"ip nat inside source static network" with route-map

zhenxu_zj
Level 1

How would you use "ip nat inside source static network" with a route-map? The specific situation is:

Inside LAN: 192.168.1.0/24

The inside LAN address should be NAT'd to 172.30.11.0/24 only if the traffic is going to 172.30.10.0/24.

I have tried the following with no luck:

ip access-list extended nat-acl
 permit ip 192.168.1.0 0.0.0.255 172.30.10.0 0.0.0.255

route-map nat-map permit 10
 match ip address nat-acl

ip nat inside source static network 192.168.1.0 172.30.11.0 /24 route-map nat-map

However, if the route-map is not specified in the "ip nat inside source static network", the translation works for all traffic.

On the other side, I was able to set this up with "ip nat pool" and route-map.

ip nat inside source list nat-acl route-map nat-map pool nat-pool
ip nat pool nat-pool 172.30.11.0 172.30.11.255 netmask 255.255.255.0 type match-host

Any advice is appreciated!

Thanks!

6 Replies

Jon Marshall
Hall of Fame

Zhen

The way you have set it up is the correct way, although if you are not matching on something other than source and destination IP addresses you could just as easily have done

ip nat inside source list nat-acl pool nat-pool

i.e. you only need a route-map if you want to match on other things such as next-hop IP address, output interface, etc.

You would not use the static statement -

ip nat inside source static network 192.168.1.0 172.30.11.0 /24 route-map nat-map

because you are dynamically NATting source IP addresses, not statically mapping them.

Hope this makes sense.

Jon

Indeed, I do need a static one-to-one mapping so that outside hosts (from 172.30.10.0/24) can access the internal hosts (192.168.1.0/24) via the NAT'd outside address (172.30.11.0/24).

Zhen

Sorry, I didn't explain it properly. Even though you want a one-to-one mapping, you are still dynamically allocating them as needed, i.e. until traffic passes through the router the NAT translation is not there, and after a period of inactivity the translation is removed.

Jon

Hello Jon and Zhenxu

I will revive this thread because I have a similar, if not the same, problem (policy NAT on IOS).

Inside LAN: 10.136.96.0/20

The inside LAN address should be NAT'd to 10.108.96.0/20 ONLY if the traffic is going to 10.203.208.0/24.

But I need it to work both ways.

I am able to make it work with sessions initiated in one direction (from 10.136.96.x to 10.203.208.y), but not in both directions (10.203.208.0/24 to 10.108.96.0/20 as well).

ip access-list extended NAT-A-B
 permit ip 10.136.96.0 0.0.15.255 10.203.208.0 0.0.0.255

route-map rm-nat permit 10
 match ip address NAT-A-B

ip nat pool net-x 10.108.96.0 10.108.111.255 prefix-length 20 type match-host

ip nat inside source route-map rm-nat pool net-x

I tried to do it with ACLs and it worked the same way (one way).

I tried to add "ip nat inside destination" with similar logic, but that caused the condition to be neglected and all traffic from 10.136.96.0/20 ended up translated.

I tried to use the "reversible" option on top of the route-map scenario, but that only creates a general entry in the NAT table for the specific entries created in the first step.

So, e.g., if I ping from SA:10.136.96.8 to DA:10.203.208.1, the router correctly translates it to SA:10.108.96.8 DA:10.203.208.1 and I am able to ping in the opposite direction, from 10.203.208.1 to 10.108.96.8.

But I cannot initiate a session from 10.203.208.1 to anything other than 10.108.96.8.

So "reversible" is not meant as a remedy for this situation.

I do not have the option "route-map" available in "ip nat static network A B /X", which would be the simplest scenario if it worked.

Please help on how to do this, if possible.

Thank you

Leo

Hi Leo,

The reverse ping from 10.203.208.1 to 10.108.96.8 was working because the entry was already present in the NAT translation table: your initial ping (SA:10.136.96.8 to DA:10.203.208.1) hit the route-map and triggered NAT.

The reason it was not pinging from 10.203.208.1 to anything else is that there is no translation for any destination other than 10.108.96.8 in the NAT table so far.

Note: For dynamic inside NAT, the traffic should be initiated from inside to outside, not from outside to inside.
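The point made in this reply and in Jon's earlier one (a route-map/pool entry only exists after an inside-to-outside packet creates it, and it ages out again; a static one-to-one mapping exists before any traffic) is easy to see in a small model of the translation table. The following Python script is an added illustration, not something from this thread or from Cisco IOS; the `PolicyNat` class, its `dynamic` flag and the `expire_idle()` helper are my own simplification (real route-map NAT entries are fully qualified per flow, which this toy ignores). The addresses are the ones from the two posts above.

```python
import ipaddress


def match_host(inside_net: str, global_net: str, inside_ip: str) -> str:
    """'type match-host' style mapping: keep the host part, swap the network prefix."""
    inet = ipaddress.ip_network(inside_net)
    gnet = ipaddress.ip_network(global_net)
    if inet.prefixlen != gnet.prefixlen:
        raise ValueError("inside and global networks must have the same prefix length")
    offset = int(ipaddress.ip_address(inside_ip)) - int(inet.network_address)
    return str(ipaddress.ip_address(int(gnet.network_address) + offset))


class PolicyNat:
    """Toy model (not IOS code) of the translation table for the two designs in the thread.

    dynamic=True  -> 'ip nat inside source route-map ... pool ... type match-host':
                     an entry is created only when an inside->outside packet matches
                     the ACL (source in inside_net AND destination in acl_dst).
    dynamic=False -> one-to-one static mapping of the whole network: every entry
                     exists before any traffic flows.
    """

    def __init__(self, inside_net, global_net, acl_dst, dynamic=True):
        self.inside_net = ipaddress.ip_network(inside_net)
        self.global_net = ipaddress.ip_network(global_net)
        self.acl_dst = ipaddress.ip_network(acl_dst)
        self.dynamic = dynamic
        self.table = {}  # inside local -> inside global
        if not dynamic:
            for host in self.inside_net.hosts():
                self.table[str(host)] = match_host(inside_net, global_net, str(host))

    def _policy_match(self, src, dst):
        return (ipaddress.ip_address(src) in self.inside_net
                and ipaddress.ip_address(dst) in self.acl_dst)

    def inside_to_outside(self, src, dst):
        """Return (src, dst) as it leaves the router. Non-matching traffic is untranslated."""
        if not self._policy_match(src, dst):
            return (src, dst)
        if src not in self.table:
            if not self.dynamic:
                return (src, dst)  # static table already covers every host; not reached
            # dynamic NAT: the entry is born here, on the first matching inside packet
            self.table[src] = match_host(str(self.inside_net), str(self.global_net), src)
        return (self.table[src], dst)

    def outside_to_inside(self, src, dst):
        """Return (src, inside_local) if a translation for dst exists, else None (dropped).
        An outside-initiated packet never creates a dynamic entry."""
        if ipaddress.ip_address(src) not in self.acl_dst:
            return None
        for local, glob in self.table.items():
            if glob == dst:
                return (src, local)
        return None

    def expire_idle(self):
        """Model the inactivity timeout: dynamic entries vanish, static ones stay."""
        if self.dynamic:
            self.table.clear()


if __name__ == "__main__":
    leo = PolicyNat("10.136.96.0/20", "10.108.96.0/20", "10.203.208.0/24")
    print(leo.inside_to_outside("10.136.96.8", "10.203.208.1"))   # creates the entry
    print(leo.outside_to_inside("10.203.208.1", "10.108.96.8"))   # works: entry exists
    print(leo.outside_to_inside("10.203.208.1", "10.108.96.9"))   # None: no entry yet
    zhen = PolicyNat("192.168.1.0/24", "172.30.11.0/24", "172.30.10.0/24", dynamic=False)
    print(zhen.outside_to_inside("172.30.10.5", "172.30.11.20"))  # works without prior traffic
```

Run it and you get Leo's symptom exactly: 10.108.96.8 answers only after the inside host has talked first, 10.108.96.9 is unreachable from outside, and after `expire_idle()` even 10.108.96.8 is gone. With `dynamic=False` (Zhen's one-to-one requirement) the outside host can open the session first, while traffic to destinations outside the ACL still leaves untranslated.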

Thank you for your reply.
I probably wrote the question in the wrong way.
The question is how to do it so I can initiate traffic from outside and have the same behaviour.

Thank you