Introduction
In some scenarios customers wish to implement Source NAT bidirectionally, i.e. perform Source NAT on traffic going from Interface 1 to Interface 2 and also on traffic going from Interface 2 to Interface 1.
Problem
The current solution is to achieve this with the NVI feature on IOS, which works well because port overload can be done in both directions. The other alternative is to use traditional NAT inside and outside interfaces and configure NAT accordingly; however, port overload is not supported when defining "ip nat outside source xxx".
On IOS XE the NVI feature is not supported, so we are left with only the traditional NAT feature. That is not a scalable solution, because we cannot do port overload: to perform outside-to-inside source translation for "n" sources we would need to define a pool of "n" IP addresses.
Solution
This problem can be resolved with the VASI feature available on the XE platform. The two interfaces must be placed in different VRFs: for instance, "Interface 1" can be in VRF A and "Interface 2" in VRF B, or either one of them can stay in the global routing table. The intention is simply to keep the two interfaces in different routing domains.
A sample configuration to achieve this is given below.
Prerequisite: the appxk9 license must be enabled; only then can VASI interfaces be created.
Topology:
192.168.1.0/24------Gi0/0/0 (IOS-XE Router) Gi0/0/2-----10.10.10.0/24
Gi0/0/0 and vasileft1 are bound to VRF A.
Gi0/0/2 and vasiright1 are bound to VRF B.
Pool K1 is used to NAT traffic coming from VRF A (192.168.1.0/24).
Pool K2 is used to NAT traffic coming from VRF B (10.10.10.0/24).
Routing in each VRF must point towards the other VRF for the source subnets. Default routes are used here, but they can be replaced with routes for the post-NAT source IPs.
vrf definition A
 !
 address-family ipv4
 exit-address-family
!
vrf definition B
 !
 address-family ipv4
 exit-address-family
!
license boot level appxk9
!
interface GigabitEthernet0/0/0
 vrf forwarding A
 ip address 192.168.1.10 255.255.255.0
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/0/2
 vrf forwarding B
 ip address 10.10.10.1 255.255.255.252
 ip nat inside
 negotiation auto
!
interface vasileft1
 vrf forwarding A
 ip address 172.16.1.1 255.255.255.0
 ip nat outside
 no keepalive
!
interface vasiright1
 vrf forwarding B
 ip address 172.16.2.1 255.255.255.0
 ip nat outside
 no keepalive
!
ip nat pool K1 11.11.11.11 11.11.11.11 prefix-length 24
ip nat pool K2 22.22.22.22 22.22.22.22 prefix-length 24
ip nat inside source list 100 pool K1 vrf A overload
ip nat inside source list 101 pool K2 vrf B overload
ip route vrf A 0.0.0.0 0.0.0.0 vasileft1
ip route vrf B 0.0.0.0 0.0.0.0 vasiright1
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
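Once the configuration above is applied, the following show-command sequence can be used to confirm that the VASI pair is forwarding and that both directions are really being port-overloaded onto a single pool address. This is an added verification checklist, not part of the original post; it assumes the interface, VRF and pool names from the configuration above and two constructed test hosts, 192.168.1.5 in VRF A and 10.10.10.2 in VRF B.

```ios
! Added verification checklist (not from the original post). Assumes the
! configuration above plus two constructed test hosts: 192.168.1.5 behind
! Gi0/0/0 (vrf A) and 10.10.10.2 behind Gi0/0/2 (vrf B).

! 1. The appxk9 license must be active, otherwise the vasi interfaces
!    cannot be created. A "license boot level" change only takes effect
!    after a reload, so check this first.
show license summary

! 2. Both VRFs exist and carry the expected interfaces
!    (Gi0/0/0 + vasileft1 in A, Gi0/0/2 + vasiright1 in B).
show vrf

! 3. Each VRF's default route points into its side of the VASI pair, and
!    the pair itself is up.
show ip route vrf A 0.0.0.0
show ip route vrf B 0.0.0.0
show vasi pair

! 4. Send traffic from a host on each side (constructed example hosts:
!    192.168.1.5 -> 10.10.10.2 and 10.10.10.2 -> 192.168.1.5), then confirm
!    that each direction is overloaded onto its own pool address:
!    vrf A entries should map 192.168.1.5:<port> to 11.11.11.11:<port>,
!    vrf B entries should map 10.10.10.2:<port> to 22.22.22.22:<port>.
!    Several hosts on one side should share the same pool address and
!    differ only in the translated port, which is the port-overload
!    behaviour that plain "ip nat outside source" cannot provide.
show ip nat translations vrf A
show ip nat translations vrf B

! 5. The hit counters on both dynamic mappings (access-list 100 / pool K1
!    and access-list 101 / pool K2) should increase as traffic flows; only
!    "Inside Source" dynamic mappings should be listed, since this design
!    needs no "ip nat outside source" rule at all.
show ip nat statistics
```

Step 4 is the one that matters for the problem stated above: if a translation in either VRF appears with a pool address but without a changed port, or if one side's hosts each consume a distinct pool address, that direction is not being overloaded and the corresponding "ip nat inside source ... overload" line and its access list should be re-checked.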