Routing Internet Traffic Through a Separate NAT Device

In this example, the CE router does not perform NAT. It sends both VPN and Internet traffic over the same interface to the PE router. The PE router is connected to a NAT device by means of two interfaces. One interface is configured in the PE router’s VRF table and points to a VPN interface on the NAT device, which can route Internet traffic for the VPN. The other interface is in a default instance; for example, it is part of the public routing table inet.0. There can be a single physical connection between the PE router and the NAT device carrying multiple logical connections: one for each VRF table, and another interface that is part of the global routing table (see Figure 42).

Figure 42: Internet Traffic Routed Through a Separate NAT Device

This example’s topology expands upon that illustrated in Routing VPN and Internet Traffic Through Different Interfaces. The CE router sends both VPN and Internet traffic to Router PE1. VPN traffic is routed based on the VPN routes received by Router PE1. Traffic for everything else is sent to the NAT device using Router PE1’s private interface to the NAT device, which then translates the private addresses and sends the traffic back to Router PE1 using that router’s public interface (see Figure 43).

Figure 43: Internet Traffic Routed Through a NAT Example Topology

The following sections show how to route Internet traffic through a separate NAT device:

Configuring Interfaces on Router PE1

Configure an interface for VPN traffic to and from Router CE1, an interface for VPN traffic to and from the NAT device, and an interface for Internet traffic to and from the NAT device:

[edit]
interfaces {
    t3-0/2/0 {
        dce;
        encapsulation frame-relay;
        unit 0 {
            description "to CE1 VPN interface";
            dlci 10;
            family inet {
                address 192.168.197.13/30;
            }
        }
    }
    at-1/3/1 {
        atm-options {
            vpi 1 maximum-vcs 255;
        }
        unit 0 {
            description "to NAT VPN interface";
            vci 1.100;
            family inet {
                address 10.23.0.2/32 {
                    destination 10.23.0.1;
                }
            }
        }
        unit 1 {
            description "to NAT public interface";
            vci 1.101;
            family inet {
                address 10.23.0.6/32 {
                    destination 10.23.0.5;
                }
            }
        }
    }
}

Configuring Routing Options for Router PE1

Configure a static route on Router PE1 to direct Internet traffic to the CE router through the NAT device. Router PE1 distributes this route to the Internet.

[edit]
routing-options {
    static {
        route 10.12.1.0/24 next-hop 10.23.0.5;
    }
}

Configuring Routing Protocols on Router PE1

Configure MPLS, BGP, IS-IS, and LDP on Router PE1. For the MPLS configuration, include the NAT device’s VPN interface in the VRF table. As part of the BGP configuration, include a policy to advertise the public IP address pool:

[edit]
protocols {
    mpls {
        interface t3-0/2/0.0;
        interface at-1/3/1.0;
    }
    bgp {
        group pe-pe {
            type internal;
            local-address 10.255.14.171;
            family inet {
                any;
            }
            family inet-vpn {
                any;
            }
            export [ fix-nh redist-static ];
            neighbor 10.255.14.177;
            neighbor 10.255.14.173;
        }
    }
    isis {
        level 1 disable;
        interface so-0/0/0.0;
        interface lo0.0;
    }
    ldp {
        interface so-0/0/0.0;
    }
}

Configuring a Routing Instance for Router PE1

Configure a routing instance on Router PE1. As part of the routing instance configuration, under routing-options, configure a static default route in vpna.inet.0 pointing to the NAT device’s VPN interface (this directs all non-VPN traffic to the NAT device):

[edit]
routing-instances {
    vpna {
        instance-type vrf;
        interface t3-0/2/0.0;
        interface at-1/3/1.0;
        route-distinguisher 10.255.14.171:100;
        vrf-import vpna-import;
        vrf-export vpna-export;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.23.0.1;
            }
        }
        protocols {
            bgp {
                group to-CE1 {
                    peer-as 63001;
                    neighbor 192.168.197.14;
                }
            }
        }
    }
}
policy-options {
    policy-statement fix-nh {
        then {
            next-hop self;
        }
    }
    policy-statement redist-static {
        term a {
            from {
                protocol static;
                route-filter 10.12.1.0/24 exact;
            }
            then accept;
        }
        term b {
            from protocol bgp;
            then accept;
        }
        term c {
            then accept;
        }
    }
    policy-statement vpna-import {
        term a {
            from {
                protocol bgp;
                community vpna-comm;
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
    policy-statement vpna-export {
        term a {
            from protocol bgp;
            then {
                community add vpna-comm;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    community vpna-comm members target:63000:100;
}
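
The forwarding behavior this configuration produces can be traced with a small model (an added example, not part of the original documentation). The tables mirror the interface, static-route and routing-instance statements above; the 10.50.0.0/16 VPN route and the 203.0.113.0/24 Internet route are constructed samples, and the ingress-to-table mapping covers plain IP packets only.

```python
import ipaddress

# Tables modeled from the PE1 configuration on this page. Entries marked
# "constructed" are sample routes standing in for BGP-learned state.
TABLES = {
    "vpna.inet.0": [
        ("192.168.197.12/30", "t3-0/2/0.0"),   # direct, link to CE1
        ("10.23.0.1/32", "at-1/3/1.0"),        # direct, NAT VPN interface
        ("0.0.0.0/0", "at-1/3/1.0"),           # static next-hop 10.23.0.1
        ("10.50.0.0/16", "so-0/0/0.0"),        # constructed remote VPN route
    ],
    "inet.0": [
        ("10.23.0.5/32", "at-1/3/1.1"),        # direct, NAT public interface
        ("10.12.1.0/24", "at-1/3/1.1"),        # static next-hop 10.23.0.5
        ("203.0.113.0/24", "so-0/0/0.0"),      # constructed Internet route
    ],
}
# Table consulted for plain IP packets arriving on each logical interface.
INGRESS_TABLE = {
    "t3-0/2/0.0": "vpna.inet.0",
    "at-1/3/1.0": "vpna.inet.0",
    "at-1/3/1.1": "inet.0",
    "so-0/0/0.0": "inet.0",
}

def forward(in_if, dst):
    """Longest-prefix match in the table bound to the ingress interface."""
    table = INGRESS_TABLE[in_if]
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), out) for p, out in TABLES[table]
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return (table, None, None)
    net, out_if = max(matches, key=lambda m: m[0].prefixlen)
    return (table, str(net), out_if)

def vrf_egress_interfaces():
    """Interfaces that routes in the VRF can send packets out of."""
    return {out for _, out in TABLES["vpna.inet.0"]}

if __name__ == "__main__":
    for in_if, dst in [("t3-0/2/0.0", "203.0.113.9"),     # CE1 to Internet
                       ("at-1/3/1.1", "203.0.113.9"),     # after translation
                       ("so-0/0/0.0", "10.12.1.7"),       # reply to the pool
                       ("at-1/3/1.0", "192.168.197.14"),  # reply, untranslated
                       ("t3-0/2/0.0", "10.50.1.1")]:      # VPN to VPN
        print(in_if, dst, "->", forward(in_if, dst))
```

The VRF never forwards out of at-1/3/1.1 and inet.0 holds no route to the CE link, so the only path between the VPN and the Internet in this model runs through the NAT device.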

Traffic Routed by Separate NAT Device: Configuration Summarized by Router

Router PE1

Interfaces

interfaces {
    t3-0/2/0 {
        dce;
        encapsulation frame-relay;
        unit 0 {
            description "to CE1 VPN interface";
            dlci 10;
            family inet {
                address 192.168.197.13/30;
            }
        }
    }
    at-1/3/1 {
        atm-options {
            vpi 1 maximum-vcs 255;
        }
        unit 0 {
            description "to NAT VPN interface";
            vci 1.100;
            family inet {
                address 10.23.0.2/32 {
                    destination 10.23.0.1;
                }
            }
        }
        unit 1 {
            description "to NAT public interface";
            vci 1.101;
            family inet {
                address 10.23.0.6/32 {
                    destination 10.23.0.5;
                }
            }
        }
    }
}

Routing Options

routing-options {
    static {
        route 10.12.1.0/24 next-hop 10.23.0.5;
    }
}

Routing Protocols

protocols {
    mpls {
        interface t3-0/2/0.0;
        interface at-1/3/1.0;
    }
    bgp {
        group pe-pe {
            type internal;
            local-address 10.255.14.171;
            family inet {
                any;
            }
            family inet-vpn {
                any;
            }
            export [ fix-nh redist-static ];
            neighbor 10.255.14.177;
            neighbor 10.255.14.173;
        }
    }
    isis {
        level 1 disable;
        interface so-0/0/0.0;
        interface lo0.0;
    }
    ldp {
        interface so-0/0/0.0;
    }
}

Routing Instance

routing-instances {
    vpna {
        instance-type vrf;
        interface t3-0/2/0.0;
        interface at-1/3/1.0;
        route-distinguisher 10.255.14.171:100;
        vrf-import vpna-import;
        vrf-export vpna-export;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.23.0.1;
            }
        }
        protocols {
            bgp {
                group to-CE1 {
                    peer-as 63001;
                    neighbor 192.168.197.14;
                }
            }
        }
    }
}

Policy Options

policy-options {
    policy-statement fix-nh {
        then {
            next-hop self;
        }
    }
    policy-statement redist-static {
        term a {
            from {
                protocol static;
                route-filter 10.12.1.0/24 exact;
            }
            then accept;
        }
        term b {
            from protocol bgp;
            then accept;
        }
        term c {
            then accept;
        }
    }
    policy-statement vpna-import {
        term a {
            from {
                protocol bgp;
                community vpna-comm;
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
    policy-statement vpna-export {
        term a {
            from protocol bgp;
            then {
                community add vpna-comm;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    community vpna-comm members target:63000:100;
}