IOS XE has a limitation for NAT between VRFs. NAT NVI is used between VRFs only in IOS; on the IOS XE platform this feature is not supported.
VASI is not used only for NAT: you can also use this feature for IPsec, firewall and other traffic flow control. It is implemented in pairs. The virtual VASI interface is the next hop for any packet that needs to be switched between VRFs. The main image shows only one device with two VRFs: Default (grey) and INET (red). When a packet flows through the router, it takes the following route:
- The packet enters the physical interface in VRF INET.
- The RIB chooses the vasiright interface as the next hop, and the TTL value is decremented.
- A packet sent to the egress of vasiright is automatically sent to the ingress of the vasileft path.
- VRF Default forwards the packet to the physical interface.
routing config:

```
!
ip route 126.96.36.199 255.255.255.255 vasileft1 188.8.131.52
! (in my case it's only one laptop which can get access to the local web server; for everyone it should be 0/0)
ip route vrf Vrf-INET 184.108.40.206 255.255.255.255 vasiright1 220.127.116.11
```

NAT config:

```
ip nat inside source static tcp 18.104.22.168 443 22.214.171.124 443 vrf Vrf-INET extendable
```

interfaces config:

```
!
interface vasileft1
 ip address 126.96.36.199 255.255.255.255
 no keepalive
end
!
interface vasiright1
 vrf forwarding Vrf-INET
 ip address 188.8.131.52 255.255.255.255
 ip nat inside
 no keepalive
end
!
interface GigabitEthernet0/0/2
 description ISP
 bandwidth 100000
 vrf forwarding Vrf-INET
 ip address 184.108.40.206 255.255.255.0
 ip nat outside
end
!
```
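A small offline check for a configuration laid out like the one above; this is an added example, not part of the original post. It assumes the layout shown on this page (each vasileftN paired with a vasirightN in a different VRF, and `ip nat inside` and `ip nat outside` both placed in the same VRF); the sample config uses constructed documentation addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample config (documentation addresses, not the page's values).
SAMPLE = """\
interface vasileft1
 ip address 192.0.2.1 255.255.255.255
!
interface vasiright1
 vrf forwarding Vrf-INET
 ip address 192.0.2.2 255.255.255.255
 ip nat inside
!
interface GigabitEthernet0/0/2
 vrf forwarding Vrf-INET
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
!
"""

def parse_interfaces(cfg):
    """Return {name: {"vrf": name or None (global), "nat": role or None}}."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {"vrf": None, "nat": None})
        elif cur is not None and (m := re.match(r" vrf forwarding (\S+)", line)):
            cur["vrf"] = m.group(1)
        elif cur is not None and (m := re.match(r" ip nat (inside|outside)$", line)):
            cur["nat"] = m.group(1)
        elif not line.startswith(" "):
            cur = None  # left the interface block
    return ifaces

def audit(cfg):
    """Return findings where the config departs from the assumed VASI/NAT layout."""
    ifaces, findings, nat_vrfs = parse_interfaces(cfg), [], defaultdict(set)
    for name, intf in ifaces.items():
        if m := re.fullmatch(r"vasileft(\d+)", name):
            right = ifaces.get(f"vasiright{m.group(1)}")
            if right is None:
                findings.append(f"{name}: no matching vasiright{m.group(1)}")
            elif right["vrf"] == intf["vrf"]:
                findings.append(f"{name}: both halves in the same VRF")
        if intf["nat"]:
            nat_vrfs[intf["vrf"]].add(intf["nat"])
    for vrf, roles in nat_vrfs.items():
        if roles != {"inside", "outside"}:  # assumed: both NAT roles share one VRF
            findings.append(f"VRF {vrf}: only 'ip nat {', '.join(sorted(roles))}' present")
    return findings
```

`audit(SAMPLE)` returns an empty list; removing `vrf forwarding Vrf-INET` from vasiright1 yields a same-VRF finding plus one NAT finding for each VRF left with a single role.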