Packets not hitting the route-map's NAT access-list

Jun 20th, 2012

Hi Everyone,

I've been struggling with this issue for two days. I have a couple of VPN tunnels on a router and all are working fine with NAT, because I created route-maps for NAT to deny the packets that are going to the tunnel from getting NATed. I have the same config for all the tunnels, but the issue is with the xxx_NAT access-list, which is not even being hit by the packets, so my xxx tunnel won't come up. I am positive that the problem is NAT, because when I remove NAT from the 0/1.102 interface it starts to work. Here is my config:


interface GigabitEthernet0/1.102
 description "xxx"
 encapsulation dot1Q 102
 ip address 10.300.301.1 255.255.255.0
 ip access-group xxx_ACL in
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool ???_POOL ??
ip nat pool ???_POOL ??
ip nat pool ???_POOL ??
ip nat pool xxx_POOL ??
ip nat inside source route-map ??? pool ???_POOL overload
ip nat inside source route-map ??? pool ???_POOL overload
ip nat inside source route-map xxx pool xxx_POOL overload
ip nat inside source route-map ??? pool ???_POOL overload
!
ip access-list extended xxx-VPN
 remark VPN to xxx
 permit ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
 permit ip 192.168.45.0 0.0.0.255 10.300.301.0 0.0.0.255
ip access-list extended xxx_ACL
 deny   ip 10.300.301.0 0.0.0.255 192.168.56.0 0.0.0.255
 permit ip any any
ip access-list extended xxx_NAT
 deny   ip 10.300.301.0 0.0.0.255 110.110.2.0 0.0.0.255
 deny   ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
 permit ip 10.300.301.0 0.0.0.255 any
!
route-map ??? permit 10
 match ip address ???_NAT
!
route-map xxx permit 10
 match ip address xxx_NAT
!
route-map ??? permit 10
 match ip address NAT_???
!
route-map ??? permit 10
 match ip address ???_NAT
!
control-plane
!
banner motd ^C

Karsten Iwen Wed, 06/20/2012 - 07:25

As that is probably *not* the config you are having problems with (or are your route-maps really named ???, xxx etc.?) it is hard to help.

So just a guess:

The "ip nat inside source route-map" statements are processed in a lexical order. The naming of your route-maps has to reflect the order you want to achieve. If you have the wrong order your traffic will end in the wrong translation, which you should see with "show ip nat translation".

HTH, Karsten

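A small model of the ordering Karsten describes, added here as an example and not part of the thread: it tries the NAT statements in lexical order of the route-map name and reports which ACLs were actually evaluated for a packet bound for the VPN peer, so the "xxx_NAT is never hit" symptom becomes visible before looking at "show ip nat translation". The inside subnet 10.1.102.0/24, the route-map name aaa and its two ACL variants are constructed stand-ins (the thread's addresses are anonymized); it also assumes that a route-map which does not permit the packet is skipped and the next statement is tried.

```python
import ipaddress

# Constructed stand-ins: the thread's inside addresses are anonymized (10.300.301.0 is
# not a valid address), so a valid subnet is used; the remote VPN subnet is the page's.
INSIDE = ipaddress.ip_network("10.1.102.0/24")        # stands in for the 0/1.102 subnet
VPN_REMOTE = ipaddress.ip_network("192.168.45.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# ACLs as ordered (action, source, destination) entries with an implicit deny at the end.
XXX_NAT = [("deny", INSIDE, VPN_REMOTE), ("permit", INSIDE, ANY)]   # as on the page
# Hypothetical ACL behind one of the ??? route-maps. The broad variant also covers the
# 0/1.102 subnet, which is the kind of overlap that makes the statement order matter.
AAA_NAT_BROAD = [("permit", ipaddress.ip_network("10.1.0.0/16"), ANY)]
AAA_NAT_NARROW = [("permit", ipaddress.ip_network("10.1.101.0/24"), ANY)]

def acl_result(acl, src, dst):
    """First matching entry decides; no match is the implicit deny."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

def trace_nat(statements, src, dst):
    """Try the 'ip nat inside source route-map' statements in lexical order of the
    route-map name. Returns (winner, consulted): the first route-map whose ACL permits
    the packet, and the ACLs evaluated on the way. Assumption: a route-map that does
    not permit the packet is skipped and the next statement is tried."""
    consulted = []
    for name in sorted(statements):
        acl_name, acl = statements[name]
        consulted.append(acl_name)
        if acl_result(acl, src, dst) == "permit":
            return name, consulted
    return None, consulted          # nothing permits: the packet stays untranslated

SRC = ipaddress.ip_address("10.1.102.10")    # host on the 0/1.102 subnet (constructed)
DST = ipaddress.ip_address("192.168.45.20")  # host behind the xxx tunnel (constructed)

def vpn_packet_broad_other_acl():
    # 'aaa' sorts before 'xxx' and permits the packet, so xxx_NAT is never evaluated:
    # the "no hits on xxx_NAT" symptom, with the packet translated out of aaa's pool.
    return trace_nat({"xxx": ("xxx_NAT", XXX_NAT), "aaa": ("aaa_NAT", AAA_NAT_BROAD)}, SRC, DST)

def vpn_packet_narrow_other_acl():
    # Without the overlap, evaluation reaches xxx_NAT, whose deny exempts the packet.
    return trace_nat({"xxx": ("xxx_NAT", XXX_NAT), "aaa": ("aaa_NAT", AAA_NAT_NARROW)}, SRC, DST)

if __name__ == "__main__":
    for case in (vpn_packet_broad_other_acl, vpn_packet_narrow_other_acl):
        winner, consulted = case()
        print(f"{case.__name__}: translated by {winner}, ACLs consulted {consulted}")
```
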
yasaman64 Wed, 06/20/2012 - 07:42

Thank you sooo much Karsten, that was actually the issue. I wouldn't have thought of it in a million years lol
