Symptom
Static NAT doesn't work from the outside
Conditions
The static NAT entry uses a route-map, the reversible keyword and a VRF.
Workaround
Remove reversible or the route-map. Filtering is then no longer applied in the out-to-in direction.
Further Problem Description
ip nat inside source static 10.1.X.X XXX.XX.31.31 vrf WAN route-map NAT reversible match-in-vrf
ip nat inside source static 10.1.X.X XXX.XX.31.32 vrf WAN route-map NAT reversible match-in-vrf
interface GigabitEthernet0/0/0
 ip vrf forwarding WAN
 ip address XXX.XX.31.1 255.255.255.0
 ip nat outside
end
interface GigabitEthernet0/0/3
 ip vrf forwarding WAN
 ip address XX.X.1.50 255.255.255.0
 ip nat inside
end
ASR1001-HX#sh access-list
Extended IP access list NAT
    10 permit ip host 10.X.X.X 8.8.8.0 0.0.0.255
    20 permit ip host 10.X.X.X 1.1.1.0 0.0.0.255
    30 permit ip host 10.X.X.X 8.8.8.0 0.0.0.255
    40 permit ip host 10.X.X.X.1.1.0 0.0.0.255
ASR1001-HX#sh route-map
route-map NAT, permit, sequence 10
  Match clauses:
    ip address (access-lists): NAT
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
* When we ping from the neighboring device located behind the outside interface (permitted in the route-map), NAT fails:
ASR1006-1#ping XXX.XXX.31.31 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to XXX.XX.31.31, timeout is 2 seconds:
Packet sent with a source address of 8.8.8.1
.....
Success rate is 0 percent (0/5)
* As soon as we remove just "reversible" or the route-map, we can ping from the outside successfully:
ASR1006-1#ping XXX.XX.31.31 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to XXX.XX.31.31, timeout is 2 seconds:
Packet sent with a source address of 8.8.8.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
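Added example (not part of the original report and not Cisco tooling): a Python check that finds static NAT entries matching the conditions above and, for entries where the workaround dropped reversible or the route-map, reports whether every NAT outside interface in the same VRF has an inbound ACL. The sample config, its addresses, the VRF name LAB, the ACL name OUTSIDE-IN and the idea of an interface ACL as a compensating control are assumptions; only address-only static entries, as in the report, are handled.

```python
import re

# Constructed sample in the layout of the report's config; addresses are placeholders.
SAMPLE = """\
ip nat inside source static 10.1.0.10 192.0.2.31 vrf WAN route-map NAT reversible match-in-vrf
ip nat inside source static 10.1.0.11 192.0.2.32 vrf WAN match-in-vrf
ip nat inside source static 10.1.0.12 192.0.2.33 vrf LAB route-map NAT match-in-vrf
interface GigabitEthernet0/0/0
 ip vrf forwarding WAN
 ip nat outside
 ip access-group OUTSIDE-IN in
interface GigabitEthernet0/0/1
 ip vrf forwarding LAB
 ip nat outside
"""

STATIC = re.compile(r"(?m)^\s*ip nat inside source static (\S+) (\S+)(.*)$")

def outside_acls(config):
    """Return {vrf: [inbound ACL name or None]} over all 'ip nat outside' interfaces."""
    result = {}
    for body in re.split(r"(?m)^interface .*$", config)[1:]:
        body = re.split(r"(?m)^(?:end|!)\s*$", body)[0]  # stop at the block terminator
        if re.search(r"(?m)^\s*ip nat outside\s*$", body):
            vrf = re.search(r"(?m)^\s*(?:ip )?vrf forwarding (\S+)", body)
            acl = re.search(r"(?m)^\s*ip access-group (\S+) in\s*$", body)
            result.setdefault(vrf and vrf.group(1), []).append(acl and acl.group(1))
    return result

def audit(config):
    """Classify each static NAT entry by what filters out-to-in traffic to it."""
    acls, findings = outside_acls(config), []
    for m in STATIC.finditer(config):
        opts = m.group(3).split()
        vrf = opts[opts.index("vrf") + 1] if "vrf" in opts else None
        if "route-map" in opts and "reversible" in opts:
            # With a VRF as well, this is the combination listed under Conditions.
            status = "reported-conditions" if vrf else "route-map-reversible"
        elif acls.get(vrf) and all(acls[vrf]):
            status = "interface-acl"  # assumed compensating control, not from the report
        else:
            status = "no-out-to-in-filter"
        findings.append((m.group(2), vrf, status))
    return findings

if __name__ == "__main__":
    for global_ip, vrf, status in audit(SAMPLE):
        print(f"{global_ip:15} vrf={vrf} {status}")
```

An inbound ACL on the outside interface is evaluated before the outside-to-inside translation, so it must match on the global (translated) address rather than the inside local address.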