I would like to forward SSH from my cable modem interface to an internal box in a different VRF, but this for some reason is only possible using static IP addresses. The global IP address in the NAT statement must be a static one to be able to also include a VRF reference.
This is what I would like to add:
ip nat source static tcp 10.0.0.11 22 interface Vlan6 22 vrf private extendable
However, neither “vrf” nor “extendable” is allowed after “interface” has been entered.
Yet, if Vlan6 has the IP address 192.0.2.123 from DHCP, I can add the following static NAT entry and it works as one would expect:
ip nat source static tcp 10.0.0.11 22 192.0.2.123 22 vrf private extendable
I don’t see why it wouldn’t be possible to add the VRF to an entry that uses an interface reference for the global IP address.
I’ve hopefully picked all the relevant parts of the configuration, for anyone wanting to form a better picture of the setup the above fits into. The setup has two Internet connections: cable and DSL. The DSL connection (ATM0.1) has a server network (Vlan2) routed over it. The private network (Vlan3) uses the cable connection (Vlan6) for accessing the Internet, except for the server network (for fast local access).
!            +----------+
!  Cable     |          |      DSL
!  Vlan6 >---+  ROUTER  +---<  ATM0.1
!  DHCP      |          |      198.51.100.2/30
!            +--+----+--+
!               |    |
!               |    |
!     ~~~~~~~~~~+    +~~~~~~~~~~
!     Private              Servers
!     Vlan3                Vlan2
!     10.0.0.1/24          203.0.113.1/24
vrf definition cable
 rd 65111:60
 route-target export 65111:30
 route-target import 65111:60
 !
 address-family ipv4
 exit-address-family
!
vrf definition dsl
 rd 65111:20
 route-target export 65111:30
 route-target import 65111:20
 !
 address-family ipv4
 exit-address-family
!
vrf definition private
 rd 65111:30
 route-target export 65111:20
 route-target export 65111:60
 route-target import 65111:30
 !
 address-family ipv4
 exit-address-family
!
interface Loopback0
 vrf forwarding private
 ip address 10.0.255.1 255.255.255.255
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 mtu 1500
 vrf forwarding dsl
 ip address 198.51.100.2 255.255.255.252
 atm route-bridged ip
 pvc 0/33
  encapsulation aal5snap
 !
!
ip route vrf dsl 0.0.0.0 0.0.0.0 198.51.100.1
interface Vlan2
 vrf forwarding dsl
 ip address 203.0.113.1 255.255.255.0
!
interface Vlan3
 vrf forwarding private
 ip address 10.0.0.1 255.255.255.0
 ip nat enable
!
interface Vlan6
 vrf forwarding cable
 ip address dhcp
 ip nat enable
!
ip access-list standard nat-private
 permit 10.0.0.0 0.255.255.255
!
route-map nat-cable permit 10
 match ip address nat-private
 match interface Vlan6
!
ip nat source route-map nat-cable interface Vlan6 vrf private overload
router bgp 65111
 bgp router-id 10.0.255.1
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf cable
  redistribute connected
  redistribute static
  default-information originate
 exit-address-family
 !
 address-family ipv4 vrf dsl
  network 203.0.113.0 mask 255.255.255.0
 exit-address-family
 !
 address-family ipv4 vrf private
  network 10.0.0.0 mask 255.255.255.0
  network 10.0.255.1 mask 255.255.255.255
 exit-address-family
!
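As an added example (not part of the question above, and not IOS's own grammar), a small parser for the two forms of the `ip nat source static` line quoted in the question that inventories which inside host and port is published on which global address or interface, and from which VRF; this is the kind of exposure listing a reviewer wants before a port-forward for SSH goes live. The regex models only the command forms shown on this page.

```python
import re

# Matches the two forms quoted in the question: the global side is either an
# IP address or "interface <name>", optionally followed by "vrf <name>" and
# "extendable".  Added illustration only; it models just the forms on the page.
NAT_STATIC = re.compile(
    r"^ip nat source static (?P<proto>tcp|udp) "
    r"(?P<inside>\d+\.\d+\.\d+\.\d+) (?P<inside_port>\d+) "
    r"(?:interface (?P<iface>\S+)|(?P<global>\d+\.\d+\.\d+\.\d+)) (?P<global_port>\d+)"
    r"(?: vrf (?P<vrf>\S+))?(?P<extendable> extendable)?$"
)


def parse_static_nat(line):
    """Return a dict describing one static port-forward, or None if the line
    is not an 'ip nat source static' entry (e.g. the route-map overload line)."""
    m = NAT_STATIC.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "proto": d["proto"],
        "inside": (d["inside"], int(d["inside_port"])),
        "global": d["iface"] or d["global"],  # interface name or IP address
        "global_port": int(d["global_port"]),
        "vrf": d["vrf"],                      # None means the global table
        "extendable": d["extendable"] is not None,
    }


def exposure_report(config_lines):
    """One human-readable row per inside service reachable from the outside."""
    report = []
    for line in config_lines:
        entry = parse_static_nat(line)
        if entry:
            report.append(
                f"{entry['inside'][0]}:{entry['inside'][1]}/{entry['proto']} "
                f"(vrf {entry['vrf'] or 'global'}) -> "
                f"{entry['global']}:{entry['global_port']}"
            )
    return report


# Constructed sample: the two static NAT lines from the question plus the
# existing overload line, which the parser must ignore.
SAMPLE = [
    "ip nat source static tcp 10.0.0.11 22 interface Vlan6 22 vrf private extendable",
    "ip nat source static tcp 10.0.0.11 22 192.0.2.123 22 vrf private extendable",
    "ip nat source route-map nat-cable interface Vlan6 vrf private overload",
]

if __name__ == "__main__":
    for row in exposure_report(SAMPLE):
        print(row)
```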