Dynamic NAT-Inside-VRF Configuration

To configure dynamic NAT-inside-VRF for this discussion:

  1. On VRF Alpha-Group, configure interface VLAN 10, IP address 192.168.10.1/24 for IP NAT inside using the ip nat inside command in interface configuration mode. This ensures that any packet from the IP subnet 192.168.10.1/24 will be considered for network address translation on this system.
  2. On VRF Internet-Access, configure interface VLAN 5, IP address 134.141.94.100/24 for IP NAT outside using the ip nat outside command in interface configuration mode. This ensures that any packet egressing the system on any member of IP subnet 134.141.94.100/24 will be considered for network address translation.
  3. On VRF Internet-Access, configure a standard access-list named dynamic-nat with a permit host 192.168.10.15 entry.
  4. On VRF Internet-Access, configure an IP NAT pool named internet-out containing outside address range 134.141.94.121 to 134.141.94.129.
  5. On VRF Internet-Access, configure an IP NAT inside source list with the inside access-list dynamic-nat and outside address pool internet-out, specifying Alpha-Group as the inside VRF.

Packet A is received on VLAN 10, IP address 192.168.10.15. The VRF Alpha-Group routing table determines that 134.141.94.104 on VLAN 5 is the next hop for this route. Because the receive interface is configured for inside NAT and the destination interface is configured for outside NAT, the NAT process considers Packet A for network address translation.

The inside source list, configured in step 5 above, ensures that a packet being considered for network address translation will be NATed when its IP source address matches a dynamic-nat access-list permit clause, it was received on an interface configured for NAT inside, and it belongs to VRF Alpha-Group. In this case, the IP source address will be changed to a dynamically selected address from NAT pool internet-out.

When Packet B from IP source address 66.249.81.104 is received on IP interface 134.141.94.100, because the receiving interface is configured as NAT outside, the interface is checked against NAT global addresses, and the IP destination for Packet B is changed to its original source IP address: 192.168.10.15.

System(su)->router Alpha-Group
System(su-*ha-Group)->configure
System(su-*ha-Group-config)->interface vlan 10
System(su-*ha-Group-config-intf-vlan.0.10)->ip address 192.168.10.1/24
System(su-*ha-Group-config-intf-vlan.0.10)->ip nat inside
System(su-*ha-Group-config-intf-vlan.0.10)->exit
System(su-*ha-Group-config)->exit
System(su-*ha-Group)->exit
System(su)->router Internet-Access
System(su-*t-Access)->configure
System(su-*t-Access-config)->interface vlan 5
System(su-*t-Access-config-intf-vlan.0.5)->ip address 134.141.94.100/24
System(su-*t-Access-config-intf-vlan.0.5)->ip nat outside
System(su-*t-Access-config-intf-vlan.0.5)->exit
System(su-*t-Access-config)->ip access-list standard dynamic-nat
System(su-*t-Access-cfg-std-acl-dyna*-nat)->permit host 192.168.10.15
System(su-*t-Access-cfg-std-acl-dyna*-nat)->exit
System(su-*t-Access-config)->ip nat pool internet-out 134.141.94.121 134.141.94.129
System(su-*t-Access-config)->ip nat inside source list dynamic-nat pool internet-out inside-vrf Alpha-Group
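
The translation decisions described above for Packet A and Packet B, as an added example in Python that is not part of the original configuration guide or the device's own implementation. It is a simplified model that assumes address-only translation, no binding timeouts, and allocation of the lowest free pool address; the class and function names are hypothetical.

```python
import ipaddress

# Values taken from the configuration on this page.
INSIDE_VRF = "Alpha-Group"
ACL_DYNAMIC_NAT = {ipaddress.ip_address("192.168.10.15")}  # permit host entries
POOL_FIRST = ipaddress.ip_address("134.141.94.121")
POOL_LAST = ipaddress.ip_address("134.141.94.129")


class DynamicNat:
    """Simplified model (assumption): address-only NAT, no timeouts."""

    def __init__(self):
        count = int(POOL_LAST) - int(POOL_FIRST) + 1
        self.free = [POOL_FIRST + i for i in range(count)]
        self.by_local = {}   # inside local address -> pool address
        self.by_global = {}  # pool address -> inside local address

    def outbound(self, vrf, rx_nat, tx_nat, src):
        """Return the source address the packet leaves the system with."""
        src = ipaddress.ip_address(src)
        eligible = (vrf == INSIDE_VRF and rx_nat == "inside"
                    and tx_nat == "outside" and src in ACL_DYNAMIC_NAT)
        if not eligible:
            return str(src)              # forwarded untranslated
        if src not in self.by_local:
            if not self.free:
                raise RuntimeError("NAT pool internet-out exhausted")
            pool_addr = self.free.pop(0)  # assumption: lowest free address
            self.by_local[src] = pool_addr
            self.by_global[pool_addr] = src
        return str(self.by_local[src])

    def inbound(self, rx_nat, dst):
        """Return the destination address after reverse translation."""
        dst = ipaddress.ip_address(dst)
        if rx_nat == "outside" and dst in self.by_global:
            return str(self.by_global[dst])
        return str(dst)                  # no binding exists: left unchanged


def demo():
    nat = DynamicNat()
    # Packet A: permitted host, inside -> outside, VRF Alpha-Group.
    a = nat.outbound("Alpha-Group", "inside", "outside", "192.168.10.15")
    # Same VRF and interfaces, but the host is not in access-list dynamic-nat.
    other = nat.outbound("Alpha-Group", "inside", "outside", "192.168.10.16")
    # Packet B: reply arriving on the outside interface for Packet A's binding.
    b = nat.inbound("outside", a)
    # Unsolicited packet to a pool address that has no binding.
    stray = nat.inbound("outside", "134.141.94.125")
    return a, other, b, stray
```

In this model only 192.168.10.15 ever receives a pool address, and an outside packet is rewritten toward the inside only while a binding for its destination exists.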