Need help configuring NAT on ASR for internet using VRF's for IPSEC VPN's

TracyMcClain · ‎09-30-2014

I am working with an ASR 1006 that is used strictly for IPSEC VPN tunnels and am utilizing VRF's to segregate traffic to support instances where tunnels may be using the same IP scheme.

Occasionally, it would be beneficial to allow access to the internet for downloading drivers and such.

So far, all of the supporting documentation for internet access via VRF refers to MPLS connections.

Any help would be appreciated.

Here is how one of the tunnels is configured for TEST VRF.

vrf definition TEST
rd 22:22
!
address-family ipv4
exit-address-family
!

crypto keyring TEST
pre-shared-key address x.x.x.x key 6 Y`J`B]Q\YFOW\HW[BWCbOf_]QTWggK\ER
!

crypto isakmp profile TEST
vrf TEST
keyring TEST
match identity address x.x.x.x 255.255.255.255
!

crypto map OUTSIDE 5 ipsec-isakmp
set peer x.x.x.x
set transform-set ESP-AES-256-SHA
set isakmp-profile TEST
match address TEST

interface GigabitEthernet1/0/0
ip address #.#.#.# 255.255.255.224
negotiation auto
crypto map OUTSIDE
!

interface GigabitEthernet1/0/1.22
encapsulation dot1Q 22
vrf forwarding TEST
ip address 10.0.0.1 255.255.255.0
!

ip forward-protocol nd
!

ip route 0.0.0.0 0.0.0.0 #.#.#.#

ip route vrf TEST 192.168.0.0 255.255.255.0 #.#.#.# global

ip access-list standard VTY
permit any
!

ip access-list extended TEST
permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255

Harish Balakrishnan · ‎10-09-2014

Hello

You need to have a VRF nat and VRF default route to accomplish this

interface GigabitEthernet1/0/1.22

ip nat inside

interface GigabitEthernet1/0/0

ip nat outside

ip route vrf TEST 0.0.0.0 0.0.0.0 <XXXXX) global

ip nat inside source list <acl to allow the private pool> pool <pool to specify the public> vrf TEST

regards

Harish