Difference between revisions of "VRF-aware NAT And Port Forwarding"
(Created page with "As I mentioned in DMVPN With Internet In A Separate VRF, I'm a fan of keeping Internet traffic in a VRF. What happens if you're using the router as a firewall and need to...") |
|||
| Line 7: | Line 7: | ||
ip nat inside source list NAT_TO_EXTERNAL interface GigabitEthernet0/1.10 vrf INTERNET overload | ip nat inside source list NAT_TO_EXTERNAL interface GigabitEthernet0/1.10 vrf INTERNET overload | ||
</PRE> | </PRE> | ||
| + | |||
| + | UPDATE: | ||
| + | |||
| + | It seems that Cisco changed a behavior at some point. Now the VRF specified needs to be the '''internal''' VRF not the external | ||
| + | |||
| + | <PRE> | ||
| + | ip nat inside source list NAT_TO_EXTERNAL interface GigabitEthernet0/1.10 vrf INTERNAL overload | ||
| + | </PRE> | ||
| + | |||
==Port Forwarding In A VRF== | ==Port Forwarding In A VRF== | ||
| Line 13: | Line 22: | ||
<PRE> | <PRE> | ||
ip nat inside source static tcp 192.168.1.12 21 192.0.2.1 2112 vrf INTERNET | ip nat inside source static tcp 192.168.1.12 21 192.0.2.1 2112 vrf INTERNET | ||
| + | </PRE> | ||
| + | |||
| + | UPDATE: | ||
| + | |||
| + | Same as above, the internal VRF needs to be specified. | ||
| + | |||
| + | <PRE> | ||
| + | ip nat inside source static tcp 192.168.1.12 21 192.0.2.1 2112 vrf INTERNAL | ||
</PRE> | </PRE> | ||
Latest revision as of 13:07, 17 July 2020
As I mentioned in DMVPN With Internet In A Separate VRF, I'm a fan of keeping Internet traffic in a VRF. What happens if you're using the router as a firewall and need to do some NATs?
Many-To-One NAT
Here is your general NAT, for all inside hosts to use the WAN IP of the router in the INTERNET VRF. Note that you can just use the interface name here, but you do need to specify the VRF; it won't just implicitly figure out which VRF to use, going by the specified interface.
ip nat inside source list NAT_TO_EXTERNAL interface GigabitEthernet0/1.10 vrf INTERNET overload
UPDATE:
It seems that Cisco changed a behavior at some point. Now the VRF specified needs to be the internal VRF not the external
ip nat inside source list NAT_TO_EXTERNAL interface GigabitEthernet0/1.10 vrf INTERNAL overload
Port Forwarding In A VRF
If you need to forward ports, the syntax is slightly different. You cannot specify the interface here. You have to specify the WAN IP in order to get the corresponding VRF.
ip nat inside source static tcp 192.168.1.12 21 192.0.2.1 2112 vrf INTERNET
UPDATE:
Same as above, the internal VRF needs to be specified.
ip nat inside source static tcp 192.168.1.12 21 192.0.2.1 2112 vrf INTERNAL