Static and dynamic NAT

Thomas Schmitt
Level 1
Hello

I have a problem with the rule that static NAT has higher priority than dynamic NAT; to be exact, this rule doesn't work. I will explain it with an example: I have LAN 10.10.10.0 /24 (LAN1), which will be dynamically NAT'ed to 20.20.20.1. There is also a server with IP address 10.10.10.3 (local) and 20.20.20.3 (global). The second LAN (LAN2) has the network address 192.168.1.0, and the traffic between LAN1 and LAN2 should not be NAT'ed.

[image: StaticNATvpn.png]

Now I write on R3:
! dynamic NAT list: NAT always to 20.20.20.1, except for the 192.168.1.0 /24 network
access-list 122 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 10.10.10.0 0.0.0.255 any
! static NAT list: NAT always to 20.20.20.3, except for LAN2
access-list 150 deny   ip host 10.10.10.3 192.168.1.0 0.0.0.255
access-list 150 permit ip host 10.10.10.3 any
ip nat inside source list 122 interface Serial0/0 overload
ip nat inside source static 10.10.10.3 20.20.20.3 route-map nonat
route-map nonat permit 10
match ip address 150
!
But without the line
access-list 122 deny ip host 10.10.10.3 any

all traffic from 10.10.10.3 will be NAT'ed to 20.20.20.1 and not to 20.20.20.3!

How is that possible? Static NAT should be done first, and if the address 20.20.20.3 is already set (and it is set, because with the line "access-list 122 deny ip host 10.10.10.3 any" it works fine), why will it be NAT'ed again to 20.20.20.1?

thx

4 Replies

Haider A.Hani
Level 1

hi mate

I think that the rule of your access list 150 is wrong.

If you want the traffic to get into your LAN 1 network, it should be in reverse.

That's what you wrote:

access-list 150 deny   ip host 10.10.10.3 192.168.1.0 0.0.0.255
access-list 150 permit ip host 10.10.10.3 any

This is how it should be:

access-list 150 deny   ip 192.168.1.0 0.0.0.255 host 10.10.10.3
access-list 150 permit ip any host 10.10.10.3

note: just check the syntax, because I usually rely on the ? mark

I hope this is helpful for you

Hi,

I see the situation that you're having and I agree with you that the static NAT should take precedence.

I'm thinking that the problem might be that you have a conditional static NAT (not a plain static NAT), and since both NAT rules depend on ACLs, the traffic from the server is actually checked against both rules. This is why, if you deny the server from the dynamic rule, it works fine.

I know for a fact that static NAT takes precedence over dynamic NAT on ASAs, but even though it should be the same on routers, I believe routers have more problems with NAT.

As a test can you take out the condition (route-map) to the static NAT and see if it takes precedence?

I understand this is not the way you need it, but just to confirm the priority of the static NAT over dynamic.

I will try to lab this and let you know if the same thing happens to me.

Federico.

You are right - the router shows this behavior only with a route-map, not with "plain" static NAT.

Is it a bug, or does it work as intended? Or maybe the way I did it was not the correct one?

- We can configure a dynamic NAT for only one public IP address and it will be the same as a static NAT, but it won't allow traffic flow from outside to inside.

- Static NAT does take place before the PAT and dynamic NAT.

- This is how NAT precedence is generally taken:

  1. Static NAT without route-maps
  2. Dynamic NAT without route-maps
  3. NAT with route-maps is chosen based on "alphabetical" order (dynamic or static NAT)

In cases where static & dynamic NAT have the same local address space (say 10.0.0.0/8): for NAT configurations which don't use route-maps, static NAT takes precedence over dynamic.

However, when route-maps are used with NAT (e.g. to match on interface), dynamic NAT takes precedence over static NAT.

So the overall precedence will look like:

  1. Static NAT without route-maps
  2. Dynamic NAT without route-maps
  3. Dynamic NAT with route-maps
  4. Static NAT with route-maps

Conditions:

In cases where static & dynamic NAT have the same local address space (say 10.0.0.0/8) AND when route-maps are used for both static NAT and dynamic NAT configurations.

Workaround:

Either don't use route-maps with static configs (see order above), or put deny statements in the route-map of dynamic NAT to explicitly deny the static local address.

The behavior is as follows. When a static route-map is created, we create a NAT mapping internally. Similarly, when the dynamic NAT mapping is created, we create a NAT mapping. These NAT mappings are sorted internally and, in the case of route-maps, the route-map name is used to lexicographically sort them.

Thereby either the NAT mapping associated with the static route-map can be before the NAT mapping associated with the dynamic NAT mapping OR vice-versa, and this order is determined by the lexicographical sorting of the route-map names.
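As an added illustration (not code from the thread or from Cisco), this Python model applies the precedence order quoted in the reply above to the original poster's ACL 122, ACL 150 and route-map nonat, and shows why 10.10.10.3 is translated to 20.20.20.1 until the extra deny is added to ACL 122. The destination 203.0.113.5, the simplified top-down ACL evaluation and the mapping data structure are constructed assumptions.

```python
import ipaddress

# Model of the NAT precedence described in the thread (not Cisco code): static
# and dynamic mappings without route-maps first, then route-map mappings sorted
# lexicographically by route-map name. ACL entry: (action, src, wc, dst, wc).
ANY = ("0.0.0.0", "255.255.255.255")
HOST = "0.0.0.0"

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a set bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_permits(acl, src, dst):
    """Top-down extended ACL evaluation with the implicit deny at the end."""
    if acl is None:                      # plain static NAT has no condition
        return True
    for action, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action == "permit"
    return False

def rank(m):
    """Sort key reproducing the precedence order quoted in the thread."""
    if m["route_map"] is None:
        return (0, m["kind"] != "static")  # static first, then dynamic
    return (1, m["route_map"])             # route-map name decides the rest

def translate(mappings, src, dst):
    """Inside global address chosen for src->dst, or None for no translation."""
    for m in sorted(mappings, key=rank):
        if m["kind"] == "static" and src != m["local"]:
            continue
        if acl_permits(m["acl"], src, dst):
            return m["global"]
    return None

# The original poster's configuration, transcribed into the model.
ACL_122 = [("deny", "10.10.10.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
           ("permit", "10.10.10.0", "0.0.0.255", *ANY)]
ACL_150 = [("deny", "10.10.10.3", HOST, "192.168.1.0", "0.0.0.255"),
           ("permit", "10.10.10.3", HOST, *ANY)]
DYNAMIC = {"kind": "dynamic", "acl": ACL_122, "route_map": None, "global": "20.20.20.1"}
STATIC_RM = {"kind": "static", "local": "10.10.10.3", "acl": ACL_150,
             "route_map": "nonat", "global": "20.20.20.3"}
STATIC_PLAIN = dict(STATIC_RM, route_map=None, acl=None)  # "plain" static NAT

def dynamic_with_deny():
    """ACL 122 with the extra 'deny ip host 10.10.10.3 any' line from the thread."""
    return dict(DYNAMIC, acl=[("deny", "10.10.10.3", HOST, *ANY)] + ACL_122)
```

Calling translate([DYNAMIC, STATIC_RM], "10.10.10.3", "203.0.113.5") reproduces the reported symptom, while translate([dynamic_with_deny(), STATIC_RM], ...) and translate([DYNAMIC, STATIC_PLAIN], ...) both select 20.20.20.3.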
