NAT + route-map

Unanswered Question
Mar 28th, 2008

Hi All


I wonder if someone can help me with a NAT problem.

It seems to be a relatively simple setup, but I can't get it to work properly.


I've set up a simple lab as follows:


laptop1<-->fe0/1-router-fe0/0<-->laptop2


laptop1-eth1 = 1.1.1.100

laptop1-eth1:1 = 10.1.1.100

fe0/1 = 1.1.1.1

fe0/1 = 10.1.1.1 (secondary)

fe0/0 = 2.2.2.1

laptop2 = 2.2.2.100



Now, when laptop2 pings 1.1.1.100, I want the router to NAT the source into something (say 200.0.0.0/24).

But I *don't* want it to NAT when pinging 10.1.1.100.


So I figure I need a NAT rule with a route-map/access-list. Here is my config:



----------config-------------
int fa0/0
 ip nat inside
!
int fa0/1
 ip nat outside
!
ip nat inside source static network 2.2.2.0 200.0.0.0 /24 route-map nat
!
access-list 101 permit ip any 1.1.1.0 0.0.0.255
!
route-map nat permit 10
 match ip address 101
 set ip next-hop 1.1.1.100
----------/config-------------



The thing is, the route-map seems to match ("debug ip nat detail" gives: "NAT: map match nat"), but the actual NAT'ing does not take place
(there are no translations, and tcpdump on laptop1 shows the original source IP address).


Have I missed something here?


TIA

thotsaphon Fri, 03/28/2008 - 02:44

Hi Matthew,

Do you want to use route-map commands to do NAT operations?

I would not use a set ip next-hop command in this case.

For testing


ip nat inside source static network 2.2.2.0 200.0.0.0 /24 route-map nat
!
access-list 101 permit ip any 1.1.1.0 0.0.0.255
!
route-map nat permit 10
 match ip address 101


Let us know how things work out.

Thot



mattbauer Fri, 03/28/2008 - 03:13

Hi Thot

Actually, I've tried not using the set ip next-hop as well. It doesn't seem to have any effect either way.


If I don't use the route-map at all, the NAT works fine (for all packets), but putting in this simple route-map/access-list seems to kill the NAT altogether.

mattbauer Fri, 03/28/2008 - 03:32

Just to add some more info...

A "sho ip access-lists" shows that my access list is being matched.

But a "show route-map" says:

"Policy routing matches: 0 packets, 0 bytes"

On the other hand, a "debug ip nat detail" says:

"NAT: map match nat" for every packet that is sent.


...but the final result is still the same: the packets aren't being NAT'd for some reason.

thotsaphon Fri, 03/28/2008 - 09:13

Hi Matthew,

Please post the "debug ip nat detail" and "show ver" outputs here.


Kind Regards

Thot

nikhil.engineer Fri, 03/28/2008 - 19:51

Hi Matt,


Can you please provide the output of "debug ip nat detail" as well as "sh ip nat translations"? I think the problem lies in the port translation.


I can't confirm this unless I get the outputs. Also, I'll try to simulate your scenario in my lab and let you know.


HTH.


Cheers,

Nikhil E.

thotsaphon Sun, 03/30/2008 - 00:22

Hi Matthew,

I would recommend that you upgrade IOS to a newer version that your hardware supports.

I just read the information you provided. It didn't make the NAT behaviour completely clear to me, as I had expected.


Let us know how things work out

Thot

mattbauer Sun, 03/30/2008 - 16:39

Hi Thot

Yes, that was going to be my next step. I figured there may be something wrong with the sequence of events (routing/ACL/NAT/etc.). A bug, maybe?


But actually, I ran out of time and used a dedicated box for NAT'ing those specific networks instead of policy routing.


Would still be interested if anyone has a solution.


Thanks again.

Matt
