Using "ip route 10.0.0.0 255.0.0.0 10.1.1.1" won't do what you need because the router will assume that your next hop is in the global routing table. If you need it to go to the VRF, you need to specify the VRF interface as part of the statement. Something like this:
ip route 10.0.0.0 255.0.0.0 Vlan1 10.1.1.1
Replace Vlan1 with whatever interface hosts your VRF. Similarly, your VRF will need a default route going out. This can be done the same way with:
ip route vrf VRF_LAN 0.0.0.0 0.0.0.0 GigabitEthernet0/0 x.x.x.x
Obviously, the VRF_LAN should be replaced with your internal VRF name, GigabitEthernet0/0 should be replaced with your Internet WAN interface and x.x.x.x should be replaced with your Internet next hop.
If you're getting DHCP/IPCP-assigned addresses from your ISP or are using BGP, then that second part might have to be done a little differently... but that's the basic idea.
Thanks for the suggestions, but I've misunderstood somewhere along the line.
I've modelled this in GNS 3, where I have the following:
R3 has address 192.168.1.2 on F0/1
R1 has 192.168.1.1 on F0/1 in the global VRF (NAT outside) and 10.0.0.1 on F0/0 in VRF Core (NAT inside)
R2 has address 10.0.0.2 on F0/0
R2 and 3 have just the bare bones: an interface address
R1 has the following in its config
!
interface FastEthernet0/0
 ip vrf forwarding Core
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 10.0.0.0 255.0.0.0 FastEthernet0/0 10.0.0.1
ip route vrf Core 0.0.0.0 0.0.0.0 FastEthernet0/0 192.168.1.1
no ip http server
no ip http secure-server
!
!
ip nat inside source static 192.168.1.10 10.0.0.2
!
I try pinging from R3 to R2 ("ping 192.168.1.10" which should xlate to 10.0.0.2) but get nothing back. If I look at Nat trans, I get
R1#show ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 10.0.0.2           192.168.1.10       ---                ---
R1#
Well, that makes a lot of sense, so I spent a couple of hours on it last night and it's got me a bit further. If I ping 192.168.1.10 from R3 now, I don't get any reply, but I get some translations occurring:
R1#show ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.1.10:7    10.0.0.2:7         192.168.1.1:7      192.168.1.1:7
--- 192.168.1.10       10.0.0.2           ---                ---
R1#
so that's a bonus :)
I changed the NAT statement as you suggested, but I also changed the routing statements to:
ip route 10.0.0.0 255.0.0.0 FastEthernet0/0
ip route vrf Core 192.168.1.0 255.255.255.0 FastEthernet0/1 192.168.1.1
so "sho ip ro" gives an output like this:
R1#sho ip ro
Gateway of last resort is not set
S    10.0.0.0/8 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/1
R1#sho ip ro vrf Core
Gateway of last resort is not set
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, FastEthernet0/0
S    192.168.1.0/24 [1/0] via 192.168.1.1, FastEthernet0/1
I've attached the configurations, they are pretty basic, I've been doing this as a Proof of Concept on GNS3.
I'll work on this over the weekend, I have a feeling I'm close, but if you have any further thoughts, I'm listening!
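Added example, not part of the original posts: IOS reads "ip nat inside source static" as inside local address first, inside global second, and the first "show ip nat trans" output in the thread lists 10.0.0.2 as Inside global. The Python check below reads the interface and static NAT lines of the posted R1 config and reports a static entry whose first address is not on the subnet of an "ip nat inside" interface. The function names are hypothetical and the config string is copied from the thread.

```python
# Added example; function names are hypothetical, not from the thread.
import ipaddress
import re

# R1 interface and static NAT lines, copied from the config posted in the thread.
R1_CONFIG = """\
interface FastEthernet0/0
 ip vrf forwarding Core
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address 192.168.1.2 255.255.255.0
 ip nat outside
ip nat inside source static 192.168.1.10 10.0.0.2
"""
IP = r"(\d+\.\d+\.\d+\.\d+)"

def parse_interfaces(config):
    """Map interface name -> {"net": IPv4Network or None, "nat": "inside"/"outside"/None}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = interfaces.setdefault(m.group(1), {"net": None, "nat": None})
        elif current is not None and line.startswith(" "):
            if m := re.match(rf" +ip address {IP} {IP}$", line):
                current["net"] = ipaddress.ip_interface("/".join(m.groups())).network
            elif m := re.match(r" +ip nat (inside|outside)$", line):
                current["nat"] = m.group(1)
        else:
            current = None  # back at global config level
    return interfaces

def nat_side(address, interfaces):
    """NAT role of the interface whose subnet contains address, else None."""
    ip = ipaddress.ip_address(address)
    for intf in interfaces.values():
        if intf["net"] is not None and ip in intf["net"]:
            return intf["nat"]
    return None

def check_static_nat(config):
    """Report static entries whose first (inside local) address is not behind an inside interface."""
    interfaces = parse_interfaces(config)
    findings = []
    for local, global_ in re.findall(rf"^ip nat inside source static {IP} {IP}", config, re.M):
        if nat_side(local, interfaces) != "inside":
            swapped = nat_side(global_, interfaces) == "inside"
            findings.append((local, global_, "swapped" if swapped else "local not on an inside subnet"))
    return findings
```

Running check_static_nat(R1_CONFIG) flags the posted statement as swapped; with the two addresses in the other order it returns no findings.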