Static NAT with route-map and NAT overload conflict

jasonww04
Level 1

I'm using a route-map with a static NAT so the static NAT will be used only when the computer and a specific destination subnet try to communicate in both directions. The problem is that when the computer initiates communication with the destination subnet, the NAT overload is used. When the destination subnet initiates communication with the computer, the static NAT is used. I want the static NAT used in both directions. Here is the relevant part of the config:

ip nat pool VPNSomerset_NAT-pool 172.18.189.254 172.18.189.254 netmask 255.255.255.0
ip nat inside source route-map VPNSomerset_NAT pool VPNSomerset_NAT-pool overload
ip nat inside source static 10.20.130.210 172.18.189.247 route-map all_10-18

ip access-list extended VPNSomerset_NAT-ACL
 permit ip 10.20.20.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 10.20.20.0 0.0.0.255 10.61.0.0 0.0.255.255
 permit ip 10.20.40.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 10.20.110.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 10.20.120.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 10.20.130.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 10.20.30.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 10.20.50.0 0.0.0.255 10.18.0.0 0.0.0.255

ip access-list extended all_10-18_NAT-ACL
 permit ip any 10.18.0.0 0.0.0.255

route-map all_10-18 permit 10
 match ip address all_10-18_NAT-ACL

route-map VPNSomerset_NAT permit 10
 match ip address VPNSomerset_NAT-ACL

3 Replies

Edison Ortiz
Hall of Fame

Modify your ACL as follows:

ip access-list extended VPNSomerset_NAT-ACL
 deny ip host 10.20.130.210 10.18.0.0 0.0.0.255
 permit ip 10.20.20.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 10.20.20.0 0.0.0.255 10.61.0.0 0.0.255.255
 permit ip 10.20.40.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 10.20.110.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 10.20.120.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 10.20.130.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 10.20.30.0 0.0.0.255 10.18.0.0 0.0.0.255
 permit ip 10.20.50.0 0.0.0.255 10.18.0.0 0.0.0.255
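The following is an added worked example, not code from the thread or from Cisco. It models why the original question's host 10.20.130.210 landed in the overload pool for inside-initiated traffic to 10.18.0.0/24, and why the deny line proposed in the answer above changes that. It evaluates the two ACLs from the thread with Cisco wildcard-mask semantics (first match wins, implicit deny at the end) and walks an ordered list of NAT rules; the rule order (overload route-map consulted before the static route-map for inside-initiated flows) is an assumption made to reproduce the behaviour the poster reported, not a statement of IOS internals. The test flows and their IP addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# ACL text taken from the thread. ORIGINAL is the poster's overload ACL,
# FIXED is the same ACL with the deny line proposed in the reply above.
ORIGINAL_OVERLOAD_ACL = """
permit ip 10.20.20.0 0.0.0.255 10.18.0.0 0.0.0.255
permit ip 10.20.20.0 0.0.0.255 10.61.0.0 0.0.255.255
permit ip 10.20.40.0 0.0.0.255 10.18.0.0 0.0.0.255
permit ip 10.20.110.0 0.0.0.255 10.18.0.0 0.0.0.255
permit ip 10.20.120.0 0.0.0.255 10.18.0.0 0.0.0.255
permit ip 10.20.130.0 0.0.0.255 10.18.0.0 0.0.0.255
permit ip 10.20.30.0 0.0.0.255 10.18.0.0 0.0.0.255
permit ip 10.20.50.0 0.0.0.255 10.18.0.0 0.0.0.255
"""
FIXED_OVERLOAD_ACL = "deny ip host 10.20.130.210 10.18.0.0 0.0.0.255\n" + ORIGINAL_OVERLOAD_ACL
STATIC_ACL = "permit ip any 10.18.0.0 0.0.0.255\n"  # all_10-18_NAT-ACL

STATIC_INSIDE_LOCAL = "10.20.130.210"  # host named in the static NAT statement


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: str     # "any", "host A.B.C.D", or "A.B.C.D W.X.Y.Z" (wildcard form)
    dst: str


def _take_spec(tokens):
    """Consume one address spec ('any' is one token, host/wildcard are two)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]


def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines into AclEntry objects, in order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, rest = tokens[0], tokens[2:]  # tokens[1] is the protocol ("ip")
        src, rest = _take_spec(rest)
        dst, rest = _take_spec(rest)
        entries.append(AclEntry(action, src, dst))
    return entries


def _spec_matches(spec, ip):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    parts = spec.split()
    if parts[0] == "any":
        return True
    if parts[0] == "host":
        return ipaddress.IPv4Address(parts[1]) == ipaddress.IPv4Address(ip)
    net = int(ipaddress.IPv4Address(parts[0]))
    wildcard = int(ipaddress.IPv4Address(parts[1]))
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)


def acl_permits(entries, src_ip, dst_ip):
    """First matching entry decides; no match means the implicit deny."""
    for e in entries:
        if _spec_matches(e.src, src_ip) and _spec_matches(e.dst, dst_ip):
            return e.action == "permit"
    return False


def select_translation(overload_acl_text, src_ip, dst_ip):
    """Return which NAT statement an inside-initiated flow would hit.

    Assumption (to reproduce the thread's observation): the overload pool
    statement is consulted first, then the static statement, which only
    applies to its own inside-local host.  None means no NAT matched.
    """
    if acl_permits(parse_acl(overload_acl_text), src_ip, dst_ip):
        return "overload VPNSomerset_NAT-pool"
    if src_ip == STATIC_INSIDE_LOCAL and acl_permits(parse_acl(STATIC_ACL), src_ip, dst_ip):
        return "static 172.18.189.247"
    return None


if __name__ == "__main__":
    for acl_name, acl in (("original", ORIGINAL_OVERLOAD_ACL), ("fixed", FIXED_OVERLOAD_ACL)):
        # Constructed flows: the static host and a neighbour on the same /24.
        for src in ("10.20.130.210", "10.20.130.50"):
            print(acl_name, src, "-> 10.18.0.5:", select_translation(acl, src, "10.18.0.5"))
```

The point the model makes visible: because the 10.20.130.0/24 permit in the overload ACL covers 10.20.130.210, the host is translated to the pool before the static statement is ever considered; the deny entry removes that one host (for that one destination) from the overload match so the static route-map is the first thing that permits it, while its neighbours on the same subnet keep using the pool.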

So the overload NAT will take precedence over any static NAT? Is there anything I can do to change that precedence?

I fixed it by using a route-map at the end of a static NAT statement.

Please mark this post as answered.
