Cisco Support Community

I cannot get NAT working between an inside and outside interface that are part of the same VRF. I cannot use a NAT pool because I am using a DSL modem that only allows one public IP address. The outside interface is ethernet, and the inside interface is a tunnel. Here is my configuration:

ip vrf PUBLIC

ip inspect log drop-pkt
ip inspect name LOCALFW tcp
ip inspect name LOCALFW udp

interface Tunnel0
ip vrf forwarding PUBLIC
ip address
ip nat inside
no ip virtual-reassembly
tunnel source Loopback0
tunnel destination
interface FastEthernet0/0
ip vrf forwarding PUBLIC
ip address
ip nat outside
ip inspect LOCALFW in
no ip virtual-reassembly
duplex auto
speed auto

ip route vrf PUBLIC
ip route vrf PUBLIC

access-list 10 permit log
ip nat source list 10 interface FastEthernet0/0 vrf PUBLIC overload
access-list 10 permit log

#sho ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
Inside interfaces:
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Outside Destination
[Id: 5] access-list 10 interface FastEthernet0/0 refcount 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

Does anyone have any ideas why NAT is not working?

Thanks for your help.

Bill Anderson

Technical Services Group
Supporting the Department of Economic Development
Information Technology Services Division
State of MO Office of Administration


Re: VRF Aware NAT

Do you have an RD (route-distinguisher) for your PUBLIC vrf?  I don’t notice it in your config.  If not you should have one.

I know this sounds like witchcraft but I’ve run across some IOS revisions where a standard ACL won’t work for VRF aware NAT.  Try using an extended ACL; for example:

Access-list 100 permit ip any

If that doesn’t work try a route-map that references the extended ACL. I know this sounds odd but I’ve run into different IOS revisions where this approach is necessary.

Christopher Gatlin


Re: VRF Aware NAT

Also enable ip virtual-reassembly on the affected interfaces as it seems NAT may require this for interfaces with VRF membership.
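
The suggestions from the replies above, combined into one configuration sketch. This is an added example, not a configuration posted by anyone in the thread and not tested against the original router. The RD value, all IP addresses, and the names NAT-SRC and NAT-MAP are constructed placeholders; it uses the `ip nat inside source` form of the NAT statement, which pairs with the `ip nat inside` / `ip nat outside` interface commands.

```cisco
! Added example: every address, the RD and the ACL/route-map names are
! placeholders. Tunnel source/destination and the VRF routes are unchanged
! from the original post and are not repeated here.
!
! 1. Give the VRF a route distinguisher.
ip vrf PUBLIC
 rd 65000:1
!
! 2. Re-enable virtual reassembly on both NAT interfaces.
interface Tunnel0
 ip vrf forwarding PUBLIC
 ip address 10.1.1.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 ip vrf forwarding PUBLIC
 ip address 192.0.2.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
! 3. Match inside sources with an extended ACL instead of standard ACL 10.
!    10.1.0.0/16 stands in for the real inside networks behind the tunnel.
ip access-list extended NAT-SRC
 permit ip 10.1.0.0 0.0.255.255 any
!
! 4. Reference the extended ACL from a route-map.
route-map NAT-MAP permit 10
 match ip address NAT-SRC
!
! 5. Replace the list-based NAT statement with a route-map based one,
!    still overloading on the single public address of FastEthernet0/0.
no ip nat source list 10 interface FastEthernet0/0 vrf PUBLIC overload
ip nat inside source route-map NAT-MAP interface FastEthernet0/0 vrf PUBLIC overload
```

After sending traffic from the inside network, `show ip nat translations vrf PUBLIC` and the Hits counter in `show ip nat statistics` show whether packets are now being translated.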