Showing results for 
Search instead for 
Did you mean: 

MPLS VPN Internet Access NAT



i'd like to enable internet access to a customers of a MPLS VPN. I'd like to know if the IP address of the link between CE (Customer) and PE (Service Provider) must be public or private. Many example use private address, but i don't know if it's true in the real word. Should i use public ip with NAT on CE?

Thanks a lot


Nagendra Kumar Nainar
Cisco Employee
Cisco Employee


It is not mandatory to have public IP between PE-CE for internet traffic. What is the address range (for user/LAN) in customer site. Is it public or private?.


If public, you dont need NAT. If privtae, you may need NAT. 

In the Attachment the topology. I'd like use private IP on LAN and i also wanto to provide internet access to ther user. So User/LAN use private address, and i want to nat them when they connect to the Internet.

Is correct this configuration?


fa0/0 (user-facing interface)

ip address

no shut

fa0/1 (PE-facing interface)

ip addres

no shut

ip nat source static      ( one user)




fa0/0 (ce-facing interface)

ip address

ip vrf forwarding GREEN


ip vrf GREEN GW-1 global

ip route fa0/0

router ospf 1

redistribute static


i had omitted some config

Thanks a lot



the only reason I can come up with to use public address is resolving the host name of the router when using traceroute or something similar. Otherwise, it is not necessary.

Based on your topology, using the subnet mask of 24 for you public IP is not correct.

As for Nat, some commands are missing. IP Nat inside and outside. And also it works when only one user is behind the router (only Nat works for

I hope it helps

Hi, i used the /24 in the public address only for example without care about wasting of IP address :)

to complete the NAT i used:

CE fa0/0 ip nat inside

CE fa0/1 ip nat outside


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: