3 Replies Latest reply: Mar 8, 2018 10:23 PM by raymond

    question about Network Address Translation (NAT) in a VRF

    Jonathan

      I have a couple of questions about static NAT.

       

      Firstly, what happens when you have 2 static NAT entries for the same private LAN IP in the same VRF?

      The reason that I ask is that when I tried to configure a NAT entry in one 2911 router [running IOS 15.2(4)M11] for a private IP that already has another NAT entry in the same VRF, it gives me a warning message, something like this, for example:

      Router1(config)#ip nat inside source static 10.1.1.2 203.0.113.2 vrf myVRF

      % 10.1.1.2 already mapped (10.1.1.2 -> 192.0.2.2)

      And then the new entry is not present in the configuration, only the prior one.

      Router1#sho run | sec 10.1.1.2

      ip nat inside source static 10.1.1.2 192.0.2.2 vrf myVRF

       

      But, then I looked on another 2911 router [running 15.2(4)M3] and it already has a duplicate NAT configuration; something like this:

      Router2#sho run | sec 10.2.2.2

      ip nat inside source static 10.2.2.2 203.0.113.130 vrf yourVRF

      ip nat inside source static 10.2.2.2 203.0.113.131 vrf yourVRF

       

      Why does it even let the duplicate NAT entry exist on one router, but not the other?  I already checked the release notes and it doesn't say anything about it being a bug that's fixed between these 2 versions.

       

      My second question is more fundamental; what does a router do when you NAT an IP to itself?

      Router(config)#ip nat inside source static 172.22.2.2 172.22.2.2 vrf thisVRF

      What does the router do to the packets arriving on the outside interface with destination 172.22.2.2? Does this command cause it to route the packets into thisVRF?  If so, why ip nat and not an ip route command?  And what does the router do to the packets arriving on the inside interface sourced from this IP?  Does this just cause the packet to be sent out the interface with "ip nat outside"?  And again, if that is the case, what's the difference between the single ip nat statement and a pair of ip route statements?

       

      Thanks,

      Jonathan

        • 1. Re: question about Network Address Translation (NAT) in a VRF
          raymond

          Hi Jonathan

           

          I haven't checked, but it sounds like that may be a bug, as I have tried this on a couple of different router models and IOS versions and I get the same response each time:

           

          R1(config)#ip nat inside source static 10.1.1.2 203.0.113.2 vrf myVRF

          R1(config)#ip nat inside source static 10.1.1.2 203.0.113.2 vrf myVRF

          *Mar  8 15:41:28.967: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up

          R1(config)#ip nat inside source static 10.1.1.2 192.0.2.2 vrf myVRF

          % 10.1.1.2 already mapped (10.1.1.2 -> 203.0.113.2)

           

          The output of your Router1, by the looks of my testing, is the correct output.

           

          Cheers

          • 2. Re: question about Network Address Translation (NAT) in a VRF
            Jonathan

            Thanks.  Interesting that in your example you actually attempt to re-issue the same command rather than map 1 inside IP to 2 different outside IPs, and it still gives the error message.

             

            Any insight about my second question?  What does it mean when you NAT an IP to itself on a VRF router, and why would you want to do it?

            • 3. Re: question about Network Address Translation (NAT) in a VRF
              raymond

              Hi Jonathan

               

              Apologies, I pasted the wrong one:

               

              R1(config)#ip nat inside source static 10.1.1.2 203.0.113.2 vrf myVRF

              R1(config)#ip nat inside source static 10.1.1.2 203.0.113.3 vrf myVRF

              % 10.1.1.2 already mapped (10.1.1.2 -> 203.0.113.2)

               

              As for your second question, I'm not sure. Do you have a scenario where you have seen this, or would do this? Why would you need to NAT to the router itself?

               

              Cheers
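The behaviour the thread demonstrates, as an added example that is not part of the original posts and is not Cisco's code: a Python model of one VRF's static `ip nat inside source` table. It replays the three configurations quoted above (the identical command re-issued, the second mapping for 10.1.1.2 refused with the "% ... already mapped" message, and the self-mapping of 172.22.2.2) and shows how a one-to-one static entry rewrites a packet in each direction. The Router2 configuration, where one inside address carries two entries in the same VRF, would be refused by this model; the thread leaves open why that router accepted it. Assumptions: the refusal text for a reused inside-global address, the `Packet` and `StaticNatVrf` names, and the outside address 198.51.100.9 are all constructed for the example, and the model says nothing about how IOS routes an identity-mapped address into a VRF.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


class AlreadyMapped(ValueError):
    """Models the IOS refusal '% <addr> already mapped (<local> -> <global>)'."""


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


class StaticNatVrf:
    """One VRF's 'ip nat inside source static' table (a model, not IOS code).

    Static NAT is one-to-one, so both the inside-local and the inside-global
    address must be unique within the VRF.
    """

    def __init__(self, vrf: str) -> None:
        self.vrf = vrf
        self._local_to_global: dict[IPv4Address, IPv4Address] = {}
        self._global_to_local: dict[IPv4Address, IPv4Address] = {}

    def add_static(self, inside_local: str, inside_global: str) -> None:
        local, glob = IPv4Address(inside_local), IPv4Address(inside_global)
        if self._local_to_global.get(local) == glob:
            return  # re-issuing the identical command is accepted silently (raymond's first paste)
        existing = self._local_to_global.get(local)
        if existing is not None:
            # Router1's case: a second mapping for the same inside-local address is refused
            # and the running config keeps only the first entry.
            raise AlreadyMapped(f"% {local} already mapped ({local} -> {existing})")
        existing_local = self._global_to_local.get(glob)
        if existing_local is not None:
            # Assumption: reusing an inside-global address for a different host is refused
            # as well; the thread does not show the message text for this case.
            raise AlreadyMapped(f"% {glob} already mapped ({existing_local} -> {glob})")
        self._local_to_global[local] = glob
        self._global_to_local[glob] = local

    def running_config(self) -> list[str]:
        """The lines 'show run | section <addr>' would list for this VRF."""
        return [f"ip nat inside source static {loc} {glb} vrf {self.vrf}"
                for loc, glb in self._local_to_global.items()]

    def inside_to_outside(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source if it has a static entry."""
        return Packet(self._local_to_global.get(pkt.src, pkt.src), pkt.dst)

    def outside_to_inside(self, pkt: Packet) -> Packet:
        """Outside -> inside: rewrite the destination back to the inside-local address."""
        return Packet(pkt.src, self._global_to_local.get(pkt.dst, pkt.dst))


def replay_thread() -> dict:
    """Replay the configurations quoted in the thread and return what the model does."""
    outside_host = IPv4Address("198.51.100.9")  # constructed outside address for the example

    my = StaticNatVrf("myVRF")
    my.add_static("10.1.1.2", "203.0.113.2")
    my.add_static("10.1.1.2", "203.0.113.2")  # identical re-issue: no error
    try:
        my.add_static("10.1.1.2", "192.0.2.2")  # Router1: refused
        refused = None
    except AlreadyMapped as exc:
        refused = str(exc)
    nat_out = my.inside_to_outside(Packet(IPv4Address("10.1.1.2"), outside_host))
    nat_back = my.outside_to_inside(Packet(outside_host, IPv4Address("203.0.113.2")))

    this = StaticNatVrf("thisVRF")
    this.add_static("172.22.2.2", "172.22.2.2")  # the self-mapping from question 2
    self_out = this.inside_to_outside(Packet(IPv4Address("172.22.2.2"), outside_host))
    self_back = this.outside_to_inside(Packet(outside_host, IPv4Address("172.22.2.2")))

    return {
        "refused": refused,
        "config": my.running_config(),
        "nat_out": nat_out,
        "nat_back": nat_back,
        "self_out": self_out,
        "self_back": self_back,
    }


if __name__ == "__main__":
    for key, value in replay_thread().items():
        print(f"{key}: {value}")
```

In the model the identity entry is a no-op on the packet: the source leaving the inside interface and the destination arriving on the outside interface are both still 172.22.2.2. Whether the real entry also pulls the packet into `thisVRF`, which is what the second question asks, is not something a translation table alone can answer.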