Static NAT-Inside-VRF Configuration

To configure static NAT-inside-VRF for this discussion:

1. On VRF Alpha-Group, configure interface VLAN 10, IP address 192.168.10.1/24 for IP NAT inside using the ip nat inside command in interface configuration mode. This assures that any packet with a source IP addressteps of 192.168.10.1/24 will be considered for network address translation on this system.
2. On VRF Internet-Access, configure interface VLAN 5, IP address 134.141.94.100/24 for IP NAT outside using the ip nat outside command in interface configuration mode. This assures that any packet egressing the system on IP subnet 134.141.94.100/24 will be considered for network address translation.
3. On VRF Internet-Access, configure the NAT static rule specifying 192.168.10.15 (VLAN 10) as the inside source address and 134.141.94.1 (VLAN 5) as the outside source address, and VRF Alpha-Group as the inside VRF. This assures that any packet that has been considered for network address translation, with an IP source address of 192.168.10.15 on an interface configured for NAT inside, and belongs to VRF Alpha-Group will be NATed. The IP source address will be changed to 134.141.94.110.

Packet A is received on VLAN 10, IP address 192.168.10.15. The VRF Alpha-Group routing table determines that 134.141.94.110 on VLAN 5 is the next hop for this route. Because the receive interface is configured for inside NAT and the destination interface is configured for outside NAT, the NAT process considers Packet A for network address translation.

The static rule “ip nat inside source static 192.168.10.15 134.141.94.110 inside-vrf Alpha-Group” results in the source address for Packet A being changed from 192.168.10.15 to 134.141.94.110 and is routed to the next hop router out interface VLAN 5.

When Packet B from IP source address 66.249.81.104 is received on IP interface 134.141.94.100, because the receiving interface is configured as NAT outside, the interface is checked against NAT global addresses, and the IP destination for packet B is changed to its original source IP address: 192.168.10.15.

System(su)->router Alpha-Group
System(su-*ha-Group)->configure
System(su-*ha-Group-config)->interface vlan 10
System(su-*ha-Group-config-intf-vlan.0.10)->ip address 192.168.10.1/24
System(su-*ha-Group-config-intf-vlan.0.10)->ip nat inside
System(su-*ha-Group-config-intf-vlan.0.10)->exit
System(su-*ha-Group-config)->exit
System(su-*ha-Group)->exit
System(su)->router Internet-Access
System(su-*t-Access)->configure
System(su-*t-Access-config)->interface vlan 5
System(su-*t-Access-config-intf-vlan.0.5)->ip address 134.141.94.100/24
System(su-*t-Access-config-intf-vlan.0.5)->ip nat outside
System(su-*t-Access-config-intf-vlan.0.5)->exit
System(su-*t-Access-config)->ip nat inside source static 192.168.10.15 134.141.94.110 inside-vrf Alpha-Group