
ip nat enable + default route for VRF

johnelliot
Level 1

I have a test vrf setup, and am attempting to provide Internet access into it.

Ref: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_14/gtnatvi.htm

I've enabled NAT on the interface that has Internet connectivity:

!
interface FastEthernet0/0.22
 description NAT INT for VRF TEST
 encapsulation dot1Q 22
 ip vrf forwarding TEST10
 ip address 203.149.77.38 255.255.255.252
 ip nat enable
 no snmp trap link-status
!

Created a NAT pool:

ip nat pool NAT 203.149.77.45 203.149.77.46 netmask 255.255.255.252 add-route
ip nat source list 1 pool NAT vrf TEST10 overload

ACL for the CEs within vrf TEST10:

access-list 1 permit 10.0.0.0 log
access-list 1 permit 192.168.1.0 0.0.0.255 log

And then tried to add a default route for vrf TEST10 via interface FastEthernet0/0.22, but am denied:

#ip route vrf TEST10 0.0.0.0 0.0.0.0 fastEthernet 0/0.22
% For VPN routes, must specify a next hop IP address if not a point-to-point interface

I've tried adding the other side of the NAT interface's /30 (203.149.77.37), but CEs attached to vrf TEST10 cannot get to the Internet.

Any suggestions are greatly appreciated.

Regards,

MB

19 Replies

pkhatri
Level 11

Hi,

I would try something like this:

! you need to create the VRF on the NAT-PE router
ip vrf TEST10
 rd ...
 route-target import ....
 route-target export ....
!
ip nat pool NAT 203.149.77.45 203.149.77.46 netmask 255.255.255.252
! static route for the /30 that holds the pool (the network address is .44, not .45)
! so it can be redistributed and replies for the pool come back to this PE
ip route 203.149.77.44 255.255.255.252 null0
!
ip route vrf TEST10 0.0.0.0 0.0.0.0 fast0/0.22 203.149.77.37 global
!
interface fast0/0.22
 ! since this interface belongs to the global routing table, do not place it in a VRF
 encapsulation dot1Q 22
 ip address 203.149.77.38 255.255.255.252
 no snmp trap link-status
 ip nat outside
!
router bgp
 address-family ipv4 vrf TEST10
  redistribute static
  default-information originate
!
! do the following on each of your links to other Ps and PEs
interface
 ip nat inside
!
ip nat inside source list 1 pool NAT vrf TEST10 overload
!
! "permit 10.0.0.0" with no wildcard matches only the host 10.0.0.0;
! the 0.255.255.255 wildcard below assumes the whole 10.0.0.0/8 used in the VRF is meant
access-list 1 permit 10.0.0.0 0.255.255.255 log
access-list 1 permit 192.168.1.0 0.0.0.255 log

Hope that helps - pls rate the post if it does.

Paresh

Thanks for the response - Any reason not to use "ip nat enable"?

This PE has two FE feeds. One connects to the rest of the network and runs MPLS (so I'm reluctant to enable NAT on this interface); the other runs dot1q and was to be used exclusively for Internet access for VRFs (each VRF being assigned its own dot1q int to allow for easier accounting of Internet traffic used). Hence the reason I wanted to just use "ip nat enable" on the dot1q ints, and then assign them to VRFs for Internet access.

Is the above do-able?

I just prefer to use 'ip nat [inside|outside]' - old habits die hard! But I believe that you could use either.

What you are after is certainly do-able. Take my config and instead of configuring 'ip nat inside' on the MPLS interfaces, configure it on the dot1q interfaces...

Hope that helps - pls rate the post if it does.

Paresh

Thanks - So I'm guessing I would need to enable "ip nat outside" on the other side (i.e. another router) of the dot1q /30? Pretty sure the IOS on that router doesn't support NAT (Service Provider).

Not really. You would configure 'ip nat outside' on the interface to the Internet on the same router (in my config, I had it on fast0/0.22)

Hope that helps - pls rate the post if it does.

Paresh

Ok - This is what I currently have:

!
interface FastEthernet0/0.22
 description NAT INT for VRF TEST to ERT02-BNE
 encapsulation dot1Q 22
 ip address 203.149.77.38 255.255.255.252
 ip nat outside    <-- Also tried "ip nat inside"
 no snmp trap link-status
!
ip route 203.149.77.44 255.255.255.252 Null0
ip route vrf TEST10 0.0.0.0 0.0.0.0 FastEthernet0/0.22 203.149.77.37 global
ip nat pool NAT 203.149.77.45 203.149.77.46 netmask 255.255.255.252
ip nat source list 1 pool NAT vrf TEST10 overload
access-list 1 permit 10.0.0.0 log
access-list 1 permit 192.168.1.0 0.0.0.255 log

Attempting to get (trace/ping) to any address not within vrf TEST10 (from a device in vrf TEST10) results in a timeout at the 203.149.77.38 router.

Tracing with a source IP of 203.149.77.38 to an Internet address is successful.

#sh ip route vrf TEST10

Routing Table: TEST10
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 203.149.77.37 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C       10.0.0.2/32 is directly connected, Virtual-Access7
B       10.0.3.0/24 [200/0] via 203.149.76.248, 3w0d
C       10.0.0.0/24 is directly connected, Loopback10
B       10.0.6.0/24 [200/0] via 203.149.76.250, 1w5d
B       10.0.7.0/24 [200/0] via 203.149.76.247, 1w4d
B       10.0.5.0/24 [200/0] via 203.149.76.249, 3w6d
U    192.168.1.0/24 [1/0] via 10.0.0.2
S*   0.0.0.0/0 [1/0] via 203.149.77.37, FastEthernet0/0.22
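The point that the "ip nat enable" exchange above (Paresh: "you could use either") and the config in this post both turn on is that IOS has two separate NAT configuration styles, and a rule written in one does not act on interfaces marked in the other. A rule of the form `ip nat inside source ...` only translates traffic between interfaces marked `ip nat inside` and `ip nat outside`; a rule of the form `ip nat source ...` with no `inside` keyword is the NAT Virtual Interface (NVI) style from the document linked in the first post, and it only acts on interfaces marked `ip nat enable`. The config in this post pairs `ip nat outside` with `ip nat source list ...`, which is one of each. Also, `access-list 1 permit 10.0.0.0` with no wildcard matches only the single host 10.0.0.0, so traffic from 10.0.0.2 never matches it. Below is an added example, not a config from the thread, showing the same setup written consistently in each style. The VRF name, addresses and pool are the thread's own; the 0.255.255.255 wildcard (assuming the whole 10.0.0.0/8 is meant) and the Virtual-Template1 lines are assumptions.

```ios
! ===== Style 1: classic inside/outside NAT (what Paresh's reply uses) =====
! Internet-facing subinterface stays in the global table and is the NAT "outside"
interface FastEthernet0/0.22
 description NAT INT for VRF TEST to ERT02-BNE
 encapsulation dot1Q 22
 ip address 203.149.77.38 255.255.255.252
 ip nat outside
!
! L2TP subscribers are cloned from this template and put into VRF TEST10 by RADIUS.
! Marking the template "inside" is inherited by Virtual-Access interfaces cloned
! after the line is added; existing sessions must reconnect to pick it up.
interface Virtual-Template1
 description L2TP-1 Termination
 ip unnumbered Loopback1
 ip nat inside
 ppp authentication chap callin
!
! Pool lives in 203.149.77.44/30. The Null0 route is for the NETWORK address (.44)
! so the /30 can be advertised upstream and replies for the pool land on this router.
ip nat pool NAT 203.149.77.45 203.149.77.46 netmask 255.255.255.252
ip route 203.149.77.44 255.255.255.252 Null0
!
! Classic-style rule: "inside source", scoped to VRF TEST10, PAT (overload) on the pool.
! This is the form that goes with ip nat inside/outside.
ip nat inside source list 1 pool NAT vrf TEST10 overload
!
! Default route inside the VRF; "global" resolves the next hop in the global table,
! which is where FastEthernet0/0.22 lives
ip route vrf TEST10 0.0.0.0 0.0.0.0 FastEthernet0/0.22 203.149.77.37 global
!
! Classifier ACL. Assumption: the 10.0.0.0/8 range seen in "show ip route vrf TEST10"
! is what should be translated. "log" is dropped: a NAT classifier should not log
! every packet it matches.
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 192.168.1.0 0.0.0.255

! ===== Style 2: NAT Virtual Interface (NVI), what the first post set out to use =====
! No inside/outside: BOTH the subscriber template and the Internet subinterface get
! "ip nat enable", and the rule has no "inside" keyword. The subinterface can stay in
! the global table as above; if it is placed in the VRF instead (as in the first post),
! the VRF default route then points at 203.149.77.37 without the "global" keyword.
interface FastEthernet0/0.22
 encapsulation dot1Q 22
 ip address 203.149.77.38 255.255.255.252
 ip nat enable
!
interface Virtual-Template1
 ip unnumbered Loopback1
 ip nat enable
!
! "add-route" is the NVI way to get a route for the pool installed (replaces the Null0 route)
ip nat pool NAT 203.149.77.45 203.149.77.46 netmask 255.255.255.252 add-route
ip nat source list 1 pool NAT vrf TEST10 overload
ip route vrf TEST10 0.0.0.0 0.0.0.0 FastEthernet0/0.22 203.149.77.37 global
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 192.168.1.0 0.0.0.255
```

Pick one style and apply it to every interface that carries the VRF's traffic; a router can run both styles, but only on different interfaces, never on the same flow.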

John,

Which of your interfaces goes to the Internet?

Paresh

interface FastEthernet0/0.22 has Internet Access.

Then that interface should be configured as the outside NAT interface.

Another Q: which interface belongs to the TEST10 VRF ? That interface should be configured as the inside NAT interface.

Paresh

Ahh - There's my problem - the TEST10 vrf is all DSL services (L2TP VPDNs) being placed into vrf TEST10 via a RADIUS reply attribute... so they are all virtual-access ints dynamically created once they authenticate.

Ok.. so make sure that you have 'ip nat inside' configured on the virtual-template and this should work.

Paresh

Thanks for the assistance thus far Paresh - greatly appreciated... I had already tried that... unfortunately still no joy:

interface FastEthernet0/0.22
 description NAT INT for VRF TEST to ERT02-BNE
 encapsulation dot1Q 22
 ip address 203.149.77.38 255.255.255.252
 ip nat outside
 no ip virtual-reassembly
 no snmp trap link-status
!
interface Virtual-Template1
 description L2TP-1 Termination
 ip unnumbered Loopback1
 ip nat inside
 ip virtual-reassembly
 qos pre-classify
 ppp authentication chap callin
!
ip route vrf TEST10 0.0.0.0 0.0.0.0 FastEthernet0/0.22 203.149.77.37 global
ip nat pool NAT 203.149.77.45 203.149.77.46 netmask 255.255.255.252
ip nat source list 1 pool NAT vrf TEST10 overload
access-list 1 permit 10.0.0.0 log
access-list 1 permit 192.168.1.0 0.0.0.255 log

Rebooted the test DSL router, but it still cannot get beyond the vrf.

If I do a:

#sh ip nat translations vrf TEST10

or

#sh ip nat translations

Should I be seeing something? At the moment there is nothing.
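With a working dynamic NAT you would see an entry per flow in the translation table, so an empty table is itself the symptom. The checks below are an added example of how to narrow it down on the router, not commands from the thread; the interface and VRF names are the thread's own. Each style of NAT keeps its own counters and tables, so the command that is empty tells you which style the router thinks it is running.

```ios
! Classic (ip nat inside/outside) counters and domain membership.
! "Inside interfaces" must list the Virtual-Access interfaces (cloned from the
! template) and "Outside interfaces" must list FastEthernet0/0.22. Hits and Misses
! both stuck at 0 means no packet ever entered NAT processing: the interfaces are
! not in a NAT domain, or the rule is written in the other style. Misses climbing
! while no translation appears points at the classifier ACL or the pool.
show ip nat statistics
show ip nat translations vrf TEST10
!
! NVI (ip nat enable / "ip nat source" rule) keeps separate tables; the two commands
! above show nothing for it even when it is working.
show ip nat nvi statistics
show ip nat nvi translations
!
! Confirm the VRF really forwards the default out the global-table subinterface,
! as the "global" keyword on the static route intends
show ip cef vrf TEST10 0.0.0.0 0.0.0.0
show ip route vrf TEST10 0.0.0.0
!
! Last resort, on a lab box only: per-packet NAT decisions, including ACL misses
debug ip nat detailed
undebug all
```

Read the two statistics outputs side by side: the style whose interface lists are empty is the one the router is not applying, and that is the style the current rule is written in.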

What source address are you pinging from ?

Paresh

Directly from the ADSL router that is assigned 10.0.0.2 (WAN). I have also tried pinging with a source IP of 192.168.1.1 (ADSL router LAN IP).