Had a hard time finding good documentation for this, but this is what I did in the lab for a NAT-PE:
*RTR-5#sh run | sec vasi* interface vasileft1 vrf forwarding V102 ip address 169.254.0.0 255.255.255.254 ip nat outside no keepalive interface vasiright1 vrf forwarding V101 ip address 169.254.0.1 255.255.255.254 no keepalive end ip route vrf V101 <PUBLIC> 255.255.255.255 vasiright1 169.254.0.0 ip route vrf V102 0.0.0.0 0.0.0.0 vasileft1 169.254.0.1 *RTR-5#sh run | sec ^ip nat* ip nat pool POOL1 <PUBLIC> <PUBLIC> netmask 255.255.255.255 ip nat inside source list V102-NAT pool POOL1 vrf V102 match-in-vrf overload *RTR-5#sh run int g0/0/1* interface GigabitEthernet0/0/1 description RTR-1(G2/47) mtu 9216 ip unnumbered Loopback0 no ip redirects ip nat inside ip ospf network point-to-point ip ospf ttl-security ip ospf 10 area 0 negotiation auto ipv6 enable no ipv6 redirects mpls ip ospfv3 network point-to-point ospfv3 10 ipv6 area 0 end *RTR-5#sh run int g0/0/2* interface GigabitEthernet0/0/2 description RTR-2(G2/47) mtu 9216 ip unnumbered Loopback0 no ip redirects ip nat inside ip ospf network point-to-point ip ospf ttl-security ip ospf 10 area 0 negotiation auto ipv6 enable no ipv6 redirects mpls ip ospfv3 network point-to-point ospfv3 10 ipv6 area 0 end Not entirely intuitive but this worked in the lab... Tim:> On Tue, Nov 1, 2016 at 3:53 PM Jason Lixfeld <ja...@lixfeld.ca> wrote: > Hi, > > I’m trying to find some documentation to help me understand if it’s > possible to integrate VASI (IOS XE) NAT between two MPLS VPNs. The > examples that I have seen so far seem to imply that a physical interface on > the left and right sides, each attached to separate VRFs are required, and > my attempts to do this on MPLS interfaces on the left and right sides > instead of VRF interfaces have so far been unsuccessful. My hope is that I > can use vasileft and vasiright to stitch together two VRFs, with vasileft > being ip nat inside and vasiright being ip nat outside. > > Has anyone seen any docs for deployments along these lines in their > travels whose links they might be able to share? > > Thanks in advance. > > Full disclosure - I am testing this in VIRL using CSR1000v nodes because > the physical hardware for this deployment will be IOS-XE ASR1002 boxes. I > am assuming the CSR1000v will be an appropriate virtual substitute. > _______________________________________________ > cisco-nsp mailing list cisco-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/