IP NAT ENABLE doesn't work on Cisco XE Ver.16?

sadavir.sampath
Level 1

Hi Cisco Team,
In a network design, I have two ISR4321 routers with Cisco IOS XE Software.
The first is on Version 15.5(3)S4b
The second is on Version 16.9.5
On the first one, I can use the ip nat enable command at the Conf/Interface level

On the second one, this command doesn't exist!
With the help ip nat ? it shows only:
 allow-static-host Allow static-ip clients
 inside            Inside interface for address translation
 outside           Outside interface for address translation

This feature is very important for the network design of this customer.
Can someone please help me with this case?

Here is the SHOW VERSION for each router:


FIRST ROUTER (IP NAT ENABLE command works):
Cisco IOS XE Software, Version 03.16.04b.S - Extended Support Release

Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S4b, RELEASE SOFTWARE (fc1)
.../..

Technology Package License Information:

----------------------------------------------------------------
Technology Technology-package Technology-package
           Current     Type        Next reboot
----------------------------------------------------------------
appxk9     disable     None        disable
uck9       None        None        None
securityk9 securityk9  Permanent   securityk9
ipbase     ipbasek9    Permanent   ipbasek9

SECOND ROUTER (IP NAT ENABLE command doesn't work):
Cisco IOS XE Software, Version 16.09.05
Cisco IOS Software [Fuji], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.9.5, RELEASE SOFTWARE (fc1)
.../...
-----------------------------------------------------------------
Technology Technology-package Technology-package
           Current     Type        Next reboot
-----------------------------------------------------------------
appxk9     disable     None        disable
uck9       None        None        None
securityk9 securityk9  Permanent   securityk9
ipbase     ipbasek9    Permanent   ipbasek9

Thanks
Sad.: Sam:.


http://www.bscottrandall.com/9.5.12.html

According to this link, NVI is not supported in IOS XR.
Sorry

Thanks for your reply MHM,
I saw some papers saying that NVI is not supported on IOS XE, but my question is "why does it work on the first one?"
As I said, the first router runs Cisco IOS XE, which is:
Cisco IOS XE Software, Version 03.16.04b.S - Extended Support Release
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S4b, RELEASE SOFTWARE (fc1)
The second is:
Cisco IOS XE Software, Version 16.09.05
Cisco IOS Software [Fuji], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.9.5, RELEASE SOFTWARE (fc1)

Both are ISR4321.
So why does it work on the first?
And do you think I can FTP/downgrade the second one to the 15.5 IOS?



Can you explain the issue? Maybe we can solve it with a downgrade.
Do you want hairpin for specific traffic?

In my topology, I have three networks:
- Customer Network (different entry points on leased lines, L3 tunnel, MPLS, IPsec and others)
- Production Network (which is hosting SERVERS)
- Development Network (all of the IT staff).
A router is between the Prod and Dev networks, and another one is at the Customer Network entry point.
I need translation from the Dev Network to the Prod Network.
But to provide a particular service, one of the interfaces can be the INSIDE for some translations, and can be the OUTSIDE for others.
So it works fine with the "IP NAT ENABLE" on this interface on my first router.
I have to configure a router as a spare, but this new one doesn't accept this statement.
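For readers unfamiliar with the NVI form the poster is relying on, here is an added configuration example (not from the thread or from any of the posters) showing the Dev-to-Prod translation with ip nat enable, on a platform that accepts the command. The interface names, the ACL name and the use of PAT to the PROD-VLAN interface address are assumptions; the subnets follow the poster's description (192.168.1.0/24 Dev, 192.168.2.0/24 Prod).

```text
! Added example (not from the thread): NVI-style NAT. With NVI no interface is
! tied to an "inside" or "outside" role, which is what lets one interface
! serve both directions. Interface and ACL names are assumed; the subnets
! follow the poster's description.
interface Vlan1
 description DEV staff
 ip address 192.168.1.254 255.255.255.0
 ip nat enable
!
interface GigabitEthernet0/0/1
 description PROD-VLAN (servers)
 ip address 192.168.2.254 255.255.255.0
 ip nat enable
!
ip access-list extended DEV-TO-PROD
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! NVI rule: "ip nat source" with no inside/outside keyword. Dev hosts heading
! to Prod are translated to the PROD-VLAN interface address (PAT/overload).
ip nat source list DEV-TO-PROD interface GigabitEthernet0/0/1 overload
!
! Verification (NVI keeps its own tables, shown with the "nvi" keyword):
! show ip nat nvi translations
! show ip nat nvi statistics
```

The point to check on a platform that rejects ip nat enable is exactly the one raised in this thread: the whole design depends on the interface having no fixed inside/outside role, so the fallback cannot be a one-for-one rewrite of these lines with ip nat inside/outside.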


Hello,

I don't really get it either. I am running 17.3 XE in a sandbox lab, and NVI is available:

dist-rtr02(config-if)#ip nat ?
allow-static-host Allow static-ip clients
enable Enable interface for address translation
inside Inside interface for address translation
outside Outside interface for address translation
stick Stick(Hairpin) interface for address translations

Hello Georg,
I have done this:
 - downgrade the v.16 to the 15.5 level.
 - restart in 15.5
 - check ip nat enable: doesn't work!!!
 - check if I am really on v15.5: yes

So, it appears that it is not an IOS version problem!
Probably a platform difference, even if the routers are both ISR 4321 (but bought 3 years apart)?
I think I will have to open a CASE with Cisco Support, because I want an explanation of that for the future.

Since the ASR doesn't have NVI, we will return to the old way:
configure a Loopback interface and configure it as IP NAT INSIDE.

Configure PBR in the subnet you want to NAT for some traffic and not NAT for other;
you can select the traffic with an ACL,
match this ACL and set the interface as the Loopback.

This will send the traffic that needs NAT to the Lo, where it hits the IP NAT INSIDE, and using dynamic or static NAT the traffic is translated.
Other traffic will pass without going to the Lo, so it does not hit IP NAT INSIDE and hence passes without any NATing.

This is the OLD way; if you want, do a lab in GNS3 and I will help you.
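The loopback-plus-PBR workaround described in the post above, written out as an added configuration example (not the poster's own config and not from the thread). The interface names, the loopback address, the ACL and route-map names are assumptions; the subnets follow the original poster's description (192.168.1.0/24 Dev, 192.168.2.0/24 Prod).

```text
! Added example (not from the thread) of the loopback + PBR workaround.
! Interface names, the loopback address and the ACL/route-map names are
! assumed; the subnets follow the original poster's description.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
 ip nat inside
!
interface GigabitEthernet0/0/1
 description PROD-VLAN (servers) - the only interface marked outside
 ip address 192.168.2.254 255.255.255.0
 ip nat outside
!
! Only Dev -> Prod flows are selected; everything else is routed normally.
ip access-list extended DEV-TO-PROD
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
route-map NAT-VIA-LOOPBACK permit 10
 match ip address DEV-TO-PROD
 set interface Loopback0
!
! The Dev-facing interface is deliberately NOT marked inside. The route-map
! steers only the matched traffic through Loopback0, which is where it is
! classified as inside; a non-matching flow never touches an inside interface
! and therefore leaves untranslated.
interface GigabitEthernet0/0/0
 description DEV staff
 ip address 192.168.1.254 255.255.255.0
 ip policy route-map NAT-VIA-LOOPBACK
!
ip nat inside source list DEV-TO-PROD interface GigabitEthernet0/0/1 overload
!
! Checks: show route-map NAT-VIA-LOOPBACK   (policy-routed packet counters)
!         show ip nat translations          (entries only for matched flows)
```

Because the Dev interface carries no NAT role itself, the ACL in the route-map is the single control point that decides which flows get translated; keeping that ACL tight is what prevents unintended traffic from being pulled through the loopback.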

Hello
Do they have the same licensing? As an interim, you may be able to use domain NAT (inside/outside) to accommodate your NAT, depending on what your requirements for NAT are. Can you elaborate please?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,
Yes, they both have the same licenses:
-----------------------------------------------------------------
Technology Technology-package Technology-package
           Current     Type        Next reboot
-----------------------------------------------------------------
appxk9     disable     None        disable
uck9       None        None        None
securityk9 securityk9  Permanent   securityk9
ipbase     ipbasek9    Permanent   ipbasek9

About domain NAT:
VLAN1 is used as INSIDE for the DEVelopment STAFF (192.168.1.254/24).
The PROD-VLAN is used as OUTSIDE for the servers (PRODUCTION Network) (192.168.2.254/24).
This router is also an L2TP VPN access server, on a 3rd interface connected to the Internet.
This VPN offers 10.0.1.0/24 addresses and routes for the 3 standard classes of private addresses.
This Virtual Interface is INSIDE.
The staff connected to this VPN can access the PRODuction network after a translation to the Vlan1 network. So, VLAN 1 becomes the outside interface.
In this scenario, I have:
DEV-TO-PROD access-list:
   permit 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
VPN-TO-DEV access-list:
   permit 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
IP ROUTES:
   ip route 0.0.0.0 0.0.0.0 192.168.2.253
My NAT lines:
   nat DEV-PROD-Acl   to Interface PROD-VLAN
   nat VPN-TO-DEV-Acl to Interface VLAN1

I can't simply use a translation of 10.0.1.0 to 192.168.2.0, because 10.0.1.0 addresses may be able to use 192.168.1.0 devices, and 192.168.1.0 and 192.168.2.0 don't have to know about the existence of the 10.0.1.0 network.

Hope this is not confusing

Regards

Hello


@sadavir.sampath wrote:

The staff connected to this VPN can access the PRODuction network after a translation on the Vlan1 Network. So, the VLAN 1 become the outside Interface.

10.0.1.0 addresses may be able to use 192.168.1.0 devices, nor 192.168.1.0 and 192.168.2.0 don't have to know existance of 10.0.1.0 network.


Are you saying you do not wish for production or vlan1 to be able to access VPN subnet, but VPN is  able to reach production?



Kind Regards
Paul

Hello,
>>Are you saying you do not wish for production or vlan1 to be able to access VPN subnet, but VPN is able to reach production?
Yes, that is.
Regards,
Sadavir