VRF-aware NAT And Port Forwarding

From Baranoski.ca

As I mentioned in DMVPN With Internet In A Separate VRF, I'm a fan of keeping Internet traffic in a VRF. What happens if you're using the router as a firewall and need to do some NATs?

Many-To-One NAT

Here is your general NAT, for all inside hosts to use the WAN IP of the router in the INTERNET VRF. Note that you can use the interface name here, but you still need to specify the VRF explicitly; IOS will not infer which VRF to use from the interface you named.

ip nat inside source list NAT_TO_EXTERNAL interface GigabitEthernet0/1.10 vrf INTERNET overload

UPDATE:

It seems that Cisco changed this behavior at some point. Now the VRF specified needs to be the internal VRF, not the external one.

ip nat inside source list NAT_TO_EXTERNAL interface GigabitEthernet0/1.10 vrf INTERNAL overload


Port Forwarding In A VRF

If you need to forward ports, the syntax is slightly different: you cannot name the interface here, and instead have to specify the WAN IP address together with the corresponding VRF.

ip nat inside source static tcp 192.168.1.12 21 192.0.2.1 2112 vrf INTERNET

UPDATE:

Same as above, the internal VRF needs to be specified.

ip nat inside source static tcp 192.168.1.12 21 192.0.2.1 2112 vrf INTERNAL
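The minimal surrounding configuration that these two statements depend on, written out as an added example rather than taken from the original page: the LAN interface name, the inside subnet, the VLAN tag, the WAN mask and the upstream next hop are assumptions; the VRF names, the WAN sub-interface, the ACL name and the NAT statements themselves come from the page.

```cisco
! Added example, not from the original page. Assumed (not on the page):
! LAN interface GigabitEthernet0/0, inside subnet 192.168.1.0/24,
! VLAN tag 10, WAN mask /24 and upstream next hop 192.0.2.254.
vrf definition INTERNAL
 address-family ipv4
vrf definition INTERNET
 address-family ipv4
!
! Only the inside subnet is eligible for translation; the ACL name is
! the one referenced by the NAT statement.
ip access-list standard NAT_TO_EXTERNAL
 permit 192.168.1.0 0.0.0.255
!
! Inside hosts live in VRF INTERNAL (vrf forwarding must precede ip address).
interface GigabitEthernet0/0
 vrf forwarding INTERNAL
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! WAN sub-interface in VRF INTERNET; 192.0.2.1 is what both the overload
! rule and the static port forward translate to.
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 vrf forwarding INTERNET
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
!
! Default route for VRF INTERNAL pointing out the WAN interface
! (next hop is an assumed value).
ip route vrf INTERNAL 0.0.0.0 0.0.0.0 GigabitEthernet0/1.10 192.0.2.254
!
! Both NAT rules are keyed on the *inside* VRF, per the current IOS
! behavior described in the updates above.
ip nat inside source list NAT_TO_EXTERNAL interface GigabitEthernet0/1.10 vrf INTERNAL overload
ip nat inside source static tcp 192.168.1.12 21 192.0.2.1 2112 vrf INTERNAL
!
! Verification: the static entry shows up immediately, dynamic entries
! appear once an inside host sends traffic out.
! show ip nat translations
! show ip nat statistics
```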