I have a router with an Internet connection in its global vrf, and a VLAN interface in vrf internal. The global vrf is running public addresses; the internal vrf uses RFC1918 addresses.
What I want to do is take traffic entering on the Internet connection, apply a NAT to it, then pass it to a server connected via the internal VLAN.
To achieve the NAT, I proposed setting up the internet connection with "ip nat outside" and the internal vrf interface with "ip nat inside".
Then, to ensure that the NAT-ed packet could get to the server on vrf internal, I wanted to avoid route leaking if I could, and so proposed using a routing statement in the global vrf:
ip route 10.0.0.0 255.0.0.0 10.1.1.1
i.e. to get to network 10/8, go via 10.1.1.1, which is a router, directly connected over the internal VLAN in which vrf internal operates.
Is that the right way to do this, or is there a better/simpler/more robust way of doing this?
Thanks for any help.
Your static NAT statement is missing the VRF:
ip nat inside source static 192.168.1.10 10.0.0.2 vrf Core
Just like the previously-discussed route statement, NAT assumes that you're working entirely within the global routing table unless you tell it otherwise.
There may be more to it than this, but give that a shot first.