Match-in-VRF Support for NAT

Last Updated: November 29, 2012

The Match-in-VRF Support for NAT feature supports Network Address Translation (NAT) of packets that communicate between two hosts within the same VPN routing and forwarding (VRF) instance. In intra-VPN NAT, both the local and global address spaces for end hosts are isolated to their respective VPNs, so translated addresses in different VPNs can overlap. The Match-in-VRF Support for NAT feature keeps the translated address space of each VPN separate.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for Match-in-VRF Support for NAT

The Match-in-VRF Support for NAT feature is not supported with interface overload configurations, that is, ip nat inside source mappings that translate to an interface address with the overload keyword.

Information About Match-in-VRF Support for NAT

Match-in-VRF Support for NAT

In Cisco IOS XE Release 3.5S and later releases, the Match-in-VRF Support for NAT feature supports NAT of packets that communicate between two hosts within the same VPN.

VRF-aware NAT enables communication between hosts in the private address space of different VPN routing and forwarding (VRF) instances and common servers on the Internet or in the global domain. Because the IP addresses of inside hosts in different VRFs overlap, VRF-aware NAT converts the overlapping inside addresses into globally unique addresses. The Match-in-VRF Support for NAT feature extends VRF-aware NAT with intra-VPN NAT capability. In intra-VPN NAT, both the local and global address spaces for end hosts are isolated to their respective VPNs, so translated addresses in different VPNs can overlap. To keep the translated address space of each VPN separate, configure the match-in-vrf keyword in the NAT mapping (ip nat inside source command). Both static and dynamic NAT configurations support the match-in-vrf keyword.


Note


All NAT commands that support VRF support the match-in-vrf keyword. NAT outside rules (ip nat outside source command) are match-in-VRF by default, so the match-in-vrf keyword is not accepted on them.

In VRF-aware NAT, the IP alias and Address Resolution Protocol (ARP) entries for inside global addresses are created in the global domain. In intra-VPN NAT, the IP alias and ARP entries for inside global addresses are created in the VRF through which the translation happens. Configuring the match-in-vrf keyword therefore requires that at least one NAT outside interface be in the same VRF: it is the ARP entry in that VRF that answers ARP requests from outside hosts for the inside global address.

When inside mappings are configured, whether a translation is match-in-VRF is determined by the inside mapping during address translation of VRF traffic. When only outside mappings are configured, match-in-VRF behavior still applies, because outside rules are match-in-VRF by default. When a translation entry is created from both an inside and an outside mapping, the inside mapping decides.

The Match-in-VRF Support for NAT feature supports the configuration of multiple dynamic mappings with the same IP address pool.
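The following Python model is an added illustration, not Cisco code, of the lookup difference described above. It keeps a forward table keyed by (VRF, inside local address) and a reverse table keyed by the routing table in which the inside global address is reachable: the global table without match-in-vrf, the VPN's own VRF with it. Two VPNs that reuse the same inside global address therefore collide in the first case and coexist in the second. The VRF name vrf2 and the second host are assumptions made for the demo.

```python
"""Model of how the match-in-vrf keyword changes NAT translation lookups.

Added illustration, not Cisco code. The tables, the VRF name vrf2 and
the packet tuples are assumptions made for this demo.
"""
from dataclasses import dataclass

GLOBAL = "global"  # name used here for the global routing table


@dataclass(frozen=True)
class Mapping:
    local_ip: str
    global_ip: str
    vrf: str
    match_in_vrf: bool = False

    @property
    def global_table(self) -> str:
        """Table holding the inside global address and its IP alias/ARP entry."""
        return self.vrf if self.match_in_vrf else GLOBAL


class NatTable:
    def __init__(self):
        self.forward = {}  # (vrf, local_ip) -> Mapping
        self.reverse = {}  # (table, global_ip) -> Mapping

    def add(self, m: Mapping) -> None:
        key = (m.global_table, m.global_ip)
        if key in self.reverse:  # the same inside global address is already claimed in that table
            raise ValueError(f"{m.global_ip} already translated in table {m.global_table}")
        self.forward[(m.vrf, m.local_ip)] = m
        self.reverse[key] = m

    def outbound(self, vrf, src):
        """Source translation for a packet from src on an inside interface in vrf."""
        m = self.forward.get((vrf, src))
        return m.global_ip if m else None

    def inbound(self, table, dst):
        """Destination translation for a packet to dst on an outside interface in table."""
        m = self.reverse.get((table, dst))
        return (m.vrf, m.local_ip) if m else None


def without_keyword():
    """Two VPNs reuse inside global 172.16.131.1 without match-in-vrf: collision."""
    t = NatTable()
    t.add(Mapping("10.10.10.1", "172.16.131.1", "vrf1"))
    try:
        t.add(Mapping("10.10.10.1", "172.16.131.1", "vrf2"))
        return "accepted"
    except ValueError as err:
        return str(err)


def with_keyword():
    """Same addresses with match-in-vrf: each VPN keeps its own reverse entries."""
    t = NatTable()
    t.add(Mapping("10.10.10.1", "172.16.131.1", "vrf1", match_in_vrf=True))
    t.add(Mapping("10.10.10.1", "172.16.131.1", "vrf2", match_in_vrf=True))
    return (t.outbound("vrf1", "10.10.10.1"),
            t.inbound("vrf1", "172.16.131.1"),
            t.inbound("vrf2", "172.16.131.1"),
            t.inbound(GLOBAL, "172.16.131.1"))
```

The last value returned by with_keyword shows why a NAT outside interface must exist in the same VRF: with match-in-vrf, a packet for 172.16.131.1 arriving from the global table finds no entry at all.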

How to Configure Match-in-VRF Support for NAT

Configuring Static NAT with Match-in-VRF

Perform the following task to configure a static NAT translation and to enable NAT inside and outside traffic in the same VRF. On each interface, apply ip vrf forwarding before ip address: applying a VRF to an interface removes an IP address that is already configured on it.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    ip nat inside source static local-ip global-ip [vrf vrf-name [match-in-vrf]]

4.    interface type number

5.    ip vrf forwarding vrf-name

6.    ip address ip-address mask [secondary]

7.    ip nat inside

8.    exit

9.    interface type number

10.    ip vrf forwarding vrf-name

11.    ip address ip-address mask

12.    ip nat outside

13.    end


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Router# configure terminal

 

Enters global configuration mode.

 
Step 3
ip nat inside source static local-ip global-ip [vrf vrf-name [match-in-vrf]]


Example:

Router(config)# ip nat inside source static 10.10.10.1 172.16.131.1 vrf vrf1 match-in-vrf

 
Establishes static translation between an inside local address and an inside global address.
  • The match-in-vrf keyword enables NAT inside and outside traffic in the same VRF.
 
Step 4
interface type number


Example:

Router(config)# interface gigabitethernet 0/0/1

 

Specifies an interface and enters interface configuration mode.

 
Step 5
ip vrf forwarding vrf-name


Example:

Router(config-if)# ip vrf forwarding vrf1

 

Associates a VRF with an interface or subinterface.

Note    Configure the VRF before the IP address. Applying a VRF to an interface removes an IP address that is already configured on it.
 
Step 6
ip address ip-address mask [secondary]


Example:

Router(config-if)# ip address 10.114.11.39 255.255.255.0

 

Sets a primary IP address for an interface.

 
Step 7
ip nat inside


Example:

Router(config-if)# ip nat inside

 

Marks the interface as connected to the inside.

 
Step 8
exit


Example:

Router(config-if)# exit

 

Exits interface configuration mode and returns to global configuration mode.

 
Step 9
interface type number


Example:

Router(config)# interface gigabitethernet 0/0/0

 

Specifies a different interface and enters interface configuration mode.

 
Step 10
ip vrf forwarding vrf-name


Example:

Router(config-if)# ip vrf forwarding vrf1

 

Associates a VRF with an interface or subinterface.

Note    Configure the VRF before the IP address. Applying a VRF to an interface removes an IP address that is already configured on it.
 
Step 11
ip address ip-address mask


Example:

Router(config-if)# ip address 172.31.232.182 255.255.255.240

 

Sets a primary IP address for an interface.

 
Step 12
ip nat outside


Example:

Router(config-if)# ip nat outside

 

Marks the interface as connected to the outside.

Note    NAT outside rules support the match-in-VRF functionality by default.
 
Step 13
end


Example:

Router(config-if)# end

 

Exits interface configuration mode and returns to privileged EXEC mode.

 

Configuring Dynamic NAT with Match-in-VRF

Perform the following task to configure two dynamic NAT mappings that share the same address pool and to enable NAT inside and outside traffic in the same VRF. The pool must already be defined with the ip nat pool command. On each interface, apply ip vrf forwarding before ip address: applying a VRF to an interface removes an IP address that is already configured on it.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    ip nat inside source list access-list-number pool pool-name [vrf vrf-name [match-in-vrf]]

4.    access-list access-list-number permit source [source-wildcard]

5.    ip nat inside source list access-list-number pool pool-name vrf vrf-name [match-in-vrf]

6.    interface type number

7.    ip vrf forwarding vrf-name

8.    ip address ip-address mask

9.    ip nat inside

10.    exit

11.    interface type number

12.    ip vrf forwarding vrf-name

13.    ip address ip-address mask

14.    ip nat outside

15.    end


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Router# configure terminal

 

Enters global configuration mode.

 
Step 3
ip nat inside source list access-list-number pool pool-name [vrf vrf-name [match-in-vrf]]


Example:

Router(config)# ip nat inside source list 1 pool shared-pool vrf vrf1 match-in-vrf

 
Establishes dynamic source translation for VRF vrf1 using the pool shared-pool. The pool must already be defined with the ip nat pool command; multiple dynamic mappings can share the same pool.
  • The match-in-vrf keyword enables NAT inside and outside traffic in the same VRF.
 
Step 4
access-list access-list-number permit source [source-wildcard]


Example:

Router(config)# access-list 1 permit 192.168.34.0 0.0.0.255

 

Defines a standard access list permitting those addresses that are to be translated.

 
Step 5
ip nat inside source list access-list-number pool pool-name vrf vrf-name [match-in-vrf]


Example:

Router(config)# ip nat inside source list 1 pool shared-pool vrf vpn1

 

Establishes a second dynamic source translation, for VRF vpn1, that shares the same pool and references the access list defined in the previous step.

 
Step 6
interface type number


Example:

Router(config)# interface gigabitethernet 0/0/1

 

Specifies an interface and enters interface configuration mode.

 
Step 7
ip vrf forwarding vrf-name


Example:

Router(config-if)# ip vrf forwarding vpn1

 

Associates a VRF with an interface or subinterface.

Note    Configure the VRF before the IP address. Applying a VRF to an interface removes an IP address that is already configured on it.
 
Step 8
ip address ip-address mask


Example:

Router(config-if)# ip address 192.168.34.1 255.255.255.0

 

Sets a primary IP address for an interface. The inside interface must not reuse the address of the outside interface in the same VRF.

 
Step 9
ip nat inside


Example:

Router(config-if)# ip nat inside

 

Marks the interface as connected to the inside.

 
Step 10
exit


Example:

Router(config-if)# exit

 

Exits interface configuration mode and returns to global configuration mode.

 
Step 11
interface type number


Example:

Router(config)# interface gigabitethernet 0/0/0

 

Specifies a different interface and enters interface configuration mode.

 
Step 12
ip vrf forwarding vrf-name


Example:

Router(config-if)# ip vrf forwarding vpn1

 

Associates a VRF with an interface or subinterface.

Note    Configure the VRF before the IP address. Applying a VRF to an interface removes an IP address that is already configured on it.
 
Step 13
ip address ip-address mask


Example:

Router(config-if)# ip address 172.31.232.182 255.255.255.240

 

Sets a primary IP address for an interface.

 
Step 14
ip nat outside


Example:

Router(config-if)# ip nat outside

 

Marks the interface as connected to the outside.

Note    NAT outside rules support the match-in-VRF functionality by default.
 
Step 15
end


Example:

Router(config-if)# end

 

Exits interface configuration mode and returns to privileged EXEC mode.

 

Configuration Examples for Match-in-VRF Support for NAT

Example: Configuring Static NAT with Match-in-VRF

The following example shows how to configure a static NAT translation between the local IP address 10.10.10.1 and the global IP address 172.16.131.1. The match-in-vrf keyword enables NAT inside and outside traffic in the same VRF. On each interface the VRF is applied before the IP address, because applying a VRF removes an address that is already configured on the interface.

Router# configure terminal
Router(config)# ip nat inside source static 10.10.10.1 172.16.131.1 vrf vrf1 match-in-vrf
Router(config)# interface gigabitethernet 0/0/1
Router(config-if)# ip vrf forwarding vrf1
Router(config-if)# ip address 10.114.11.39 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface gigabitethernet 0/0/0
Router(config-if)# ip vrf forwarding vrf1
Router(config-if)# ip address 172.31.232.182 255.255.255.240
Router(config-if)# ip nat outside
Router(config-if)# end

Example: Configuring Dynamic NAT with Match-in-VRF

The following example shows how to configure two dynamic NAT mappings, for VRFs vrf1 and vpn1, that share the same address pool. The match-in-vrf keyword on the vrf1 mapping enables NAT inside and outside traffic in the same VRF. The pool shared-pool must already be defined with the ip nat pool command; its definition is not shown. On each interface the VRF is applied before the IP address, because applying a VRF removes an address that is already configured on the interface, and the inside and outside interfaces use distinct addresses.

Router# configure terminal
Router(config)# ip nat inside source list 1 pool shared-pool vrf vrf1 match-in-vrf
Router(config)# access-list 1 permit 192.168.34.0 0.0.0.255
Router(config)# ip nat inside source list 1 pool shared-pool vrf vpn1
Router(config)# interface gigabitethernet 0/0/1
Router(config-if)# ip vrf forwarding vpn1
Router(config-if)# ip address 192.168.34.1 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface gigabitethernet 0/0/0
Router(config-if)# ip vrf forwarding vpn1
Router(config-if)# ip address 172.31.232.182 255.255.255.240
Router(config-if)# ip nat outside
Router(config-if)# end
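The static and dynamic procedures above carry several constraints that the CLI does not always enforce at entry time: a match-in-vrf inside mapping needs a NAT outside interface in the same VRF, the match-in-vrf keyword is not accepted on outside source rules, a dynamic mapping's pool must exist, ip vrf forwarding must precede ip address on an interface, and two interfaces in one VRF cannot share an address. The following Python script is an added example, not Cisco tooling, that checks a batch of CLI lines against those rules before they are pasted into a router. STATIC_OK is built from the static example on this page; BROKEN is a hypothetical configuration constructed to trigger each check once.

```python
"""Lint IOS XE CLI lines against the match-in-vrf rules stated on this page.

Added example, not Cisco tooling. It reports a match-in-vrf inside mapping
with no ip nat outside interface in its VRF, match-in-vrf on an ip nat outside
source rule, a dynamic mapping whose pool is never defined, ip vrf forwarding
applied after ip address (the address is removed), and two interfaces in one
VRF sharing an address. Both sample configurations are constructed here.
"""
import re
from collections import defaultdict

GLOBAL = "global"  # label for interfaces that are not in any VRF
MAPPING = re.compile(r"ip nat (inside|outside) source (?:static|list) (.+)")


def parse(lines):
    """Split CLI lines (prompts allowed) into NAT mappings, pool names, interfaces."""
    mappings, pools, interfaces = [], set(), {}
    cur = None  # interface whose subcommands are being read
    for raw in lines:
        line = raw.split("#", 1)[1].strip() if "#" in raw else raw.strip()
        m = MAPPING.match(line)
        if line in ("", "configure terminal"):
            continue
        if line in ("exit", "end"):
            cur = None
        elif line.startswith("interface "):
            cur = line.split(None, 1)[1]
            interfaces[cur] = []
        elif cur is not None:
            interfaces[cur].append(line)
        elif line.startswith("ip nat pool "):
            pools.add(line.split()[3])
        elif m:
            words = m.group(2).split()
            after = {kw: words[words.index(kw) + 1] for kw in ("vrf", "pool") if kw in words}
            mappings.append({"dir": m.group(1), "vrf": after.get("vrf"), "pool": after.get("pool"),
                             "match_in_vrf": "match-in-vrf" in words, "text": line})
    return mappings, pools, interfaces


def lint(lines):
    """Return finding strings; an empty list means every check passed."""
    mappings, pools, interfaces = parse(lines)
    findings, outside_vrfs, owner = [], set(), defaultdict(dict)  # owner: vrf -> {addr: intf}
    for name, cmds in interfaces.items():
        vrf_pos = next((i for i, c in enumerate(cmds) if c.startswith("ip vrf forwarding ")), None)
        addr_pos = next((i for i, c in enumerate(cmds) if c.startswith("ip address ")), None)
        vrf = cmds[vrf_pos].split()[3] if vrf_pos is not None else GLOBAL
        if "ip nat outside" in cmds:
            outside_vrfs.add(vrf)
        if vrf_pos is not None and addr_pos is not None and addr_pos < vrf_pos:
            findings.append(f"{name}: ip vrf forwarding follows ip address; "
                            "the address is removed when the VRF is applied")
        if addr_pos is not None:
            addr = cmds[addr_pos].split()[2]
            if addr in owner[vrf]:
                findings.append(f"{name}: address {addr} already used by {owner[vrf][addr]} in VRF {vrf}")
            else:
                owner[vrf][addr] = name
    for m in mappings:
        if m["dir"] == "outside" and m["match_in_vrf"]:
            findings.append(f"{m['text']}: match-in-vrf is not accepted on outside source rules")
        if m["pool"] and m["pool"] not in pools:
            findings.append(f"{m['text']}: pool {m['pool']} is never defined with ip nat pool")
        if m["dir"] == "inside" and m["match_in_vrf"] and m["vrf"] not in outside_vrfs:
            findings.append(f"{m['text']}: no ip nat outside interface in VRF {m['vrf']}")
    return findings


# Constructed from the static example on this page (VRF applied before the address).
STATIC_OK = """
Router(config)# ip nat inside source static 10.10.10.1 172.16.131.1 vrf vrf1 match-in-vrf
Router(config)# interface gigabitethernet 0/0/1
Router(config-if)# ip vrf forwarding vrf1
Router(config-if)# ip address 10.114.11.39 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface gigabitethernet 0/0/0
Router(config-if)# ip vrf forwarding vrf1
Router(config-if)# ip address 172.31.232.182 255.255.255.240
Router(config-if)# ip nat outside
Router(config-if)# end
""".splitlines()

# Hypothetical configuration (constructed) containing one instance of each mistake.
BROKEN = """
ip nat inside source list 1 pool shared-pool vrf vrf1 match-in-vrf
ip nat outside source static 192.0.2.10 10.20.20.10 vrf vrf1 match-in-vrf
interface gigabitethernet 0/0/1
 ip address 172.31.232.182 255.255.255.240
 ip nat inside
 ip vrf forwarding vpn1
exit
interface gigabitethernet 0/0/0
 ip vrf forwarding vpn1
 ip address 172.31.232.182 255.255.255.240
 ip nat outside
end
""".splitlines()
```

Run lint(STATIC_OK) to confirm an empty list, and lint(BROKEN) to see the five findings. The parser strips a leading "Router(config)#"-style prompt so copied terminal sessions can be checked as-is; it does not cover interface descriptions that contain a "#" character.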

Additional References

Related Documents

Related Topic Document Title

Cisco IOS commands

Cisco IOS Master Commands List, All Releases

NAT commands

Cisco IOS IP Addressing Services Command Reference

NAT for IP Address Conservation

"Configuring NAT for IP Address Conservation" module

Standards and RFCs

Standard/RFC Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

--

MIBs

MIB MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

Technical Assistance

Description Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for Match-in-VRF Support for NAT

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for Match-in-VRF Support for NAT
Feature Name Releases Feature Information

Match-in-VRF Support for NAT

Cisco IOS XE Release 3.5S

The Match-in-VRF Support for NAT feature supports the NAT translation of packets that communicate between two hosts within the same VPN.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.