NAT-Route map problem

mortonjes
Level 1

I am trying to create multi-homed policy NAT using route-maps.

I have one router. (3845)

On this router I have one interface I've configured for ip nat inside. (192.168.17.2 - my user segment)

I have 2 outside interfaces- one to my ISP and the other to an external company that I need to NAT to. (Present my 192.168.17.0/24 network to that company as 10.227.75.64/27 range)

I have created 2 route-maps to try to direct how source devices should grab their respective NAT addresses from the pools, depending on which destination they need to get to (Internet or company "A").

I think my problem is with my ACLs 25 & 26.

Can someone help me define what my ACLs should be?

Any help would be greatly appreciated.

! GigabitEthernet0/0 - interface to Company "A"
interface GigabitEthernet0/0
 description COMPANY A_ROUTER_6/14
 ip address 10.227.4.114 255.255.255.252
 ip nat outside
 duplex full
 speed 100
 media-type rj45
!
! FastEthernet3/0.1540 - interface to ISP
interface FastEthernet3/0.1540
 description VLAN 1540 TO INTERNET
 encapsulation dot1Q 1540
 ip address 65.47.180.242 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 no snmp trap link-status
!
! GigabitEthernet0/1 - user network
interface GigabitEthernet0/1
 description USER Network
 ip address 192.168.17.2 255.255.255.0
 ip nat inside
 duplex full
 speed 100
 media-type rj45
!
ip nat pool NAT-TO-COMPANY-A 10.227.75.72 10.227.75.94 netmask 255.255.255.224
ip nat pool NAT-TO-INTERNET 67.106.75.43 67.106.75.43 netmask 255.255.255.248
ip nat inside source route-map TO-A pool NAT-TO-COMPANY-A
ip nat inside source route-map TO-INTERNET pool NAT-TO-INTERNET overload
!
access-list 25 permit 192.168.17.0 0.0.0.255
access-list 26 permit 192.168.17.0 0.0.0.255
!
route-map TO-INTERNET permit 10
 match ip address 26
 match interface FastEthernet3/0.1540
!
route-map TO-A permit 10
 match ip address 25
 match interface GigabitEthernet0/0

Accepted Solution

Jon Marshall
Hall of Fame

Your ACLs and route-maps need modifying. Change these to:

access-list 101 permit ip 192.168.17.0 0.0.0.255 {Company A destination network and wildcard}
!
route-map TO-A permit 10
 match ip address 101
 set ip next-hop 10.227.4.113
!
access-list 102 deny ip 192.168.17.0 0.0.0.255 {Company A destination network and wildcard}
access-list 102 permit ip 192.168.17.0 0.0.0.255 any
!
route-map TO-INTERNET permit 10
 match ip address 102
 set ip next-hop 65.47.180.241

Note I have assumed the next-hops in the route-maps based on the IP addresses and subnet masks under your router interfaces.

Jon


Thank you Jon. I really appreciated the feedback.

On a side note, I am running BGP with Company "A", will I have to account for the BGP protocol in my ACL 101? Or is ACL 101 strictly for defining the source traffic to be NAT'd?

"Or is ACL 101 strictly for defining the source traffic to be NAT'd?"

Exactly.

Jon

Thank you sir

I forgot to post this up...

With Jon's help, this is successfully working.....

I thought I'd share. It works and is in production! I'm only posting the relevant parts of the config. (keep in mind that the interfaces need to be configured for NAT inside/outside depending on your situation.)

The IP's in this example are made up.....

Enjoy!

ip nat pool NAT-TO-COMPANYX 10.111.75.72 10.111.75.94 netmask 255.255.255.224
ip nat pool NAT-TO-INTERNET 69.10.7.43 69.10.7.43 netmask 255.255.255.248
ip nat inside source route-map TO-COMPANYX pool NAT-TO-COMPANYX
ip nat inside source route-map TO-INTERNET pool NAT-TO-INTERNET overload
!
route-map TO-INTERNET permit 10
 match ip address 102
 set ip next-hop 56.33.30.21
!
route-map TO-COMPANYX permit 10
 match ip address 101
 set ip next-hop 10.3.4.1
!
access-list 101 permit ip 192.168.17.0 0.0.0.255 {company x network you need to hit}
access-list 101 permit ip 192.168.17.0 0.0.0.255 {company x network you need to hit}
access-list 101 permit ip 192.168.17.0 0.0.0.255 {company x network you need to hit}
access-list 101 permit ip 192.168.17.0 0.0.0.255 {company x 0.255.255.255
!
access-list 102 deny ip 192.168.17.0 0.0.0.255 {company x network from acl 101 above}
access-list 102 deny ip 192.168.17.0 0.0.0.255 {company x network from acl 101 above}
access-list 102 deny ip 192.168.17.0 0.0.0.255 {company x network from acl 101 above}
access-list 102 deny ip 192.168.17.0 0.0.0.255 {company x network from acl 101 above}
access-list 102 permit ip 192.168.17.0 0.0.0.255 any {permit everything else out towards the internet}

This configuration sets up policy NATing so that you can NAT towards two different sites, be it 2 ISPs or 1 ISP and 1 private company, etc.

Remember I just plopped in numbers for the IP addresses above. Some may not even fit in the bit boundary listed. I just picked any old numbers.

Hi Jon,

Have you got the NATing and policy-routing of the traffic in one command working for you?

I mean, as above, you match the traffic, send it to a next hop, and apply the route-map to the NAT command!!!

I never got it working, don't know why.

The only way I got it working is to apply the policy-routing route-map to the incoming interface to policy-route the traffic and set the next hop; after that the NAT will do the NATing.

any idea !!

I'm not sure if I understand you, but regarding my route-map pointing to my "NAT command":

All my NAT statement is saying is: if traffic is coming from an inside source (interface), then apply the route-map assigned to the NAT statement.

Once traffic hits the proper route-map, the route-map defines what ACL the traffic should be compared against.

The ACL in turn defines what traffic is allowed to NAT into its proper pool.

The next-hop statement in the route-map points the traffic out the proper interface.

Hope this helps.
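The accepted answer and the explanation just above both come down to one rule: the ACL behind each NAT route-map must select traffic by source AND destination, so that the two selectors are disjoint and no packet qualifies for both pools. The model below is an added example (not code from this thread or from Cisco): it implements IOS wildcard-mask matching, first-match ACL evaluation with the implicit deny, and NAT-rule selection, then runs the original standard ACLs 25/26 and the corrected extended ACLs 101/102 over the same sample flows. The Company A destination network (10.227.100.0/24) is an assumed placeholder, since the thread never states it; the Internet address is from the TEST-NET-2 documentation range. It models only the route-maps' match clauses; whether a set ip next-hop clause steers forwarding depends on where the route-map is applied, which is the point the previous poster raises.

```python
"""Model of IOS ACL matching and NAT-rule selection for the policy-NAT setup
in this thread (added example, not Cisco code or the poster's config).
The Company A destination network 10.227.100.0/24 is an ASSUMED placeholder."""
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")   # IOS "any": every bit is don't-care


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Ace:
    """One access-list entry. A standard ACL has no destination, i.e. dst=any."""
    action: str                  # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = ANY[0]
    dst_wc: str = ANY[1]


def acl_permits(acl, src, dst):
    """First matching entry decides; an ACL with no match implicitly denies."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action == "permit"
    return False


def select_pool(nat_rules, src, dst):
    """nat_rules: ordered (pool, acl) pairs from the 'ip nat inside source' lines.
    Modelled as first match in configuration order (an assumption of this model;
    the fix in the thread makes the ACLs disjoint so the order cannot matter)."""
    for pool, acl in nat_rules:
        if acl_permits(acl, src, dst):
            return pool
    return None          # no rule matched: packet is forwarded untranslated


USERS = ("192.168.17.0", "0.0.0.255")
COMPANY_A = ("10.227.100.0", "0.0.0.255")   # assumed placeholder network

# Original post: standard ACLs 25 and 26, both "permit 192.168.17.0 0.0.0.255".
ACL_25 = [Ace("permit", *USERS)]
ACL_26 = [Ace("permit", *USERS)]
BEFORE = [("NAT-TO-COMPANY-A", ACL_25), ("NAT-TO-INTERNET", ACL_26)]

# Accepted answer: extended ACLs keyed on destination, deny-before-permit in 102.
ACL_101 = [Ace("permit", *USERS, *COMPANY_A)]
ACL_102 = [Ace("deny", *USERS, *COMPANY_A), Ace("permit", *USERS, *ANY)]
AFTER = [("NAT-TO-COMPANY-A", ACL_101), ("NAT-TO-INTERNET", ACL_102)]


def overlapping(rules, samples):
    """Return the sample (src, dst) flows permitted by more than one NAT rule.
    Any hit means the pool choice depends on evaluation order, not on policy."""
    return [(s, d) for s, d in samples
            if sum(acl_permits(acl, s, d) for _, acl in rules) > 1]


# Constructed sample flows, not captured traffic.
SAMPLES = [("192.168.17.10", "10.227.100.5"),   # user -> Company A
           ("192.168.17.10", "198.51.100.7"),   # user -> Internet
           ("192.168.18.10", "198.51.100.7")]   # not a user address: must not be NATed

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, [select_pool(rules, s, d) for s, d in SAMPLES],
              "overlaps:", overlapping(rules, SAMPLES))
```

With the original ACLs every user flow is permitted by both selectors, so Internet-bound traffic is handed to whichever NAT rule the router evaluates first (here the Company A pool); with the corrected ACLs `overlapping()` returns nothing, each flow maps to exactly one pool, and non-user sources are left untranslated. The same check is worth re-running whenever a destination prefix is added to ACL 101, since it must be mirrored as a deny in ACL 102.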
