Static NAT + route-map

Unanswered Question
Nov 28th, 2009

Hi, All!

Configuration:

interface FastEthernet0/0
  ip address 172.22.2.63 255.255.255.0
  ip nat outside
  ip virtual-reassembly
!
interface FastEthernet0/1
  ip address 172.22.4.63 255.255.255.0
  ip nat inside
  ip virtual-reassembly
!
!
ip nat inside source list nat_acl interface FastEthernet0/0 overload
ip nat inside source static 172.22.4.64 172.22.2.63 route-map nat-rmap extendable
!
ip access-list extended nat_acl
  permit ip host 172.22.4.64 host 172.22.2.60
!
!
route-map nat-rmap permit 10
  match ip address nat_acl

Goal:

I need to translate 172.22.4.64 to 172.22.2.63 only if 172.22.2.60 tries to communicate with 172.22.2.63.

Problem:

172.22.4.64 is natted to 172.22.2.63 even if any 172.22.2.x host tries to connect to 172.22.2.63.

debug ip nat is not helpful, and nat_acl logging isn't either.

Jon Marshall Sat, 11/28/2009 - 13:50

Not really clear what you are trying to do.

You have 2 NAT statements but they seem to be trying to do the same thing, ie. when 172.22.4.64 sends IP traffic to 172.22.2.60, NAT the source address to 172.22.2.63.

But you say you need to translate 172.22.4.64 to 172.22.2.63 only if 172.22.2.60 tries to communicate with 172.22.2.63. Not really clear what you want.

Can you explain

1) the original  src and destination IP addresses and the direction of traffic.

2) what you would like to NAT ie. src or dst or both and when you want to NAT it ie. what conditions.

Jon

Eugene Khabarov Sun, 11/29/2009 - 00:02

OK.

My example is not correct. Let me explain:

I need src NAT for inside hosts (172.22.4.0/24, for example internet access for the private network) and I also need dst NAT for one outside host:

dst 172.22.2.63 -> 172.22.4.64

All other outside hosts should not initiate connections from outside.

i.e. my configuration:

!
ip nat inside source list inside_acl interface FastEthernet0/0 overload
ip nat inside source static 172.22.4.64 172.22.2.63 route-map nat-rmap extendable
!
ip access-list extended inside_acl
  permit ip 172.22.4.0 0.0.0.255 any
!
ip access-list extended nat_acl
  permit ip host 172.22.4.64 host 172.22.2.60
!
route-map nat-rmap permit 10
  match ip address nat_acl

In real-world experience, not only 172.22.2.60 can initiate connections from outside. For example, I can connect to 172.22.2.63 from 172.22.2.59 and it also will be dst-natted to 172.22.4.64.

Another interesting observation:

route-map nat-rmap, permit, sequence 10
  Match clauses:
    ip address (access-lists): nat_acl
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

Nothing matches route-map.

Jon Marshall Mon, 11/30/2009 - 08:41

Apologies for the delay in replying to this but I had to test it with dynamips.

Okay, firstly the problem with the route-map not matching is because you haven't applied it to an interface. However that isn't the solution.

The main problem is that a static NAT is bi-directional ie. it works whether connections are initiated from the inside or from the outside. So the closest I got was this

int fa0/0
 ip address 172.22.4.63 255.255.255.0
 ip nat inside
 ip policy route-map nat-rmap
!
int fa0/1
 ip address 172.22.2.63 255.255.255.0
 ip nat outside
!
ip access-list extended inside_acl
 permit ip 172.22.4.0 0.0.0.255 any
!
ip access-list extended nat_acl
 permit ip host 172.22.4.64 host 172.22.2.60
!
ip access-list extended deny_acl
 permit ip host 172.22.4.64 any
!
route-map nat-rmap permit 10
 match ip address nat_acl
!
route-map nat-rmap permit 20
 match ip address deny_acl
 set interface Null0

what the above does is

1) Only allows 172.22.2.60 to connect to 172.22.2.63, which then gets natted to 172.22.4.64. All other outside hosts cannot make a connection.

2) Allows all inside hosts (with the exception of 172.22.4.64) to make connections outbound, and the source addresses get patted to 172.22.2.63

But

3) It allows 172.22.4.64 to make outbound connections to 172.22.2.60 but not to any other IP address, which I'm guessing is not what you want.

So I took a different approach. Because the static NAT is bi-directional, the only way I found to control this properly is to use an ACL on the outside interface, and because of this there is no need for the route-map configuration, ie.

int fa0/0
 ip address 172.22.4.63 255.255.255.0
 ip nat inside
!
int fa0/1
 ip address 172.22.2.63 255.255.255.0
 ip nat outside
!
ip nat inside source list all interface fa0/1 overload
ip nat inside source static 172.22.4.64 172.22.2.63
!
ip access-list extended all
 permit ip 172.22.4.0 0.0.0.255 any
!
access-list 101 permit ip host 172.22.2.60 host 172.22.2.63
....
access-list 101 deny ip any host 172.22.2.63

In acl 101 above the .... represents ACL entries that you need to include for any traffic that you want to allow to 172.22.2.63 ie. the 172.22.4.64 server inside. Key thing to note is that you will have to allow any return traffic from a connection initiated by 172.22.4.64 to the outside, otherwise it will be dropped by acl 101.

If it's TCP you could obviously use the established keyword. Or you can use reflexive ACLs to allow TCP/UDP/ICMP.

That is the only way I could get this to work. There is a nagging thought that it should work with NAT and route-maps but I haven't managed to find a way as yet.

Jon

Jon Marshall Mon, 11/30/2009 - 09:06

Slight update to previous post

All traffic will be returning to 172.22.2.63, so the acl 101 I used in the previous example just won't work.

So the only way would be to either use reflexive acls to allow the return traffic or IOS firewall.

Jon
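Jon's reflexive-ACL suggestion worked through as an added example; this is not configuration from the thread. It assumes the original poster's interface roles (FastEthernet0/0 outside at 172.22.2.63, FastEthernet0/1 inside), the NAT statements from Jon's second post, and ACL names OUTBOUND, INBOUND and RETURN that are chosen here; sessions to the router itself are not covered.

```cisco
! Added example, not from the thread. Assumes Fa0/0 is the outside
! interface (172.22.2.63) and Fa0/1 the inside one, as in the
! original post. ACL names are chosen here.
!
ip nat inside source list inside_acl interface FastEthernet0/0 overload
ip nat inside source static 172.22.4.64 172.22.2.63
!
ip access-list extended inside_acl
 permit ip 172.22.4.0 0.0.0.255 any
!
! Outbound on the outside interface: packets are already translated
! to 172.22.2.63 here, so the reflexive entries record the post-NAT
! addresses and ports that the return packets will carry.
ip access-list extended OUTBOUND
 permit tcp any any reflect RETURN timeout 300
 permit udp any any reflect RETURN timeout 120
 permit icmp any any reflect RETURN timeout 60
!
! Inbound on the outside interface: checked before NAT, so the
! destination is still the global address 172.22.2.63.
ip access-list extended INBOUND
 remark the IPsec peer may open connections to the server's global address
 permit ip host 172.22.2.60 host 172.22.2.63
 remark return traffic for sessions the inside initiated (PAT and static NAT)
 evaluate RETURN
 remark anything else aimed at the static-NAT address is dropped and logged
 deny ip any host 172.22.2.63 log
 remark implicit deny follows; add permits for anything else the outside must reach
!
interface FastEthernet0/0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
```

Because every inside host is translated to 172.22.2.63, the single evaluate line covers return traffic for the PAT sessions as well as for the static entry, which is what the plain acl 101 could not distinguish.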

Eugene Khabarov Mon, 11/30/2009 - 09:28

Very interesting, Jon. Thank you very much for your response.

>> But
>>
>> 3) It allows 172.22.4.64 to make outbound connections to 172.22.2.60 but not to any other IP address, which I'm guessing is not what you want.

This is perfectly suited to us. To be precise, 172.22.2.60 and 172.22.2.63 are IPsec peers.
But there is another very important requirement for such a configuration: it must allow, for example, establishing an SSH connection or a GRE tunnel to the router itself from the external network.

Marwan ALshawi Wed, 12/23/2009 - 04:00

ip nat pool pool1 172.22.2.60 172.22.2.60 prefix-length 24
!
ip nat inside source list inside_acl interface FastEthernet0/0 overload
ip nat inside source route-map nat-map pool pool1 extendable
!
ip access-list extended nat_acl
  permit ip host 172.22.4.64 host 172.22.2.60
!
route-map nat-map permit 10
  match ip address nat_acl

this will do it

and let me know

good luck

Eugene Khabarov Fri, 01/08/2010 - 06:13

So it was tested and this completely does not work. I can't connect to the inside host (my outside connection is not dst-natted).

BTW:

R1(config)#ip nat inside source route-map nat-map pool pool1 extendable
                                                             ^
% Invalid input detected at '^' marker.

R1(config)#ip nat inside source route-map nat-map pool pool1 ?
  mapping-id  Associate a mapping id to this mapping
  overload    Overload an address translation
  reversible  Allow out->in traffic
  vrf         Specify vrf
 

R1#sh ver | i Soft
Cisco IOS Software, 3700 Software (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T11, RELEASE SOFTWARE (fc2)
ROM: 3700 Software (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T11, RELEASE SOFTWARE (fc2)

Marwan ALshawi Fri, 01/08/2010 - 15:27

By default, when you use NAT with a route-map, the extendable entry will be added, which prevents an external user from opening a reverse connection to the inside.

No one-to-one entries will be available.

To avoid this issue, use the keyword "reversible" at the end of your NAT configuration:

ip nat inside source route-map nat-map pool pool1 reversible

good luck

if helpful Rate
