NAT Order of Operations Question...

Unanswered Question
Dec 8th, 2009

Greetings,

     I am having an issue with a NAT configuration on a Cisco IOS router, see below for a simplified configuration example:

ip nat pool Test-POOL 9.9.9.9 9.9.9.9 netmask 255.255.255.0

ip nat inside source route-map Test-MAP pool Test-POOL overload
ip nat inside source static 1.1.1.1 8.8.8.8

ip access-list extended Test-NAT-ACL-1

permit ip host 1.1.1.0 host 10.10.10.10

route-map Test-MAP permit 10
match ip address Test-NAT-ACL-1

     Traffic destined to 10.10.10.10 enters the inside interface of the router destined to a network residing through the outside interface of the router sourced with IP address 1.1.1.1.  The router ends up NAT'ing the source IP address to 8.8.8.8 instead of 9.9.9.9.

     Why does the router use the static NAT translation versus the dynamic NAT translation?  Will the router always take precedence on static definitions over dynamic definitions?

Thanks.

lrm001c474 Tue, 12/08/2009 - 11:21

Sorry, that was a typo on my part.

It is supposed to be 1.1.1.0 0.0.0.255.

Thanks.

pompeychimes Tue, 12/08/2009 - 11:31

Do this...

ip access-list extended NONAT
deny ip 1.1.1.0 0.0.0.255 host 10.10.10.10

permit ip any any

ip nat inside source static 1.1.1.1 8.8.8.8 route-map NONAT extendable

Jon Marshall Tue, 12/08/2009 - 11:27

lrm001c474 wrote:

Greetings,

     I am having an issue with a NAT configuration on a Cisco IOS router, see below for a simplified configuration example:

ip nat pool Test-POOL 9.9.9.9 9.9.9.9 netmask 255.255.255.0

ip nat inside source route-map Test-MAP pool Test-POOL overload
ip nat inside source static 1.1.1.1 8.8.8.8

ip access-list extended Test-NAT-ACL-1

permit ip host 1.1.1.0 host 10.10.10.10

route-map Test-MAP permit 10
match ip address Test-NAT-ACL-1

     Traffic destined to 10.10.10.10 enters the inside interface of the router destined to a network residing through the outside interface of the router sourced with IP address 1.1.1.1.  The router ends up NAT'ing the source IP address to 8.8.8.8 instead of 9.9.9.9.

     Why does the router use the static NAT translation versus the dynamic NAT translation?  Will the router always take precedence on static definitions over dynamic definitions?

Thanks.

Static NAT translations take precedence over dynamic NAT translations. I suspect this is so you can use the same public IP address to statically map some port entries and then use the rest of the ports for PAT.

Jon

johnsos Sat, 06/05/2010 - 14:28

Where is the precedence order documented in the Cisco documentation?

belovell Sat, 06/05/2010 - 16:20

johnsos wrote:

Where is the precedence order documented in the Cisco documentation?

Closest thing I am aware of is..

http://www.ciscotaccc.com/kaidara-advisor/iprout/showcase?case=K10811491

Check number 8

When static and dynamic NAT are configured together, static NAT takes precedence if a traffic flow matches both the configurations. Otherwise, dynamic NAT is used to create a new entry in the table and translate the traffic.

-Ben
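As an added illustration (not code from any poster in this thread, and not Cisco's), here is a small Python model of the order of operations described above: static entries are consulted before the dynamic route-map rule, which is why 1.1.1.1 came out as 8.8.8.8, and gating the static entry with pompeychimes' NONAT route-map is what lets the 1.1.1.0/24 to 10.10.10.10 flow fall through to the pool. The ACL as corrected by the poster, the pool address, and "no match means no translation" are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass

def wildcard_match(addr, net, wildcard):
    """IOS wildcard-mask compare: bits set in the wildcard are 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)
@dataclass
class AclEntry:
    action: str       # "permit" or "deny"
    src: str
    src_wild: str     # "host x" is the same as wildcard 0.0.0.0
    dst: str
    dst_wild: str = "0.0.0.0"
def acl_permits(acl, src, dst):
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return e.action == "permit"
    return False
@dataclass
class StaticNat:
    inside_local: str
    inside_global: str
    route_map: list = None   # ACL referenced by the static entry's route-map, if any
@dataclass
class DynamicNat:
    route_map: list
    pool: str

def translate(src, dst, statics, dynamics):
    """Statics first; one whose route-map denies the flow is skipped, then dynamics."""
    for s in statics:
        if s.inside_local == src and (s.route_map is None or acl_permits(s.route_map, src, dst)):
            return s.inside_global
    for d in dynamics:
        if acl_permits(d.route_map, src, dst):
            return d.pool
    return src   # assumption: nothing matched, so the source leaves untranslated

# Constructed from the thread's configs, with the ACL as corrected by the poster.
TEST_NAT_ACL_1 = [AclEntry("permit", "1.1.1.0", "0.0.0.255", "10.10.10.10")]
NONAT = [AclEntry("deny", "1.1.1.0", "0.0.0.255", "10.10.10.10"),
         AclEntry("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")]
DYNAMICS = [DynamicNat(TEST_NAT_ACL_1, "9.9.9.9")]

def original_config(src, dst):   # static entry without a route-map
    return translate(src, dst, [StaticNat("1.1.1.1", "8.8.8.8")], DYNAMICS)
def fixed_config(src, dst):      # pompeychimes' fix: static entry gated by NONAT
    return translate(src, dst, [StaticNat("1.1.1.1", "8.8.8.8", NONAT)], DYNAMICS)
```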

johnsos Sat, 06/05/2010 - 19:02

This is what I was looking for.  If this is the only reference it makes it kind of hard for those newbies to learn in my opinion if they have to find the answers in TAC cases.  I guess you could consider TAC cases as documentation however during a CCIE test those expert knowledge tidbits are not available to you, so I hear.

johnsos Sat, 06/05/2010 - 19:14

This link is good because it does show when the router takes action on the NAT as opposed to an access-list etc. however it falls short in telling you what order is used when the router has to determine the action to use when both a static and dynamic NAT entries are matched.
