Route map in Nating

Unanswered Question
Feb 1st, 2009

Hi,

In all my NAT configurations, I use ACLs alone to define the interesting traffic, as below:

access-list 100 permit ip 10.1.1.0 0.0.255.255 any

ip nat inside source list 100 interface fa 0/0 overload

But Cisco documents say / recommend using a route-map instead of only ACLs, as below:

ip nat inside source route-map TEST interface fa 0/0 overload

I am surprised: what is the difference? I know the advantages of using a route-map. But in this case what is the significance?

Can anybody throw light on this?

R.B.Kumar

Paolo Bevilacqua Sun, 02/01/2009 - 11:33

Hi,

Some Cisco documents guide you to the most simplified configuration, while others give examples of more complex configs even to attain the same result.

In this case I really think there is no special meaning attached, and as long as you know what the derivations of doing it either way are, you're fine.

pauloroque Sun, 02/01/2009 - 16:24

When you use a route-map you always create a full translation, or "extendable". Take a look at http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9_ps6640_Products_White_Paper.html.

On the other hand, if you use a route-map, you can also match an interface or next-hop address. This is the case where you have two outside interfaces connected to two different providers and different IP addresses to translate to. Take a look at the following config:

route-map NAT-SP1-MAP permit 10
 match ip address NAT-ACL
 match interface f0/3
!
route-map NAT-SP2-MAP permit 10
 match ip address NAT-ACL
 match interface f0/4
!
ip nat inside source route-map NAT-SP1-MAP interface f0/3 overload
ip nat inside source route-map NAT-SP2-MAP interface f0/4 overload

hclisschennai Sun, 02/01/2009 - 20:57

Hi,

I am happy that you understood my exact requirement. In fact I have 2 ISPs and I am trying to do load balancing also.

My understanding is that routing takes place before NATing when the packet moves from inside to outside.

In this case, when the traffic comes to the router, the routing decision is already made (for example fa 0/3) and then the NATing is happening on that particular interface (ip nat outside command on fa0/3). Then why again do I have to mention the command "match interface fa 0/3" in the route-map, as you mention below?

route-map NAT-SP1-MAP permit 10
 match ip address NAT-ACL
 match interface fa 0/3

Can you please explain this behaviour?

R.B.Kumar

pauloroque Tue, 02/03/2009 - 16:09

Hi Kumar,

I think it is necessary for NAT/PAT, just because the translation table does not include the interfaces.

Just after deciding that a NAT is needed for a given IP flow (based on the ip nat inside/outside commands), the router verifies whether or not a translation is in place for that traffic. If there is one, it will be used. If not, a new translation will be created.

Now suppose there is traffic from A to B going out int f0/3 using the default route. Then the default route and the output interface are changed to int f0/4. This causes the router to send the traffic out the new interface, but with the old translation (and the old IP address). Remember, the router will create a new translation only if there isn't one in place.

So I think if you create a NAT using an ACL and then the output int is changed, you will only create a new translation after the NAT timers expire, which can never occur if the user or server don't stop that traffic for a long enough time.

PRoque
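To put the two replies above together, here is a complete dual-ISP PAT configuration in which each route-map matches both the inside source ACL and the outgoing interface, so a flow leaving via either provider is translated to that provider-facing address. This is an added example, not a config from the thread or from Cisco documentation; the interface names, addresses, ISP next hops and the ACL contents are assumed placeholders.

```cisco
! Added example configuration (assumed placeholder addressing throughout)
interface FastEthernet0/0
 description LAN (inside)
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/3
 description ISP-1 (outside)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/4
 description ISP-2 (outside)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Inside hosts eligible for translation; one ACL shared by both route-maps
ip access-list extended NAT-ACL
 permit ip 10.1.0.0 0.0.255.255 any
!
! ACL-only form from the question. With a single outside interface this is
! enough, but with two providers it always translates to one interface's
! address, even for packets that the routing table sends out the other one:
! ip nat inside source list NAT-ACL interface FastEthernet0/3 overload
!
! Route-map form: one map per outside interface. A flow routed out fa0/3
! only matches NAT-SP1-MAP; if the route later flips to fa0/4 the packet no
! longer matches that map, so a fresh translation is built from NAT-SP2-MAP
! instead of reusing the stale one with ISP-1's address.
route-map NAT-SP1-MAP permit 10
 match ip address NAT-ACL
 match interface FastEthernet0/3
!
route-map NAT-SP2-MAP permit 10
 match ip address NAT-ACL
 match interface FastEthernet0/4
!
ip nat inside source route-map NAT-SP1-MAP interface FastEthernet0/3 overload
ip nat inside source route-map NAT-SP2-MAP interface FastEthernet0/4 overload
!
! Two equal-cost default routes give per-destination load sharing across the
! providers; the route-maps keep each flow's translation consistent with the
! interface it actually leaves on
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

After applying it, `show ip nat translations` should list entries whose global address matches the interface each flow exits, one set per provider.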
