03-10-2009 11:55 AM - edited 03-06-2019 04:30 AM
I am trying to create multi-homed policy NAT using a route-map.
I have one router. (3845)
On this router I have one interface I've configured for ip nat inside. (192.168.17.2 - my user segment)
I have 2 outside interfaces- one to my ISP and the other to an external company that I need to NAT to. (Present my 192.168.17.0/24 network to that company as 10.227.75.64/27 range)
I have created 2 route-maps to try to direct the way source devices should grab their respective NATs from pools depending on which destination they need to get to (Internet or company "A").
I think my problem is with my ACL 25 & 26.
Can someone help me define what my ACLs should be?
Any help would be greatly appreciated.
interface GigabitEthernet0/0----------------INTERFACE TO COMPANY "A"
description COMPANY A_ROUTER_6/14
ip address 10.227.4.114 255.255.255.252
ip nat outside
duplex full
speed 100
media-type rj45
*******************************
interface FastEthernet3/0.1540-----------------INTERFACE TO ISP
description VLAN 1540 TO INTERNET
encapsulation dot1Q 1540
ip address 65.47.180.242 255.255.255.252
ip nat outside
ip virtual-reassembly
no snmp trap link-status
*******************************
interface GigabitEthernet0/1--------------------USER NETWORK
description USER Network
ip address 192.168.17.2 255.255.255.0
ip nat inside
duplex full
speed 100
media-type rj45
*******************************
ip nat pool NAT-TO-COMPANY-A 10.227.75.72 10.227.75.94 netmask 255.255.255.224
ip nat pool NAT-TO-INTERNET 67.106.75.43 67.106.75.43 netmask 255.255.255.248
ip nat inside source route-map TO-A pool NAT-TO-COMPANY-A
ip nat inside source route-map TO-INTERNET pool NAT-TO-INTERNET overload
access-list 25 permit 192.168.17.0 0.0.0.255
access-list 26 permit 192.168.17.0 0.0.0.255
route-map TO-INTERNET permit 10
match ip address 26
match interface FastEthernet3/0.1540
!
route-map TO-A permit 10
match ip address 25
match interface GigabitEthernet0/0
03-10-2009 12:04 PM
Your ACLs and route-maps need modifying.
Change these to:
access-list 101 permit ip 192.168.17.0 0.0.0.255
route-map TO-A permit 10
match ip address 101
set ip next-hop 10.227.4.113
access-list 102 deny ip 192.168.17.0 0.0.0.255
access-list 102 permit ip 192.168.17.0 0.0.0.255 any
route-map TO-INTERNET permit 10
match ip address 102
set ip next-hop 65.47.180.241
Note i have assumed the next-hops in the route-maps based on the IP addresses and subnet masks under your router interfaces.
Jon
03-10-2009 12:07 PM
Thank you Jon. I really appreciated the feedback.
On a side note, I am running BGP with Company "A", will I have to account for the BGP protocol in my ACL 101? Or is ACL 101 strictly for defining the source traffic to be NAT'd?
03-10-2009 12:11 PM
"Or is ACL 101 strictly for defining the source traffic to be NAT'd?"
Exactly.
Jon
03-10-2009 12:12 PM
Thank you sir
04-16-2009 05:21 PM
I forgot to post this up...
With Jon's help, this is successfully working.....
I thought I'd share. It works and is in production! I'm only posting the relevant parts of the config. (keep in mind that the interfaces need to be configured for NAT inside/outside depending on your situation.)
The IP's in this example are made up.....
Enjoy!
ip nat pool NAT-TO-COMPANYX 10.111.75.72 10.111.75.94 netmask 255.255.255.224
ip nat pool NAT-TO-INTERNET 69.10.7.43 69.10.7.43 netmask 255.255.255.248
ip nat inside source route-map TO-COMPANYX pool NAT-TO-COMPANYX
ip nat inside source route-map TO-INTERNET pool NAT-TO-INTERNET overload
route-map TO-INTERNET permit 10
match ip address 102
set ip next-hop 56.33.30.21
!
route-map TO-COMPANYX permit 10
match ip address 101
set ip next-hop 10.3.4.1
access-list 101 permit ip 192.168.17.0 0.0.0.255 {company x network you need to hit}
access-list 101 permit ip 192.168.17.0 0.0.0.255 {company x network you need to hit}
access-list 101 permit ip 192.168.17.0 0.0.0.255 {company x network you need to hit}
access-list 101 permit ip 192.168.17.0 0.0.0.255 {company x 0.255.255.255
access-list 102 deny ip 192.168.17.0 0.0.0.255 {company x network from acl 101 above}
access-list 102 deny ip 192.168.17.0 0.0.0.255 {company x network from acl 101 above}
access-list 102 deny ip 192.168.17.0 0.0.0.255 {company x network from acl 101 above}
access-list 102 deny ip 192.168.17.0 0.0.0.255 {company x network from acl 101 above}
access-list 102 permit ip 192.168.17.0 0.0.0.255 any {permit everything else out towards the internet}
This configuration sets up policy NATing so that you can NAT towards two different sites, be it 2 ISPs or 1 ISP and 1 private company, etc.
Remember I just plopped in numbers for IP addresses above. Some may not even fit in the bit boundary listed. I just picked any old numbers.
04-17-2009 06:00 AM
Hi Jon,
Have you got the NATing and policy-routing of the traffic in one command working?
I mean, as above, you match the traffic, send it to a next hop, and apply the route-map to the NAT command.
I never got it working, don't know why.
The only way I get it working
is if I apply the policy-routing route-map to the incoming interface to policy-route and set the next hop; after that the NAT does the NATing.
Any idea?
04-17-2009 08:25 AM
I'm not sure if I understand you, but regarding my route-map pointing to my "NAT command":
All my NAT statement is saying is: if traffic is coming from an inside source (interface), then apply the route-map assigned to the NAT statement.
Once traffic hits the proper route-map, the route-map defines which ACL the traffic should be compared against.
The ACL in turn defines what traffic is allowed to NAT into its proper pool.
The next-hop statement in the route-map points the traffic out the proper interface.
Hope this helps.
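Added example (not from the thread, not IOS code): a small Python model of the first-match ACL logic that Jon's answer and the explanation above rely on. It replays the posted working config and the original standard-ACL config against constructed packets, showing why the extended ACLs with a deny-then-permit in ACL 102 steer a packet to exactly one pool while the source-only ACLs 25/26 match every packet in both route-maps. The company-X prefix 10.3.0.0/16 stands in for the "{company x network}" placeholders and the host addresses are made up; both are assumptions. The pool check at the end models the caveat in the last config post that made-up addresses may not fit the netmask.

```python
"""Model of IOS first-match ACL evaluation feeding route-map based NAT (added example)."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network   # ANY for a standard ACL, which has no destination field


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard mask: 0 bits must match, 1 bits are don't-care (inverse of a netmask)."""
    wild = int(ipaddress.IPv4Address(wildcard))
    ones = bin(wild).count("1")
    if wild != (1 << ones) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not modelled here")
    return ipaddress.IPv4Network((addr, 32 - ones), strict=False)


def _take_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W' or a bare host."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) >= 2 and tokens[1].count(".") == 3:
        return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]
    return ipaddress.IPv4Network(tokens[0] + "/32"), tokens[1:]


def parse_acls(config: str) -> dict:
    """Group 'access-list N ...' lines by number, in the order IOS evaluates them."""
    acls: dict = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if number <= 99 or 1300 <= number <= 1999:   # standard ACL: source only
            src, _ = _take_address(rest)
            dst = ANY
        else:                                         # extended: 'ip', source, destination
            src, rest = _take_address(rest[1:])
            dst, _ = _take_address(rest)
        acls.setdefault(number, []).append(AclEntry(action, src, dst))
    return acls


def acl_permits(entries, src_ip: str, dst_ip: str) -> bool:
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


def parse_route_maps(config: str) -> dict:
    """Return {name: {'acl': N, 'next_hop': ip}} from 'route-map NAME permit SEQ' stanzas."""
    maps: dict = {}
    current = None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "route-map":
            current = tok[1]
            maps[current] = {"acl": None, "next_hop": None}
        elif current and tok[:3] == ["match", "ip", "address"]:
            maps[current]["acl"] = int(tok[3])
        elif current and tok[:3] == ["set", "ip", "next-hop"]:
            maps[current]["next_hop"] = tok[3]
    return maps


def parse_nat_statements(config: str):
    """Return [(route_map_name, pool_name)] from 'ip nat inside source route-map' lines."""
    return [(t[5], t[7]) for t in (l.split() for l in config.splitlines())
            if t[:5] == ["ip", "nat", "inside", "source", "route-map"]]


def select_nat(config: str, src_ip: str, dst_ip: str):
    """All (pool, next_hop) pairs whose route-map ACL permits this inside->outside packet."""
    acls, maps = parse_acls(config), parse_route_maps(config)
    hits = []
    for rm_name, pool in parse_nat_statements(config):
        rm = maps[rm_name]
        if acl_permits(acls.get(rm["acl"], []), src_ip, dst_ip):
            hits.append((pool, rm["next_hop"]))
    return hits


def pool_within_netmask(start: str, end: str, netmask: str) -> bool:
    """Sanity check for 'ip nat pool': start and end must sit in one subnet for the netmask."""
    return ipaddress.IPv4Address(end) in ipaddress.IPv4Network((start, netmask), strict=False)


# Constructed config in the shape of the working one posted above; 10.3.0.0/16 is an
# assumed stand-in for the "{company x network}" placeholders.
WORKING_CONFIG = """
ip nat inside source route-map TO-COMPANYX pool NAT-TO-COMPANYX
ip nat inside source route-map TO-INTERNET pool NAT-TO-INTERNET overload
route-map TO-INTERNET permit 10
 match ip address 102
 set ip next-hop 56.33.30.21
!
route-map TO-COMPANYX permit 10
 match ip address 101
 set ip next-hop 10.3.4.1
access-list 101 permit ip 192.168.17.0 0.0.0.255 10.3.0.0 0.0.255.255
access-list 102 deny ip 192.168.17.0 0.0.0.255 10.3.0.0 0.0.255.255
access-list 102 permit ip 192.168.17.0 0.0.0.255 any
"""

# The original post's standard ACLs carry no destination, so both route-maps match.
ORIGINAL_CONFIG = """
ip nat inside source route-map TO-A pool NAT-TO-COMPANY-A
ip nat inside source route-map TO-INTERNET pool NAT-TO-INTERNET overload
access-list 25 permit 192.168.17.0 0.0.0.255
access-list 26 permit 192.168.17.0 0.0.0.255
route-map TO-INTERNET permit 10
 match ip address 26
route-map TO-A permit 10
 match ip address 25
"""

if __name__ == "__main__":
    print(select_nat(WORKING_CONFIG, "192.168.17.50", "10.3.9.9"))   # company X pool only
    print(select_nat(WORKING_CONFIG, "192.168.17.50", "8.8.8.8"))    # internet pool only
    print(select_nat(ORIGINAL_CONFIG, "192.168.17.50", "8.8.8.8"))   # both pools: ambiguous
    print(pool_within_netmask("10.111.75.72", "10.111.75.94", "255.255.255.224"))
```

The model only covers `match ip address` with a single numbered ACL per route-map sequence and ignores `match interface`; that is enough to show that a route-map used by `ip nat inside source` needs an ACL that looks at the destination, since the source is the same 192.168.17.0/24 for both paths.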