Dear all,

I would like to get your feedback on an issue we have been facing on our ASR. We have been using our ASR to provide our clients with a dedicated VRF. Each VRF is granted internet access via a shared VRF Internet, where we do some sort of segmentation for bandwidth. We use VRF lite with a BGP routing protocol between VRF client and VRF Internet. It was not really necessary to use BGP, but our integrator told us that it could be useful at some point.

We have a pool of public IPs that we allocate to our clients, so basically, a client could access the internet via a shared public IP address, or we can allocate a specific public IP if needed. To achieve that, we use NAT rules with overload for shared access or some static NAT rules. Basically, each VRF client is an IP NAT inside and the VRF Internet is IP NAT outside.

Now, the problem we have is when a client is trying to reach a resource in another VRF that is NATed on a public IP. If we import / export the VRF, no problem, we can access the resource using the private IP address range. Now, if on the ASR we set a static NAT from one public IP to a private IP in the VRF, then if our client is trying to access this public IP, it is not working (although with the private IP it is). The public IP is not assigned to an interface, so it does not exist except via the static NAT rule.

The initial design was proposed by our integrator, but they have not been able to solve this issue. After some googling, we found the traditional solutions such as NAT on a stick, but I think it is not really a clean solution. I looked into the VASI interface as well, but I am not sure if this is the right solution. The NVI solution was working fine on IOS 15, but is not implemented on IOS XR.

Any thoughts or ideas on this would be really appreciated.

Thanks in advance,
Lionel