VRF-aware NAT And Port Forwarding
As I mentioned in DMVPN With Internet In A Separate VRF, I'm a fan of keeping Internet traffic in a VRF. What happens if you're using the router as a firewall and need to do some NATs?
Here is the general overload NAT rule that lets all inside hosts use the WAN IP of the router in the INTERNET VRF. Note that you can use the interface name here, but you still need to specify the VRF; the router won't infer which VRF to use from the specified interface.
ip nat inside source list NAT_TO_EXTERNAL interface GigabitEthernet0/1.10 vrf INTERNET overload
It seems that Cisco changed this behavior at some point. Now the VRF specified needs to be the internal VRF, not the external one:
ip nat inside source list NAT_TO_EXTERNAL interface GigabitEthernet0/1.10 vrf INTERNAL overload
Port Forwarding In A VRF
If you need to forward ports, the syntax is slightly different. You cannot specify the interface here. You have to specify the WAN IP in order to get the corresponding VRF.
ip nat inside source static tcp 192.168.1.12 21 192.0.2.1 2112 vrf INTERNET
Same as above: the internal VRF needs to be specified.
ip nat inside source static tcp 192.168.1.12 21 192.0.2.1 2112 vrf INTERNAL
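Since the vrf keyword has to name the internal VRF on newer releases, it is worth checking existing configs for rules written the old way. The script below is an added example, not part of the original post: it flags "ip nat inside source" rules whose vrf keyword names a VRF with no "ip nat inside" interface, and lists the static port forwards. The sample config, including the inside interface GigabitEthernet0/0, is constructed for illustration.

```python
import re

# Constructed sample (not from the post); inside interface Gi0/0 is an assumption.
SAMPLE = """\
interface GigabitEthernet0/1.10
 vrf forwarding INTERNET
 ip nat outside
interface GigabitEthernet0/0
 vrf forwarding INTERNAL
 ip nat inside
ip nat inside source list NAT_TO_EXTERNAL interface GigabitEthernet0/1.10 vrf INTERNET overload
ip nat inside source static tcp 192.168.1.12 21 192.0.2.1 2112 vrf INTERNAL
"""
STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")

def vrf_roles(config):
    """Map VRF name (None = global table) to the NAT roles of its interfaces."""
    blocks, cur = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = {"vrf": None, "roles": set()}
            blocks.append(cur)
        elif not line.startswith(" "):
            cur = None  # left the interface block
        elif cur is not None:
            if m := re.match(r" (?:ip )?vrf forwarding (\S+)", line):
                cur["vrf"] = m.group(1)
            elif m := re.match(r" ip nat (inside|outside)\s*$", line):
                cur["roles"].add(m.group(1))
    roles = {}
    for b in blocks:
        roles.setdefault(b["vrf"], set()).update(b["roles"])
    return roles

def audit_nat(config):
    """Return (findings, forwards) for the 'ip nat inside source' rules."""
    roles, findings, forwards = vrf_roles(config), [], []
    rules = [l for l in config.splitlines() if l.startswith("ip nat inside source ")]
    for line in rules:
        m = re.search(r" vrf (\S+)", line)
        vrf = m.group(1) if m else None
        if "inside" not in roles.get(vrf, set()):
            findings.append((vrf, line))  # vrf keyword names a non-inside VRF
        if s := STATIC_RE.match(line):
            forwards.append((*s.groups(), vrf))  # proto, in IP/port, out IP/port, vrf
    return findings, forwards

if __name__ == "__main__":
    print(audit_nat(SAMPLE))
```

On the sample, the overload rule that still names INTERNET is flagged, while the port forward that names INTERNAL passes and is listed as an exposed service (FTP on 192.168.1.12 reachable at 192.0.2.1:2112).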