NAT route-map question

lcaruso
Level 6

Hi,

This is IOS 12.2. I'm attempting to discern if these two NAT statements conflict.

One appears to be a PAT and the other a one-to-one NAT for the same inside host. If that is true, would this function correctly?

The public .234 is the router interface and the public .235 is part of the outside range, but again the same inside host is used. Since the second statement looks like a one-to-one nat, then the route-map is just adding the NAT Exemption onto it?

ip nat inside source static tcp 192.168.1.18 3389 24.x.y.234 3389 extendable
ip nat inside source static 192.168.1.18 24.x.y.235 route-map static-sec extendable

route-map static-sec permit 10
 match ip address 100
 match interface Ethernet1/0

access-list 100 deny   ip host 192.168.1.18 host 172.16.1.4
access-list 100 deny   ip host 192.168.1.18 host 172.16.1.3
access-list 100 deny   ip host 192.168.1.18 host 172.16.1.2
access-list 100 deny   ip host 192.168.1.18 host 172.16.1.1
access-list 100 permit ip host 192.168.1.18 any

Can someone clear me up on this? Thanks.

2 Accepted Solutions


Peter Paluch
Cisco Employee

Hello,

In my personal opinion, these two statements should not conflict.

The first statement establishes a static translation entry in the NAT table with the correspondence

192.168.1.18:3389 <---> 24.x.y.234:3389

Every time a packet appears going to IP:TCP port 24.x.y.234:3389, it will be immediately translated to 192.168.1.18:3389, and vice versa. The IOS should not go through dynamic NAT/PAT entries because the static entry for this traffic will always be present and found in the NAT table, not requiring the IOS to ever generate a dynamic mapping.

The second statement actually establishes a conditional translation entry. A translation will be performed only if the route-map conditions are both met:

  • the traffic must be permitted by the ACL 100, and
  • the traffic must be routed out the interface E1/0

You could say it is a kind of NAT Exemption, but for a different global (public) IP address.

If you configure both these statements in a router, the show ip nat translation will show you this:

R1(config)#do show ip nat tran
Pro Inside global      Inside local       Outside local      Outside global
tcp 24.1.2.234:3389    192.168.1.18:3389  ---                ---
--- 24.1.2.235         192.168.1.18       ---                ---
R1(config)#

Note that both entries are prepared in the NAT tables as sorts of templates. The actual packet going through this NAT table will either find a complete entry for its source/destination IP/protocol/port, or will hit the template translation entry and a new specific record will be created for it.

My unwarranted assumption here is that the best match is always used, i.e. if the packet is TCP/192.168.1.18:3389, it will be handled by the first entry and not by the second one. In any case, you can always remove these doubts - and this is what I recommend - by having the NAT configurations explicitly apply to disjoint traffic. In your case, the ACL 100 should be prepended with a line saying:

access-list 100 deny tcp host 192.168.1.18 eq 3389 any

This will make the route-map based translation never apply to the static PAT entry.

Best regards,

Peter

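As an added example (not from the thread, and not Cisco's own matching logic), here is a small Python model of the outbound decision Peter describes: it evaluates ACL 100 line by line and lists every NAT statement a packet from 192.168.1.18 could match, so you can see the overlap on TCP source port 3389 with the original ACL and confirm that the prepended deny line makes the two statements disjoint. The packet/ACL data types and the assumption that the static PAT entry is checked first are mine.

```python
# Added example: model which of the two NAT statements from the thread would
# apply to an outbound packet from 192.168.1.18. Data types are constructed
# here; the "static PAT is checked first" ordering is an assumption.
from dataclasses import dataclass

INSIDE = "192.168.1.18"
PAT_GLOBAL = "24.x.y.234"   # static PAT: only tcp source port 3389
MAP_GLOBAL = "24.x.y.235"   # static NAT gated by route-map static-sec

@dataclass
class Packet:
    proto: str                     # "tcp", "udp", "icmp", ...
    dst: str                       # destination IP
    sport: int = 0                 # source port (0 for non-TCP/UDP)
    egress: str = "Ethernet1/0"    # interface the packet is routed out

# ACL 100 lines as (action, proto, destination-or-"any", source-port-or-None),
# in configured order. The source host is always 192.168.1.18 here.
ACL_ORIGINAL = [("deny", "ip", d, None)
                for d in ("172.16.1.4", "172.16.1.3", "172.16.1.2", "172.16.1.1")]
ACL_ORIGINAL.append(("permit", "ip", "any", None))
# Peter's recommendation: prepend a deny for the traffic the static PAT handles.
ACL_FIXED = [("deny", "tcp", "any", 3389)] + ACL_ORIGINAL

def acl_permits(acl, pkt):
    """First matching ACL line wins; unmatched traffic hits the implicit deny."""
    for action, proto, dst, sport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if dst != "any" and dst != pkt.dst:
            continue
        if sport is not None and sport != pkt.sport:
            continue
        return action == "permit"
    return False

def candidate_translations(acl, pkt):
    """Every inside-global address whose NAT statement conditions the packet meets.
    More than one hit means the two statements overlap for this traffic."""
    hits = []
    if pkt.proto == "tcp" and pkt.sport == 3389:
        hits.append(PAT_GLOBAL)
    # route-map static-sec: match ip address 100 AND match interface Ethernet1/0
    if pkt.egress == "Ethernet1/0" and acl_permits(acl, pkt):
        hits.append(MAP_GLOBAL)
    return hits

def translate(acl, pkt):
    """Chosen inside-global address, or None when no statement applies."""
    hits = candidate_translations(acl, pkt)
    return hits[0] if hits else None
```

Run `candidate_translations(ACL_ORIGINAL, Packet("tcp", "203.0.113.5", 3389))` to see both globals listed, and the same call with `ACL_FIXED` to see only the PAT entry.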

Tomas Fidler
Level 1

As Peter said, this configuration behaves this way:

Packet going from 192.168.1.18 out e1/0:

1. if there is a tcp packet from 192.168.1.18 with source port 3389, it will automatically be translated to source address 24.x.y.234.

2. a packet from 192.168.1.18 with any IP protocol and any other port will be translated to 24.x.y.235 (except packets to destination 172.16.1.4, 172.16.1.3, 172.16.1.2 or 172.16.1.1)

3. other packets will not be translated

Packet coming from e1/0:

1. a tcp packet to 24.x.y.234 with destination port 3389 will automatically be translated to destination address 192.168.1.18

2. any other packet to 24.x.y.234 (not tcp destination port 3389) will be received by the router

3. any packet going to 24.x.y.235 will be translated to destination address 192.168.1.18 (an interesting thing is that even packets from source 172.16.1.4 to destination 24.x.y.235 will also be translated (tested on IOS Version 12.4(16a)))


4 Replies


What an excellent response!

Thank you kindly Peter for taking the time and precision for such a fine dialog.


Thank you for the time and effort in responding with that clarification. The two of you have totally resolved my issue.

Thanks much!
