The IOS XE has a limitation for the NAT between VRF. NAT NVI is used between vrf only in IOS, however for IOS XE platform this feature is not supported.
VASI usually used not only for NAT, you can use this feature for IPsec, firewall and other traffic flow control events. This is implemented by pairs. Virtual “VASI”-Interface is the next-hop for any pakcet that needs to be switched between VRFs. On the main image presented only one device with two VRFs: Default(grey) and INET(red). When packet flows through Router it goes on the following route:
- Enters to physical interface in Vrf INET.
- Choosing vasiright interface as the next hop by RIB+decrements TTL value.
- Packet which was sent to egress of vasiright automatically sentto ingress of vasileft path.
- Vrf Default forwards packet to physical interface.
routing config: ! ip route 188.8.131.52 255.255.255.255 vasileft1 184.108.40.206 (in my case it's only one Laptop which can get access to local web server, for everyone it should be 0/0) ip route vrf Vrf-INET 220.127.116.11 255.255.255.255 vasiright1 18.104.22.168 NAT config: ip nat inside source static tcp 22.214.171.124 443 126.96.36.199 443 vrf Vrf-INET extendable interfaces config: ! interface vasileft1 ip address 188.8.131.52 255.255.255.255 no keepalive end ! interface vasiright1 vrf forwarding Vrf-INET ip address 184.108.40.206 255.255.255.255 ip nat inside no keepalive end ! interface GigabitEthernet0/0/2 description ISP bandwidth 100000 vrf forwarding Vrf-INET ip address 220.127.116.11 255.255.255.0 ip nat outside end !