Cisco 2911 NAT from VRF

ruth_betty
Level 1

I have trouble with a NAT connection on a Cisco 2911 ISR. I cannot connect to the NAT port from a PC in the same VRF. But the connection works properly if I try it from another VRF on the same router. Can you help me fix it?

version 15.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname bgr-03
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging rate-limit all 10 except critical
logging monitor informational
!
aaa new-model
!
aaa authentication login local_auth local
!
aaa session-id common
clock timezone MSK 3 0
!
ip cef
!
ip vrf VRF20
!
ip vrf VRF30
!
no ip domain lookup
ipv6 spd queue min-threshold 62
ipv6 spd queue max-threshold 63
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
license udi pid CISCO2911/K9 sn FFFFFFFFFFF
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9
license boot module c2900 technology-package datak9
!
vtp mode transparent
!
redundancy
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip vrf forwarding VRF20
 ip address 10.0.20.1 255.255.255.0
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip vrf forwarding VRF30
 ip address 10.0.30.1 255.255.255.0
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1
 ip vrf forwarding VRF20
 ip address 1.1.1.2 255.255.255.0
 no ip redirects
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/2
 ip vrf forwarding VRF30
 ip address 1.1.1.3 255.255.255.0
 no ip redirects
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat translation timeout 7200
ip nat translation tcp-timeout 7200
ip nat inside source list NAT_VRF20 interface GigabitEthernet0/1 vrf VRF20 overload
ip nat inside source list NAT_VRF30 interface GigabitEthernet0/2 vrf VRF30 overload
ip nat inside source static tcp 10.0.20.2 3389 1.1.1.2 3389 vrf VRF20 extendable
ip nat inside source static tcp 10.0.30.2 3389 1.1.1.3 3389 vrf VRF30 extendable
ip route vrf VRF20 0.0.0.0 0.0.0.0 1.1.1.1
ip route vrf VRF30 0.0.0.0 0.0.0.0 1.1.1.1
!
ip access-list extended NAT_VRF20
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 10.0.20.0 0.0.0.255 any
ip access-list extended NAT_VRF30
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 10.0.30.0 0.0.0.255 any
!
control-plane
!
mgcp profile default
!
gatekeeper
 shutdown
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 transport input none
!
scheduler allocate 20000 1000
!
end
