Dear sir,
I tried with static NAT (inside, outside, upside, downside.... (-: ), did not try dynamic NAT though, but it did not work. Then I thought it
has something to do with labeled packets that cannot be NATed due to the order of
NATing and pop. (I could be wrong.)
I could not test this config yet.
So to get to the point, I will have to match the traffic in order to NAT
in MPLS interfaces?
Or am I still young to post in the GS (-:
Regards
Bernard Stephen
On Tue, Nov 22, 2011 at 12:13 AM, Narbik Kocharians <narbikk_at_gmail.com> wrote:
> Raj,
>
> Step 1 - The connection on the PE (Let's say R3) that faces the CE is
> configured as Nat Inside. The connection on the PE that faces the cloud
> (The P) is configured as Nat Outside.
>
> Step 2 - A static route is configured on the PE for NLRI
>
> Step 3 - An ACL is configured to identify the communication between inside
> sources and registered IP addresses (5.5.5.0/24 in this case).
>
> Step 4 - A pool is configured for 1.1.1.2 - 1.1.1.5
>
> Step 5 - The inside sources that are referenced in the ACL are mapped to
> the pool.
>
> NOW.....up to this point the hosts are translated and they can take any IP
> address from the range. But the question is what about the server? The
> server MUST have a static Nat translation so it is always mapped to the
> same IP address. So a static nat translation is configured for the server-1.
>
> NOW....which part is confusing you?
>
>
> On Sun, Nov 20, 2011 at 11:21 PM, HEMANTH RAJ <hemanthrj_at_gmail.com> wrote:
>
>> Hi Narbik
>>
>> In your configuration, you have already configured a static mapping for the
>> source IP 10.1.1.1 to 1.1.1.1. Then why are you creating a pool and
>> attaching it to the source list? Maybe I am wrong. Educate me if I am
>> missing something :)
>>
>> Can you explain the pool creation and access list creation which you have
>> done in your config?
>>
>> On Mon, Nov 21, 2011 at 11:27 AM, Bernard Steven <buny.steven_at_gmail.com> wrote:
>>
>>> Thank you Sir!
>>>
>>> Really appreciate it, will get a window to do it tomorrow night. Would like
>>> to test it somewhere before deploying.
>>>
>>> Just one question: if an interface is label switching, can the NAT
>>> statements look for the source / destinations inside the packet? Or is it
>>> because of PHP? Bugging me for some time: the VPN traffic should carry
>>> the MP-BGP tag till the egress router, so does NAT take place after
>>> pop?
>>>
>>> May be i more reading....
>>>
>>> Thanks a lot
>>>
>>> On Mon, Nov 21, 2011 at 1:22 PM, Narbik Kocharians <narbikk_at_gmail.com> wrote:
>>>
>>> > Sorry for a long post, and please excuse the typos.
>>> >
>>> > I think this is what you are looking for and i hope it helps
>>> >
>>> > *Lab Setup:*
>>> >
>>> > R1 (A CE router) is in SITE-1, and R5 (Another CE router) is configured in
>>> > SITE-2
>>> >
>>> > R1 (CE) and R3 (PE) are connected via their S0/1 interfaces.
>>> >
>>> > R3 (PE) and R2 (P) are connected via their F0/0 interface.
>>> >
>>> > R2 (P) and R4 (The other PE) are connected via their F0/1 interface.
>>> >
>>> > R4 (PE) and R5 (The other CE) are connected via their S0/1 interface.
>>> >
>>> > *IP addressing:*
>>> >
>>> > R1 (CE) and R5 (The other CE) have the following Loopback interfaces:
>>> >
>>> > Lo1 10.1.1.1/32 - Server-1
>>> > Lo2 10.1.1.2/32 - Host-2
>>> > Lo3 10.1.1.3/32 - Host-3
>>> > Lo4 10.1.1.4/32 - Host-4
>>> > Lo5 10.1.1.5/32 - Host-5
>>> >
>>> > *The connection between the routers:*
>>> >
>>> > (R1) S0/1 100.1.13.1/24 -------------- 100.1.13.3/24 ---- S0/1 (R3)
>>> > (R3) F0/0 100.1.23.2/24 -------------- 100.1.23.3/24 ---- F0/0 (R2)
>>> > (R2) F0/1 100.1.24.2/24 -------------- 100.1.24.4/24 ---- F0/1 (R4)
>>> > (R4) S0/1 100.1.45.4/24 -------------- 100.1.45.5/24 ---- S0/1 (R5)
>>> >
>>> > *IP Address of the loopback interfaces:*
>>> >
>>> > R2's Loopback 0 = 2.2.2.2/32
>>> > R3's Loopback 0 = 3.3.3.3/32
>>> > R4's Loopback 0 = 4.4.4.4/32
>>> >
>>> > *Task 1*
>>> >
>>> > Configure OSPF on the core routers (R2, R3 and R4); you should run OSPF
>>> > area 0 on the F0/0 interfaces of R2 and R3, the F0/1 interfaces of R2 and
>>> > R4, and the Loopback 0 interfaces of R2, R3 and R4. The CE routers, R1 and
>>> > R5 should be configured with a static default route pointing to their next
>>> > hop router.
>>> >
>>> >
>>> > * *
>>> >
>>> > *To configure the CE routers:*
>>> >
>>> >
>>> >
>>> > *On R1*
>>> >
>>> >
>>> >
>>> > R1(config)#*IP route 0.0.0.0 0.0.0.0 100.1.13.3*
>>> >
>>> >
>>> >
>>> > *On R5*
>>> >
>>> >
>>> >
>>> > R5(config)#*IP route 0.0.0.0 0.0.0.0 100.1.45.4*
>>> >
>>> > * *
>>> >
>>> > *To configure the core routers:*
>>> >
>>> >
>>> >
>>> > *On R2*
>>> >
>>> >
>>> >
>>> > R2(config)#*Router ospf 1*
>>> >
>>> > R2(config-router)#*Netw 2.2.2.2 0.0.0.0 area 0*
>>> >
>>> > R2(config-router)#*Netw 100.1.23.2 0.0.0.0 area 0*
>>> >
>>> > R2(config-router)#*Netw 100.1.24.2 0.0.0.0 area 0*
>>> >
>>> > * *
>>> >
>>> > *On R3*
>>> >
>>> >
>>> >
>>> > R3(config)#*Router ospf 1*
>>> >
>>> > R3(config-router)#*Netw 100.1.23.3 0.0.0.0 area 0*
>>> >
>>> > R3(config-router)#*Netw 3.3.3.3 0.0.0.0 area 0*
>>> >
>>> >
>>> >
>>> > *On R4*
>>> >
>>> >
>>> >
>>> > R4(config)#*Router ospf 1*
>>> >
>>> > R4(config-router)#*Netw 4.4.4.4 0.0.0.0 area 0*
>>> >
>>> > R4(config-router)#*Netw 100.1.24.4 0.0.0.0 area 0*
>>> >
>>> >
>>> >
>>> > *To verify the configuration:*
>>> >
>>> > * *
>>> >
>>> > *On R2*
>>> >
>>> > * *
>>> >
>>> > R2#*Show ip ospf neighbor*
>>> >
>>> >
>>> >
>>> > *Neighbor ID Pri State Dead Time Address Interface*
>>> >
>>> > 4.4.4.4 1 FULL/BDR 00:00:33 100.1.24.4 FastEthernet0/1
>>> >
>>> > 3.3.3.3 1 FULL/BDR 00:00:33 100.1.23.3 FastEthernet0/0
>>> >
>>> >
>>> >
>>> > R2#*Show ip route ospf | Inc O*
>>>
>>> >
>>> > * *
>>> >
>>> > O 3.3.3.3 [110/2] via 100.1.23.3, 00:10:53, FastEthernet0/0
>>> >
>>> > O 4.4.4.4 [110/2] via 100.1.24.4, 00:10:35, FastEthernet0/1
>>> >
>>> > *Task 2*
>>> >
>>> > **
>>>
>>> >
>>> > Configure LDP between the core routers. These routers should use their
>>> > Loopback0 interface as their LDP router-id.
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > *On R2, R3 and R4*
>>> >
>>> >
>>> >
>>> > Rx(config)#*Mpls label protocol ldp*
>>> >
>>> > Rx(config)#*Mpls ldp router-id Lo0*
>>> >
>>> >
>>> >
>>> > *On R3*
>>> >
>>> >
>>> >
>>> > R3(config)#*Int F0/0*
>>> >
>>> > R3(config-if)#*MPLS IP*
>>> >
>>> >
>>> >
>>> > *On R2*
>>> >
>>> >
>>> >
>>> > R2(config)#*Int F0/0*
>>> >
>>> > R2(config-if)#*MPLS IP*
>>> >
>>> >
>>> >
>>> > R2(config-if)#*Int F0/1*
>>> >
>>> > R2(config-if)#*MPLS IP*
>>> >
>>> >
>>> >
>>> > *On R4*
>>> >
>>> >
>>> >
>>> > R4(config)#*Int F0/1*
>>> >
>>> > R4(config-if)#*MPLS IP*
>>> >
>>> >
>>> >
>>> > *To Verify the configuration:*
>>> >
>>> > * *
>>> >
>>> > *On R2*
>>> >
>>> >
>>> >
>>> > R2#*Show mpls ldp neighbor*
>>> >
>>> >
>>> >
>>> > *Peer LDP Ident: 4.4.4.4:0*; Local LDP Ident 2.2.2.2:0
>>>
>>> >
>>> > TCP connection: 4.4.4.4.60890 - 2.2.2.2.646
>>> >
>>> > State: Oper; Msgs sent/rcvd: 9/10; Downstream
>>> >
>>> > Up time: 00:01:05
>>> >
>>> > LDP discovery sources:
>>> >
>>> > FastEthernet0/1, Src IP addr: 100.1.24.4
>>> >
>>> > Addresses bound to peer LDP Ident:
>>> >
>>> > 100.1.24.4 100.1.45.4 4.4.4.4
>>> >
>>> > *Peer LDP Ident: 3.3.3.3:0*; Local LDP Ident 2.2.2.2:0
>>>
>>> >
>>> > TCP connection: 3.3.3.3.18225 - 2.2.2.2.646
>>> >
>>> > State: Oper; Msgs sent/rcvd: 9/10; Downstream
>>> >
>>> > Up time: 00:01:00
>>> >
>>> > LDP discovery sources:
>>> >
>>> > FastEthernet0/0, Src IP addr: 100.1.23.3
>>> >
>>> > Addresses bound to peer LDP Ident:
>>> >
>>> > 100.1.23.3 100.1.13.3 3.3.3.3
>>> >
>>> >
>>> >
>>> > *On R3*
>>> >
>>> > * *
>>> >
>>> > R3#*Show mpls forwarding-table *
>>> >
>>> > * *
>>> >
>>> > Local  Outgoing    Prefix             Bytes tag  Outgoing   Next Hop
>>> > tag    tag or VC   or Tunnel Id       switched   interface
>>> > 16     Pop tag     2.2.2.2/32         0          Fa0/0      100.1.23.2
>>> > 17     Pop tag     100.1.24.0/24      0          Fa0/0      100.1.23.2
>>> > 18     17          4.4.4.4/32         0          Fa0/0      100.1.23.2
>>> >
>>> >
>>> >
>>> > *Task 3*
>>> >
>>> > **
>>>
>>> >
>>> > Configure MP-BGP between R3 and R4 as they represent the Provider Edge
>>> > routers in this topology in AS 100. The ONLY BGP peering relationship
>>> > should be VPNV4. These two neighbors should use their Lo0 interfaces for
>>> > their peering.
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > *On R3*
>>> >
>>> >
>>> >
>>> > R3(config)#*Router bgp 100*
>>> >
>>> > R3(config-router)#*Neighbor 4.4.4.4 remote-as 100*
>>> >
>>> > R3(config-router)#*Neighbor 4.4.4.4 update-source Lo0*
>>> >
>>> >
>>> >
>>> > R3(config-router)#*Address-family VPNV4 Unicast*
>>> >
>>> > R3(config-router-af)#*Neighbor 4.4.4.4 Act*
>>> >
>>> > R3(config-router-af)#*Neighbor 4.4.4.4 Send-community Ext*
>>> >
>>> >
>>> >
>>> > *On R4*
>>> >
>>> >
>>> >
>>> > R4(config)#*Router bgp 100*
>>> >
>>> > R4(config-router)#*Neighbor 3.3.3.3 remote-as 100*
>>> >
>>> > R4(config-router)#*Neighbor 3.3.3.3 update-source Lo0*
>>> >
>>> >
>>> >
>>> > R4(config-router)#*Address-family VPNV4 Unicast*
>>> >
>>> > R4(config-router-af)#*Neighbor 3.3.3.3 Act*
>>> >
>>> > R4(config-router-af)#*Neighbor 3.3.3.3 Send-community Ext*
>>> >
>>> >
>>> >
>>> > *To verify the configuration:*
>>> >
>>> > * *
>>> >
>>> > *On R3***
>>> >
>>> >
>>> >
>>> > R3#*Show ip bgp vpnv4 all Summary | B Neigh*
>>> >
>>> > * *
>>> >
>>> > *Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd*
>>> >
>>> > 4.4.4.4 4 100 8 8 1 0 0 00:02:02 0
>>> >
>>> >
>>> >
>>> > *Task 4*
>>> >
>>> > **
>>>
>>> >
>>> > Configure the following VRFs, RDs and route-targets on the PE routers:
>>> >
>>> >
>>> >
>>> > Router  VRF Name  RD    Route-Target               Interface
>>> > R3      aaa       1:10  Route-target Both 151:100  S0/1
>>> > R4      bbb       2:20  Route-target Both 151:100  S0/1
>>> >
>>> >
>>> >
>>> > *On R3*
>>> >
>>> >
>>> >
>>> > R3(config)#*IP VRF aaa*
>>> >
>>> > R3(config-vrf)#*RD 1:10*
>>> >
>>> > R3(config-vrf)#*Route-target Both 151:100*
>>> >
>>> >
>>> >
>>> > R3(config)#*Int S0/1*
>>> >
>>> > R3(config-if)#*IP VRF Forwarding aaa*
>>> >
>>> > R3(config-if)#*IP address 100.1.13.3 255.255.255.0*
>>> >
>>> >
>>> >
>>> > *On R4*
>>> >
>>> >
>>> >
>>> > R4(config)#*IP VRF bbb*
>>> >
>>> > R4(config-vrf)#*RD 2:20*
>>> >
>>> >
>>> >
>>> > R4(config-vrf)#*Route-target Both 151:100*
>>> >
>>> >
>>> >
>>> > R4(config)#*Int S0/1*
>>> >
>>> > R4(config-if)#*IP VRF Forwarding bbb*
>>> >
>>> > R4(config-if)#*IP address 100.1.45.4 255.255.255.0*
>>> >
>>> >
>>> >
>>> > *To verify the configuration:*
>>> >
>>> > * *
>>> >
>>> > *On R3*
>>> >
>>> > * *
>>> >
>>> > R3#*Show ip vrf detail *
>>> >
>>> >
>>> >
>>> > *VRF aaa; default RD 1:10*; default VPNID <not set>
>>> >
>>> > *Interfaces:*
>>> >
>>> > * Se0/1 *
>>>
>>> >
>>> > Connected addresses are not in global routing table
>>> >
>>> > *Export VPN route-target communities*
>>> >
>>> > * RT:151:100 *
>>> >
>>> > * Import VPN route-target communities*
>>> >
>>> > * RT:151:100 *
>>>
>>> >
>>> > No import route-map
>>> >
>>> > No export route-map
>>> >
>>> > VRF label distribution protocol: not configured
>>> >
>>> > VRF label allocation mode: per-prefix
>>> >
>>> >
>>> >
>>> > *On R4*
>>> >
>>> > * *
>>> >
>>> > R4#*Show ip vrf detail*
>>> >
>>> >
>>> >
>>> > *VRF bbb; default RD 2:20*; default VPNID <not set>
>>> >
>>> > *Interfaces:*
>>> >
>>> > * Se0/1 *
>>>
>>> >
>>> > Connected addresses are not in global routing table
>>> >
>>> > *Export VPN route-target communities*
>>> >
>>> > * RT:151:100 *
>>> >
>>> > * Import VPN route-target communities*
>>> >
>>> > * RT:151:100*
>>>
>>> >
>>> > No import route-map
>>> >
>>> > No export route-map
>>> >
>>> > VRF label distribution protocol: not configured
>>> >
>>> > VRF label allocation mode: per-prefix
>>> >
>>> >
>>> >
>>> > *Task 5*
>>> >
>>> > **
>>>
>>> >
>>> > Configure the routers such that the hosts in Site-1 can access the
>>> > server-1 in Site 2 and vice versa. You should configure the CE routers (R1
>>> > and R5). Use the following translation chart:
>>> >
>>> > Router  Inside Local          Inside Global
>>> > R1      10.1.1.1              1.1.1.1
>>> >         10.1.1.2 - 10.1.1.5   1.1.1.2 - 1.1.1.5
>>> > R5      10.1.1.1              5.5.5.1
>>> >         10.1.1.2 - 10.1.1.5   5.5.5.2 - 5.5.5.5
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > *A static route for network 1.1.1.0/24 is configured and redistributed
>>> > into the vrf aaa on R3.*
>>> >
>>> > *This is done to provide reachability to the hosts connected to R5.*
>>> >
>>> > *On R3*
>>> >
>>> > R3(config)#*IP Route vrf aaa 1.1.1.0 255.255.255.0 100.1.13.1*
>>> >
>>> >
>>> >
>>> > R3(config)#*Router bgp 100*
>>> >
>>> > R3(config-router)#*Address-family IPv4 vrf aaa*
>>> >
>>> > R3(config-router-af)#*Redistribute Static*
>>> >
>>> > R3(config-router-af)#*Redistribute connected*
>>> >
>>> >
>>> >
>>> > *The same is configured on R4:*
>>> >
>>> >
>>> >
>>> > *On R4*
>>> >
>>> >
>>> >
>>> > R4(config)#*IP Route vrf bbb 5.5.5.0 255.255.255.0 100.1.45.5*
>>> >
>>> >
>>> >
>>> > R4(config)#*Router bgp 100*
>>> >
>>> > R4(config-router)#*Address-family IPv4 vrf bbb*
>>> >
>>> > R4(config-router-af)#*Redistribute Static*
>>> >
>>> > R4(config-router-af)#*Redistribute Connected*
>>> >
>>> >
>>> >
>>> > *To verify the configuration:*
>>> >
>>> > * *
>>> >
>>> > *On R4*
>>> >
>>> >
>>> >
>>> > R4#*Show ip route vrf bbb | b Gate*
>>>
>>> >
>>> >
>>> >
>>> > Gateway of last resort is not set
>>> >
>>> >
>>> >
>>> > 1.0.0.0/24 is subnetted, 1 subnets
>>> >
>>> > *B 1.1.1.0 [200/0] via 3.3.3.3, 00:02:17*
>>>
>>> >
>>> > 100.0.0.0/24 is subnetted, 2 subnets
>>> >
>>> > C 100.1.45.0 is directly connected, Serial0/1
>>> >
>>> > B 100.1.13.0 [200/0] via 3.3.3.3, 00:02:17
>>> >
>>> > 5.0.0.0/24 is subnetted, 1 subnets
>>> >
>>> > S 5.5.5.0 [1/0] via 100.1.45.5
>>> >
>>> >
>>> >
>>> > *On R3*
>>> >
>>> >
>>> >
>>> > R3#*Show ip route vrf aaa | b Gate*
>>>
>>> >
>>> >
>>> >
>>> > Gateway of last resort is not set
>>> >
>>> >
>>> >
>>> > 1.0.0.0/24 is subnetted, 1 subnets
>>> >
>>> > S 1.1.1.0 [1/0] via 100.1.13.1
>>> >
>>> > 100.0.0.0/24 is subnetted, 2 subnets
>>> >
>>> > B 100.1.45.0 [200/0] via 4.4.4.4, 00:02:06
>>> >
>>> > C 100.1.13.0 is directly connected, Serial0/1
>>> >
>>> > 5.0.0.0/24 is subnetted, 1 subnets
>>> >
>>> > *B 5.5.5.0 [200/0] via 4.4.4.4, 00:02:06*
>>> >
>>> >
>>> >
>>> > *On R1*
>>> >
>>> >
>>> >
>>> > *The NAT Inside and Outside interfaces are defined:*
>>> >
>>> > R1(config)#*Int range Lo0 - 4*
>>> > R1(config-if-range)#*IP NAT Inside*
>>> >
>>> > R1(config)#*Int S0/1*
>>> > R1(config-if)#*IP NAT Outside*
>>> >
>>> > *The following command translates the inside source IP address of
>>> > 10.1.1.1 to 1.1.1.1 IP address:*
>>> >
>>> > R1(config)#*IP NAT inside source static 10.1.1.1 1.1.1.1*
>>> >
>>> > *An access-list is configured to identify the communication between
>>> > inside sources with destination IP addresses:*
>>> >
>>> > R1(config)#*Access-list 100 permit ip 10.1.1.0 0.0.0.255 5.5.5.0 0.0.0.255*
>>> >
>>> > *The following configures a NAT pool that the inside hosts can use:*
>>> >
>>> > R1(config)#*IP Nat pool TST 1.1.1.2 1.1.1.5 Prefix-length 24 type match-host*
>>> >
>>> > *The last step is to configure the inside sources identified in ACL 100
>>> > to use the NAT pool called TST:*
>>> >
>>> > R1(config)#*IP NAT inside source list 100 pool TST*
>>> >
>>> > *On R5*
>>> >
>>> > R5(config)#*Int range Lo0 - 4*
>>> > R5(config-if-range)#*IP NAT Inside*
>>> >
>>> > R5(config)#*Int S0/1*
>>> > R5(config-if)#*IP NAT Outside*
>>> >
>>> > R5(config)#*IP NAT inside source static 10.1.1.1 5.5.5.1*
>>> >
>>> > R5(config)#*Access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.1.0 0.0.0.255*
>>> >
>>> > R5(config)#*IP Nat pool TST 5.5.5.2 5.5.5.5 Prefix-length 24*
>>> > R5(config)#*IP NAT inside source list 100 pool TST*
>>> >
>>> > *To verify the configuration:*
>>> >
>>> > * *
>>> >
>>> > *On R1*
>>> >
>>> >
>>> >
>>> > R1#*Ping 5.5.5.1 source Lo0*
>>> >
>>> > Type escape sequence to abort.
>>> > Sending 5, 100-byte ICMP Echos to 5.5.5.1, timeout is 2 seconds:
>>> > Packet sent with a source address of 10.1.1.1
>>> > *!!!!!*
>>> > *Success rate is 100 percent (5/5), round-trip min/avg/max = 52/56/60 ms*
>>> >
>>> > R1#*Show ip nat translations*
>>> >
>>> > *Pro Inside global Inside local Outside local Outside global*
>>> > icmp 1.1.1.1:2 10.1.1.1:2 5.5.5.1:2 5.5.5.1:2
>>> > --- 1.1.1.1 10.1.1.1 --- ---
>>> >
>>> > R1#*Ping 5.5.5.1 Source Lo4*
>>> >
>>> > Type escape sequence to abort.
>>> > Sending 5, 100-byte ICMP Echos to 5.5.5.1, timeout is 2 seconds:
>>> > Packet sent with a source address of 10.1.1.2
>>> > *!!!!!*
>>> > *Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms*
>>> >
>>> > R1#*Sh ip nat translation*
>>> >
>>> > *Pro Inside global Inside local Outside local Outside global*
>>> > icmp 1.1.1.1:7 10.1.1.1:7 5.5.5.1:7 5.5.5.1:7
>>> > --- 1.1.1.1 10.1.1.1 --- ---
>>> > icmp 1.1.1.5:8 10.1.1.5:8 5.5.5.5:8 5.5.5.5:8
>>> > --- 1.1.1.5 10.1.1.5 --- ---
>>> >
>>> >
>>> >
>>> > *Task 6*
>>> >
>>> > Remove the configuration from the previous step and configure the PE
>>> > routers to accomplish the same task.
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > *On R1*
>>> >
>>> >
>>> >
>>> > R1(config)#*Int range Lo0 - 4*
>>> > R1(config-if-range)#*NO IP NAT Inside*
>>> >
>>> > R1(config)#*Int S0/1*
>>> > R1(config-if)#*NO IP NAT Outside*
>>> >
>>> > R1(config)#*No Access-list 100*
>>> > R1(config)#*NO ip nat inside source static 10.1.1.1 1.1.1.1*
>>> > R1(config)#*NO ip nat inside source list 100 pool TST*
>>> > R1(config)#*NO ip nat pool TST 1.1.1.2 1.1.1.5 prefix-length 24*
>>> >
>>> > *On R5*
>>> >
>>> > R5(config)#*Int range Lo0 - 4*
>>> > R5(config-if-range)#*NO IP NAT Inside*
>>> >
>>> > R5(config)#*Int S0/1*
>>> > R5(config-if)#*NO IP NAT Outside*
>>> >
>>> > R5(config)#*NO access-list 100*
>>> > R5(config)#*NO ip nat inside source static 10.1.1.1 5.5.5.1*
>>> > R5(config)#*NO ip nat inside source list 100 pool TST*
>>> > R5(config)#*NO ip nat pool TST 5.5.5.2 5.5.5.5 prefix-length 24*
>>> >
>>> >
>>> >
>>> > *NOTE: The configuration on the PE is identical to the configuration that
>>> > was performed on the CEs with one difference; on the PEs the VRF MUST be
>>> > referenced.*
>>> >
>>> > *On R3*
>>> >
>>> > *The inside and outside interfaces are defined; the interface facing the
>>> > CE MUST be defined as inside, and the interface facing the core must be
>>> > defined as outside.*
>>> >
>>> > R3(config)#*Int S0/1*
>>> > R3(config-if)#*IP NAT Inside*
>>> >
>>> > R3(config)#*Int F0/0*
>>> > R3(config-if)#*IP NAT Outside*
>>> >
>>> > *A Static NAT is configured to translate any traffic with a source IP
>>> > address of 10.1.1.1 to 1.1.1.1 IP address IN VRF aaa:*
>>> >
>>> > R3(config)#*IP NAT inside source static 10.1.1.1 1.1.1.1 vrf aaa*
>>> >
>>> > *An access-list is configured to identify the communication between
>>> > inside sources with destination IP addresses:*
>>> >
>>> > R3(config)#*Access-list 100 permit ip 10.1.1.0 0.0.0.255 5.5.5.0 0.0.0.255*
>>> >
>>> > *A NAT pool called TST is configured:*
>>> >
>>> > R3(config)#*IP NAT Pool TST 1.1.1.2 1.1.1.5 Prefix-length 24 Type match-host*
>>> >
>>> > *The last step is to configure the inside sources identified in ACL 100
>>> > to use the NAT pool called TST for VRF aaa:*
>>> >
>>> > R3(config)#*IP NAT inside source list 100 pool TST vrf aaa*
>>> >
>>> > *On R4*
>>> >
>>> > R4(config)#*Int S0/1*
>>> > R4(config-if)#*IP NAT Inside*
>>> >
>>> > R4(config)#*Int F0/1*
>>> > R4(config-if)#*IP NAT Outside*
>>> >
>>> > R4(config)#*IP NAT inside source static 10.1.1.1 5.5.5.1 vrf bbb*
>>> >
>>> > R4(config)#*Access-list 100 permit ip 10.1.1.0 0.0.0.255 1.1.1.0 0.0.0.255*
>>> >
>>> > R4(config)#*IP NAT Pool TST 5.5.5.2 5.5.5.5 prefix-length 24 type match-host*
>>> >
>>> > R4(config)#*IP NAT Inside source list 100 pool TST vrf bbb*
>>> >
>>> >
>>> >
>>> > *To verify the configuration:*
>>> >
>>> > * *
>>> >
>>> > *On R3*
>>> >
>>> >
>>> >
>>> > R3#*Show ip nat translations vrf aaa*
>>> >
>>> > *Pro Inside global Inside local Outside local Outside global*
>>> > --- 1.1.1.1 10.1.1.1 --- ---
>>> >
>>> > *To test the configuration:*
>>> >
>>> > *On R1*
>>> >
>>> > R1#*Ping 5.5.5.1 Source Lo0*
>>> >
>>> > Type escape sequence to abort.
>>> > Sending 5, 100-byte ICMP Echos to 5.5.5.1, timeout is 2 seconds:
>>> > Packet sent with a source address of 10.1.1.1
>>> > *!!!!!*
>>> > *Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms*
>>> >
>>> > *On R3*
>>> >
>>> > R3#*Show ip nat translation vrf aaa*
>>> >
>>> > *Pro Inside global Inside local Outside local Outside global*
>>> > icmp 1.1.1.1:0 10.1.1.1:0 5.5.5.1:0 5.5.5.1:0
>>> > --- 1.1.1.1 10.1.1.1 --- ---
>>> >
>>> > R1#*Ping 5.5.5.1 Source Lo4*
>>> >
>>> > Type escape sequence to abort.
>>> > Sending 5, 100-byte ICMP Echos to 5.5.5.1, timeout is 2 seconds:
>>> > Packet sent with a source address of 10.1.1.2
>>> > *!!!!!*
>>> > *Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms*
>>> >
>>> > *On R3*
>>> >
>>> > R3#*Show ip nat translation vrf aaa*
>>> >
>>> > *Pro Inside global Inside local Outside local Outside global*
>>> > icmp 1.1.1.1:2 10.1.1.1:2 10.1.1.2:2 10.1.1.2:2
>>> > --- 1.1.1.1 10.1.1.1 --- ---
>>> > *icmp 1.1.1.5:1 10.1.1.5:1 5.5.5.5:1 5.5.5.5:1*
>>> > *--- 1.1.1.5 10.1.1.5 --- ---*
>>> >
>>> >
>>> >
>>> > Have fun.
>>> >
>>> >
>>> > On Sun, Nov 20, 2011 at 6:06 PM, Bernard Steven <buny.steven_at_gmail.com> wrote:
>>>
>>> >
>>> >> Guys,
>>> >> Is there a way to do a NAT between a VRF interface and traffic coming from
>>> >> an LDP enabled interface towards the core?
>>> >> I am trying to NAT in a PE. One interface is towards a CE and the other
>>> >> interface is towards the P router.
>>> >>
>>> >> The device does not support NVI, also VRF-aware NAT does not seem to
>>> >> help.
>>> >>
>>> >> My problem is it does not make sense to put an ip nat inside / outside
>>> >> statement in the interface towards the PE.
>>> >> Any thoughts?
>>> >>
>>> >>
>>> >> Blogs and organic groups at http://www.ccie.net
>>> >>
>>> >> _______________________________________________________________________
>>> >> Subscription information may be found at:
>>> >> http://www.groupstudy.com/list/CCIELab.html
>>> >>
>>> >
>>> >
>>> > --
>>> > *Narbik Kocharians
>>> > *CCSI#30832, CCIE# 12410 (R&S, SP, Security)
>>> > *www.MicronicsTraining.com* <http://www.micronicstraining.com/>
>>> > Sr. Technical Instructor
>>> > YES! We take Cisco Learning Credits!
>>> > Training & Remote Racks available
>>>
>>>
>>>
>>
>>
>> --
>> Problems arise because we talk,problems are not solved because we don't
>> talk So good or bad talk to your affectionate one's freely.
>>
>> Yours Friendly,
>> H P HEMANTH RAJ
>> CCIE#28593 (R&S)
>> Cisco Systems
>>
>>
>
>
> --
> *Narbik Kocharians
> *
> CCSI#30832, CCIE# 12410 (R&S, SP, Security)
> *www.MicronicsTraining.com* <http://www.micronicstraining.com/>
> Sr. Technical Instructor
> YES! We take Cisco Learning Credits!
> Training & Remote Racks available
Received on Tue Nov 22 2011 - 11:02:35 ART
This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 06:29:31 ART
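
The translation behaviour discussed in the thread (a static entry for the server, ACL 100 plus pool TST with match-host for the other hosts, and rules bound to a VRF on the PE), as a small Python model. This is an added example, not part of the thread and not IOS code; the class and function names are made up here, and it assumes that a host number outside the pool range simply gets no translation.

```python
import ipaddress as ip

def wildcard_match(addr, base, wildcard):
    """IOS-style ACL match: bits set in the wildcard mask are ignored."""
    care = ~int(ip.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(addr) ^ int(ip.IPv4Address(base))) & care == 0

class VrfNat:
    """Inside-source NAT rules bound to one VRF (simplified model, not IOS)."""

    def __init__(self, static, acl, pool_start, pool_end, prefix_len):
        self.acl = acl  # (src, src_wildcard, dst, dst_wildcard)
        self.pool = (ip.IPv4Address(pool_start), ip.IPv4Address(pool_end))
        self.host_mask = (1 << (32 - prefix_len)) - 1
        # Static entries are in the table before any packet is seen.
        self.table = {ip.IPv4Address(l): ip.IPv4Address(g)
                      for l, g in static.items()}

    def _match_host(self, src):
        """'type match-host': pool network bits plus the source's host bits."""
        net = int(self.pool[0]) & ~self.host_mask & 0xFFFFFFFF
        cand = ip.IPv4Address(net | (int(src) & self.host_mask))
        # Assumption: a host number outside the pool range gets no translation.
        return cand if self.pool[0] <= cand <= self.pool[1] else None

    def outbound(self, src, dst):
        """Inside -> outside: return the inside global address, or None."""
        src, dst = ip.IPv4Address(src), ip.IPv4Address(dst)
        if src in self.table:
            return self.table[src]
        s, swc, d, dwc = self.acl
        if not (wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc)):
            return None
        glob = self._match_host(src)
        if glob is not None:
            self.table[src] = glob  # dynamic entry created by the first packet
        return glob

    def inbound(self, dst_global):
        """Outside -> inside: only succeeds if an entry already exists."""
        dst_global = ip.IPv4Address(dst_global)
        return next((l for l, g in self.table.items() if g == dst_global), None)

def pe_outbound(pe, vrf, src, dst):
    """Rules are looked up per VRF; traffic in another table is left alone."""
    rules = pe.get(vrf)
    return rules.outbound(src, dst) if rules else None

# Rules as configured on R3 and R4 in Task 6 of the quoted lab.
R3 = {"aaa": VrfNat({"10.1.1.1": "1.1.1.1"},
                    ("10.1.1.0", "0.0.0.255", "5.5.5.0", "0.0.0.255"),
                    "1.1.1.2", "1.1.1.5", 24)}
R4 = {"bbb": VrfNat({"10.1.1.1": "5.5.5.1"},
                    ("10.1.1.0", "0.0.0.255", "1.1.1.0", "0.0.0.255"),
                    "5.5.5.2", "5.5.5.5", 24)}

if __name__ == "__main__":
    nat = R3["aaa"]
    print("server reachable from outside before any traffic:", nat.inbound("1.1.1.1"))
    print("host 5 reachable from outside before any traffic:", nat.inbound("1.1.1.5"))
    print("host 5 outbound:", pe_outbound(R3, "aaa", "10.1.1.5", "5.5.5.5"))
    print("host 5 reachable from outside afterwards:", nat.inbound("1.1.1.5"))
    print("same packet in the global table:", pe_outbound(R3, None, "10.1.1.1", "5.5.5.1"))
```

The static entry is what makes Server-1 reachable from the far site before it has sent anything; the pool entries appear only after an inside host initiates traffic, which matches the `show ip nat translations` output in the lab.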