NAT-Route map problem

Answered Question
Mar 10th, 2009

I am trying to create multi-homed policy NAT using route-maps.

I have one router (3845).

On this router I have one interface I've configured for ip nat inside (192.168.17.2 - my user segment).

I have 2 outside interfaces: one to my ISP and the other to an external company that I need to NAT to (present my 192.168.17.0/24 network to that company as the 10.227.75.64/27 range).

I have created 2 route-maps to try to direct how source devices should grab their respective NATs from the pools depending on which destination they need to get to (Internet or company "A").

I think my problem is with my ACLs 25 & 26.

Can someone help me define what my ACLs should be?

Any help would be greatly appreciated.




! ---------------- INTERFACE TO COMPANY "A"
interface GigabitEthernet0/0
 description COMPANY A_ROUTER_6/14
 ip address 10.227.4.114 255.255.255.252
 ip nat outside
 duplex full
 speed 100
 media-type rj45
!
! ---------------- INTERFACE TO ISP
interface FastEthernet3/0.1540
 description VLAN 1540 TO INTERNET
 encapsulation dot1Q 1540
 ip address 65.47.180.242 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 no snmp trap link-status
!
! ---------------- USER NETWORK
interface GigabitEthernet0/1
 description USER Network
 ip address 192.168.17.2 255.255.255.0
 ip nat inside
 duplex full
 speed 100
 media-type rj45
!
ip nat pool NAT-TO-COMPANY-A 10.227.75.72 10.227.75.94 netmask 255.255.255.224
ip nat pool NAT-TO-INTERNET 67.106.75.43 67.106.75.43 netmask 255.255.255.248
ip nat inside source route-map TO-A pool NAT-TO-COMPANY-A
ip nat inside source route-map TO-INTERNET pool NAT-TO-INTERNET overload
!
access-list 25 permit 192.168.17.0 0.0.0.255
access-list 26 permit 192.168.17.0 0.0.0.255
!
route-map TO-INTERNET permit 10
 match ip address 26
 match interface FastEthernet3/0.1540
!
route-map TO-A permit 10
 match ip address 25
 match interface GigabitEthernet0/0


Correct Answer by Jon Marshall about 8 years 4 months ago

Your ACLs and route-maps need modifying.

Change these to:

! {company A network} = the destination network and wildcard reached via Company A
! (an extended ACL entry needs a destination; the thread does not give this value)
access-list 101 permit ip 192.168.17.0 0.0.0.255 {company A network}
!
route-map TO-A permit 10
 match ip address 101
 set ip next-hop 10.227.4.113
!
access-list 102 deny ip 192.168.17.0 0.0.0.255 {company A network}
access-list 102 permit ip 192.168.17.0 0.0.0.255 any
!
route-map TO-INTERNET permit 10
 match ip address 102
 set ip next-hop 65.47.180.241

Note I have assumed the next-hops in the route-maps based on the IP addresses and subnet masks under your router interfaces.


Jon


mortonjes Tue, 03/10/2009 - 12:07

Thank you Jon. I really appreciated the feedback.


On a side note, I am running BGP with Company "A", will I have to account for the BGP protocol in my ACL 101? Or is ACL 101 strictly for defining the source traffic to be NAT'd?

Jon Marshall Tue, 03/10/2009 - 12:11

"Or is ACL 101 strictly for defining the source traffic to be NAT'd?"


Exactly.


Jon


mortonjes Thu, 04/16/2009 - 17:21

I forgot to post this up...

With Jon's help, this is successfully working.

I thought I'd share. It works and is in production! I'm only posting the relevant parts of the config (keep in mind that the interfaces need to be configured for NAT inside/outside depending on your situation).

The IPs in this example are made up.

Enjoy!


ip nat pool NAT-TO-COMPANYX 10.111.75.72 10.111.75.94 netmask 255.255.255.224
ip nat pool NAT-TO-INTERNET 69.10.7.43 69.10.7.43 netmask 255.255.255.248
ip nat inside source route-map TO-COMPANYX pool NAT-TO-COMPANYX
ip nat inside source route-map TO-INTERNET pool NAT-TO-INTERNET overload
!
route-map TO-INTERNET permit 10
 match ip address 102
 set ip next-hop 56.33.30.21
!
route-map TO-COMPANYX permit 10
 match ip address 101
 set ip next-hop 10.3.4.1
!
access-list 101 permit ip 192.168.17.0 0.0.0.255 {company x network you need to hit}
access-list 101 permit ip 192.168.17.0 0.0.0.255 {company x network you need to hit}
access-list 101 permit ip 192.168.17.0 0.0.0.255 {company x network you need to hit}
access-list 101 permit ip 192.168.17.0 0.0.0.255 {company x 0.255.255.255
access-list 102 deny ip 192.168.17.0 0.0.0.255 {company x network from acl 101 above}
access-list 102 deny ip 192.168.17.0 0.0.0.255 {company x network from acl 101 above}
access-list 102 deny ip 192.168.17.0 0.0.0.255 {company x network from acl 101 above}
access-list 102 deny ip 192.168.17.0 0.0.0.255 {company x network from acl 101 above}
access-list 102 permit ip 192.168.17.0 0.0.0.255 any   {permit everything else out towards the internet}


This configuration sets up policy NATing so that you can NAT towards two different sites, be it 2 ISPs or 1 ISP and 1 private company, etc.

Remember I just plopped in numbers for the IP addresses above. Some may not even fit in the bit boundary listed. I just picked any old numbers.


Marwan ALshawi Fri, 04/17/2009 - 06:00

Hi Jon,

Have you got the NATing and policy-routing of the traffic in one command working for you?

I mean, as above, you match traffic and send it to a next hop and apply the route-map to the NAT command!!!

I never get it working, don't know why.

The only way I get it working is if I apply the policy-routing route-map to the incoming interface to policy-route and set the next hop; after that the NAT does the NATing.

Any idea!!

mortonjes Fri, 04/17/2009 - 08:25

I'm not sure if I understand you, but regarding my route-map pointing to my "nat command":

All my NAT statement is saying is: if traffic is coming from an inside source (interface), then apply the route-map assigned to the NAT statement.

Once traffic hits the proper route-map, the route-map defines what ACL the traffic should be compared against.

The ACL in turn defines what traffic is allowed to NAT into its proper pool.

The next-hop statement in the route-map points the traffic out the proper interface.


Hope this helps.
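As an added illustration (not code from the thread or from any of the posters), here is a small Python model of the evaluation chain described in the answer above: NAT statement, then route-map, then ACL, then pool. It assumes a first-match order over the NAT statements, uses constructed addresses, and the name COMPANY_X stands in for the unfilled {company x network} placeholder; it shows why the two identical standard ACLs 25/26 from the original post cannot separate the two destinations, and why the deny entry in ACL 102 matters.

```python
import ipaddress

# All addresses below are constructed for this example; COMPANY_X stands in for the
# "{company x network}" placeholder that the thread leaves unfilled.
USER_NET = "192.168.17.0/24"
COMPANY_X = "10.200.0.0/16"
ANY = "0.0.0.0/0"

def ace(action, src, dst=None):
    """One access-list entry. dst=None models a standard ACL (source-only, like ACL 25/26)."""
    return (action, ipaddress.ip_network(src), ipaddress.ip_network(dst) if dst else None)

def acl_permits(acl, src, dst):
    """IOS ACL semantics: the first matching entry decides; implicit deny if none matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in acl:
        if src in s_net and (d_net is None or dst in d_net):
            return action == "permit"
    return False

def select_pool(nat_statements, src, dst):
    """Assumed model: 'ip nat inside source route-map ... pool ...' statements are tried
    in order, and the first one whose route-map ACL permits the flow chooses the pool."""
    for acl, pool in nat_statements:
        if acl_permits(acl, src, dst):
            return pool
    return None  # flow is left untranslated

# Original poster: ACL 25 and ACL 26 are standard (source-only) and identical, so the
# destination never influences which pool is chosen.
ORIGINAL = [
    ([ace("permit", USER_NET)], "NAT-TO-COMPANY-A"),
    ([ace("permit", USER_NET)], "NAT-TO-INTERNET"),
]
# Jon's fix: extended ACLs keyed on destination; ACL 102 first denies the Company A
# destinations so only "everything else" reaches the overloaded Internet pool.
FIXED = [
    ([ace("permit", USER_NET, COMPANY_X)], "NAT-TO-COMPANY-A"),
    ([ace("deny", USER_NET, COMPANY_X), ace("permit", USER_NET, ANY)], "NAT-TO-INTERNET"),
]
# ACL 102 without its deny entry: it would also permit Company A traffic.
NO_DENY_102 = [ace("permit", USER_NET, ANY)]

HOST = "192.168.17.50"  # a constructed inside host

if __name__ == "__main__":
    for dst in ("10.200.1.1", "203.0.113.9"):
        print(f"{dst}: original -> {select_pool(ORIGINAL, HOST, dst)}, "
              f"fixed -> {select_pool(FIXED, HOST, dst)}")
    print("ACL 102 without the deny permits Company A traffic:",
          acl_permits(NO_DENY_102, HOST, "10.200.1.1"))
```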
