Cisco Support Community

Need help configuring NAT on ASR for internet using VRFs for IPsec VPNs

I am working with an ASR 1006 that is used strictly for IPsec VPN tunnels and am utilizing VRFs to segregate traffic to support instances where tunnels may be using the same IP scheme.

Occasionally, it would be beneficial to allow access to the internet for downloading drivers and such.

So far, all of the supporting documentation for internet access via VRF refers to MPLS connections.


Any help would be appreciated.


Here is how one of the tunnels is configured for TEST VRF.


vrf definition TEST
 rd 22:22
 address-family ipv4


crypto keyring TEST
  pre-shared-key address x.x.x.x key 6 Y`J`B]Q\YFOW\HW[BWCbOf_]QTWggK\ER

crypto isakmp profile TEST
   vrf TEST
   keyring TEST
   match identity address x.x.x.x

crypto map OUTSIDE 5 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP-AES-256-SHA
 set isakmp-profile TEST
 match address TEST


interface GigabitEthernet1/0/0
 ip address #.#.#.#
 negotiation auto
 crypto map OUTSIDE

interface GigabitEthernet1/0/1.22
 encapsulation dot1Q 22
 vrf forwarding TEST
 ip address

ip forward-protocol nd

ip route #.#.#.#

ip route vrf TEST #.#.#.# global

ip access-list standard VTY
 permit any

ip access-list extended TEST
 permit ip







Hello

You need to have a VRF NAT and a VRF default route to accomplish this:

interface GigabitEthernet1/0/1.22
 ip nat inside

interface GigabitEthernet1/0/0
 ip nat outside

ip route vrf TEST <XXXXX> global

ip nat inside source list <acl to allow the private pool> pool <pool to specify the public> vrf TEST
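
A filled-in version of the steps in the reply above, added here as an example and not taken from the original posts. All addresses and the names NAT-TEST and TEST-POOL are constructed placeholders, and `overload` (PAT) is an assumption; the deny entry keeps tunnel-bound traffic out of NAT so it still matches the crypto map ACL.

```ios
! Constructed example. Addresses are documentation / RFC 1918 placeholders.
!  10.22.0.0/24  = hosts behind Gi1/0/1.22 in VRF TEST (assumed)
!  10.99.0.0/24  = remote subnet reached through the TEST tunnel (assumed)
!  203.0.113.10  = public address reserved for this VRF's translations (assumed)
!  192.0.2.1     = upstream next hop in the global table (assumed)
!
ip access-list extended NAT-TEST
 remark tunnel traffic must reach the crypto map untranslated
 deny   ip 10.22.0.0 0.0.0.255 10.99.0.0 0.0.0.255
 remark translate only this VRF's own subnet, never "any"
 permit ip 10.22.0.0 0.0.0.255 any
!
ip nat pool TEST-POOL 203.0.113.10 203.0.113.10 prefix-length 24
!
interface GigabitEthernet1/0/1.22
 ip nat inside
!
interface GigabitEthernet1/0/0
 ip nat outside
!
! "vrf TEST" ties the translations to that VRF, so overlapping
! inside addresses in other VRFs stay distinct.
ip nat inside source list NAT-TEST pool TEST-POOL vrf TEST overload
!
! Default route for the VRF, resolved in the global table.
ip route vrf TEST 0.0.0.0 0.0.0.0 192.0.2.1 global
!
! Verify:
!  show ip nat translations vrf TEST
!  show ip route vrf TEST
```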



