Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Need help configuring NAT on ASR for internet using VRF's for IPSEC VPN's

I am working with an ASR 1006 that is used strictly for IPSEC VPN tunnels and am utilizing VRF's to segregate traffic to support instances where tunnels may be using the same IP scheme.

Occasionally, it would be beneficial to allow access to the internet for downloading drivers and such.

So far, all of the supporting documentation for internet access via VRF refers to MPLS connections.

 

Any help would be appreciated.

 

Here is how one of the tunnels is configured for TEST VRF.

 

vrf definition TEST
 rd 22:22
 !
 address-family ipv4
 exit-address-family
!

 

crypto keyring TEST
  pre-shared-key address x.x.x.x key 6 Y`J`B]Q\YFOW\HW[BWCbOf_]QTWggK\ER
!

crypto isakmp profile TEST
   vrf TEST
   keyring TEST
   match identity address x.x.x.x 255.255.255.255
!

crypto map OUTSIDE 5 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP-AES-256-SHA
 set isakmp-profile TEST
 match address TEST

 

interface GigabitEthernet1/0/0
 ip address #.#.#.# 255.255.255.224
 negotiation auto
 crypto map OUTSIDE
!

interface GigabitEthernet1/0/1.22
 encapsulation dot1Q 22
 vrf forwarding TEST
 ip address 10.0.0.1 255.255.255.0
!

ip forward-protocol nd
!

ip route 0.0.0.0 0.0.0.0 #.#.#.#

ip route vrf TEST 192.168.0.0 255.255.255.0 #.#.#.# global

ip access-list standard VTY
 permit any
!

ip access-list extended TEST
 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255

 

 

 

 

 

1 REPLY

Hello You need to have a VRF

Hello

 

You need to have a VRF nat and VRF default route to accomplish this

interface GigabitEthernet1/0/1.22

ip nat inside

interface GigabitEthernet1/0/0

ip nat outside

ip route vrf TEST 0.0.0.0 0.0.0.0 <XXXXX) global

ip nat inside source list <acl to allow the private pool>  pool <pool to specify the public> vrf  TEST

 

regards

Harish

253
Views
0
Helpful
1
Replies
CreatePlease to create content