Internet traffic blocked by ZBFW if using interface IP for overload pool

glenthms
Level 1

Scenario:

We have 2 VRFs: INTERNET and INTERNAL.

NAT VASI left, and NAT VASI right are configured for this ISR 4K. We are forcing Internet traffic through the VASI left and into VASI right (ip nat inside) and out our public interface G0/0/1.

I am using a NAT pool with the G0/0/1 interface IP. This is required for NAT VASI.

What I am seeing is that hosts are unable to access the Internet at all if I use the interface IP in the NAT pool. However, if I use a different IP address from the /29 range for the NAT pool, everything works fine.

Attached are the platform debug packet captures showing the difference between the two, one with the interface IP in the pool and one with a separate IP for the pool. From what I can tell it's hitting the OUTSIDE-TO-SELF policy class-default and dropping traffic. Need help sorting this one out. I want to be able to use the interface IP in the pool due to public IP restrictions for some of our customers. Some are only able to get a /30. Having to burn another public IP for a pool IP puts us in a bad spot.

-------------OUTPUT of router config for reference-------------

---------------------VRF info--------------------


r2-customer#sh vrf
Name Default RD Protocols Interfaces
CDK 64995:2470 ipv4 Gi0/0/0.1
vl1
INTERNET 100:1 ipv4,ipv6 Gi0/0/1
vr1

------------ZBF---------------------------------------

r2-customer#sh zone security
zone self
Description: System defined zone

zone INSIDE
Member Interfaces:
GigabitEthernet0/0/0.1
vasileft1

zone OUTSIDE
Member Interfaces:
GigabitEthernet0/0/1
vasiright1


r2-customer#sh zone-pair security

Zone-pair name IN-TO-OUT
Source-Zone INSIDE Destination-Zone OUTSIDE
service-policy IN-TO-OUT-PMAP

Zone-pair name OUTSIDE-TO-SELF
Source-Zone OUTSIDE Destination-Zone self
service-policy TO-SELF-PMAP

Zone-pair name SELF-TO-OUTSIDE
Source-Zone self Destination-Zone OUTSIDE
service-policy FROM-SELF-PMAP


class-map type inspect match-any TO-SELF-CMAP
match access-group name INTERNET_IN
class-map type inspect match-any ALL-PROTOCOLS-CMAP
match protocol tcp
match protocol udp
match protocol icmp


r2-customer#sh access-list INTERNET_IN
Extended IP access list INTERNET_IN
10 permit udp any eq bootps any eq bootpc
50 permit icmp any host 1.1.1.243 echo (1 match)
60 permit icmp any host 1.1.1.243 echo-reply
70 permit icmp any host 1.1.1.243 unreachable
80 permit icmp any host 1.1.1.243 time-exceeded
90 permit icmp any host 1.1.1.243 administratively-prohibited
100 permit icmp any host 1.1.1.243 packet-too-big
110 permit esp any host 1.1.1.243
120 permit udp any host 1.1.1.243 eq isakmp (5 matches)
130 permit udp any host 1.1.1.243 eq non500-isakmp
140 permit gre any host 1.1.1.243

class-map type inspect match-any SPECIFIC-PROTOCOLS-CMAP
match protocol ftp
match protocol dns
match protocol h323
match protocol http
match protocol https
match protocol smtp
match protocol tftp
match protocol telnet
match protocol ssh
match protocol pop3
match protocol ntp
class-map type inspect match-any ALLOWED-PROTOCOLS-CMAP
match class-map SPECIFIC-PROTOCOLS-CMAP
match class-map ALL-PROTOCOLS-CMAP
class-map type inspect match-any TO-SELF-CMAP-TESTGLENN
match class-map SPECIFIC-PROTOCOLS-CMAP
match class-map ALL-PROTOCOLS-CMAP
!
policy-map type inspect IN-TO-OUT-PMAP
class type inspect ALLOWED-PROTOCOLS-CMAP
inspect TIMERS
class class-default
drop
!
policy-map type inspect FROM-SELF-PMAP
class type inspect ALLOWED-PROTOCOLS-CMAP
inspect TIMERS
class class-default
pass
!
policy-map type inspect TO-SELF-PMAP
class type inspect TO-SELF-CMAP
inspect
class class-default
drop

------------Interfaces---------------------------------------


r2-customer#sh run int g0/0/0.1
Building configuration...

Current configuration : 471 bytes
!
interface GigabitEthernet0/0/0.1
description Default LAN
encapsulation dot1Q 1 native
vrf forwarding INTERNAL
ip address 10.144.50.236 255.255.255.0
no ip redirects
ip nat inside
zone-member security INSIDE
end


r2-customer#sh run int vasileft1
Building configuration...

Current configuration : 177 bytes
!
interface vasileft1
description VASI InterVrf interface in INTERNAL
vrf forwarding INTERNAL
ip address 172.30.248.185 255.255.255.252
zone-member security INSIDE
no keepalive
end

r2-customer#sh run int vasiright1
Building configuration...

Current configuration : 204 bytes
!
interface vasiright1
description VASI InterVrf interface in INTERNET
vrf forwarding INTERNET
ip address 172.30.248.186 255.255.255.252
ip nat inside
zone-member security OUTSIDE
no keepalive
end

r2-customer#sh run int g0/0/1
Building configuration...

Current configuration : 369 bytes
!
interface GigabitEthernet0/0/1
description Internet Access
bandwidth 5120
vrf forwarding INTERNET
ip address 1.1.1.243 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
zone-member security OUTSIDE
negotiation auto
no cdp enable
end

---------------NAT Config-----------------------------

ip nat pool INTERNET 1.1.1.243 1.1.1.243 prefix-length 29
ip nat inside source route-map NAT-TO-INTERNET pool INTERNET vrf INTERNET match-in-vrf overload

----------------Routing--------------------------------

ip route vrf INTERNAL 0.0.0.0 0.0.0.0 vasileft1 172.30.248.186 name default_thru_vasileft

ip route vrf INTERNET 0.0.0.0 0.0.0.0 1.1.1.241
ip route vrf INTERNET 10.144.50.0 255.255.255.0 vasiright1 172.30.248.185 name inside_thru_vasiright
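As an added illustration (not from the post and not Cisco code), a small Python model of the classification the poster describes: a packet returning from the Internet whose destination is an address the router itself owns is evaluated by the OUTSIDE-TO-SELF pair and TO-SELF-PMAP, so anything not permitted by INTERNET_IN lands in class-default and is dropped. The interface table and ACL subset are taken from the post; 1.1.1.244 is a constructed stand-in for the "different IP in the /29", and the self-zone classification is a simplification rather than the platform's actual pipeline.

```python
# Interfaces from the post: name -> (security zone, IPv4 address)
INTERFACES = {
    "GigabitEthernet0/0/0.1": ("INSIDE", "10.144.50.236"),
    "vasileft1": ("INSIDE", "172.30.248.185"),
    "vasiright1": ("OUTSIDE", "172.30.248.186"),
    "GigabitEthernet0/0/1": ("OUTSIDE", "1.1.1.243"),
}
# Any address the router owns belongs to the system-defined "self" zone
SELF_IPS = {ip for _zone, ip in INTERFACES.values()}

# Subset of access-list INTERNET_IN, i.e. what TO-SELF-CMAP matches.
# (protocol, destination host or None for any, destination port or None);
# ICMP message types sit in the port slot, named ports are given as numbers.
INTERNET_IN = [
    ("udp", None, 68),                    # 10: bootps -> bootpc
    ("icmp", "1.1.1.243", "echo"),        # 50
    ("icmp", "1.1.1.243", "echo-reply"),  # 60
    ("esp", "1.1.1.243", None),           # 110
    ("udp", "1.1.1.243", 500),            # 120: isakmp
    ("udp", "1.1.1.243", 4500),           # 130: non500-isakmp
    ("gre", "1.1.1.243", None),           # 140
]

def acl_permits(proto, dst_ip, dst_port):
    """First-match evaluation of INTERNET_IN; no match is the implicit deny."""
    for p, host, port in INTERNET_IN:
        if p == proto and host in (None, dst_ip) and port in (None, dst_port):
            return True
    return False

def evaluate_return_packet(ingress, proto, dst_ip, dst_port):
    """Classify a packet arriving from the Internet the way the poster describes.

    A destination that is one of the router's own addresses is handled by the
    <zone>-TO-SELF pair: TO-SELF-CMAP traffic is inspected, everything else hits
    class-default drop. Any other destination is translated and forwarded, where
    the return flow is matched by the session the IN-TO-OUT inspect created.
    """
    src_zone = INTERFACES[ingress][0]
    if dst_ip in SELF_IPS:
        action = "inspect" if acl_permits(proto, dst_ip, dst_port) else "drop (class-default)"
        return (f"{src_zone}-TO-SELF", action)
    return ("forwarded", "matched by existing IN-TO-OUT inspect session")

if __name__ == "__main__":
    outside = "GigabitEthernet0/0/1"
    # Reply from a web server to a LAN host NATed behind the pool (ephemeral port 50000)
    print(evaluate_return_packet(outside, "tcp", "1.1.1.243", 50000))  # pool = interface IP
    print(evaluate_return_packet(outside, "tcp", "1.1.1.244", 50000))  # constructed spare /29 IP
    print(evaluate_return_packet(outside, "udp", "1.1.1.243", 500))    # IKE to the router itself
```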

1 Reply

yasir.ilyas
Level 1

How did you fix this? I am going to try a similar config soon.

Thanks
