10-27-2011 08:37 AM - edited 03-07-2019 03:05 AM
I'm using a route-map with a static NAT so the static NAT will be used only when the computer and a specific destination subnet try to communicate in both directions. The problem is that when the computer initiates communication with the destination subnet, the NAT overload is used. When the destination subnet initiates communication with the computer, the static NAT is used. I want the static NAT used in both directions. Here is the relevant part of the config:
ip nat pool VPNSomerset_NAT-pool 172.18.189.254 172.18.189.254 netmask 255.255.255.0
ip nat inside source route-map VPNSomerset_NAT pool VPNSomerset_NAT-pool overload
ip nat inside source static 10.20.130.210 172.18.189.247 route-map all_10-18
ip access-list extended VPNSomerset_NAT-ACL
 permit ip 10.20.20.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 10.20.20.0 0.0.0.255 10.61.0.0 0.0.255.255
 permit ip 10.20.40.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 10.20.110.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 10.20.120.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 10.20.130.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 10.20.30.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 10.20.50.0 0.0.0.255 10.18.0.0 0.0.0.255
ip access-list extended all_10-18_NAT-ACL
 permit ip any 10.18.0.0 0.0.0.255
route-map all_10-18 permit 10
 match ip address all_10-18_NAT-ACL
route-map VPNSomerset_NAT permit 10
 match ip address VPNSomerset_NAT-ACL
10-27-2011 08:56 AM
Modify your ACL as follows:
ip access-list extended VPNSomerset_NAT-ACL
 deny ip host 10.20.130.210 10.18.0.0 0.0.0.255
 permit ip 10.20.20.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 10.20.20.0 0.0.0.255 10.61.0.0 0.0.255.255
 permit ip 10.20.40.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 10.20.110.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 10.20.120.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 10.20.130.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 10.20.30.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 10.20.50.0 0.0.0.255 10.18.0.0 0.0.0.255
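Added example, not part of either post above: a small Python check that evaluates the thread's VPNSomerset_NAT-ACL entries the way an extended ACL is evaluated (wildcard masks, first match wins, implicit deny) to show which ACL result the flow 10.20.130.210 to 10.18.0.x gets before and after the deny entry. The function names and the sample destination 10.18.0.5 are assumptions made for the illustration.

```python
import ipaddress

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines into (action, src, dst) tuples."""
    def take(tok):  # consume 'any', 'host A' or 'A WILDCARD'
        if tok[0] == "any":
            return (0, 0xFFFFFFFF), tok[1:]
        if tok[0] == "host":
            return (int(ipaddress.IPv4Address(tok[1])), 0), tok[2:]
        return (int(ipaddress.IPv4Address(tok[0])),
                int(ipaddress.IPv4Address(tok[1]))), tok[2:]
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
            continue
        src, rest = take(tok[2:])
        dst, _ = take(rest)
        entries.append((tok[0], src, dst))
    return entries

def wild_match(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def acl_action(entries, src, dst):
    """First matching entry wins; no match is the implicit deny."""
    for action, s, d in entries:
        if wild_match(src, s) and wild_match(dst, d):
            return action
    return "deny"

# VPNSomerset_NAT-ACL as posted in the question
ORIGINAL = """
permit ip 10.20.20.0 0.0.0.255 10.18.0.0 0.0.0.255
permit ip 10.20.20.0 0.0.0.255 10.61.0.0 0.0.255.255
permit ip 10.20.40.0 0.0.0.255 10.18.0.0 0.0.0.255
permit ip 10.20.110.0 0.0.0.255 10.18.0.0 0.0.0.255
permit ip 10.20.120.0 0.0.0.255 10.18.0.0 0.0.0.255
permit ip 10.20.130.0 0.0.0.255 10.18.0.0 0.0.0.255
permit ip 10.20.30.0 0.0.0.255 10.18.0.0 0.0.0.255
permit ip 10.20.50.0 0.0.0.255 10.18.0.0 0.0.0.255
"""
MODIFIED = "deny ip host 10.20.130.210 10.18.0.0 0.0.0.255\n" + ORIGINAL

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("modified", MODIFIED)):
        print(name, acl_action(parse_acl(acl), "10.20.130.210", "10.18.0.5"))
```

With the original entries the host's traffic to 10.18.0.0/24 is permitted by the 10.20.130.0 line, so it matches the route-map used by the overload rule; with the deny entry first, that flow no longer matches while the rest of 10.20.130.0/24 still does.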
11-04-2011 07:52 AM
So the overload NAT will take precedence over any static NAT? Is there anything I can do to change that precedence?
01-09-2012 10:53 AM
I fixed it by using a route-map at the end of a static NAT statement.
Please mark this post as answered.