VRF-Aware Software Infrastructure (VASI) NAT on IOS-XE for publishing a local web server

IOS XE has a limitation for NAT between VRFs. On classic IOS, NAT NVI (NAT Virtual Interface) is what handles NAT between VRFs; on the IOS XE platform this feature is not supported.

VASI is not used only for NAT; the same mechanism can carry IPsec, firewall and other traffic-flow features. It is implemented as interface pairs: the virtual VASI interface is the next hop for any packet that needs to be switched between VRFs. The main image shows a single device with two VRFs: Default (grey) and INET (red). When a packet flows through the router it takes the following route:

  1. It enters the physical interface in VRF INET.
  2. The RIB selects the vasiright interface as the next hop and the TTL is decremented.
  3. A packet sent to the egress of vasiright is automatically delivered to the ingress of vasileft.
  4. VRF Default forwards the packet to the physical interface.
Routing config:
!
ip route 1.1.1.2 255.255.255.255 vasileft1 2.2.2.2
ip route vrf Vrf-INET 4.4.4.5 255.255.255.255 vasiright1 3.3.3.3
!
In my case only one laptop (1.1.1.2) is allowed to reach the local web server, hence the /32 in the first route; to publish it for everyone, that route should be a default route (0.0.0.0 0.0.0.0) instead.
 
NAT config:
ip nat inside source static tcp 4.4.4.5 443 1.1.1.1 443 vrf Vrf-INET extendable


Interfaces config:
!
interface vasileft1
 ip address 3.3.3.3 255.255.255.255
 no keepalive
end

!
interface vasiright1
 vrf forwarding Vrf-INET
 ip address 2.2.2.2 255.255.255.255
 ip nat inside
 no keepalive
end

!
interface GigabitEthernet0/0/2
 description ISP
 bandwidth 100000
 vrf forwarding Vrf-INET
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
end
!
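The four-step packet walk and the routing and NAT config above, as an added example that is not part of the original post: a small Python model of the two RIBs, the VASI pair and the static translation, showing that the NAT itself stays inside Vrf-INET (vasiright1 is the inside, Gi0/0/2 the outside) while the pair does the VRF crossing. The LAN-side interface name Gi-LAN and its 4.4.4.0/24 connected route are assumptions not shown in the post, as is modelling every VRF lookup as one TTL-decrementing hop.

```python
import ipaddress

# Tables constructed from the post's config. The LAN-side interface "Gi-LAN" and
# its 4.4.4.0/24 connected route are assumptions; the post does not show them.
RIB = {
    "Vrf-INET": [("1.1.1.0/24", "Gi0/0/2"), ("4.4.4.5/32", "vasiright1")],
    "default": [("4.4.4.0/24", "Gi-LAN"), ("1.1.1.2/32", "vasileft1")],
}
VRF_OF = {"Gi0/0/2": "Vrf-INET", "vasiright1": "Vrf-INET",
          "vasileft1": "default", "Gi-LAN": "default"}
VASI_PEER = {"vasiright1": "vasileft1", "vasileft1": "vasiright1"}
NAT_INSIDE, NAT_OUTSIDE = {"vasiright1"}, {"Gi0/0/2"}
# ip nat inside source static tcp 4.4.4.5 443 1.1.1.1 443 vrf Vrf-INET extendable
LOCAL_TO_GLOBAL = {("4.4.4.5", 443): ("1.1.1.1", 443)}
GLOBAL_TO_LOCAL = {g: l for l, g in LOCAL_TO_GLOBAL.items()}


def lookup(vrf, dst):
    """Longest-prefix match in one VRF's RIB; returns the egress interface or None."""
    best = None
    for prefix, iface in RIB[vrf]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def forward(ingress, pkt):
    """Walk pkt {src, sport, dst, dport, ttl} through the router; returns
    (egress interface or None if dropped, translated packet, hops), hops being
    each (ingress, vrf, egress) decision. Model assumption: every VRF lookup is
    one forwarding hop and decrements TTL."""
    pkt, hops = dict(pkt), []
    while True:
        vrf = VRF_OF[ingress]
        # outside -> inside: the global destination is translated before routing
        if ingress in NAT_OUTSIDE and (pkt["dst"], pkt["dport"]) in GLOBAL_TO_LOCAL:
            pkt["dst"], pkt["dport"] = GLOBAL_TO_LOCAL[(pkt["dst"], pkt["dport"])]
        egress = lookup(vrf, pkt["dst"])
        if egress is None or pkt["ttl"] <= 1:
            return None, pkt, hops  # no route in this VRF, or TTL exhausted
        pkt["ttl"] -= 1
        hops.append((ingress, vrf, egress))
        # inside -> outside: the local source is translated after routing
        if (ingress in NAT_INSIDE and egress in NAT_OUTSIDE
                and (pkt["src"], pkt["sport"]) in LOCAL_TO_GLOBAL):
            pkt["src"], pkt["sport"] = LOCAL_TO_GLOBAL[(pkt["src"], pkt["sport"])]
        if egress not in VASI_PEER:
            return egress, pkt, hops
        ingress = VASI_PEER[egress]  # egress of one VASI side is ingress of its peer
```

Running the inbound packet from the laptop and the server's reply through forward() shows the destination translated before the Vrf-INET lookup, the source translated only when vasiright1 hands the reply to Gi0/0/2, and the pair costing two TTL hops.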