NAT between VRFs

Is it possible to do address translation between VRFs? I see NAT is possible from VRF to global, but I haven't found any info about the possibility of NAT between VRFs. Is it possible?

Please refer to the following link for more information on NAT Integration with MPLS VPNs.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftnatvpn.pdf

Similar Messages

  • Nat between vrf

    Hi to all, I'm trying to configure NAT between VRFs. I have a network with multiple VRFs and a common VRF where there are some services shared among them.
    I have an IP overlapping issue, so I'm trying to use NAT-aware VRF.
    The shared service is on a VRF also.
    I use route-target import and export to import routes between VRFs. I've seen NAT is working between VRF and global routing, but not between different VRFs that already are able to communicate.
    This is my configuration:
    ip vrf proxy
    rd 500:500
    route-target export 500:500
    route-target export 501:501
    route-target import 500:500
    route-target import 401:401
    ip vrf upa
    rd 300:300
    route-target export 300:300
    route-target export 401:401
    route-target import 300:300
    route-target import 501:501
    ip vrf upa-tv
    rd 1000:1000
    route-target export 1000:1000
    route-target export 401:401
    route-target import 1000:1000
    route-target import 501:501
    mpls label protocol ldp
    interface GigabitEthernet0/0
    no ip address
    duplex auto
    speed auto
    interface GigabitEthernet0/0.1
    description interfacccia outside per ip pubblico ipsec
    encapsulation dot1Q 500
    ip address 195.195.195.195 255.255.255.0
    interface GigabitEthernet0/0.10
    encapsulation dot1Q 300
    ip vrf forwarding upa
    ip address 172.31.47.254 255.255.255.0
    ip nat enable
    interface GigabitEthernet0/0.20
    encapsulation dot1Q 310
    ip vrf forwarding proxy
    ip address 172.31.50.1 255.255.255.0
    interface GigabitEthernet0/0.10
    encapsulation dot1Q 320
    ip vrf forwarding upa-tv
    ip address 10.4.1.254 255.255.255.0
    interface GigabitEthernet0/1
    description connessa a 6500
    ip address 80.x.x.1 255.255.255.0
    duplex auto
    speed auto
    mpls ip
    router bgp 65000
    no synchronization
    bgp log-neighbor-changes
    neighbor 80.80.80.2 remote-as 65000
    no auto-summary
    address-family vpnv4
    neighbor 80.80.80.2 activate
    neighbor 80.80.80.2 send-community both
    exit-address-family
    address-family ipv4 vrf upa-tv
    no synchronization
    exit-address-family
    address-family ipv4 vrf upa
    redistribute connected
    no synchronization
    exit-address-family
    address-family ipv4 vrf proxy
    redistribute connected
    no synchronization
    exit-address-family
    ip route vrf proxy 169.254.99.12 255.255.255.255 GigabitEthernet0/0.10 172.31.47.254
    ip route vrf upa 10.4.1.0 255.255.255.0 172.31.47.1
    ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
    As you can see, I export routes from vrf upa and upa-tv as RT 401:401 and import them in the proxy vrf, and in the same way I export routes from the proxy vrf as RT 501:501 and import them into upa and upa-tv.
    Network 10.4.1.0/24 exists in both vrf upa and upa-tv, so I'd like to NAT one of them to another IP address (I tried to use a static translation to be able to reach the same IP address in both VRFs). I made some tests, and it seems to work when I NAT from VRF to global, but it does not work when the NAT is between VRFs (is this supported?). I tried with NVI and with the classic NAT commands:
    interface GigabitEthernet0/0.10
    encapsulation dot1Q 300
    ip vrf forwarding upa
    ip address 172.31.47.254 255.255.255.0
    ip nat inside
    interface GigabitEthernet0/0.20
    encapsulation dot1Q 310
    ip vrf forwarding proxy
    ip address 172.31.50.1 255.255.255.0
    ip nat outside
    ip nat inside source static 10.4.1.12 169.254.99.12 vrf proxy
    I also tried with
    ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
    but it didn't work...
    Any suggestion?
    Any help will be appreciated.
    Max

    Hi Mohammed, now all works well.
    I understand my error: when I tried to ping, I pinged a router in my own VRF, because I imported the network, so the packet didn't come across the interfaces and NAT was not in place. Now I tried static host and network NAT and dynamic NAT and all work well.
    Here is a complete working configuration:
    ip vrf proxy
    rd 500:500
    route-target export 500:500
    route-target export 501:501
    route-target import 500:500
    route-target import 401:401
    ip vrf upa
    rd 300:300
    route-target export 300:300
    route-target export 401:401
    route-target import 300:300
    route-target import 501:501
    ip vrf upa-tv
    rd 1000:1000
    route-target export 1000:1000
    route-target export 401:401
    route-target import 1000:1000
    route-target import 501:501
    mpls label protocol ldp
    interface GigabitEthernet0/0
    no ip address
    duplex auto
    speed auto
    interface GigabitEthernet0/0.1
    description interfacccia outside per ip pubblico ipsec
    encapsulation dot1Q 500
    ip address 195.195.195.195 255.255.255.0
    interface GigabitEthernet0/0.10
    encapsulation dot1Q 300
    ip vrf forwarding upa
    ip address 172.31.47.254 255.255.255.0
    ip nat inside
    interface GigabitEthernet0/0.20
    encapsulation dot1Q 310
    ip vrf forwarding proxy
    ip nat outside
    ip address 172.31.50.1 255.255.255.0
    interface GigabitEthernet0/0.10
    encapsulation dot1Q 320
    ip vrf forwarding upa-tv
    ip address 10.4.1.254 255.255.255.0
    interface GigabitEthernet0/1
    description connessa a 6500
    ip address 80.x.x.1 255.255.255.0
    duplex auto
    speed auto
    mpls ip
    router bgp 65000
    no synchronization
    bgp log-neighbor-changes
    neighbor 80.80.80.2 remote-as 65000
    no auto-summary
    address-family vpnv4
    neighbor 80.80.80.2 activate
    neighbor 80.80.80.2 send-community both
    exit-address-family
    address-family ipv4 vrf upa-tv
    no synchronization
    exit-address-family
    address-family ipv4 vrf upa
    redistribute connected
    no synchronization
    exit-address-family
    address-family ipv4 vrf proxy
    redistribute connected
    no synchronization
    exit-address-family
    ip route vrf proxy 169.254.99.12 255.255.255.255 GigabitEthernet0/0.10 172.31.47.254
    ip route vrf upa 10.4.1.0 255.255.255.0 172.31.47.1
    ip nat inside source static 10.4.1.12 169.254.99.12 vrf upa
    Many thanks for the help, now all works well and I understand the way to configure it.

  • NAT between two interfaces

    Good day,
    I would like to ask if it is possible to do NAT between two interfaces on the same device.
    The problem is that I need access from my inside LAN to the management interface on the ASA. We will not manage the ASA over the inside interface.
    This is my current NAT statement:
    nat (inside,mgmt) source static 172.20.200.0-24 192.168.3.222 destination static 192.168.3.0-24 192.168.3.0-24 unidirectional
    This is my PacketTracer output:
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.3.0     255.255.255.0  mgmt
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inside in interface inside
    access-list inside extended permit ip 172.20.200.0 255.255.255.0 any
    Additional Information:
    Phase: 3
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (inside,mgmt) source static 172.20.200.0-24 192.168.3.222 destination static 192.168.3.0-24 192.168.3.0-24 unidirectional
    Additional Information:
    Static translate 172.20.200.1/0 to 192.168.3.222/0
    Phase: 5
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 244039047, packet dispatched to next module
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: mgmt
    output-status: up
    output-line-status: up
    Action: allow
    So NAT seems to be working correctly. I can reach other devices behind the mgmt network, this is no problem. But I can't access the ASA on the mgmt interface 192.168.3.2.
    Could it be a problem with the traffic flow? Because in the Packet Tracer output I see in Phase 1 a route lookup and later in Phase 4 the NAT statement.
    Is there a way to get this working?
    Many thanks for your feedback.
    Brgds,
    Markus

    Hi,
    To my understanding it's not possible to connect to an ASA interface through an interface other than the one where the IP address is located.
    In other words, you are not able to connect from behind "inside" to the IP address of the "mgmt" interface.
    I will try to find you a link to some Cisco documentation stating this. (I have never really had to find it, though.)
    - Jouni

  • NAT between IPIVR (or UCCX) and CUCM?

    Hi,
    I would like to know if NAT between IPIVR (or UCCX) and CUCM is allowed (with ASA only, or also router and switch)?
    I didn't find anything about it in the UCCX SRND.
    thanks
    [IPIVR v8, CUCM v7.1(5).]

    Hello,
    1) Yes, please use sip trunk as the interface between cme and cucm.
    2) Please note: officially  cme sip trunk video is only supported for cme1—sip trunk---cme2 type set up, but for  basic call you could try to setup cucm to use early media on the sip  trunk. cme by default would use early media and it should work.
    3) For configuration guide on CME Video, you can refer http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/admin/configuration/guide/cmevideo.html#wp1027101 
    4) For interfacing CME with CUCM, please remember to configure below command on CME:
           voice service voip
            sip
              asymmetric payload full
    Hope this helps,
    Vishal

  • NAT between VEM & VSM

    Hi,
    I have a setup with VSM, VEM & VC.
    The setup is an L3 configuration between the VSM and VEM and I am trying to configure NAT between them (I have Cisco routers in the middle).
    From what I saw, I do not think it can work in a NAT configuration between the VSM and VEM, because the VSM always updates the VMware VC with its real IP address (it informs it via the application layer rather than in the L3 headers; actually at L3 there is a UDP encapsulation), then the VC updates the VEM about the VSM's real IP address and where to open the tunnel.
    The VEM will always try to bring up the tunnel towards the real IP address of the VSM and not towards the NAT IP address.
    Am I correct, or do I need to configure something else?
    Thanks,

  • Oracle returns redirect when there is NAT between client and server

    I have Oracle 8i on Linux sitting behind a firewall/NAT. I have two Apache webservers that run both Tomcat and WebLogic webapps, also behind the NAT. One of them is on the same machine as the Oracle server. Those all connect just fine. I recently had to load a JBoss/Tomcat webapp (no Apache) outside the NAT which needs to talk to the Oracle server. It's using a JDBC driver, I believe calling on this class: oracle.jdbc.driver.OracleDriver. The configured URL is "jdbc:oracle:thin:@localhost:1521:qlink". Using Ethereal (a GUI frontend to the packet sniffer tcpdump, which understands the TNS protocol) showed me that this is the connection request being made: "(DESCRIPTION=(CONNECT_DATA=(SID=qlink)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=oracle)))
    (ADDRESS_LIST=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=1521))))". I notice it uses SID, where it seems everything else I've analyzed with Ethereal is using SERVICE_NAME. I was first trying to pipe the data through an SSH tunnel. This technique works with all of Oracle's tools that I have tried it with, and with TOAD. I can connect to this Oracle server with the DBA Studio and sqlplus, over an SSH tunnel. But as soon as this JBoss/Tomcat webapp tries, Oracle returns a REDIRECT message. There are two things that strike me as odd: the REDIRECT message returns the hostname of the Oracle server and a nonstandard port, and the JBoss/Tomcat webapp doesn't seem to do anything about it. I had assumed the TNSLSNR forwarded data between 1521 and the appropriate port for the requested database. The port is the same every time, so I made sure that the hostname/port returned was reachable from the client side. But like I said, the client seemed to just ignore it and hang. Getting desperate, I then tried to open up the Oracle ports on the NAT, and use ipchains to restrict what IPs could connect to it; that yielded the same results. I've seen this webapp work with Oracle running on the same machine, both configured identically. (Running Oracle behind the NAT and using SSH tunnels gives the same configuration for JBoss/Tomcat as if I was running Oracle on the same machine.)

    I'm pretty uninitiated with Oracle. I don't know how to verify/disprove your guess about the shared server dispatcher, or even what it means. Should I try to pursue the observation that the JDBC client specifies a SID to connect to and everything else specifies a SERVICE_NAME, or is that of little consequence? I'm not sure how to interpret the output from 'lsnrctl serv'. Here's the chunk pertaining to the database in question:
    qlink has 3 service handler(s)
    DISPATCHER established:120 refused:0 current:120 max:254 state:ready
    D000 <machine: sark.unboundtech.com, pid: 15801>
    (ADDRESS=(PROTOCOL=tcp)(HOST=sark.unboundtech.com)(PORT=41714))
    qlink has 3 service handler(s)
    DEDICATED SERVER established:46 refused:0
    LOCAL SERVER
    DISPATCHER established:0 refused:0 current:0 max:254 state:ready
    D001 <machine: sark.unboundtech.com, pid: 15803>
    (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=sark.unboundtech.com)(PORT=41716))(PRESENTATION=oracle.aurora.server.SGiopServer)(SESSION=RAW))
    Presentation: oracle.aurora.server.SGiopServer
    The (ADDRESS=...) is what is returned in the redirect. I created the database with dbassist using the default setup type. I'll have a look at listener.log (the name/location of a log file is actually a question I had but forgot to ask, so thanks), I don't know how to check trace output. The webserver is able to resolve the hostname being returned, and knows how to route to it.
    Localhost is the correct entry. If you've never used SSH tunnels, here's a quick rundown. You can tell most SSH clients to listen on an arbitrary port on your machine, and forward data to a remote IP/port from the other side. So from the webserver, I would say to forward localhost:1521 to localhost:1521 on the Oracle server. So for sqlplus, for example, I set up tnsnames.ora to route connections to a particular SERVICE_NAME to localhost:1521, which is forwarded through my SSH connection to localhost:1521 on the Oracle server. This gains me two things: all connections look like localhost, making my firewall rules simpler, and I get encryption through SSH (I know Oracle can do encrypted connections, but some clients might not support it, and I don't know how to set it up yet). I am able to connect to the database over an SSH tunnel using sqlplus, from the webserver (since I ended up installing Oracle on it), so I know the connection is possible.
    After reading that, you might wonder if the hostname:port returned in the redirect were accessible from the web server. They weren't at first, but opening ports 1521 and 41714 for sark.unboundtech.com at the NAT, firewalling requests from IPs other than the webserver, then giving the JDBC config sark.unboundtech.com instead of localhost with an SSH tunnel yielded identical behavior. After receiving the REDIRECT, the JDBC code doesn't seem to do anything except hang; nothing is sent to the location given in the REDIRECT response.
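    The REDIRECT behaviour discussed in this thread is easiest to see by parsing the two descriptors the poster captured. The following Python is an added example, not the poster's code or anything from Oracle: it implements the nested (KEY=VALUE) descriptor syntax as understood here, extracts HOST/PORT from every ADDRESS node, and flags a redirect whose target is not the endpoint the client actually connected to, which is the situation when the client reaches the listener through an SSH tunnel to localhost:1521 and the dispatcher answers with sark.unboundtech.com:41714. Both descriptor strings are copied from the posts above; the `tunnel_host`/`tunnel_port` parameters and all function names are this example's own.

```python
"""TNS connect-descriptor parser and redirect check (added example, not from the thread)."""

# Descriptors copied from the thread above: the JDBC connect request seen in
# Ethereal, and the dispatcher ADDRESS that the listener returns in its REDIRECT.
CONNECT_REQUEST = ("(DESCRIPTION=(CONNECT_DATA=(SID=qlink)(CID=(PROGRAM=)(HOST=__jdbc__)"
                   "(USER=oracle)))(ADDRESS_LIST=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost)"
                   "(PORT=1521))))")
REDIRECT = "(ADDRESS=(PROTOCOL=tcp)(HOST=sark.unboundtech.com)(PORT=41714))"


def parse_tns(text):
    """Parse a TNS descriptor such as (A=(B=x)(C=y)) into nested (key, value) tuples.

    A value is a string for a leaf (possibly empty, as in (PROGRAM=)) and a list of
    child nodes otherwise. Grammar as understood here: node := '(' KEY '=' (leaf | node+) ')'.
    """
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def node():
        nonlocal pos
        skip_ws()
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        eq = text.index("=", pos)
        key = text[pos:eq].strip()
        pos = eq + 1
        skip_ws()
        if text[pos] == "(":                      # nested children
            children = []
            while True:
                skip_ws()
                if text[pos] == ")":
                    pos += 1
                    return key, children
                children.append(node())
        close = text.index(")", pos)              # leaf value
        value = text[pos:close].strip()
        pos = close + 1
        return key, value

    tree = node()
    skip_ws()
    if pos != len(text):
        raise ValueError("trailing data after descriptor")
    return tree


def find_all(tree, key):
    """Depth-first search; returns the value of every node whose key matches."""
    k, v = tree
    found = [v] if k == key else []
    if isinstance(v, list):
        for child in v:
            found.extend(find_all(child, key))
    return found


def addresses(descriptor):
    """(host, port) for every ADDRESS node in the descriptor."""
    out = []
    for children in find_all(parse_tns(descriptor), "ADDRESS"):
        leaf = {k: v for k, v in children if isinstance(v, str)}
        port = int(leaf["PORT"]) if "PORT" in leaf else None
        out.append((leaf.get("HOST"), port))
    return out


def redirect_escapes_tunnel(redirect_descriptor, tunnel_host, tunnel_port):
    """True when the REDIRECT points the client somewhere other than the endpoint it
    connected to, i.e. the follow-up connection would bypass an SSH tunnel or NAT rule
    that only covers that one host:port."""
    return any((h, p) != (tunnel_host, tunnel_port)
               for h, p in addresses(redirect_descriptor))


if __name__ == "__main__":
    print("connect request SID:", find_all(parse_tns(CONNECT_REQUEST), "SID"))
    print("client connected to:", addresses(CONNECT_REQUEST))
    print("redirect target:     ", addresses(REDIRECT))
    print("redirect leaves the localhost:1521 tunnel:",
          redirect_escapes_tunnel(REDIRECT, "localhost", 1521))
```

    The check is a diagnostic, not a fix: it tells you that a client which honours the REDIRECT would need reachability to the dispatcher's host and port, which an SSH tunnel or a NAT rule scoped to port 1521 alone does not provide.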

  • NAT Aware VRF on cisco7600

    I am trying to find out which feature set supports NAT on a VRF for the 7606 chassis with supervisor module WS-SUP720-3BXL.
    Thanks

    Hi,
    Using FWSM is definitely an alternative where you dedicate a single instance of vFW to perform NAT for a particular VRF. If this is not acceptable to you, you may consider other platforms like the 7200 that can deliver a solution for this today.
    However, for all potential roadmap related discussion I would recommend you to directly get in touch with your account team since this forum may not be the right place to discuss such things.
    Cheers,

  • Howto control/filter traffic between VRF-(lite) using route leaking?

    Hi,
    Does anybody know how I can control/filter the traffic between two VRFs when I use route leaking, or also normal route-target export/import connections, maybe with an ACL, in the following scenarios?
    Scenario 1:
    I use a normal MPLS network with several PE routers (maybe ASR series) which connect to the CE routers via OSPF. Two VPNs are configured on the PE routers and I want one of the PE routers to allow/route traffic between these VPNs, but only traffic on TCP port 80 and no other ports. I'm only aware of binding ACLs to logical or physical interfaces, but I don't know how to do this here.
    Scenario 2:
    Same as scenario 1, but the PE router will not connect the VPNs; instead a separate router-on-a-stick (e.g. 4900M) which is connected to one of the PE routers should do this job with VRF-lite and route leaking (address-family ipv4 vrf ...). Here too I only want to allow TCP port 80 between the VPNs.
    Kind Regards,
    Thorsten

    Thanks.
    That's what I was assuming. In my experience this solution does not scale with an increasing number of VPNs and inter-VPN traffic via route targets.
    Is it correct that there is only one common ACL per VPN where all rules for the communication to all other VPNs are configured? Doesn't this ACL become too complex and too error-prone to administer in a real network environment? Furthermore, in my understanding this ACL has to be configured per VPN on all PE routers which have interfaces to CE routers for that VPN.
    Does Cisco offer software for managing this?

  • Route Leaking between VRF:s (Shared services)

    Hi,
    I'm a bit confused by this setup that I'm trying to achieve.
    The setup is classic though: I have one VRF for education (EDU), one for administrators (ADM) and then a shared VRF (GEM), like this:
    ip vrf ADM
    description *** ADMIN NET ***
    rd 2:2
    export map ADM-to-EDU
    route-target export 2:2
    route-target import 1:1
    route-target import 2:2
    ip vrf EDU
    description *** ELEV NET ***
    rd 3:3
    route-target export 3:3
    route-target import 1:1
    route-target import 33:33
    route-target import 3:3
    ip vrf GEM
    description *** GEMENSAM NET ***
    rd 1:1
    route-target export 1:1
    route-target import 2:2
    route-target import 3:3
    route-target import 1:1
    As you can see, I have also configured an export map for vrf ADM, from which I'm then importing routes.
    The map looks as follows:
    access-list 1 permit 172.18.254.37
    route-map ADM-to-EDU permit 10
    match ip address 1
    set extcommunity rt 33:33 additive
    A relevant part of the ip setup is as follows:
    interface Loopback3
    ip vrf forwarding EDU
    ip address 3.3.3.3 255.255.255.255
    interface Loopback37
    ip vrf forwarding ADM
    ip address 172.18.254.37 255.255.255.255
    I'm running BGP:
    router bgp 65235
    no synchronization
    bgp log-neighbor-changes
    no auto-summary
    address-family ipv4 vrf GEM
      redistribute connected
      redistribute static
      default-information originate
      no synchronization
    exit-address-family
    address-family ipv4 vrf EDU
      redistribute connected
      redistribute static
      default-information originate
      no synchronization
    exit-address-family
    address-family ipv4 vrf ADM
      redistribute connected
      redistribute static
      default-information originate
      no synchronization
    exit-address-family
    Now, the thing is, the leaking is working; I can see the leaked route in the EDU routing table below,
    Router#sh ip route vrf EDU
    Routing Table: EDU
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 172.19.16.5 to network 0.0.0.0
         1.0.0.0/32 is subnetted, 1 subnets
    B       1.1.1.1 is directly connected, 04:53:31, Loopback1
         3.0.0.0/32 is subnetted, 1 subnets
    C       3.3.3.3 is directly connected, Loopback3
         172.19.0.0/32 is subnetted, 1 subnets
    B       172.19.16.5 is directly connected, 02:27:51, Loopback0
         172.18.0.0/32 is subnetted, 1 subnets
    B       172.18.254.37 is directly connected, 00:32:14, Loopback37
    B*   0.0.0.0/0 [20/0] via 172.19.16.5 (GEM), 02:08:42
    but I cannot reach it:
    Router#ping vrf EDU 172.18.254.37
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    But if I run "debug ip packet" and then perform another ping, I get this result, which I think is a bit weird: to me it seems as if it works.
    Router#ping vrf EDU 172.18.254.37
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
    *Mar  1 05:42:40.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:40.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
    *Mar  1 05:42:40.574: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:40.578: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
    *Mar  1 05:42:40.578: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:40.578: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
    *Mar  1 05:42:40.578: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:40.578: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
    *Mar  1 05:42:42.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:42.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
    *Mar  1 05:42:42.574: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:42.578: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
    *Mar  1 05:42:42.582: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:42.586: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
    *Mar  1 05:42:42.590: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:42.590: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
    *Mar  1 05:42:44.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:44.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
    *Mar  1 05:42:44.570: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:44.574: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
    *Mar  1 05:42:44.578: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:44.578: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
    *Mar  1 05:42:44.578: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:44.578: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
    *Mar  1 05:42:46.566: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:46.570: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
    *Mar  1 05:42:46.570: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:46.570: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
    *Mar  1 05:42:46.570: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:46.570: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
    *Mar  1 05:42:46.570: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:46.574: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
    *Mar  1 05:42:48.562: IP: tableid=2, s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:48.566: IP: s=3.3.3.3 (local), d=172.18.254.37 (Loopback37), len 100, sending
    *Mar  1 05:42:48.566: IP: tableid=2, s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), routed via RIB
    *Mar  1 05:42:48.570: IP: s=3.3.3.3 (Loopback37), d=172.18.254.37 (Loopback37), len 100, rcvd 3
    *Mar  1 05:42:48.574: IP: tableid=2, s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:48.574: IP: s=172.18.254.37 (local), d=3.3.3.3 (Loopback0), len 100, sending
    *Mar  1 05:42:48.582: IP: tableid=2, s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), routed via RIB
    *Mar  1 05:42:48.582: IP: s=172.18.254.37 (Loopback0), d=3.3.3.3 (Loopback0), len 100, rcvd local pkt.
    Success rate is 0 percent (0/5)
    Router#
    However, if I add leaking for 3.3.3.3 in the ADM vrf like this:
    access-list 2 permit 3.3.3.3
    route-map EDU-to-ADM permit 10
    match ip address 2
    set extcommunity rt  22:22 additive
    ip vrf ADM
    description *** ADMIN NET ***
    rd 2:2
    export map ADM-to-EDU
    route-target export 2:2
    route-target import 1:1
    route-target import 22:22      < - added line
    route-target import 2:2
    ip vrf EDU
    description *** ELEV NET ***
    rd 3:3
    export map EDU-to-ADM         < - added line
    route-target export 3:3
    route-target import 1:1
    route-target import 33:33
    route-target import 3:3
    Then it will work:
    Router#ping vrf EDU 172.18.254.37
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/16 ms
    So actually, my big question is: am I doing this the right or wrong way? I'm a bit confused.
    Sorry about the rant; maybe it will clarify some things for others who are confused, or maybe just make it worse!
    Some additional thoughts:
    Why can't I perform this ping? Shouldn't this work?
    Router#ping vrf GEM 172.18.254.37
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.18.254.37, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    Router#
    bgp info:
    Router#sh ip bgp vpnv4 all
    BGP table version is 79, local router ID is 1.1.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 1:1 (default for vrf GEM)
    *> 0.0.0.0          172.19.16.5              0         32768 ?
    *> 1.1.1.1/32       0.0.0.0                  0         32768 ?
    *> 2.2.2.2/32       0.0.0.0                  0         32768 ?
    *> 3.3.3.3/32       0.0.0.0                  0         32768 ?
    *> 172.18.254.37/32 0.0.0.0                  0         32768 ?
    *> 172.19.16.5/32   0.0.0.0                  0         32768 ?
    Route Distinguisher: 2:2 (default for vrf ADM)
    *> 0.0.0.0          172.19.16.5              0         32768 ?
    *> 1.1.1.1/32       0.0.0.0                  0         32768 ?
    *> 2.2.2.2/32       0.0.0.0                  0         32768 ?
    *> 3.3.3.3/32       0.0.0.0                  0         32768 ?
    *> 172.18.254.37/32 0.0.0.0                  0         32768 ?
    *> 172.19.16.5/32   0.0.0.0                  0         32768 ?
    Route Distinguisher: 3:3 (default for vrf EDU)
    *> 0.0.0.0          172.19.16.5              0         32768 ?
    *> 1.1.1.1/32       0.0.0.0                  0         32768 ?
       Network          Next Hop            Metric LocPrf Weight Path
    *> 3.3.3.3/32       0.0.0.0                  0         32768 ?
    *> 172.18.254.37/32 0.0.0.0                  0         32768 ?
    *> 172.19.16.5/32   0.0.0.0                  0         32768 ?
    Router#

    Thank you for your answer Aravala.
    OK, so I think I'm beginning to understand this now after several hours.
    Below is my setup now, and it works, but the thing is that it ONLY works from nets that are actually configured on interfaces.
    What I mean by this is:
    I want to reach ONLY the IP 172.18.254.37 (ADM net) from ANY address on 172.19.0.0/16 (EDU net),
    so naturally I try to change the prefix list to:
    ip prefix-list 1 seq 5 permit 172.18.254.37/32
    ip prefix-list 2 seq 5 permit 172.19.0.0/16
    But this doesn't work. I would be very grateful if someone could explain why and how to get around it! I don't want to define every subnet of 172.19.0.0/16 and at the same time leave all of the 172.18.254.0/24 network open.
    Working setup:
    ip vrf ADM
    description *** ADMIN NET ***
    rd 2:2
    export map ADM-to-EDU
    route-target export 2:2
    route-target import 1:1
    route-target import 22:22
    route-target import 2:2
    ip vrf EDU
    description *** ELEV NET ***
    rd 3:3
    export map EDU-to-ADM
    route-target export 3:3
    route-target import 1:1
    route-target import 33:33
    route-target import 3:3
    ip vrf GEM
    description *** GEMENSAM NET ***
    rd 1:1
    route-target export 1:1
    route-target import 2:2
    route-target import 3:3
    route-target import 1:1
    ip prefix-list 1 seq 5 permit 172.18.254.0/24
    ip prefix-list 2 seq 5 permit 172.19.64.0/21
    route-map ADM-to-EDU permit 10
    match ip address prefix-list 1
    set extcommunity rt  33:33 additive
    route-map EDU-to-ADM permit 10
    match ip address prefix-list 2
    set extcommunity rt  22:22 additive
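    The behaviour of the changed prefix-list 2 is consistent with how IOS prefix lists match: an entry with no `ge`/`le` matches only a route of exactly that length, so the /21 and /32 routes in EDU fall through to the implicit deny. The following is an added example, not configuration or code from the thread, that models that rule in Python and runs it over the prefixes shown in the post; the mini-parser, helper names and the route/RT values it is fed are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network


def net(text: str) -> IPv4Net:
    return ipaddress.ip_network(text, strict=False)


@dataclass(frozen=True)
class PrefixListEntry:
    action: str                 # "permit" or "deny"
    network: IPv4Net
    ge: Optional[int] = None    # minimum route length accepted
    le: Optional[int] = None    # maximum route length accepted

    def length_range(self) -> tuple[int, int]:
        """IOS semantics: no ge/le -> exactly the entry length; ge alone ->
        ge..32; le alone -> entry length..le; both -> ge..le."""
        lo = self.ge if self.ge is not None else self.network.prefixlen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = 32
        else:
            hi = self.network.prefixlen
        return lo, hi

    def matches(self, route: IPv4Net) -> bool:
        # The route must sit inside the entry's address block AND have a
        # length in the accepted range. A bare /16 entry therefore never
        # matches the /21 or /32 routes beneath it.
        if not route.subnet_of(self.network):
            return False
        lo, hi = self.length_range()
        return lo <= route.prefixlen <= hi


def parse_entry(text: str) -> PrefixListEntry:
    """Constructed mini-parser for the text after 'ip prefix-list NAME seq N',
    e.g. 'permit 172.19.0.0/16 le 32'."""
    tokens = text.split()
    options = dict(zip(tokens[2::2], map(int, tokens[3::2])))
    return PrefixListEntry(tokens[0], net(tokens[1]), options.get("ge"), options.get("le"))


def prefix_list_permits(entries, route: IPv4Net) -> bool:
    """First matching entry decides; a route matching nothing hits the implicit deny."""
    for entry in entries:
        if entry.matches(route):
            return entry.action == "permit"
    return False


def export_rts(route: IPv4Net, entries, vrf_rt: str, extra_rt: str) -> set:
    """Route-targets a route carries when leaving the VRF: the configured
    'route-target export' value, plus extra_rt when the export map's
    prefix-list matches ('set extcommunity rt ... additive')."""
    rts = {vrf_rt}
    if prefix_list_permits(entries, route):
        rts.add(extra_rt)
    return rts


if __name__ == "__main__":
    # Constructed sample: the two EDU routes visible in the thread's BGP table.
    edu_routes = [net("172.19.64.0/21"), net("172.19.16.5/32")]
    for text in ("permit 172.19.64.0/21", "permit 172.19.0.0/16", "permit 172.19.0.0/16 le 32"):
        entries = [parse_entry(text)]
        for route in edu_routes:
            rts = sorted(export_rts(route, entries, "3:3", "22:22"))
            print(f"{text:28} {str(route):17} -> {rts}")
```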

  • Possibly a bug - Windows Update error when using NAT between Hyper-V Virtual Ethernet Adapters

    I'm using SCVMM to manage my Hyper-V machine.
    I have three physical network adapters on my Hyper-V host, as below:
    I'm using SCVMM 2012 SP1 to create two virtual network adapters based on each Realtek controller, bridge the traffic from the physical adapter, and NAT the traffic from the internal virtual adapter to the internet-facing virtual adapter.
    I can access the internet, but I get the Windows Update error as below.
    If I NAT the internal virtual adapter traffic to the WiFi physical internal-facing adapter, Windows Update is fine.
    I'm using my Hyper-V server's Windows NAT feature.
    I did google around; it looks like something goes wrong when you NAT between the two virtual network adapters.
    If anyone here can help, that would be much appreciated.
    2013-03-27    18:38:25:627     868    ba4    AU    ## START ##  AU: Search for updates
    2013-03-27    18:38:25:627     868    ba4    AU    #########
    2013-03-27    18:38:25:627     868    ba4    AU    <<## SUBMITTED ## AU: Search for updates  [CallId = {F6806137-9A32-4476-AF23-38B11881056E} ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}]
    2013-03-27    18:38:25:627     868    934    Agent    *************
    2013-03-27    18:38:25:627     868    934    Agent    ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]
    2013-03-27    18:38:25:627     868    934    Agent    *********
    2013-03-27    18:38:25:627     868    934    Agent      * Online = Yes; Ignore download priority = No
    2013-03-27    18:38:25:627     868    934    Agent      * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation'
    or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
    2013-03-27    18:38:25:627     868    934    Agent      * ServiceID = {7971F918-A847-4430-9279-4A52D1EFE18D} Third party service
    2013-03-27    18:38:25:627     868    934    Agent      * Search Scope = {Machine & All Users}
    2013-03-27    18:38:25:627     868    934    Agent      * Caller SID for Applicability: S-1-5-21-759915917-1653667288-1560420946-1106
    2013-03-27    18:38:25:627     868    934    EP    Got 9482F4B4-E343-43B6-B170-9A65BC822C77 redir SecondaryServiceAuth URL: "http://ds.download.windowsupdate.com/v10/2/microsoftupdate/redir/muauth.cab"
    2013-03-27    18:38:25:627     868    934    EP    Got 7971F918-A847-4430-9279-4A52D1EFE18D redir Client/Server URL: "https://fe1.update.microsoft.com/v6/ClientWebService/client.asmx"
    2013-03-27    18:38:25:627     868    934    Setup    Checking for agent SelfUpdate
    2013-03-27    18:38:25:627     868    934    Setup    Client version: Core: 7.8.9200.16465  Aux: 7.8.9200.16451
    2013-03-27    18:38:25:799     868    934    EP    Got 9482F4B4-E343-43B6-B170-9A65BC822C77 redir SelfUpdate URL: "http://fe1.update.microsoft.com/v10/2/windowsupdate/selfupdate"
    2013-03-27    18:38:25:799     868    934    Misc    Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
    2013-03-27    18:38:25:815     868    934    Misc     Microsoft signed: Yes
    2013-03-27    18:38:25:815     868    934    Misc     Infrastructure signed: Yes
    2013-03-27    18:38:26:002     868    934    Misc    Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
    2013-03-27    18:38:26:002     868    934    Misc     Microsoft signed: Yes
    2013-03-27    18:38:26:002     868    934    Misc     Infrastructure signed: Yes
    2013-03-27    18:38:26:002     868    934    Setup    Skipping SelfUpdate check based on the /SKIP directive in wuident
    2013-03-27    18:38:26:002     868    934    Setup    SelfUpdate check completed.  SelfUpdate is NOT required.
    2013-03-27    18:38:26:440     868    934    PT    +++++++++++  PT: Synchronizing server updates  +++++++++++
    2013-03-27    18:38:26:440     868    934    PT      + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL = https://fe1.update.microsoft.com/v6/ClientWebService/client.asmx
    2013-03-27    18:38:28:846     868    934    WS    WARNING: Nws Failure: errorCode=0x803d0014
    2013-03-27    18:38:28:846     868    934    WS    WARNING: Original error code: 0x80072efe
    2013-03-27    18:38:28:846     868    934    WS    WARNING: There was an error communicating with the endpoint at 'https://fe1.update.microsoft.com/v6/ClientWebService/client.asmx'.
    2013-03-27    18:38:28:846     868    934    WS    WARNING: There was an error receiving the HTTP reply.
    2013-03-27    18:38:28:846     868    934    WS    WARNING: The connection with the remote endpoint was terminated.
    2013-03-27    18:38:28:846     868    934    WS    WARNING: The connection with the server was terminated abnormally
    2013-03-27    18:38:28:846     868    934    WS    WARNING: Web service call failed with hr = 80240440.
    2013-03-27    18:38:28:846     868    934    WS    WARNING: Current service auth scheme='None'.
    2013-03-27    18:38:28:846     868    934    WS    WARNING: Proxy List used: '(null)', Bypass List used: '(null)', Last Proxy used: '(null)', Last auth Schemes used: 'None'.
    2013-03-27    18:38:28:846     868    934    WS    FATAL: OnCallFailure(hrCall, m_error) failed with hr=0x80240440
    2013-03-27    18:38:28:846     868    934    PT    WARNING: PTError: 0x80240440
    2013-03-27    18:38:28:846     868    934    PT    WARNING: SyncUpdates_WithRecovery failed.: 0x80240440
    2013-03-27    18:38:28:846     868    934    PT    WARNING: Sync of Updates: 0x80240440
    2013-03-27    18:38:28:846     868    934    PT    WARNING: SyncServerUpdatesInternal failed: 0x80240440
    2013-03-27    18:38:28:846     868    934    Agent      * WARNING: Failed to synchronize, error = 0x80240440
    2013-03-27    18:38:28:862     868    934    Agent      * WARNING: Exit code = 0x80240440
    2013-03-27    18:38:28:862     868    934    Agent    *********
    2013-03-27    18:38:28:862     868    934    Agent    **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
    2013-03-27    18:38:28:862     868    934    Agent    *************
    2013-03-27    18:38:28:862     868    934    Agent    WARNING: WU client failed Searching for update with error 0x80240440
    2013-03-27    18:38:28:862     868    598    AU    >>##  RESUMED  ## AU: Search for updates [CallId = {F6806137-9A32-4476-AF23-38B11881056E} ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}]
    2013-03-27    18:38:28:862     868    598    AU      # WARNING: Search callback failed, result = 0x80240440
    2013-03-27    18:38:28:862     868    598    AU    #########
    2013-03-27    18:38:28:862     868    598    AU    ##  END  ##  AU: Search for updates  [CallId = {F6806137-9A32-4476-AF23-38B11881056E} ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}]
    2013-03-27    18:38:28:862     868    598    AU    #############
    2013-03-27    18:38:28:862     868    598    AU    All AU searches complete.
    2013-03-27    18:38:28:862     868    598    AU      # WARNING: Failed to find updates with error code 80240440
    2013-03-27    18:38:28:862     868    598    AU    AU setting next detection timeout to 2013-03-27 12:38:28
    Ricky

    Some more interesting articles I've found so far:
    http://practicalkungfu.net/2013/03/11/windows-update-error-code-8024402f-on-hyper-v-guests/
    http://faultbucket.ca/2012/08/windows-server-2012-windows-update-error-0x80240440/
    http://social.technet.microsoft.com/Forums/en-US/winserver8gen/thread/80548a4e-6c68-4700-a37b-9e22890bd8af
    Ricky

  • Leaking subscribers between VRFs

    Hi,
    I have two VRFs, let's call them internet and customers_1.
    PPPoE and IPoE subscribers terminate in the customers_1 VRF, and I am wanting to leak these addresses into the internet VRF.
    I have configured the relevant import and export statements and see the routes; however, the routes are advertised into the internet VRF with a next hop of 0.0.0.0, thus they do not appear in CEF (seen via sh cef vrf internet), and traffic is not forwarded.
    Can anyone let me know how I would achieve this?
    Here is the customers_1 vrf routing table (partial):
    B    3.3.3.0/24 [200/0] via 202.74.33.249 (nexthop in vrf internet), 00:00:08
    B    4.4.4.0/24 [200/0] via 202.74.33.249 (nexthop in vrf internet), 00:00:08
    S    100.64.0.0/12 is directly connected, 01:11:20, Null0
    C    100.64.0.0/17 is directly connected, 1w3d, Loopback2
    L    100.64.0.1/32 is directly connected, 1w3d, Loopback2
    A   100.64.0.99/32 is directly connected, 1w1d, Bundle-Ether100.1.ip8
    B    103.241.56.0/22 [200/0] via 202.74.33.249 (nexthop in vrf internet), 00:00:08
    A    116.251.122.4/32 is directly connected, 1w1d, Bundle-Ether100.1.pppoe5
    A    116.251.193.254/32 is directly connected, 1w1d, Bundle-Ether100.1.ip7
    Here is the internet vrf routing table (partial):
    B    3.3.3.0/24 [200/0] via 202.74.33.249, 00:00:02
    B    4.4.4.0/24 [200/0] via 202.74.33.249, 00:00:02
    B    100.64.0.99/32 [200/0] via 0.0.0.0 (nexthop in vrf customers_1), 00:47:47, Bundle-Ether100.1.ip8
    B    116.251.122.4/32 [200/0] via 0.0.0.0 (nexthop in vrf customers_1), 00:47:47, Bundle-Ether100.1.pppoe5
    B    116.251.128.0/18 [200/0] via 202.74.33.249, 00:00:02
    B    116.251.192.0/21 [200/0] via 202.74.33.249, 00:00:02
    B    116.251.193.254/32 [200/0] via 0.0.0.0 (nexthop in vrf customers_1), 00:47:47, Bundle-Ether100.1.ip7
    B    202.74.33.58/32 is directly connected, 00:44:45, Loopback1 (nexthop in vrf customers_1)
    The following are the vrf export/import statements - I have no route-maps yet, as I am just trying to get basic connectivity going first.
    vrf internet
    address-family ipv4 unicast
      import route-target
       65536:200
       65536:100
      export route-target
       65536:200
    vrf customers_1
    address-family ipv4 unicast
      import route-target
       65536:200
       65536:100
      export route-target
       65536:100
    In BGP I have for the customers vrf:
    vrf customers_1
      rd 65536:100
      address-family ipv4 unicast
       redistribute ospf customers_1 match internal external
       redistribute subscriber
    many thanks,
    mike

    Mike,
    I do not have other alternative solutions; the only one I can suggest is using Access-list forwarding (ABF) on the incoming interface from the internet. The good thing about this is that you can have one ACE for the pool of your customers' IP addresses. Put the summarized destination address and point to the VRF as the destination. It is called ABF VRF select. This causes ingress packets from the internet with a destination of a vrf customers_1 IP address to be forwarded using VRF customers_1.
    regards,
    rivalino

  • NAT between 2 subnets

    Hello,
    I have subnets (LAN A and LAN B) on each side of an 819 router:
    G0: IP=10.1.1.3/24 (LAN A)
    F0: IP=172.16.0.3 (LAN B)
    On each of these networks, there is an existing DFGW address programmed into the devices (PLCs) as 10.1.1.1 and 172.16.0.1 respectively.
    I want PLCs on each subnet to talk to each other without sending packets to the DFGWs.
    On LAN A, I would like PLC-A to feel like it is communicating directly with the G0 IP address when in fact that packet gets sent out F0 with F0's IP to PLC-B. PLC-B responds to the F0 address (as it is in the same subnet) and the return packet gets NATed back to the G0 IP address.
    Is this doable? I think it is, but I am struggling with implementing both port forwarding and NAT translations (double NAT).
    Thanks! I look forward to someone with some expertise in this area helping me out.

    Is there any document you are aware of that simplifies some of the NAT operations?
    You seem to understand it pretty well, to be honest :-)
    There are two types of NAT, dynamic and static. Both your statements are static. This one -
    ip nat inside source static tcp 10.33.5.2 502 10.64.41.196 502 extendable
    needs to be static because the traffic is arriving on the outside interface. You see this sort of statement, or something like it, quite often in configurations.
    This one -
    ip nat outside source static 10.64.41.194 10.33.5.80 add-route
    is a lot less commonly used. Ideally what we wanted to do was a dynamic NAT from outside to inside and change the outside IP to the router's inside interface IP.
    But unfortunately IOS only supports this type of NAT, i.e. dynamic NAT overload, from inside to outside, and we are going outside to inside so we couldn't use it.
    It has always been a bit annoying that it doesn't, because it would have made your setup and others simpler.
    So we had to use the above, and you have to add a route because of the reasons I explained in my previous post. It's basically the order in which IOS does things in each direction.
    That was why I was asking about which side initiated the connection, because if it had been the PLC on the inside we could have used a dynamic NAT statement for its IP as it went outside, because that is supported, and a static NAT statement (different from the one you have now) for the PLC on the outside.
    But as the flow was always outside to inside we couldn't.
    NAT and what you can do with it can get complicated. And the NAT used on ASA firewalls is a completely different syntax from IOS NAT.
    Here is a link to a doc on IOS NAT that is a good overview -
    http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html
    Unfortunately in my browser the pictures aren't showing, but they may in yours.
    If you have any specific questions, then please feel free to ask.
    Glad you got it working.
    Jon
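    The two static statements quoted in Jon's reply, and the reason the second one needs add-route, as an added example that is not the asker's or Jon's configuration: a Python model of IOS applying NAT before routing for traffic entering the outside interface and after routing for traffic entering the inside interface, using the addresses quoted above. The packet representation, the sample routing table, port numbers other than 502 and the helper names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def net(text: str):
    return ipaddress.ip_network(text)


# ip nat inside source static tcp 10.33.5.2 502 10.64.41.196 502 extendable
INSIDE_STATIC = {("10.33.5.2", 502): ("10.64.41.196", 502)}   # inside local -> inside global
# ip nat outside source static 10.64.41.194 10.33.5.80 add-route
OUTSIDE_STATIC = {"10.64.41.194": "10.33.5.80"}               # outside global -> outside local


def routing_table(add_route: bool):
    """Connected routes for both LANs plus, when add_route is True, the host
    route that the add-route keyword installs for the outside local address."""
    routes = [(net("10.33.5.0/24"), "inside"), (net("10.64.41.0/24"), "outside")]
    if add_route:
        routes.append((net("10.33.5.80/32"), "outside"))
    return routes


def lookup(routes, dst: str):
    """Longest-prefix match; returns the egress interface name or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(n, egress) for n, egress in routes if addr in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def outside_to_inside(pkt: Packet) -> Packet:
    """Packet entering on the 'ip nat outside' interface: NAT runs before
    routing. The source hits the outside-source rule (global -> local); the
    destination hits the inside-source rule in reverse (global -> local)."""
    src = OUTSIDE_STATIC.get(pkt.src, pkt.src)
    inside_by_global = {g: l for l, g in INSIDE_STATIC.items()}
    dst, dport = inside_by_global.get((pkt.dst, pkt.dport), (pkt.dst, pkt.dport))
    return replace(pkt, src=src, dst=dst, dport=dport)


def inside_to_outside(pkt: Packet, routes):
    """Packet entering on the 'ip nat inside' interface: routing first, NAT
    second. The lookup sees the still-untranslated destination (the outside
    local 10.33.5.80); without the host route it resolves to the inside LAN
    and the reply never reaches the inside-to-outside translation."""
    if lookup(routes, pkt.dst) != "outside":
        return None
    src, sport = INSIDE_STATIC.get((pkt.src, pkt.sport), (pkt.src, pkt.sport))
    outside_by_local = {l: g for g, l in OUTSIDE_STATIC.items()}
    dst = outside_by_local.get(pkt.dst, pkt.dst)
    return replace(pkt, src=src, sport=sport, dst=dst)


if __name__ == "__main__":
    # Constructed flow: the outside PLC opens TCP 502 to the inside PLC's global address.
    request = Packet("10.64.41.194", 40000, "10.64.41.196", 502)
    inside_view = outside_to_inside(request)
    reply = Packet(inside_view.dst, inside_view.dport, inside_view.src, inside_view.sport)
    print("inside PLC sees:        ", inside_view)
    print("reply with add-route:   ", inside_to_outside(reply, routing_table(True)))
    print("reply without add-route:", inside_to_outside(reply, routing_table(False)))
```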

  • VSM with NAT Between two ASR routers

    We are new to the ASR platform and IOS XR.  We have two new ASR 9006's with the VSM module.  These two routers are not yet in production so we can play around with them.  We will be moving the NAT functionality from our firewalls to these two routers.  Is it possible for these two routers to share NAT translations?  It is entirely possible that outbound traffic could be NAT'ed out one of these ASR's and the return traffic come through the other ASR.  In this scenario how is the NAT translation handled?  I've not had much luck finding documentation on this specific topic.
    Thanks,
    Marc

    Hi,
    To my understanding it's not possible to connect to an ASA interface through an interface other than the one where the IP address is located.
    In other words, you are not able to connect from behind "inside" to the IP address of the "mgmt" interface.
    I will try to find you a link to some Cisco documentation stating this. (I have never really had to find it, though.)
    - Jouni

  • Problems getting static NAT to work between two internal lans

    Hi, I'm trying the old problem of routing between two internal LANs. This is on CLI 8.6(1)2. I have three interfaces/LANs; outside is to the internet, inside is the rack in the datacentre and office is a dedicated ethernet link to our office. What I want to do is allow all (for now) traffic between office and inside. There are a million hits on this on the 'net but I can't get it to work. Packet trace shows packets accepted from office to inside but blocked from inside to office. Both static NATs are set up identically. Here's the output of show nat after packet traces in both directions. It clearly shows that inside to office isn't hitting the NAT policy. I enclose what I think are the relevant bits of my config. Full config less passwords + crypto attached.
    Manual NAT Policies (Section 1)
    1 (office) to (inside) source static inside-office inside-office   destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
        translate_hits = 0, untranslate_hits = 3
    2 (inside) to (office) source static inside-ld5 inside-ld5   destination static inside-office inside-office no-proxy-arp route-lookup
        translate_hits = 0, untranslate_hits = 0
    interface GigabitEthernet0/0
    nameif inside-ld5
    security-level 100
    ip address 10.20.15.2 255.255.255.0
    interface GigabitEthernet0/6
    nameif office
    security-level 100
    ip address 10.20.11.9 255.255.255.0
    object network inside-ld5
    subnet 10.20.15.0 255.255.255.0
    object network inside-office
    subnet 10.20.11.0 255.255.255.0
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    nat (office,inside) source static inside-office inside-office destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
    nat (inside,office) source static inside-ld5 inside-ld5 destination static inside-office inside-office no-proxy-arp route-lookup

    Hi Kevin,
    Because your interfaces inside and office are at the same security level and you have enabled same-security-traffic permit inter-interface, traffic should simply flow between these interfaces. So I think you don't need NAT between these two subnets if there is no other reason to do so.
    Then you just configure an ACL which will permit the traffic you want between these LANs. In this case both networks are directly connected, so routing should work (instead of NAT).
    Best Regards,
    Jan

  • VPN tunnel between 2 RRAS servers, both performing NAT with 2 network connections

    I have a need to configure an IPsec policy between 2 networks. Both servers are located at separate offices, are virtual, are 2008 R2 Standard, and only perform the function of NAT between a public IP and the LAN. They each have 1 network adapter with a public address and 1 adapter with an internal LAN address. I would like to set up an IPsec policy between these 2 RRAS servers so that both LANs can communicate.
    My questions: would this be the best method to get this accomplished? If not, what are best practices? Does anyone have documentation for this type of setup?
    I can create a policy between 2 servers, each behind each RRAS VM, but I'd like to keep domain controllers, AD, etc. out of this and not exposed - just have RRAS handle it.

    What you need to do is look for a guide to site-to-site VPN which you can follow. There are plenty out there of varying degrees of clarity and accuracy.
    The situation briefly is that each site operates normally using its router as a NAT device to provide Internet access for the LAN. In addition, each router is configured to provide a router-to-router VPN link. Each router has a static route to forward traffic for the subnet of the other site through the VPN tunnel.
    The net result is that a client wanting Internet access uses NAT to give it an Internet connection. If instead the client wants to access the other site, the request is sent through the VPN tunnel. There is no confusion because Internet addresses must be public and the site addresses are private. This is all transparent to the client because it is all handled by the routers. The client simply sends the packet to the default gateway.
    The private traffic between sites is encrypted and encapsulated while it is crossing the Internet. The Internet routers see only the public address on the wrapper. The other site sees only the private IP of the packet after it has been unencapsulated and decrypted. The two sites behave as if they were linked by an IP router, but the operation is slow because of the delay in getting the packets from site to site.
    Sorry about the link. http://www.youtube.com/watch?v=m-sakEbVDQ4
    Bill
