VRF and IPSEC with overlapping subnets

rjhorsnell53121
Level 1

Hi,

I have a setup where we have a 4331 router which is running 2 client VRFs, and the internet-facing interface is in the global VRF, which both client VRFs will use for internet and VPN connectivity.

We have a situation where we need to configure a VPN on our 4331 from VRF-A to a client. The issue is that there is an overlap in networks and we need to hide the IP subnet behind VRF-A as something the client has available on their side. I have managed to do this with the below command and the VPN comes up; connectivity between the two sites works, with traffic initiated from both sides working. However, the subnet within VRF-A now no longer has internet access, as it just gets NAT'd to the statement below and dies when it goes outside. It then ignores the overload statement to use the public IP.

     ip nat inside source static network 172.16.1.0 10.10.10.0 /24 vrf VRF-A

There doesn't appear to be a way to add a route-map to the above to exclude unwanted traffic from the NAT rule, and when trying a NAT pool with the following, I lose the ability to enter the command "reversible" when I assign it to a VRF, and that stops client-initiated traffic if our side hasn't connected first.

     ip nat inside source route-map VRF-A-RMAP-NAT pool VRF-A-POOL vrf VRF-A

Does anyone know of a way to combat overlapping subnets when going over an IPSEC VPN using a VRF setup, and to specify exactly what will trigger the "ip nat inside source static network" command?

Many thanks,

Richard
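As an added illustration (not Richard's running configuration or a solution offered on this page), the policy-NAT form he quotes can be shown in full so that it is clear why internet-bound traffic escapes the translation: the route-map only matches VRF-A traffic whose destination is the client's subnet, so everything else falls through to a separate overload rule. The client's remote subnet (192.168.50.0/24), the interface name, and the ACL names are assumed placeholders; the 172.16.1.0/24 and 10.10.10.0/24 ranges, the pool name and the route-map name come from the post.

```cisco
! Constructed example, not the poster's configuration. Assumed values:
!   VRF-A real subnet        172.16.1.0/24    (from the post)
!   hidden/translated range  10.10.10.0/24    (from the post)
!   client's remote subnet   192.168.50.0/24  (assumed placeholder)
!   pool / route-map names   VRF-A-POOL / VRF-A-RMAP-NAT (from the post)
!   outside interface        GigabitEthernet0/0/0 (assumed)
!
! Match only VRF-A traffic destined for the client's subnet. Internet-bound
! traffic does not match this ACL and so is not translated by the pool rule.
ip access-list extended VRF-A-TO-CLIENT
 permit ip 172.16.1.0 0.0.0.255 192.168.50.0 0.0.0.255
!
route-map VRF-A-RMAP-NAT permit 10
 match ip address VRF-A-TO-CLIENT
!
! Pool covering the range the client expects to see
ip nat pool VRF-A-POOL 10.10.10.1 10.10.10.254 prefix-length 24
!
! Policy NAT for VPN-bound traffic only (the form quoted in the question)
ip nat inside source route-map VRF-A-RMAP-NAT pool VRF-A-POOL vrf VRF-A
!
! All other VRF-A traffic is overloaded onto the global outside interface.
! The VPN destination is denied here so the two rules never both match.
ip access-list extended VRF-A-INTERNET
 deny   ip 172.16.1.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit ip 172.16.1.0 0.0.0.255 any
ip nat inside source list VRF-A-INTERNET interface GigabitEthernet0/0/0 vrf VRF-A overload
```

Two caveats follow directly from the post. A pool translation is created dynamically when an inside host first sends traffic, so the 172.16.1.x to 10.10.10.x mapping is not fixed and, without `reversible`, a session initiated from the client side has no translation to match until our side has talked first, which is exactly the behaviour Richard reports. The static `network` form gives the fixed one-to-one mapping but, as he notes, carries no route-map to scope it, so it also captures internet-bound traffic.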

1 Reply

Hi Richard,

What is the VPN other end device?

Is the other end supporting route-based VPN/VTIs?

Spooster IT Services Team