- Bronze, 100 points or more
This is ios 12.2. I'm attempting to discern if these two NAT statements conflict.
One appears to be a PAT and the other a one-to-one NAT for the same inside host. If that is true, would this function correctly?
The public .234 is the router interface and the public .235 is part of the outside range, but again the same inside host is used. Since the second statement looks like a one-to-one nat, then the route-map is just adding the NAT Exemption onto it?
ip nat inside source static tcp 192.168.1.18 3389 24.x.y.234 3389 extendable
ip nat inside source static 192.168.1.18 24.x.y.235 route-map static-sec extendable
route-map static-sec permit 10
match ip address 100
match interface Ethernet1/0
access-list 100 deny ip host 192.168.1.18 host 172.16.1.4
access-list 100 deny ip host 192.168.1.18 host 172.16.1.3
access-list 100 deny ip host 192.168.1.18 host 172.16.1.2
access-list 100 deny ip host 192.168.1.18 host 172.16.1.1
access-list 100 permit ip host 192.168.1.18 any
Can someone clear me up on this? Thanks.
As Peter sed, this configuration behave this way:
packet going from 192.168.1.18 out e1/0:
1. if there is tcp packet from 192.168.1.18 with source port 3389 will automaticly be translated to source address 24.x.y.234.
2. packet from 192.168.1.18 with any IP protocol and any other port it will be translated to24.x.y.235 (except packet to destination 172.16.1.4, 172.16.1.3, 172.16.1.2 or 172.16.1.1)
3. other packets will not be translated
Packet comming from e1/0:
1. tcp packet to 24.x.y.234 with destination port 3389it will automaticly be translated to destination address 192.168.1.18
2. any other packet to 24.x.y.234 (not tcp destination port 3389) will be received by router
3. any packet going to 24.x.y.235 will be translated to destination address 192.168.1.18 (intereting think is that even packets from source 172.16.1.4 to destination 24.x.y.235 will aso will be translated (tested on
IOS Version 12.4(16a)) )
In my personal opinion, these two statements should not conflict.
The first statement establishes a static translation entry in the NAT table with the correspondence
192.168.1.18:3389 <---> 24.x.y.234:3389
Every time a packet appears going to IP:TCP port 24.x.y.234:3389, it will be immediately translated to 192.168.1.18:3389, and vice versa. The IOS should not go through dynamic NAT/PAT entries because the static entry for this traffic will always be present and found in the NAT table, not requiring the IOS to ever generate a dynamic mapping.
The second statement actually establishes a conditional translation entry. A translation will be performed only if the route-map conditions are both met:
- the traffic must be permitted by the ACL 100, and
- the traffic must be routed out the interface E1/0
You could say it is a kind of NAT Exemption, but for a different global (public) IP address.
If you configure both these statements in a router, the show ip nat translation will show you this:
R1(config)#do show ip nat tran
Pro Inside global Inside local Outside local Outside global
tcp 18.104.22.168:3389 192.168.1.18:3389 --- ---
--- 22.214.171.124 192.168.1.18 --- ---
Note that both entries are prepared in the NAT tables as sorts of templates. The actual packet going through this NAT table will either find a complete entry for its source/destination IP/protocol/port, or will hit the template translation entry and a new specific record will be created for it.
My unwarranted assumption here is that always the best match is used, i.e. if the packet is TCP/192.168.1.18:3389, it will be handled by the first entry and not by the second one. In any case, you can always remove this doubts - and this is what I recommend - by having the NAT configurations explicitly apply to disjoint traffic. In your case, the ACL 100 should be prepended a line saying:
access-list 100 deny tcp host 192.168.1.18 eq 3389 any
This will make the route-map based translation to never apply to the static PAT entry.