VRF-aware NAT And Port Forwarding

From Baranoski.ca

As I mentioned in DMVPN With Internet In A Separate VRF, I'm a fan of keeping Internet traffic in a VRF. What happens if you're using the router as a firewall and need to do some NATs?

Many-To-One NAT

Here is the general many-to-one NAT (PAT) that lets all inside hosts share the WAN IP of the router in the INTERNET VRF. Note that you can name the interface rather than its address here, but you still have to specify the VRF explicitly; IOS will not implicitly work out which VRF to use from the interface you specified.

ip nat inside source list NAT_TO_EXTERNAL interface GigabitEthernet0/1.10 vrf INTERNET overload

Port Forwarding In A VRF

If you need to forward ports, the syntax is slightly different. You cannot name the interface here; you have to specify the WAN IP itself so that the translation is tied to the corresponding VRF.

ip nat inside source static tcp 192.168.1.12 21 192.0.2.1 2112 vrf INTERNET
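For context, here is the surrounding configuration those two NAT lines depend on, written as an added example rather than taken from the original page. It assumes the LAN sits in the global table, the WAN subinterface sits in VRF INTERNET, and the VRF name, interface names, addresses, RD and ACL contents are all placeholders.

```cisco
! Added example, not from the original page. Interface names, addresses,
! RD and ACL membership are assumptions used to show the two NAT statements in context.
ip vrf INTERNET
 rd 65000:1
!
! WAN subinterface lives in the INTERNET VRF and is the NAT outside side
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding INTERNET
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
!
! LAN interface stays in the global table and is the NAT inside side
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Only the inside subnet is eligible for translation; anything else is dropped
! rather than silently leaking out through the INTERNET VRF
ip access-list standard NAT_TO_EXTERNAL
 permit 192.168.1.0 0.0.0.255
!
! Many-to-one (PAT): the interface name is accepted, but the VRF must still be named
ip nat inside source list NAT_TO_EXTERNAL interface GigabitEthernet0/1.10 vrf INTERNET overload
!
! Static port forward: the WAN address must be given explicitly, not the interface
ip nat inside source static tcp 192.168.1.12 21 192.0.2.1 2112 vrf INTERNET
```

To confirm which translations are actually being built in that VRF, `show ip nat translations vrf INTERNET` lists only the entries belonging to it, which is a quick way to spot a translation landing in the wrong table.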