Solved: Policy Static NAT on ASR

N3t W0rK3r · ‎07-22-2010

I am trying to configure a policy-based static nat using route-maps on my ASR-1002 (Version 12.2(33)XNE) and I'm having a problem doing so.

I am finding that traffic flowing inside to outside is NATing properly, but connections initiated outside to inside, are not getting NAT'd. Looking at the translation table, no static entries exist for this configuration, but dynamic ones get created for the inside-to-outside flows.

The relevant parts of my config are shown below:

ip access-list extended NEOD-ROUTE-MAP-ACL
permit ip 10.10.70.0 0.0.0.255 138.218.232.128 0.0.0.63
permit ip 10.10.70.0 0.0.0.255 138.218.232.192 0.0.0.63

route-map NEOD-ROUTE-MAP permit 10
match ip address NEOD-ROUTE-MAP-ACL

ip nat inside source static 10.10.70.42 138.218.235.100 route-map NEOD-ROUTE-MAP

ip nat inside source static 10.10.70.20 138.218.235.101 route-map NEOD-ROUTE-MAP
ip nat inside source static 10.10.70.21 138.218.235.102 route-map NEOD-ROUTE-MAP
ip nat inside source static 10.10.70.36 138.218.235.103 route-map NEOD-ROUTE-MAP
ip nat inside source static 10.10.70.51 138.218.235.104 route-map NEOD-ROUTE-MAP

interface GigabitEthernet0/0/1
description INTERNAL NETWORK
ip address 10.10.223.5 255.255.255.0
ip access-group WAN-TO-LAN out
ip nat inside
ip virtual-reassembly
negotiation auto
cdp enable
end

interface GigabitEthernet0/0/3
description NEOD
ip address 138.218.251.66 255.255.255.248
ip nat outside
ip virtual-reassembly
no negotiation auto
crypto map NEOD-MAP
end

Manish Naik · ‎08-12-2010

John,

Please check this bug CSCth55652, This feature is not supported on ASR as of now. Most likely will be supported in the next CCO release for ASR. This bug tracks the feature request for the same. Route-map on static Nat Doesnt work the same on ASR as it does on other router platforms, eg 3800 or 7200.

View solution in original post

syed.raza · ‎07-29-2010

try this and you will find your way

ip nat inside source static tcp 10.10.70.42 8080 138.218.235.100 80

what it will do is that any packet coming on at the public ip on port 80 will be redirected to private ip on port 8080.

let me know if this helps.

Regards,

Syed

Marwan ALshawi · ‎07-29-2010

i think your issue because of the following:

when you use route-map with NAT extendable entry will be created by default which prevent outside connection from being intiated to inside

because there will be no one-one maping in the translation table

using reversible nat will make one-one entry with reversable NATing use the caoomd bellow at the end of you nating caomands

ip nat inside source static 10.10.70.42 138.218.235.100 route-map NEOD-ROUTE-MAP reversable

good luck

if helpful Rate

N3t W0rK3r · ‎08-12-2010

Thanks for your replies. It does not appear that "reversible" is an available option in my IOS version on this ASR. Not sure if there even is a version that supports this.

Anyone have any other ideas?

Thanks in advance.

John

Manish Naik · ‎08-12-2010

John,

Please check this bug CSCth55652, This feature is not supported on ASR as of now. Most likely will be supported in the next CCO release for ASR. This bug tracks the feature request for the same. Route-map on static Nat Doesnt work the same on ASR as it does on other router platforms, eg 3800 or 7200.

N3t W0rK3r · ‎08-12-2010

Thank you thank you thank you!

John

Miroslav Skyto · ‎01-24-2014

Hi,

according to the cisco, you can find more info in Bug toolkit :

https://tools.cisco.com/bugsearch/bug/CSCth55652

Anyway, upgrading the ASR for releas 15.0(1)S / 15.1(1)S and above should resolve your issues. We've had the same issue and we are aiming for Release 3.7.4S ED as this seems to be stable enough and should be able to resolve this issue.