Thanks for the details you included with your question. I don’t have a complete solution for you, but I can suggest some ways of helping to troubleshoot the problem.
I guess the first question is, how is your topology failing? If I understood correctly, the path NY12 -->PE1–>IGW–>ISP is working correctly, right? But you want to introduce an additional alternate path in case the connection between PE1 and IGW fails, and you want to route traffic through the MPLS network to PE2 and then to IGW…
So in PE1, when the path to IGW fails, what do you see in the PE1 device? How is it failing for each of your attempted solutions? One of the things that is helpful to remember in your particular case is the order of operations for NAT. This will play a fundamental role in how and when routing is actually employed and will affect the behavior of your network.
If this were a production network, I would do as you suggest and redesign it so that you remove some of the complexity by using only VPNv4 all the way.
Let us know some more info and we’ll do our best to help you out.
Will this solution work in VRFs by adding the “vrf” keyword to the ip nat inside command or would you also need to use the match-in-vrf config as well? We need to deploy this solution using a single “external” VRF but it’s not clear to me whether we need to use match-in-vrf if we are NOT trying to use duplicate subnets in multiple VRFs.
The reason I’m asking about the match-in-vrf piece is because we’re trying to use interface overloading to set the NAT outside IP to the interface IP itself. However, when using match-in-vrf, one of the restrictions is that you cannot configure interface overloading and instead need to use another IP in the same subnet as the outside interface.
NAT, by default on most modern Cisco platforms, is VRF-aware. This means that NAT is able to translate between local addresses in multiple VRFs and global address spaces. When this is done, you must specify VRF that your particular NAT translation is taking place in. Because IP addresses of the inside hosts may overlap with each other, when they are translated using VRF-aware NAT, communication between these hosts can take place because overlapped inside IP addresses are translated to globally unique addresses. That describes how NAT operates simply with the vrf keyword.
Now what match-in-vrf does is it extends VRF-aware NAT by supporting intra-VPN NAT, which means NAT translations can take place between two hosts within the same VRF instance. So essentially, when you use the match-in-vrf keyword, you are translating between two address spaces within the same VRF.
Based on what you described in your post, you want to NAT translate between two different VRFs, therefore you won’t need the match-in-vrf keyword.
More info about this feature can be found here:
Note also that all NAT commands that support VRF support the match-in-vrf keyword. Because NAT outside rules such as the ip nat outside source command support the match-in-VRF functionality by default, the match-in-vrf keyword is not supported by NAT outside rules.
Thank you very much for this explanation. I previously read that document you provided on match-in-vrf but your explanation was much more clear than the document. We will proceed with configuring NAT with vrf-awareness but will forgo using the match-in-vrf, as all of our NAT communications will be occurring as we leave our network toward the internet.
lets say I ping 8.8.8.8, it works on both interfaces, however when I ping with a source
ping 8.8.8.8 source vlan 1 it doenst work, so there is a problem with nating
I have configured router for wan and cellular failover and everything seems to work fine, however becuase of these commands, it doenst work properly.
NAT(config)#ip nat inside source route-map ISP1 int fa 0/1 overload
NAT(config)#ip nat inside source route-map ISP2 int fa 1/0 overload
once you change it to a standard one ip nat inside source list 1 interface gi0/0 overload all is working fine, but I lost failover.
Hmm, that’s interesting. You say that you changed the source of the ping to VLAN 1, however, where is the switch in this case? Are you applying the NAT config to a layer 3 switch and attempting to ping from VLAN1? Please give us some more information about your particular toplogy, so that we can help you further.