Thursday, May 9, 2019

HPE Comware MSR router source/destination VRF-aware NAT


In this post I will show how to configure VRF-aware source and destination NAT on the HPE MSR router series.

I'm going to use the following topology:



Now let's define the goals. Let's say we have an internal LAN (192.168.22.0/24) which needs to reach some services/servers on a remote network (192.168.12.0/24) and, for some reason, we can't install the remote network in the routing table of our LAN; and all of this, of course, has to be VRF-aware.

So here I'm using a virtual IP address, 2.2.2.2/32, which will represent the remote server IP address (192.168.12.1 – SW12), so all clients on the LAN network (192.168.22.1 – SW22) will be pointed at 2.2.2.2.

IP Address         NAT Translation    NAT Direction
2.2.2.2/32         192.168.12.1       Inbound
192.168.22.0/24    10.20.0.2          Outbound

So, whenever a client from the internal LAN (192.168.22.0/24) sends a packet to IP address 2.2.2.2, its source IP address will be translated to 10.20.0.2 (the RTR2 WAN interface) and the destination will be translated to 192.168.12.1 (SW12).

And again, all configuration will be done from a VRF-aware perspective.

RTR2 Basic Configuration:

 sysname RTR2
#
ip vpn-instance V20
 route-distinguisher 1:20
#
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
#
interface GigabitEthernet0/0.20
 ip binding vpn-instance V20
 ip address 10.20.0.2 255.255.255.252
 vlan-type dot1q vid 20
#
interface GigabitEthernet0/2
 port link-mode route
 combo enable copper
 ip binding vpn-instance V20
 ip address 192.168.22.254 255.255.255.0
#
ip route-static vpn-instance V20 0.0.0.0 0 GigabitEthernet0/0.20 10.20.0.1

Here we will need to use inbound NAT to translate the destination IP address and outbound NAT to translate the source IP address.

Configure a basic ACL for the outbound NAT:

acl basic 2000
 rule 0 permit vpn-instance V20 source 192.168.22.0 0.0.0.255

Configure an advanced ACL for the inbound NAT:

acl advanced 3000
 rule 10 permit icmp vpn-instance V20 source 192.168.22.0 0.0.0.255 destination 2.2.2.2 0
 rule 15 permit ip vpn-instance V20 source 192.168.22.0 0.0.0.255 destination 2.2.2.2 0

Note that in an advanced ACL we need to specify the protocol.

Next, configure the NAT address group:

nat address-group 1
 address 10.20.0.2 10.20.0.2

A NAT address group is a single IP or a range of IPs that we set as the NAT result (source or destination).

On interface GigabitEthernet0/0.20 (the RTR2 WAN interface) we will configure the outbound NAT, where the internal LAN IP addresses (192.168.22.0/24) will be translated to 10.20.0.2:

interface GigabitEthernet0/0.20
 ip binding vpn-instance V20
 ip address 10.20.0.2 255.255.255.252
 nat outbound 2000 address-group 1 vpn-instance V20
 vlan-type dot1q vid 20

On interface GigabitEthernet0/2 (the RTR2 LAN interface) we will configure the inbound NAT, where the internal virtual IP address (2.2.2.2) will be translated to the real remote IP address (192.168.12.1):

interface GigabitEthernet0/2
 port link-mode route
 combo enable copper
 ip binding vpn-instance V20
 ip address 192.168.22.254 255.255.255.0
 nat server global 3000 inside 192.168.12.1 vpn-instance V20

Each packet with a source IP address in 192.168.22.0/24 that is destined to 2.2.2.2 (see the ACL 3000 configuration) will have its destination translated to 192.168.12.1.

The last step is to configure a static route for the virtual IP address (2.2.2.2):

ip route-static vpn-instance V20 2.2.2.2 32 GigabitEthernet0/0.20 10.20.0.1
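To make the two translation steps above (destination NAT via nat server on GigabitEthernet0/2, then source NAT via nat outbound on GigabitEthernet0/0.20) easy to reason about, here is an added Python model of the packet walk. It is example code written for this post, not Comware's implementation: it models Comware wildcard-mask ACL matching, first-match-wins with implicit deny, the vpn-instance keyword, and the assumed order in which the inbound interface's destination NAT runs before the outbound interface's source NAT. The Packet and Rule classes, the function names and the sample packets are all constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    vpn: str    # VPN instance (VRF) the packet was received in
    proto: str  # 'icmp', 'tcp', 'udp', ...
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    action: str                     # 'permit' or 'deny'
    vpn: Optional[str]              # 'vpn-instance V20' keyword; None = any VRF
    proto: Optional[str]            # None for a basic ACL; 'ip' matches any protocol
    src: Tuple[str, str]            # (address, wildcard) as written in the ACL rule
    dst: Optional[Tuple[str, str]]  # None for a basic ACL (no destination field)


def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """Comware wildcard mask: bits set to 1 are 'don't care' (0.0.0.255 = /24, 0 = exact host)."""
    ip_i = int(ipaddress.IPv4Address(ip))
    base_i = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (ip_i & care) == (base_i & care)


def acl_permits(rules: List[Rule], pkt: Packet) -> bool:
    """First matching rule wins; no match means the NAT rule does not apply."""
    for r in rules:
        if r.vpn is not None and r.vpn != pkt.vpn:
            continue
        if r.proto is not None and r.proto not in ("ip", pkt.proto):
            continue
        if not wildcard_match(pkt.src, *r.src):
            continue
        if r.dst is not None and not wildcard_match(pkt.dst, *r.dst):
            continue
        return r.action == "permit"
    return False


# acl basic 2000 / rule 0 permit vpn-instance V20 source 192.168.22.0 0.0.0.255
ACL_2000 = [Rule("permit", "V20", None, ("192.168.22.0", "0.0.0.255"), None)]

# acl advanced 3000: 'destination 2.2.2.2 0' is the wildcard 0, written out as 0.0.0.0
ACL_3000 = [
    Rule("permit", "V20", "icmp", ("192.168.22.0", "0.0.0.255"), ("2.2.2.2", "0.0.0.0")),
    Rule("permit", "V20", "ip", ("192.168.22.0", "0.0.0.255"), ("2.2.2.2", "0.0.0.0")),
]

# nat address-group 1 / address 10.20.0.2 10.20.0.2 (a one-address range)
NAT_ADDRESS_GROUP_1 = ["10.20.0.2"]


def gi0_2_nat_server(pkt: Packet) -> Packet:
    """Inbound on GigabitEthernet0/2:
    nat server global 3000 inside 192.168.12.1 vpn-instance V20
    Destination NAT: packets permitted by ACL 3000 get their destination rewritten."""
    if pkt.vpn == "V20" and acl_permits(ACL_3000, pkt):
        return replace(pkt, dst="192.168.12.1")
    return pkt


def gi0_0_20_nat_outbound(pkt: Packet) -> Packet:
    """Outbound on GigabitEthernet0/0.20:
    nat outbound 2000 address-group 1 vpn-instance V20
    Source NAT: packets permitted by ACL 2000 get their source rewritten to the group address."""
    if pkt.vpn == "V20" and acl_permits(ACL_2000, pkt):
        return replace(pkt, src=NAT_ADDRESS_GROUP_1[0])
    return pkt


def lan_to_wan(pkt: Packet) -> Packet:
    """Walk a LAN-originated packet through RTR2: ingress NAT on Gi0/2, then egress NAT on Gi0/0.20.
    Assumption of this model: destination NAT on the inbound interface runs before source NAT."""
    return gi0_0_20_nat_outbound(gi0_2_nat_server(pkt))


if __name__ == "__main__":
    # Constructed sample packets, not captured traffic
    samples = [
        Packet("V20", "icmp", "192.168.22.1", "2.2.2.2"),  # SW22 ping to the virtual IP
        Packet("V20", "tcp", "192.168.22.7", "2.2.2.2"),   # any IP protocol also hits rule 15
        Packet("V20", "icmp", "192.168.22.1", "8.8.8.8"),  # not the virtual IP: source NAT only
        Packet("V30", "icmp", "192.168.22.1", "2.2.2.2"),  # other VRF: neither NAT rule matches
    ]
    for p in samples:
        out = lan_to_wan(p)
        print(f"[{p.vpn}/{p.proto}] {p.src} -> {p.dst}  becomes  {out.src} -> {out.dst}")
```

Running the model shows the behaviour the post describes: the SW22 ping to 2.2.2.2 leaves Gi0/0.20 as 10.20.0.2 -> 192.168.12.1, a packet to any other destination only gets its source translated, and a packet arriving in a different vpn-instance is left untouched by both rules. It also makes visible that rule 15 (protocol ip) already covers ICMP, so rule 10 only matters if you later want to treat ICMP differently from other protocols.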

Sending a ping from SW22 to SW12 gives the following result:


This is a packet capture on RTR1 – interface GigabitEthernet0/0: