:41:37.048: ISAKMP (0): received packet from a.b.c.d dport 500 sport 500 OUTSIDE_VTI (N) NEW SA
    Feb 7 18:41:37.048: ISAKMP: Created a peer struct for a.b.c.d, peer port 500
    Feb 7 18:41:37.048: ISAKMP: New peer created peer = 0x3D83A580 peer_handle = 0x8000025B
    Feb 7 18:41:37.048: ISAKMP: Locking peer struct 0x3D83A580, refcount 1 for crypto_isakmp_process_block
    Feb 7 18:41:37.048: ISAKMP: local port 500, remote port 500
    Feb 7 18:41:37.048: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 2107EC78
    Feb 7 18:41:37.048: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Feb 7 18:41:37.048: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
    Feb 7 18:41:37.048: ISAKMP:(0): processing SA payload. message ID = 0
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T v7
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v3
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v2
    Feb 7 18:41:37.048: ISAKMP : Scanning profiles for xauth ... RTR2
    Feb 7 18:41:37.048: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer a.b.c.d)
    Feb 7 18:41:37.048: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer a.b.c.d)
    Feb 7 18:41:37.048: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    Feb 7 18:41:37.048: ISAKMP: encryption AES-CBC
    Feb 7 18:41:37.048: ISAKMP: keylength of 256
    Feb 7 18:41:37.048: ISAKMP: hash SHA
    Feb 7 18:41:37.048: ISAKMP: default group 2
    Feb 7 18:41:37.048: ISAKMP: auth RSA sig
    Feb 7 18:41:37.048: ISAKMP: life type in seconds
    Feb 7 18:41:37.048: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    Feb 7 18:41:37.048: ISAKMP:(0):atts are acceptable. Next payload is 0
    Feb 7 18:41:37.048: ISAKMP:(0):Acceptable atts:actual life: 0
    Feb 7 18:41:37.048: ISAKMP:(0):Acceptable atts:life: 0
    Feb 7 18:41:37.048: ISAKMP:(0):Fill atts in sa vpi_length:4
    Feb 7 18:41:37.048: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Feb 7 18:41:37.048: ISAKMP:(0): IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer a.b.c.d)
    Feb 7 18:41:37.048: ISAKMP:(0): PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer a.b.c.d)
    Feb 7 18:41:37.048: ISAKMP:(0):Returning Actual lifetime: 86400
    Feb 7 18:41:37.048: ISAKMP:(0)::Started lifetime timer: 86400.
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T RFC 3947
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T v7
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v3
    Feb 7 18:41:37.048: ISAKMP:(0): processing vendor id payload
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Feb 7 18:41:37.048: ISAKMP:(0): vendor ID is NAT-T v2
    Feb 7 18:41:37.048: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Feb 7 18:41:37.048: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
    Feb 7 18:41:37.048: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Feb 7 18:41:37.048: ISAKMP:(0): sending packet to a.b.c.d my_port 500 peer_port 500 (R) MM_SA_SETUP
    Feb 7 18:41:37.048: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Feb 7 18:41:37.048: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Feb 7 18:41:37.048: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
    Feb 7 18:41:37.088: ISAKMP (0): received packet from a.b.c.d dport 500 sport 500 OUTSIDE_VTI (R) MM_SA_SETUP
    Feb 7 18:41:37.092: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Feb 7 18:41:37.092: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
    Feb 7 18:41:37.092: ISAKMP:(0): processing KE payload. message ID = 0
    Feb 7 18:41:37.092: ISAKMP:(0): processing NONCE payload. message ID = 0
    Feb 7 18:41:37.092: ISAKMP:(20308): processing CERT_REQ payload. message ID = 0
    Feb 7 18:41:37.092: ISAKMP:(20308): peer wants a CT_X509_SIGNATURE cert
    Feb 7 18:41:37.092: ISAKMP:(20308): peer wants cert issued by cn=RTR1,o=company,c=de
    Feb 7 18:41:37.092: Choosing trustpoint VPN as issuer
    Feb 7 18:41:37.092: ISAKMP:(20308): processing vendor id payload
    Feb 7 18:41:37.092: ISAKMP:(20308): vendor ID is DPD
    Feb 7 18:41:37.092: ISAKMP:(20308): processing vendor id payload
    Feb 7 18:41:37.092: ISAKMP:(20308): speaking to another IOS box!
    Feb 7 18:41:37.092: ISAKMP:(20308): processing vendor id payload
    Feb 7 18:41:37.092: ISAKMP:(20308): vendor ID seems Unity/DPD but major 28 mismatch
    Feb 7 18:41:37.092: ISAKMP:(20308): vendor ID is XAUTH
    Feb 7 18:41:37.092: ISAKMP:received payload type 20
    Feb 7 18:41:37.092: ISAKMP (20308): His hash no match - this node outside NAT
    Feb 7 18:41:37.092: ISAKMP:received payload type 20
    Feb 7 18:41:37.092: ISAKMP (20308): His hash no match - this node outside NAT
    Feb 7 18:41:37.092: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Feb 7 18:41:37.092: ISAKMP:(20308):Old State = IKE_R_MM3 New State = IKE_R_MM3
    Feb 7 18:41:37.092: ISAKMP:(20308): IKE->PKI Get configured TrustPoints state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.092: ISAKMP:(20308): PKI->IKE Got configured TrustPoints state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.092: ISAKMP:(20308): IKE->PKI Get IssuerNames state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.092: ISAKMP:(20308): PKI->IKE Got IssuerNames state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.092: ISAKMP (20308): constructing CERT_REQ for issuer cn=RTR1,o=company,c=de
    Feb 7 18:41:37.092: ISAKMP:(20308): sending packet to a.b.c.d my_port 500 peer_port 500 (R) MM_KEY_EXCH
    Feb 7 18:41:37.092: ISAKMP:(20308):Sending an IKE IPv4 Packet.
    Feb 7 18:41:37.092: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Feb 7 18:41:37.092: ISAKMP:(20308):Old State = IKE_R_MM3 New State = IKE_R_MM4
    Feb 7 18:41:37.164: ISAKMP (20308): received packet from a.b.c.d dport 4500 sport 20962 OUTSIDE_VTI (R) MM_KEY_EXCH
    Feb 7 18:41:37.164: ISAKMP:(20308):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Feb 7 18:41:37.164: ISAKMP:(20308):Old State = IKE_R_MM4 New State = IKE_R_MM5
    Feb 7 18:41:37.164: ISAKMP:(20308): processing ID payload. message ID = 0
    Feb 7 18:41:37.164: ISAKMP (20308): ID payload
    next-payload : 6
    type : 2
    FQDN name : RTR2.customer.de
    protocol : 17
    port : 0
    length : 30
    Feb 7 18:41:37.164: ISAKMP:(0):: peer matches *none* of the profiles
    Feb 7 18:41:37.164: ISAKMP:(20308): processing CERT payload. message ID = 0
    Feb 7 18:41:37.164: ISAKMP:(20308): processing a CT_X509_SIGNATURE cert
    Feb 7 18:41:37.164: ISAKMP:(20308): IKE->PKI Add peer's certificate state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.164: ISAKMP:(20308): PKI->IKE Added peer's certificate state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.164: ISAKMP:(20308): IKE->PKI Get PeerCertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.164: ISAKMP:(20308): PKI->IKE Got PeerCertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.164: ISAKMP:(20308): peer's pubkey is cached
    Feb 7 18:41:37.164: ISAKMP:(0):: peer matches *none* of the profiles
    Feb 7 18:41:37.164: ISAKMP:(20308): IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.168: ISAKMP:(20308): PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.168: ISAKMP:(20308): Unable to get DN from certificate!
    Feb 7 18:41:37.168: ISAKMP:(20308): processing SIG payload. message ID = 0
    Feb 7 18:41:37.168: ISAKMP:(20308): processing NOTIFY INITIAL_CONTACT protocol 1
    spi 0, message ID = 0, sa = 0x2107EC78
    Feb 7 18:41:37.168: ISAKMP:(20308):SA authentication status:
    authenticated
    Feb 7 18:41:37.168: ISAKMP:(20308):SA has been authenticated with a.b.c.d
    Feb 7 18:41:37.168: ISAKMP:(20308):Detected port floating to port = 20962
    Feb 7 18:41:37.168: ISAKMP: Trying to find existing peer e.f.g.h/a.b.c.d/20962/OUTSIDE_VTI
    Feb 7 18:41:37.168: ISAKMP:(20308):SA authentication status:
    authenticated
    Feb 7 18:41:37.168: ISAKMP:(20308): Process initial contact,
    bring down existing phase 1 and 2 SA's with local e.f.g.h remote a.b.c.d remote port 20962
    Feb 7 18:41:37.168: ISAKMP: Trying to insert a peer e.f.g.h/a.b.c.d/20962/OUTSIDE_VTI, and inserted successfully 3D83A580.
    Feb 7 18:41:37.168: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Feb 7 18:41:37.168: ISAKMP:(20308):Old State = IKE_R_MM5 New State = IKE_R_MM5
    Feb 7 18:41:37.168: ISAKMP:(20308): IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.168: ISAKMP:(20308): PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.168: ISAKMP:(20308): IKE->PKI Get SubjectName state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.168: ISAKMP:(20308): PKI->IKE Got SubjectName state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.168: ISAKMP:(20308):My ID configured as IPv4 Addr, but Addr not in Cert!
    Feb 7 18:41:37.168: ISAKMP:(20308):Using FQDN as My ID
    Feb 7 18:41:37.168: ISAKMP:(20308):SA is doing RSA signature authentication using id type ID_FQDN
    Feb 7 18:41:37.168: ISAKMP (20308): ID payload
    next-payload : 6
    type : 2
    FQDN name : RTR1.company.de
    protocol : 17
    port : 0
    length : 26
    Feb 7 18:41:37.168: ISAKMP:(20308):Total payload length: 26
    Feb 7 18:41:37.168: ISAKMP:(20308): IKE->PKI Get CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.172: ISAKMP:(20308): PKI->IKE Got CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer a.b.c.d)
    Feb 7 18:41:37.172: ISAKMP (20308): constructing CERT payload for hostname=RTR1.company.de,cn=RTR1,o=company,c=DE
    Feb 7 18:41:37.172: ISAKMP:(20308): using the VPN trustpoint's keypair to sign
    Feb 7 18:41:37.176: ISKAMP: growing send buffer from 1024 to 3072
    Feb 7 18:41:37.176: ISAKMP:(20308): sending packet to a.b.c.d my_port 4500 peer_port 20962 (R) MM_KEY_EXCH
    Feb 7 18:41:37.180: ISAKMP:(20308):Sending an IKE IPv4 Packet.
    Feb 7 18:41:37.180: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Feb 7 18:41:37.180: ISAKMP:(20308):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
    Feb 7 18:41:37.180: ISAKMP:(20308): IKE->PKI End PKI Session state (R) QM_IDLE (peer a.b.c.d)
    Feb 7 18:41:37.180: ISAKMP:(20308): PKI->IKE Ended PKI session state (R) QM_IDLE (peer a.b.c.d)
    Feb 7 18:41:37.180: ISAKMP:(20308):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Feb 7 18:41:37.180: ISAKMP:(20308):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
    Feb 7 18:41:37.208: ISAKMP (20308): received packet from a.b.c.d dport 4500 sport 20962 OUTSIDE_VTI (R) QM_IDLE
    Feb 7 18:41:37.208: ISAKMP: set new node -1302683506 to QM_IDLE
    Feb 7 18:41:37.212: ISAKMP:(20308): processing HASH payload. message ID = 2992283790
    Feb 7 18:41:37.212: ISAKMP:(20308): processing SA payload. message ID = 2992283790
    Feb 7 18:41:37.212: ISAKMP:(20308):Checking IPSec proposal 1
    Feb 7 18:41:37.212: ISAKMP: transform 1, ESP_AES
    Feb 7 18:41:37.212: ISAKMP: attributes in transform:
    Feb 7 18:41:37.212: ISAKMP: encaps is 3 (Tunnel-UDP)
    Feb 7 18:41:37.212: ISAKMP: SA life type in seconds
    Feb 7 18:41:37.212: ISAKMP: SA life duration (basic) of 3600
    Feb 7 18:41:37.212: ISAKMP: SA life type in kilobytes
    Feb 7 18:41:37.212: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
    Feb 7 18:41:37.212: ISAKMP: authenticator is HMAC-SHA
    Feb 7 18:41:37.212: ISAKMP: key length is 256
    Feb 7 18:41:37.212: ISAKMP:(20308):atts are acceptable.
    Feb 7 18:41:37.212: ISAKMP:(20308): IPSec policy invalidated proposal with error 32
    Feb 7 18:41:37.212: ISAKMP:(20308): phase 2 SA policy not acceptable! (local e.f.g.h remote a.b.c.d)
    Feb 7 18:41:37.212: ISAKMP: set new node -809943149 to QM_IDLE
    Feb 7 18:41:37.212: ISAKMP:(20308):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 573410632, message ID = 3485024147
    Feb 7 18:41:37.212: ISAKMP:(20308): sending packet to a.b.c.d my_port 4500 peer_port 20962 (R) QM_IDLE
    Feb 7 18:41:37.212: ISAKMP:(20308):Sending an IKE IPv4 Packet.
    Feb 7 18:41:37.212: ISAKMP:(20308):purging node -809943149
    Feb 7 18:41:37.212: ISAKMP:(20308):deleting node -1302683506 error TRUE reason "QM rejected"
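A triage script for debug output like the above, added here as an example (it is not code from the original post): it reduces a verbose `debug crypto isakmp` trace to the state transitions, the phase 1 parameters, NAT-T detection and port floating, whether an ISAKMP profile matched, and the phase 2 outcome. The embedded SAMPLE_LOG is an excerpt of the lines posted above; a.b.c.d and e.f.g.h are the poster's own address placeholders. Reading "His hash no match - this node outside NAT" as "the peer sits behind a NAT, the local router does not" is the interpretation the code assumes.

```python
"""Triage helper for Cisco IOS 'debug crypto isakmp' output (added example, not
code from the thread).  It reduces a verbose IKEv1 main-mode debug to the facts a
responder wants first.  SAMPLE_LOG is an excerpt of the debug lines posted in the
thread; a.b.c.d / e.f.g.h are the poster's own address placeholders."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
Feb 7 18:41:37.048: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Feb 7 18:41:37.048: ISAKMP (0): vendor ID is NAT-T RFC 3947
Feb 7 18:41:37.048: ISAKMP: encryption AES-CBC
Feb 7 18:41:37.048: ISAKMP: keylength of 256
Feb 7 18:41:37.048: ISAKMP: hash SHA
Feb 7 18:41:37.048: ISAKMP: default group 2
Feb 7 18:41:37.048: ISAKMP: auth RSA sig
Feb 7 18:41:37.092: ISAKMP (20308): His hash no match - this node outside NAT
Feb 7 18:41:37.164: ISAKMP:(0):: peer matches *none* of the profiles
Feb 7 18:41:37.168: ISAKMP:(20308):SA has been authenticated with a.b.c.d
Feb 7 18:41:37.168: ISAKMP:(20308):Detected port floating to port = 20962
Feb 7 18:41:37.180: ISAKMP:(20308):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Feb 7 18:41:37.212: ISAKMP:(20308): IPSec policy invalidated proposal with error 32
Feb 7 18:41:37.212: ISAKMP:(20308): phase 2 SA policy not acceptable! (local e.f.g.h remote a.b.c.d)
Feb 7 18:41:37.212: ISAKMP:(20308):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
Feb 7 18:41:37.212: ISAKMP:(20308):deleting node -1302683506 error TRUE reason "QM rejected"
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
P1_ATTR_RE = re.compile(r"ISAKMP: (encryption|keylength of|hash|default group|auth) (.+?)\s*$")
ATTR_KEYS = {"encryption": "encryption", "keylength of": "keylength", "hash": "hash",
             "default group": "group", "auth": "auth"}
PORT_FLOAT_RE = re.compile(r"Detected port floating to port = (\d+)")
PEER_AUTH_RE = re.compile(r"SA has been authenticated with (\S+)")
NOTIFY_RE = re.compile(r"Sending NOTIFY (\S+)")
IPSEC_ERR_RE = re.compile(r"IPSec policy invalidated proposal with error (\d+)")
REASON_RE = re.compile(r'reason "([^"]+)"')
# Phase 1 parameters that are legacy by current standards (DH 1/2/5, MD5/SHA-1, DES/3DES).
LEGACY = {"group": {"1", "2", "5"}, "hash": {"MD5", "SHA"}, "encryption": {"DES", "3DES"}}

@dataclass
class IkeSummary:
    transitions: List[Tuple[str, str]] = field(default_factory=list)
    phase1: Dict[str, str] = field(default_factory=dict)
    nat_t: bool = False                     # peer advertised NAT-T support
    peer_behind_nat: Optional[bool] = None  # result of the NAT-D hash check
    floated_port: Optional[int] = None      # peer's UDP port after the float to 4500
    peer: Optional[str] = None
    profile_matched: bool = True            # ISAKMP profile lookup succeeded
    phase1_complete: bool = False
    phase2_ok: Optional[bool] = None
    ipsec_error: Optional[int] = None
    notifies: List[str] = field(default_factory=list)
    failure_reason: Optional[str] = None

def summarize(log: str) -> IkeSummary:
    """Single pass over the debug lines; each line updates at most one field."""
    s = IkeSummary()
    for line in log.splitlines():
        if (m := STATE_RE.search(line)):
            s.transitions.append((m.group(1), m.group(2)))
            s.phase1_complete |= (m.group(2) == "IKE_P1_COMPLETE")
        elif (m := P1_ATTR_RE.search(line)):
            s.phase1[ATTR_KEYS[m.group(1)]] = m.group(2)
        elif "vendor ID is NAT-T" in line:
            s.nat_t = True
        elif "His hash no match" in line:
            # The peer's NAT-D hash did not verify, so its address was translated on
            # the path; "this node outside NAT" refers to the local router (assumed reading).
            s.peer_behind_nat = True
        elif (m := PORT_FLOAT_RE.search(line)):
            s.floated_port = int(m.group(1))
        elif (m := PEER_AUTH_RE.search(line)):
            s.peer = m.group(1)
        elif "peer matches *none* of the profiles" in line:
            s.profile_matched = False
        elif (m := IPSEC_ERR_RE.search(line)):
            s.ipsec_error = int(m.group(1))
        elif "phase 2 SA policy not acceptable" in line:
            s.phase2_ok = False
        elif (m := NOTIFY_RE.search(line)):
            s.notifies.append(m.group(1))
        elif (m := REASON_RE.search(line)):
            s.failure_reason = m.group(1)
    return s

def legacy_findings(s: IkeSummary) -> List[str]:
    """Phase 1 parameters worth a hardening ticket, as 'key=value' strings."""
    return [f"{k}={s.phase1[k]}" for k, weak in LEGACY.items() if s.phase1.get(k) in weak]

def verdict(s: IkeSummary) -> str:
    """One-line conclusion a responder can paste into a ticket."""
    if not s.phase1_complete:
        return "phase 1 did not complete"
    if s.phase2_ok is False:
        return (f"phase 1 complete with {s.peer}; phase 2 rejected locally "
                f"(reason: {s.failure_reason}, IPsec policy error {s.ipsec_error})")
    return f"phase 1 complete with {s.peer}; no phase 2 rejection seen"
```

Running `verdict(summarize(SAMPLE_LOG))` reports that phase 1 completed but phase 2 was rejected locally with IPsec policy error 32 and reason "QM rejected": the peer's transform attributes were accepted, so the local IPsec policy check is what turned the proposal down, and the IPsec transform set, tunnel mode and traffic selectors on both ends are the first things to compare. `profile_matched` being False is the second lead, since the peer matched none of the ISAKMP profiles even though the certificate validated. `legacy_findings()` flags DH group 2 and SHA-1 in the phase 1 policy as candidates for hardening.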

  • NAT is not working for VRF partially

    Hello!
    I have a diagram like this:
    VRF_A and VRF_B have overlapping addressing plans from the 192.168.x.x range.
    RIP is used as the routing protocol in both VRFs (I tried all of them, but the effect is much the same).
    The closest to PE1 network is 172.16.0.0/24.
    PE1:
    ip vrf VRF_A
    rd 65001:1
    route-target export 65001:1
    route-target import 65001:1
    ip vrf VRF_B
    rd 65001:2
    route-target export 65001:2
    route-target import 65001:2
    ip nat inside source list 10 interface FastEthernet0/0 vrf VRF_A overload
    ip nat inside source list 10 interface FastEthernet0/0 vrf VRF_B overload
    ip route vrf VRF_A 0.0.0.0 0.0.0.0 FastEthernet0/0 172.16.0.1 global
    ip route vrf VRF_B 0.0.0.0 0.0.0.0 FastEthernet0/0 172.16.0.1 global
    interface FastEthernet0/0
    ip address 172.16.0.24 255.255.255.0
    ip nat outside
    duplex full
    interface FastEthernet1/0
    ip vrf forwarding VRF_A
    ip address 192.168.0.2 255.255.255.0
    ip nat inside
    duplex full
    interface FastEthernet4/0
    ip vrf forwarding VRF_B
    ip address 192.168.0.2 255.255.255.0
    ip nat inside
    duplex full
    When I try to ping 172.16.0.1 from CE11, CE21 and from VRF_A and VRF_B on PE1, all is fine! NAT is performed and the ping is OK.
    But when I try to ping from the others (PE2 and CE21 and CE22), NAT is not performed; I see 192.168.x.x at the Internet Router and the ping fails.
    I'm in a stupor. What could it be??? And how to avoid this situation? Are there "exits"?
    I forgot to mention that there is a full connectivity inside both of VRFs. Routing protocols and redistribution work fine.
    Kind regard,
    Ellad

    It's wrong:
    PE1
    interface toward P1
    ip nat inside
    interface toward P2
    ip nat inside
    Here is PE1:
    Current configuration : 2829 bytes
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname PE1
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip subnet-zero
    ip vrf VRF_A
    rd 65001:1
    route-target export 65001:1
    route-target import 65001:1
    ip vrf VRF_B
    rd 65001:2
    route-target export 65001:2
    route-target import 65001:2
    ip cef
    ip audit po max-events 100
    mpls label protocol ldp
    interface Loopback0
    ip address 10.0.2.1 255.255.255.255
    interface FastEthernet0/0
    ip address 172.16.0.24 255.255.255.0
    ip nat outside
    duplex full
    interface FastEthernet1/0
    ip vrf forwarding VRF_A
    ip address 192.168.0.2 255.255.255.0
    ip nat inside
    duplex full
    interface FastEthernet2/0
    ip address 10.0.23.1 255.255.255.0
    duplex full
    tag-switching mtu 1512
    tag-switching ip
    interface FastEthernet3/0
    ip address 10.0.24.1 255.255.255.0
    duplex full
    tag-switching mtu 1512
    tag-switching ip
    interface FastEthernet4/0
    ip vrf forwarding VRF_B
    ip address 192.168.0.2 255.255.255.0
    ip nat inside
    duplex full
    router ospf 1
    log-adjacency-changes
    network 10.0.0.0 0.255.255.255 area 0
    router rip
    version 2
    no auto-summary
    address-family ipv4 vrf VRF_B
    redistribute bgp 65001 metric 1
    network 192.168.0.0
    no auto-summary
    exit-address-family
    router bgp 65001
    no bgp default ipv4-unicast
    bgp log-neighbor-changes
    neighbor 10.0.5.1 remote-as 65001
    neighbor 10.0.5.1 update-source Loopback0
    address-family vpnv4
    neighbor 10.0.5.1 activate
    neighbor 10.0.5.1 next-hop-self
    neighbor 10.0.5.1 send-community both
    exit-address-family
    address-family ipv4 vrf VRF_B
    redistribute static
    redistribute rip
    no auto-summary
    no synchronization
    exit-address-family
    address-family ipv4 vrf VRF_A
    no auto-summary
    no synchronization
    exit-address-family
    ip nat inside source list 10 interface FastEthernet0/0 vrf VRF_A overload
    ip nat inside source list 10 interface FastEthernet0/0 vrf VRF_B overload
    ip classless
    ip route vrf VRF_A 0.0.0.0 0.0.0.0 FastEthernet0/0 172.16.0.1 global
    ip route vrf VRF_B 0.0.0.0 0.0.0.0 FastEthernet0/0 172.16.0.1 global
    no ip http server
    no ip http secure-server
    ip extcommunity-list 1 permit soo 65002:901
    access-list 1 deny   10.1.8.1
    access-list 1 deny   10.0.8.1
    access-list 1 deny   10.1.2.1
    access-list 1 deny   10.0.2.1
    access-list 1 permit any
    access-list 10 permit 192.168.0.0 0.0.255.255
    access-list 10 permit 192.168.1.0 0.0.0.255
    route-map rm-soo permit 10
    set extcommunity soo 65002:901
    route-map rm-soo-action deny 10
    match extcommunity 1
    route-map rm-soo-action permit 20
    match ip address 1
    gatekeeper
    shutdown
    line con 0
    exec-timeout 144 0
    logging synchronous
    stopbits 1
    line aux 0
    stopbits 1
    line vty 0 4
    login
    end
    1.0.5.1 is Loopback0 of P3. It's a route-reflector for all PEs. I study.
    And everything you see above is Dynamips. The Internet router is a real Ubuntu server.
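A consistency check for this kind of NAT-aware VRF configuration, added here as an example (it is not the poster's code or Cisco's). IOS NAT only translates a packet that enters an `ip nat inside` interface and leaves through an `ip nat outside` interface, so the audit verifies that every interface placed in a NAT-enabled VRF is marked inside, that the outside interface and the referenced access list exist, and that the VRF's default route leaves via the outside interface into the global table; it also lists interfaces that carry no NAT marking at all and subnets that overlap across VRFs. SAMPLE_CONFIG is a condensed copy of the PE1 configuration from the post above, re-indented the way IOS prints sub-commands (one leading space); the parser relies on that indentation.

```python
"""Consistency audit for IOS 'ip nat inside source ... vrf' setups (added example,
not the poster's code).  SAMPLE_CONFIG is a condensed, re-indented copy of the PE1
configuration from the post; the parser treats a leading space as 'sub-command of
the current block', which is how IOS prints a running configuration."""
import ipaddress
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 172.16.0.24 255.255.255.0
 ip nat outside
interface FastEthernet1/0
 ip vrf forwarding VRF_A
 ip address 192.168.0.2 255.255.255.0
 ip nat inside
interface FastEthernet2/0
 ip address 10.0.23.1 255.255.255.0
interface FastEthernet3/0
 ip address 10.0.24.1 255.255.255.0
interface FastEthernet4/0
 ip vrf forwarding VRF_B
 ip address 192.168.0.2 255.255.255.0
 ip nat inside
ip nat inside source list 10 interface FastEthernet0/0 vrf VRF_A overload
ip nat inside source list 10 interface FastEthernet0/0 vrf VRF_B overload
ip route vrf VRF_A 0.0.0.0 0.0.0.0 FastEthernet0/0 172.16.0.1 global
ip route vrf VRF_B 0.0.0.0 0.0.0.0 FastEthernet0/0 172.16.0.1 global
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 10 permit 192.168.1.0 0.0.0.255
"""

NAT_RE = re.compile(r"^ip nat inside source list (\S+) interface (\S+) vrf (\S+)")
ROUTE_RE = re.compile(r"^ip route vrf (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+) \S+( global)?$")
ACL_RE = re.compile(r"^access-list (\S+) ")
ADDR_RE = re.compile(r"^ip address (\S+) (\S+)$")

def parse(config: str):
    """Split the config into interface blocks plus the NAT, static-route and ACL lines."""
    interfaces: Dict[str, List[str]] = {}
    nat: List[Tuple[str, str, str]] = []      # (acl, outside interface, vrf)
    routes: List[Tuple[str, str, bool]] = []  # (vrf, egress interface, 'global' keyword)
    acls = set()
    current = None
    for raw in config.splitlines():
        if raw.startswith(" "):               # sub-command of the current block
            if current is not None:
                interfaces[current].append(raw.strip())
            continue
        current = None
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif (m := NAT_RE.match(raw)):
            nat.append((m.group(1), m.group(2), m.group(3)))
        elif (m := ROUTE_RE.match(raw)):
            routes.append((m.group(1), m.group(2), bool(m.group(3))))
        elif (m := ACL_RE.match(raw)):
            acls.add(m.group(1))
    return interfaces, nat, routes, acls

def vrf_of(lines: List[str]):
    return next((l.split()[-1] for l in lines if l.startswith("ip vrf forwarding ")), None)

def audit(config: str) -> Tuple[List[str], List[str]]:
    """Return (findings, interfaces that carry neither NAT marking)."""
    interfaces, nat, routes, acls = parse(config)
    findings = []
    for acl, outside_if, vrf in nat:
        if acl not in acls:
            findings.append(f"{vrf}: access-list {acl} is not defined")
        if "ip nat outside" not in interfaces.get(outside_if, []):
            findings.append(f"{vrf}: {outside_if} is not marked 'ip nat outside'")
        members = [n for n, l in interfaces.items() if vrf_of(l) == vrf]
        if not members:
            findings.append(f"{vrf}: no interface is placed in this VRF")
        for n in members:
            if "ip nat inside" not in interfaces[n]:
                findings.append(f"{vrf}: {n} is in the VRF but not marked 'ip nat inside'")
        if not any(r == (vrf, outside_if, True) for r in routes):
            findings.append(f"{vrf}: no default route via {outside_if} with the 'global' keyword")
    unmarked = sorted(n for n, l in interfaces.items()
                      if "ip nat inside" not in l and "ip nat outside" not in l)
    return findings, unmarked

def overlapping_subnets(config: str) -> Dict[str, List[str]]:
    """Subnets configured in more than one VRF: the reason NAT is needed at all."""
    interfaces, *_ = parse(config)
    seen: Dict[str, List[str]] = {}
    for lines in interfaces.values():
        vrf = vrf_of(lines) or "global"
        for l in lines:
            if (m := ADDR_RE.match(l)):
                net = str(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network)
                seen.setdefault(net, []).append(vrf)
    return {net: vrfs for net, vrfs in seen.items() if len(vrfs) > 1}
```

On the posted configuration `audit(SAMPLE_CONFIG)` returns no findings, which matches the poster's observation that NAT works for traffic entering on FastEthernet1/0 and FastEthernet4/0; the second return value lists FastEthernet2/0 and FastEthernet3/0, the MPLS-facing interfaces, as carrying no NAT marking, which is where traffic from the remote PEs and CEs arrives. `overlapping_subnets()` reports 192.168.0.0/24 in both VRF_A and VRF_B. Removing `ip nat inside` from one VRF interface, or renumbering the access list, makes the corresponding finding appear, so the same script can be run against a change before it is pushed.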
