[c-nsp] Cisco ASR 1000 and Hairpinning issue

Lionel THAI lionel.thai at gmail.com
Mon May 6 10:12:18 EDT 2013


Dear all,

I would like to get your feedback on an issue we have been facing on our
ASR. We have been using our ASR to provide our clients with a dedicated
VRF. Each VRF is granted internet access via a shared VRF Internet where
we do some sort of segmentation for bandwidth. We use VRF lite with a BGP
routing protocol between VRF client and VRF Internet. It was not really
necessary to use BGP but our integrator told us that it could be useful at
some point.

We have a pool of public IPs that we allocate to our clients, so basically,
a client could access the internet via a shared public IP address or we can
allocate a specific public IP if needed. To achieve that, we use NAT rules
with overload for shared access or some static NAT rules. Each VRF client
is an IP NAT inside and the VRF Internet is IP NAT outside, basically.

Now, the problem we have is when a client is trying to reach a resource in
another VRF that is NATed on a public IP. If we import / export the VRF, no
problem, we can access the resource using the private IP address range.
Now, if on the ASR, we set a NAT static from one public IP to a private IP
in the VRF, then if our client is trying to access this public IP, it is
not working (although with the private IP it is). The public IP is not
assigned to an interface, so it is not existing except via the static NAT
rule.

The initial design was proposed by our integrator but they have not been
able to solve this issue.
After some googling, we found the traditional solution such as NAT on
stick, but I think it is not really a clean solution. I looked into the
VASI interface as well, but I am not sure if this is the right solution.
The NVI solution was working fine on IOS 15, but is not implemented on IOS
XR.

Any thoughts or ideas on this would be really appreciated.

Thanks in advance,

Lionel

