NAT with two outside interfaces

Hello Sing

Thanks for the details you included with your question. I don’t have a complete solution for you, but I can suggest some ways of helping to troubleshoot the problem.

I guess the first question is, how is your topology failing? If I understood correctly, the path NY12 -->PE1–>IGW–>ISP is working correctly, right? But you want to introduce an additional alternate path in case the connection between PE1 and IGW fails, and you want to route traffic through the MPLS network to PE2 and then to IGW…

So in PE1, when the path to IGW fails, what do you see in the PE1 device? How is it failing for each of your attempted solutions? One of the things that is helpful to remember in your particular case is the order of operations for NAT. This will play a fundamental role in how and when routing is actually employed and will affect the behavior of your network.

If this were a production network, I would do as you suggest and redesign it so that you remove some of the complexity by using only VPNv4 all the way.

Let us know some more info and we’ll do our best to help you out.

I hope this has been helpful!


Will this solution work in VRFs by adding the “vrf” keyword to the ip nat inside command or would you also need to use the match-in-vrf config as well? We need to deploy this solution using a single “external” VRF but it’s not clear to me whether we need to use match-in-vrf if we are NOT trying to use duplicate subnets in multiple VRFs.

The reason I’m asking about the match-in-vrf piece is because we’re trying to use interface overloading to set the NAT outside IP to the interface IP itself. However, when using match-in-vrf, one of the restrictions is that you cannot configure interface overloading and instead need to use another IP in the same subnet as the outside interface.

Hello William

NAT, by default on most modern Cisco platforms, is VRF-aware. This means that NAT is able to translate between local addresses in multiple VRFs and global address spaces. When this is done, you must specify VRF that your particular NAT translation is taking place in. Because IP addresses of the inside hosts may overlap with each other, when they are translated using VRF-aware NAT, communication between these hosts can take place because overlapped inside IP addresses are translated to globally unique addresses. That describes how NAT operates simply with the vrf keyword.

Now what match-in-vrf does is it extends VRF-aware NAT by supporting intra-VPN NAT, which means NAT translations can take place between two hosts within the same VRF instance. So essentially, when you use the match-in-vrf keyword, you are translating between two address spaces within the same VRF.

Based on what you described in your post, you want to NAT translate between two different VRFs, therefore you won’t need the match-in-vrf keyword.

More info about this feature can be found here:

Note also that all NAT commands that support VRF support the match-in-vrf keyword. Because NAT outside rules such as the ip nat outside source command support the match-in-VRF functionality by default, the match-in-vrf keyword is not supported by NAT outside rules.

I hope this has been helpful!


Thank you very much for this explanation. I previously read that document you provided on match-in-vrf but your explanation was much more clear than the document. We will proceed with configuring NAT with vrf-awareness but will forgo using the match-in-vrf, as all of our NAT communications will be occurring as we leave our network toward the internet.

Thanks again.

1 Like

lets say I ping, it works on both interfaces, however when I ping with a source
ping source vlan 1 it doenst work, so there is a problem with nating

I have configured router for wan and cellular failover and everything seems to work fine, however becuase of these commands, it doenst work properly.

NAT(config)#ip nat inside source route-map ISP1 int fa 0/1 overload  
NAT(config)#ip nat inside source route-map ISP2 int fa 1/0 overload 

once you change it to a standard one
ip nat inside source list 1 interface gi0/0 overload all is working fine, but I lost failover.

is there a way to make it work ?

Hello Maksym

Hmm, that’s interesting. You say that you changed the source of the ping to VLAN 1, however, where is the switch in this case? Are you applying the NAT config to a layer 3 switch and attempting to ping from VLAN1? Please give us some more information about your particular toplogy, so that we can help you further.

I hope this has been helpful!


There is no switch. just a router
just using the local vlan1(the only vlan configured on the router)
also PCs that are directly connected to the router cannot browse the internet

Hello Maksym

Based on your description, it looks like you have a good approach to the requirements, however, you should keep the following in mind:

  1. From my understanding, you want all traffic to go out the WAN connection, and the cellular connection should only be used as a backup, right? If that is the case, then you will need a mechanism to do this switchover whenever a failure in the WAN is detected. This can be achieved using an IP SLA similar to the following lesson:
  1. Even with the IP SLA, since you are using NAT you must configure NAT for two external interfaces, as you have done. In order to determine the possible problems in your config, we would need to see more of your configuration and your topology including the route maps as well as any ACLs you’ve configured, and the internal subnets that are being translated. You may also find it helpful to issue some of the debug commands as shown in the lesson to see if the problem is due to translation.

Just one more note concerning our conversation. Routers don’t have VLANs, but switches do. That’s why when you mentioned VLAN1, I assumed a switch was involved. The only situation in which you may have VLANs configured is in a “router on a stick” topology, and even then, you’re not really creating VLANs, but just subinterfaces on different subnets.

Let us know some more info so we can help you further in your troubleshooting.

I hope this has been helpful!