Route map in Nating

Unanswered Question
Feb 1st, 2009
In all my NAT configurations, I use ACLs alone to define the interesting traffic, as below:

access-list 100 permit ip any

ip nat inside source list 100 interface fa 0/0 overload

But Cisco documents say / recommend using a route-map instead of only ACLs, as below:

ip nat inside source route-map TEST interface fa 0/0 overload

I am surprised; what is the difference? I know the advantages of using route-maps, but in this case what is the significance?

Can anybody throw light on this?


paolo bevilacqua Sun, 02/01/2009 - 11:33
Some Cisco documents guide you to the most simplified configuration, while others give examples of a more complex config even to attain the same result.

In this case I really think there is no special meaning attached, and as long as you know what the derivations of doing it either way are, you're fine.

pauloroque Sun, 02/01/2009 - 16:24

When you use a route-map you always create a full translation, or 'extendable'. Take a look at

On the other hand, if you use a route-map, you can also match an interface or next-hop address. This is the case where you have two outside interfaces connected to two different providers and different IP addresses to translate to. Take a look at the following config:

route-map NAT-SP1-MAP permit 10
 match ip address NAT-ACL
 match interface f0/3

route-map NAT-SP2-MAP permit 10
 match ip address NAT-ACL
 match interface f0/4

ip nat inside source route-map NAT-SP1-MAP interface f0/3 overload
ip nat inside source route-map NAT-SP2-MAP interface f0/4 overload

hclisschennai Sun, 02/01/2009 - 20:57

I am happy that you understood my exact requirement. In fact I have 2 ISPs and I am trying to do load balancing also.

My understanding is that routing takes place before NATing when the packet moves from inside to outside.

In this case, when the traffic comes to the router, the routing decision is already made (for example fa 0/3) and then the NATing happens on that particular interface (ip nat outside command on fa0/3). Then why do I again have to mention the command "match interface fa 0/3" in the route-map, as you mention below?

route-map NAT-SP1-MAP permit 10
 match ip address NAT-ACL
 match interface fa 0/3

Can you please explain this behaviour?


pauloroque Tue, 02/03/2009 - 16:09

Hi Kumar,

I think it is necessary for NAT/PAT, just because the translation table does not include the interfaces.

Just after deciding that NAT is needed for a given IP traffic (based on the ip nat inside/outside commands), the router verifies whether or not a translation is in place for that traffic. If there is one, it will be used. If not, a new translation will be created.

Now suppose there is traffic from A to B going out int f0/3 using the default route. Then the default route and the output interface are changed to int f0/4. This causes the router to send the traffic out the new interface, but with the old translation (and the old IP address). Remember, the router will create a new translation only if there isn't one in place.

So I think if you create a NAT using an ACL and then the output int is changed, you will only create a new translation after the NAT timers expire, which can never occur if the user or server doesn't stop that traffic for a long enough time.
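As an added illustration (not part of the thread and not IOS code), the following Python model encodes the behaviour pauloroque describes for the dual-ISP configuration above: an ACL-based translation that is keyed only on the inside address and port, versus a route-map translation that also matches the egress interface, with a simple idle timer standing in for the NAT translation timeout. The topology, addresses, ports and the timeout value are constructed for the example.

```python
"""Simplified model of the NAT translation-table behaviour described in this thread.

Added illustration, not IOS code. It contrasts the two NAT styles from the
thread on the same dual-ISP topology (f0/3 towards SP1, f0/4 towards SP2):

  ACL-only   "ip nat inside source list 100 interface f0/3 overload"
             the entry is keyed on the inside address/port only, so once a
             translation exists it is reused even if routing now sends the
             flow out the other interface.
  route-map  "match ip address NAT-ACL" + "match interface f0/x"
             the egress interface is part of the match, so the flow gets a
             separate translation per interface.

All addresses, ports and the idle timeout are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed: outside address configured on each ISP-facing interface
OUTSIDE_ADDR = {"f0/3": "203.0.113.10", "f0/4": "198.51.100.20"}


@dataclass
class Translation:
    outside_addr: str     # source address the packet leaves with
    last_used: float      # time of the last packet that hit this entry


@dataclass
class NatTable:
    use_route_map: bool
    idle_timeout: float = 300.0  # constructed; only used to model timer expiry
    entries: Dict[Tuple, Translation] = field(default_factory=dict)

    def translate(self, inside_addr: str, inside_port: int,
                  egress_if: str, now: float) -> Tuple[str, str]:
        """Translate one packet; returns (outside source address, egress interface)."""
        if self.use_route_map:
            # route-map with "match interface": the translation is bound to the
            # interface the routing decision selected
            key = (inside_addr, inside_port, egress_if)
        else:
            # ACL-only: the table has no notion of interface, so the same entry
            # is found whichever interface the packet is routed out of
            key = (inside_addr, inside_port)

        entry = self.entries.get(key)
        if entry is not None and now - entry.last_used >= self.idle_timeout:
            # idle entry aged out; behave as if no translation exists
            del self.entries[key]
            entry = None
        if entry is None:
            entry = Translation(OUTSIDE_ADDR[egress_if], now)
            self.entries[key] = entry
        entry.last_used = now
        # Routing already chose egress_if; NAT only decides the source address.
        return entry.outside_addr, egress_if


def address_matches_interface(result: Tuple[str, str]) -> bool:
    """True when the packet leaves with the address that belongs to its egress interface."""
    outside_addr, egress_if = result
    return OUTSIDE_ADDR[egress_if] == outside_addr


def simulate(use_route_map: bool, gap: float) -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Flow A->B first leaves via f0/3; `gap` seconds later the default route
    has moved to f0/4 and the next packet of the same flow is routed there."""
    nat = NatTable(use_route_map)
    first = nat.translate("10.0.0.5", 40000, "f0/3", now=0.0)
    second = nat.translate("10.0.0.5", 40000, "f0/4", now=gap)
    return first, second


if __name__ == "__main__":
    for use_rm in (False, True):
        for gap in (10.0, 600.0):
            _, after = simulate(use_rm, gap)
            style = "route-map" if use_rm else "ACL-only "
            print(f"{style} gap={gap:>5}s -> src {after[0]} out {after[1]} "
                  f"{'ok' if address_matches_interface(after) else 'STALE'}")
```

With the ACL-only table, the second packet leaves f0/4 still carrying f0/3's address until the entry has been idle long enough to expire; with the route-map table, the interface is part of the key, so the packet immediately gets an f0/4 translation. A convenient way to confirm the real behaviour on a router is to compare `show ip nat translations` before and after the route change.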
