NAT route-map question

Answered Question
Aug 5th, 2012

Hi,

This is IOS 12.2. I'm attempting to discern if these two NAT statements conflict.

One appears to be a PAT and the other a one-to-one NAT for the same inside host. If that is true, would this function correctly?

The public .234 is the router interface and the public .235 is part of the outside range, but again the same inside host is used. Since the second statement looks like a one-to-one NAT, is the route-map just adding the NAT exemption onto it?

ip nat inside source static tcp 192.168.1.18 3389 24.x.y.234 3389 extendable
ip nat inside source static 192.168.1.18 24.x.y.235 route-map static-sec extendable

route-map static-sec permit 10
 match ip address 100
 match interface Ethernet1/0

access-list 100 deny   ip host 192.168.1.18 host 172.16.1.4
access-list 100 deny   ip host 192.168.1.18 host 172.16.1.3
access-list 100 deny   ip host 192.168.1.18 host 172.16.1.2
access-list 100 deny   ip host 192.168.1.18 host 172.16.1.1
access-list 100 permit ip host 192.168.1.18 any


Can someone clear me up on this? Thanks.

Correct Answer
Peter Paluch (Cisco Employee), Sun, 08/05/2012 - 23:57

Hello,

In my personal opinion, these two statements should not conflict.

The first statement establishes a static translation entry in the NAT table with the correspondence

192.168.1.18:3389 <---> 24.x.y.234:3389

Every time a packet appears going to IP:TCP port 24.x.y.234:3389, it will be immediately translated to 192.168.1.18:3389, and vice versa. The IOS should not go through dynamic NAT/PAT entries because the static entry for this traffic will always be present and found in the NAT table, not requiring the IOS to ever generate a dynamic mapping.

The second statement actually establishes a conditional translation entry. A translation will be performed only if the route-map conditions are both met:

  • the traffic must be permitted by the ACL 100, and
  • the traffic must be routed out the interface E1/0

You could say it is a kind of NAT Exemption, but for a different global (public) IP address.

If you configure both these statements in a router, show ip nat translation will show you this:

R1(config)#do show ip nat tran
Pro Inside global      Inside local       Outside local      Outside global
tcp 24.1.2.234:3389    192.168.1.18:3389  ---                ---
--- 24.1.2.235         192.168.1.18       ---                ---
R1(config)#

Note that both entries are prepared in the NAT table as sorts of templates. The actual packet going through this NAT table will either find a complete entry for its source/destination IP/protocol/port, or will hit the template translation entry and a new specific record will be created for it.

My unwarranted assumption here is that the best match is always used, i.e. if the packet is TCP/192.168.1.18:3389, it will be handled by the first entry and not by the second one. In any case, you can always remove these doubts - and this is what I recommend - by having the NAT configurations explicitly apply to disjoint traffic. In your case, the ACL 100 should be prepended with a line saying:

access-list 100 deny tcp host 192.168.1.18 eq 3389 any

This will make the route-map based translation never apply to the static PAT entry.

Best regards,

Peter

lcaruso Mon, 08/06/2012 - 05:58

What an excellent response!


Thank you kindly Peter for taking the time and precision for such a fine dialog.

Correct Answer
Tomas Fidler Mon, 08/06/2012 - 02:30

As Peter said, this configuration behaves this way:

Packet going from 192.168.1.18 out e1/0:

1. If there is a TCP packet from 192.168.1.18 with source port 3389, it will automatically be translated to source address 24.x.y.234.

2. A packet from 192.168.1.18 with any IP protocol and any other port will be translated to 24.x.y.235 (except packets to destination 172.16.1.4, 172.16.1.3, 172.16.1.2 or 172.16.1.1).

3. Other packets will not be translated.

Packet coming from e1/0:

1. A TCP packet to 24.x.y.234 with destination port 3389 will automatically be translated to destination address 192.168.1.18.

2. Any other packet to 24.x.y.234 (not TCP destination port 3389) will be received by the router.

3. Any packet going to 24.x.y.235 will be translated to destination address 192.168.1.18 (an interesting thing is that even packets from source 172.16.1.4 to destination 24.x.y.235 will also be translated; tested on IOS Version 12.4(16a)).
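The selection logic the two answers describe, written out as an added example that is not part of the thread and not Cisco's code: a small Python evaluator that applies IOS first-match ACL semantics (with the implicit deny at the end), the two match clauses of route-map static-sec, and the unconditional static PAT rule to constructed packets, and reports which inside-global address claims each one. The inbound direction is modelled the way Tomas observed it on 12.4(16a), i.e. the route-map gates only the inside-to-outside side. The destination 198.51.100.7, the ports and the names Packet, Ace, outbound_candidates and inbound_target are all chosen here; the 24.x.y.* addresses are kept as the thread's placeholders and are never parsed. The code does not decide which entry IOS prefers when two statements claim the same packet (Peter's open question); it only shows that the overlap exists with the posted ACL 100 and disappears once his deny line is placed first.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Placeholder addresses as written in the thread; they are labels here, never parsed.
STATIC_PAT_GLOBAL = "24.x.y.234"   # ip nat inside source static tcp ... 3389 ... extendable
STATIC_NAT_GLOBAL = "24.x.y.235"   # ip nat inside source static ... route-map static-sec
INSIDE_HOST = "192.168.1.18"
NAT_OUTSIDE_IF = "Ethernet1/0"     # the route-map's "match interface"


@dataclass(frozen=True)
class Packet:
    proto: str                     # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    egress: str = NAT_OUTSIDE_IF   # interface the packet is routed out of


@dataclass(frozen=True)
class Ace:
    """One line of an IOS extended ACL (only the forms used in the thread)."""
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: str                       # "host a.b.c.d" written as the address, or "any"
    dst: str
    sport: Optional[int] = None    # "eq N" on the source
    dport: Optional[int] = None    # "eq N" on the destination


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(spec) == ip_address(addr)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """IOS semantics: the first matching line wins; no match hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


# access-list 100 exactly as posted in the question.
ACL_100_POSTED = [
    Ace("deny", "ip", INSIDE_HOST, "172.16.1.4"),
    Ace("deny", "ip", INSIDE_HOST, "172.16.1.3"),
    Ace("deny", "ip", INSIDE_HOST, "172.16.1.2"),
    Ace("deny", "ip", INSIDE_HOST, "172.16.1.1"),
    Ace("permit", "ip", INSIDE_HOST, "any"),
]

# The same ACL with Peter's recommended line in front:
#   access-list 100 deny tcp host 192.168.1.18 eq 3389 any
ACL_100_DISJOINT = [Ace("deny", "tcp", INSIDE_HOST, "any", sport=3389)] + ACL_100_POSTED


def route_map_permits(acl: List[Ace], pkt: Packet) -> bool:
    """route-map static-sec permit 10: 'match ip address 100' AND 'match interface Ethernet1/0'."""
    return acl_permits(acl, pkt) and pkt.egress == NAT_OUTSIDE_IF


def outbound_candidates(pkt: Packet, acl: List[Ace]) -> Tuple[str, ...]:
    """Inside-global addresses whose NAT statement claims this inside->outside packet.

    Two results mean both statements cover the packet, which is the overlap
    the thread is about; this model does not guess which one IOS picks.
    """
    if pkt.src != INSIDE_HOST:
        return ()
    hits = []
    if pkt.proto == "tcp" and pkt.sport == 3389:      # static PAT, unconditional
        hits.append(STATIC_PAT_GLOBAL)
    if route_map_permits(acl, pkt):                    # static NAT gated by the route-map
        hits.append(STATIC_NAT_GLOBAL)
    return tuple(hits)


def inbound_target(pkt: Packet) -> Optional[str]:
    """Outside->inside behaviour as Tomas describes it (tested by him on 12.4(16a)):
    the route-map gates only the inside->outside direction."""
    if pkt.dst == STATIC_PAT_GLOBAL:
        if pkt.proto == "tcp" and pkt.dport == 3389:
            return INSIDE_HOST
        return "router"            # .234 is the router's own interface address
    if pkt.dst == STATIC_NAT_GLOBAL:
        return INSIDE_HOST         # translated regardless of source, per Tomas's test
    return None
```

One practical caveat when applying Peter's suggestion on a classic numbered ACL: a line typed as `access-list 100 ...` is appended to the end of the list, so to get the deny in front you remove the list with `no access-list 100` and re-enter it in the new order (or edit by sequence number where the IOS release supports that), and then `clear ip nat translation *` so existing dynamic entries do not hide the change while you verify it with `show ip nat translations`.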

lcaruso Mon, 08/06/2012 - 06:00

Thank you for time and effort in responding with that clarification. The two of you have totally resolved my issue.

Thanks much!
