IOS XE has a limitation for NAT between VRFs. NAT NVI is used between VRFs only in IOS; on the IOS XE platform this feature is not supported.
VASI is not used only for NAT: you can also use this feature for IPsec, firewall and other traffic flow control. VASI interfaces are implemented in pairs. The virtual "VASI" interface is the next hop for any packet that needs to be switched between VRFs. The main image shows a single device with two VRFs: Default (grey) and INET (red). When a packet flows through the router, it takes the following route:
- The packet enters the physical interface in VRF INET.
- The RIB selects the vasiright interface as the next hop, and the TTL value is decremented.
- A packet sent to the egress of vasiright is automatically delivered to the ingress of the paired vasileft interface.
- VRF Default forwards the packet to the physical interface.
routing config:

```
!
ip route 220.127.116.11 255.255.255.255 vasileft1 18.104.22.168
! (in my case it's only one laptop which can get access to local web server, for everyone it should be 0/0)
ip route vrf Vrf-INET 22.214.171.124 255.255.255.255 vasiright1 126.96.36.199
```

NAT config:

```
ip nat inside source static tcp 188.8.131.52 443 184.108.40.206 443 vrf Vrf-INET extendable
```

interfaces config:

```
!
interface vasileft1
 ip address 220.127.116.11 255.255.255.255
 no keepalive
end
!
interface vasiright1
 vrf forwarding Vrf-INET
 ip address 18.104.22.168 255.255.255.255
 ip nat inside
 no keepalive
end
!
interface GigabitEthernet0/0/2
 description ISP
 bandwidth 100000
 vrf forwarding Vrf-INET
 ip address 22.214.171.124 255.255.255.0
 ip nat outside
end
!
```
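A small audit of a saved running-config for the VASI points above, as an added example that is not part of the original post: it checks that every vasileft/vasiright interface has its same-numbered partner, that the two halves sit in different VRFs, and it flags static routes through a VASI interface that are 0/0 rather than host-scoped. The function names, the sample config and its documentation-range addresses are constructed for illustration, and treating a 0/0 route as a review item is this example's own policy assumption.

```python
import re

# Constructed sample in "show running-config" layout (not the page's addresses).
SAMPLE = """\
interface vasileft1
 ip address 192.0.2.1 255.255.255.252
!
interface vasiright1
 vrf forwarding Vrf-INET
 ip nat inside
!
interface vasileft2
 vrf forwarding Vrf-INET
!
ip route 198.51.100.10 255.255.255.255 vasileft1 192.0.2.2
ip route vrf Vrf-INET 0.0.0.0 0.0.0.0 vasiright1 192.0.2.1
"""

def parse_vasi(config):
    """Map each VASI interface name to its VRF ('' means the global table)."""
    vasi, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (vasi(?:left|right)\d+)\s*$", line, re.I)
        if m:
            current = m.group(1).lower()
            vasi[current] = ""
        elif not line.startswith(" "):   # any unindented line ends the block
            current = None
        elif current and (v := re.match(r"\s+vrf forwarding (\S+)", line)):
            vasi[current] = v.group(1)
    return vasi

def audit(config):
    """Return a list of findings about VASI pairing and route scope."""
    findings, vasi = [], parse_vasi(config)
    for name, vrf in sorted(vasi.items()):
        side, num = re.match(r"vasi(left|right)(\d+)", name).groups()
        peer = f"vasi{'right' if side == 'left' else 'left'}{num}"
        if peer not in vasi:
            findings.append(f"{name}: no paired {peer}")
        elif side == "left" and vasi[peer] == vrf:   # report each pair once
            findings.append(f"{name}/{peer}: both halves in the same VRF")
    route = re.compile(r"ip route (?:vrf \S+ )?(\S+) (\S+) (vasi\S+)", re.I)
    for dst, mask, intf in route.findall(config):
        if intf.lower() not in vasi:
            findings.append(f"route via undefined interface {intf}")
        elif mask == "0.0.0.0":
            findings.append(f"default route via {intf}: review cross-VRF scope")
    return findings
```

Running `audit(SAMPLE)` reports the unpaired `vasileft2` and the 0/0 route through `vasiright1`; a config with a complete pair and host routes only returns an empty list.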