NAT + route-map

Unanswered Question
Mar 28th, 2008

Hi All

I wonder if someone can help me with a NAT problem.

It seems to be a relatively simple setup, but I can't get it to work properly.

I've set up a simple lab as follows:


laptop1-eth1 =

laptop1-eth1:1 =

fe0/1 =

fe0/1 = (secondary)

fe0/0 =

laptop2 =

Now, when laptop2 pings, I want the router to NAT the source into something (say

But I *don't* want it to NAT when pinging

So I figure I need a NAT rule with a route-map/access-list. Here is my config:


int fa0/0

ip nat inside


int fa0/1

ip nat outside


ip nat inside source static network /24 route-map nat


access-list 101 permit ip any


route-map nat permit 10

match ip address 101

set ip next-hop


The thing is, the route-map seems to match (debug ip nat detail gives: "NAT: map match nat") but the actual NAT'ing does not take place

(there are no translations and tcpdump on laptop 1 shows original source IP address).

Have I missed something here?


thotsaphon Fri, 03/28/2008 - 02:44

Hi Matthew,

Do you want to use route-map commands to do nat operations?

I would not use a set ip next-hop command in this case.

For testing

ip nat inside source static network /24 route-map nat


access-list 101 permit ip any


route-map nat permit 10

match ip address 101

Let us know how things work out.


mattbauer Fri, 03/28/2008 - 03:13

Hi Thot

Actually I've tried not using the set ip next-hop also. Doesn't seem to have any effect either way.

If I don't use the route-map at all, the NAT works fine (for all packets), but putting in this simple route-map/access-list seems to kill the NAT altogether.

mattbauer Fri, 03/28/2008 - 03:32

Just to add some more info...

A "sho ip access-lists" shows that my access list is being matched.

But a "show route-map" says:

"Policy routing matches: 0 packets, 0 bytes"

On the other hand, a "debug ip nat detail" says:

"NAT: map match nat" for every packet that is sent.

...but the final result is still the same. The packets aren't being NAT'd for some reason.

thotsaphon Fri, 03/28/2008 - 09:13

Hi Matthew,

Please post "debug ip nat detail" & "show ver" outputs here.

Kind Regards

Thot Fri, 03/28/2008 - 19:51

Hi Matt,

Can you please provide the o/p of "debug ip nat detail" as well as "sh ip nat translations"? I think the problem lies in the port translation.

I can't confirm this unless I get the outputs. Also, I'll try to simulate your scenario in my lab and let you know.



Nikhil E.

thotsaphon Sun, 03/30/2008 - 00:22

Hi Matthew,

I would recommend that you upgrade IOS to a new version that the hardware supports.

I just read the information you provided. It didn't make the NAT information completely clear to me as expected.

Let us know how things work out.


mattbauer Sun, 03/30/2008 - 16:39

Hi Thot

Yes, that was going to be my next step. I figured there may be something wrong with the sequence of events (routing/ACL/NAT/etc). Bug maybe?

But actually, I ran out of time and used a dedicated box for NAT'ing those specific networks instead of policy routing.

Would still be interested if anyone has a solution.

Thanks again.


