In the following post I will show how to configure
source and destination NAT with VRF-aware on HPE MSR router series.
I'm going to use the following topology:
Now let's define the goals – Let's say the we have an
internal LAN (192.168.22.0/24) which need to reach some services/servers on remote
network (192.168.12.0/24) and, for some reason, we can't install the remote
network on our routing table in our LAN, and all of course with VRF-aware.
So here I'm using a virtual IP address 2.2.2.2/32,
which will represent remote network server IP address (192.168.12.1 – SW12), so
all clients from LAN network (192.168.22.1 – SW22) will be pointed to 2.2.2.2.
|
IP Address
|
NAT Translation
|
NAT Direction
|
|
2.2.2.2/32
|
192.168.12.1
|
Inbound
|
|
192.168.22.0/24
|
10.20.0.2
|
Outbound
|
So, whenever a client, from the internal LAN
(192.168.22.0/24), will send packet to IP address 2.2.2.2, his source IP
address will be translated to 10.20.0.2 (RTR2 WAN interface) and the
destination will be translated to 192.168.12.1 (SW12).
And again, all configuration will be VRF-aware perspective.
RTR2 Basic Configuration:
|
sysname RTR2
#
ip
vpn-instance V20
route-distinguisher 1:20
#
interface
GigabitEthernet0/0
port link-mode route
combo enable copper
#
interface
GigabitEthernet0/0.20
ip binding vpn-instance V20
ip address 10.20.0.2 255.255.255.252
vlan-type dot1q vid 20
#
interface
GigabitEthernet0/2
port link-mode route
combo enable copper
ip binding vpn-instance V20
ip address 192.168.22.254 255.255.255.0
#
ip
route-static vpn-instance V20 0.0.0.0 0 GigabitEthernet0/0.20 10.20.0.1
|
Here we will need to use inbound NAT in order to
translate the destination IP address and outbound NAT in order to translate the
source IP address.
Configure basic ACL for outbound NAT:
|
acl
basic 2000
rule 0 permit vpn-instance V20 source
192.168.22.0 0.0.0.255
|
Configure advanced ACL for inbound NAT:
|
acl
advanced 3000
rule 10 permit icmp vpn-instance V20 source
192.168.22.0 0.0.0.255 destination 2.2.2.2 0
rule 15 permit ip vpn-instance V20 source
192.168.22.0 0.0.0.255 destination 2.2.2.2 0
|
Note that on advanced ACL we need to specify the
protocol.
Next configure NAT address group:
|
nat
address-group 1
address 10.20.0.2 10.20.0.2
|
NAT address group is single or range of IP's that we
set as NAT result (source or destination).
On interface GigabitEthernet0/0.20 (RTR2 WAN
interface) we will configure the outbound NAT, where internal LAN IP address
(192.168.22.0/24) will be translated to 10.20.0.2:
|
interface
GigabitEthernet0/0.20
ip binding vpn-instance V20
ip address 10.20.0.2 255.255.255.252
nat outbound 2000 address-group 1 vpn-instance V20
vlan-type dot1q vid 20
|
On interface GigabitEthernet0/2 (RTR2 LAN interface)
we will configure the inbound NAT, where internal remote IP address (2.2.2.2)
will be translated to real outside remote IP address (192.168.12.1):
|
interface
GigabitEthernet0/2
port link-mode route
combo enable copper
ip binding vpn-instance V20
ip address 192.168.22.254 255.255.255.0
nat server global 3000 inside 192.168.12.1 vpn-instance V20
|
Each packet, with source IP address 192.168.22.0/24,
which destinated to 2.2.2.2 (refer to ACL 3000 configuration) will be
translated to 192.168.12.1.
Last step is to configure static route for the
virtual IP address (2.2.2.2):
|
ip
route-static vpn-instance V20 2.2.2.2 32 GigabitEthernet0/0.20 10.20.0.1
|
Sending ping, from SW22 to SW12 will have the
following result:
This is a packet capture on RTR1 – interface GigabitEthernet0/0
No comments:
Post a Comment