Policy Static NAT on ASR

Answered Question
Jul 22nd, 2010

I am trying to configure a policy-based static NAT using route-maps on my ASR-1002 (Version 12.2(33)XNE) and I'm having a problem doing so.


I am finding that traffic flowing inside to outside is NATing properly, but connections initiated outside to inside are not getting NAT'd.  Looking at the translation table, no static entries exist for this configuration, but dynamic ones get created for the inside-to-outside flows.


The relevant parts of my config are shown below:


ip access-list extended NEOD-ROUTE-MAP-ACL
 permit ip 10.10.70.0 0.0.0.255 138.218.232.128 0.0.0.63
 permit ip 10.10.70.0 0.0.0.255 138.218.232.192 0.0.0.63

route-map NEOD-ROUTE-MAP permit 10
 match ip address NEOD-ROUTE-MAP-ACL

ip nat inside source static 10.10.70.42 138.218.235.100 route-map NEOD-ROUTE-MAP
ip nat inside source static 10.10.70.20 138.218.235.101 route-map NEOD-ROUTE-MAP
ip nat inside source static 10.10.70.21 138.218.235.102 route-map NEOD-ROUTE-MAP
ip nat inside source static 10.10.70.36 138.218.235.103 route-map NEOD-ROUTE-MAP
ip nat inside source static 10.10.70.51 138.218.235.104 route-map NEOD-ROUTE-MAP

interface GigabitEthernet0/0/1
 description INTERNAL NETWORK
 ip address 10.10.223.5 255.255.255.0
 ip access-group WAN-TO-LAN out
 ip nat inside
 ip virtual-reassembly
 negotiation auto
 cdp enable
end

interface GigabitEthernet0/0/3
 description NEOD
 ip address 138.218.251.66 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 no negotiation auto
 crypto map NEOD-MAP
end
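
The inside-to-outside policy match that the posted ACL and static statements describe, as an added example that is not part of the original thread and is not Cisco code. The function names are hypothetical, two of the five static statements are embedded for brevity, and the sketch assumes every static statement references the one route-map and ACL shown; it models only which flows match the policy, not how the ASR treats outside-initiated connections.

```python
import ipaddress

# Configuration lines copied from the question above (subset of the statics).
CONFIG = """\
ip access-list extended NEOD-ROUTE-MAP-ACL
 permit ip 10.10.70.0 0.0.0.255 138.218.232.128 0.0.0.63
 permit ip 10.10.70.0 0.0.0.255 138.218.232.192 0.0.0.63
ip nat inside source static 10.10.70.42 138.218.235.100 route-map NEOD-ROUTE-MAP
ip nat inside source static 10.10.70.20 138.218.235.101 route-map NEOD-ROUTE-MAP
"""

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set in the wildcard are ignored."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(base) & care)

def parse(config):
    """Return (acl_entries, static_map) for the two statement types used above."""
    acl, static = [], {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["permit", "ip"] and len(tok) == 6:
            acl.append(tuple(tok[2:6]))   # src, src wildcard, dst, dst wildcard
        elif tok[:5] == ["ip", "nat", "inside", "source", "static"]:
            static[tok[5]] = tok[6]       # inside local -> inside global
    return acl, static

def translate_inside_to_outside(src, dst, config=CONFIG):
    """Inside global address for the flow, or None if the policy does not match."""
    acl, static = parse(config)
    if src not in static:
        return None                       # no static statement for this host
    for s, swc, d, dwc in acl:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return static[src]
    return None                           # implicit deny: flow is not translated

if __name__ == "__main__":
    # Constructed sample flows: two inside the permitted /26 ranges, one outside.
    for dst in ("138.218.232.130", "138.218.232.200", "138.218.232.10"):
        print("10.10.70.42 ->", dst, "=>",
              translate_inside_to_outside("10.10.70.42", dst))
```
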

Marwan ALshawi Thu, 07/29/2010 - 19:56

I think your issue is because of the following:


When you use a route-map with NAT, an extendable entry will be created by default, which prevents outside connections from being initiated to the inside, because there will be no one-to-one mapping in the translation table.


Using reversible NAT will make a one-to-one entry. With reversible NATing, use the command below at the end of your NAT commands:


ip nat inside source static 10.10.70.42 138.218.235.100 route-map NEOD-ROUTE-MAP reversible


Good luck.

If helpful, rate.

John Rumball Thu, 08/12/2010 - 09:15

Thanks for your replies.  It does not appear that "reversible" is an available option in my IOS version on this ASR.  Not sure if there even is a version that supports this.


Anyone have any other ideas?


Thanks in advance.


John

Correct Answer
Manish Naik Thu, 08/12/2010 - 10:15

John,

Please check this bug, CSCth55652. This feature is not supported on ASR as of now. It will most likely be supported in the next CCO release for ASR. This bug tracks the feature request for the same. Route-map on static NAT doesn't work the same on ASR as it does on other router platforms, e.g. 3800 or 7200.

Miroslav Skyto Fri, 01/24/2014 - 07:40

Hi,


According to Cisco, you can find more info in the Bug Toolkit:


https://tools.cisco.com/bugsearch/bug/CSCth55652


Anyway, upgrading the ASR to release 15.0(1)S / 15.1(1)S and above should resolve your issues. We've had the same issue and we are aiming for Release 3.7.4S ED as this seems to be stable enough and should be able to resolve this issue.
