MPLS NAT Aware Sample Configurations


Internet access is perhaps one of the most popular services that Service Providers offer their customers. Customers have flexibility to purchase MPLS VPN services Internet connectivity from separate Service Providers. Customers can alternatively offer Internet connectivity directly from their network may it be from one of their remote sites or the central site. In the latter case, the Internet Service Provider (ISP) does not need to distinguish customer’s Internet and VPN traffic, because all traffic traversing through a Service Provider network would be MPLS VPN traffic.

In MPLS based BGP-VPNs (RFC 2547),  ISPs offered customers an interface that was capable of carrying intranet and internet traffic.

Traffic between intranet and internet in a MPLS BGP-VPNs requires NAT Services at the customer edge router, between the customer private addresses and a globally routable address.

Traditional NAT operation can be summarized as follows:

  • NAT’s interfaces are classified as either inside or outside interfaces
  • Typically inside interface(s) connect to private address space and outside interface connect to global address space.
  • NAT occurs after routing for traffic from inside-to-outside interfaces.
  • NAT occurs before routing for traffic from outside-to-inside interfaces.
  • Routing information must be populated in the next-hop router for prefixes used in the NAT pool that is used for translation, for routing return traffic.


R3#conf ter
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#ip vrf 23
R3(config-vrf)#rd 23:23
R3(config-vrf)#route-t 23:23
R3(config-vrf)#ip vrf 13
R3(config-vrf)#rd 13:13
R3(config-vrf)#route-t 13:13
R3(config-vrf)#int s0/0
R3(config-if)#ip vrf for 13
R3(config-if)#ip add
R3(config-if)#ip nat inside
R3(config-if)#no sh
R3(config-if)#int s0/1
R3(config-if)#ip vrf for 23
R3(config-if)#ip add
R3(config-if)#ip nat inside
R3(config-if)#no sh
R3(config-if)#int s0/2
R3(config-if)#ip add
R3(config-if)#ip nat out
R3(config-if)#no sh
R3(config)#access-list 1 permit any
R3(config)#ip route vrf 13
R3(config)#ip route vrf 13 global
R3(config)#ip route vrf 23
R3(config)#ip route vrf 23 global
R3(config)#ip nat pool MYPOOL netmask
R3(config)#ip nat inside source list 1 pool MYPOOL vrf 13
R3(config)#ip nat inside source list 1 pool MYPOOL vrf 23

Inside to Outside packet flow:


NAT get hold of the packet, and does the translation (static or dynamic) and also stores the VRF table ID in the translation entry.

R3#show ip nat translations verbose
Pro Inside global      Inside local       Outside local      Outside global
create 00:00:10, use 00:00:00 timeout:60000, left 00:00:59, Map-Id(In): 2,
extended, use_count: 0, VRF : 23, entry-id: 3, lc_entries: 0
---          ---                ---
create 00:16:50, use 00:00:11 timeout:86400000, left 23:59:48, Map-Id(In): 2,
none, use_count: 1, VRF : 23, entry-id: 1, lc_entries: 0

Outside to Inside packet flow:


NAT receives the packet before routing and performs lookup on the translation table. NAT performs the reverse translation, and also sets the VRF table ID in the packet descriptor header. This enables the subsequent route lookup to occur on the right Forwarding Information Block (FIB). If the outgoing interface is in a VRF on the same PE, then the packet is forwarded as an IP packet. If the destination is on a remote PE, then the packet is imposed with labels and forwarded on the core facing interface.

A Networker Blog

3 thoughts on “MPLS NAT Aware Sample Configurations

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s