TCC_2

Introduction:

A static Network Address Translation (NAT) configuration creates a simple translation entry in the NAT table, translating a particular local address to a specific global address and vice versa. These entries always remain in the table and are removed only when the configuration is removed. The main difference between dynamic NAT and a range of addresses for static NAT is that static NAT allows a remote host to initiate a connection to a translated host (if an access list exists that allows it), while dynamic NAT does not. Static NAT also requires an equal number of mapped addresses and real addresses.

Static NAT configuration with the route-map option can be used to implement destination-based NAT scenarios where the same inside local address needs to be translated to more than one inside global address, depending on where the traffic is destined. This type of configuration will create an extended translation entry in the NAT table and will be useful when a network is multi-homed to different provider networks or partner networks, and the same inside local address has to be translated to different inside global addresses.

This method is also useful when using NAT and IP Security (IPsec) together on a router to reach a public network like the Internet, as well as other Virtual Private Network (VPN) sites through the same NAT outside interface. The route-map option can be used to translate only traffic going to the public network. It does not translate traffic destined for other VPN sites reached through the public network. Though there are other ways of achieving the same thing, this option allows the user to implement such a scenario without degrading router performance.

Configuration overview:

To configure static NAT with route maps, use the following steps:

1) The first step in any NAT configuration is to define the inside and outside interfaces.
This can be done by issuing the ip nat inside command and the ip nat outside command under the specific interface configuration mode.

2) Use the following command to define an extended access list and the parameters of the access list:

access-list <acl-number> {deny|permit} <protocol> <source> <source-wildcard> <destination> <destination-wildcard>

The access list should specify which traffic arriving at the inside interface and destined to the outside interface is eligible to create a translation entry.

3) Configure route map and define the parameters of the route map.

4) Use the following command to enable static NAT with route maps on the inside interface:

ip nat inside source {list {acl-number|acl-name} pool pool-name [overload] | static local-ip global-ip route-map map-name}

Configuration overview:

A router R1 connects to the Internet through interface serial0/0 and is connected through interface serial0/1 to a partner network which uses the 192.168.1.0/24 address space. The LAN interface of the router is connected to the corporate inside network which belongs to the 10.0.0.0/8 network. The requirement is that an inside host 10.1.1.10, which could be a mail server, should be translated to address 200.1.1.10 when communicating with the Internet. The same host should be translated to the 172.16.1.10 address when communicating with the partner network.

Topology Diagram:

(topology diagram image, not reproduced here)

Router R1 static NAT with route map configuration:

STEP: 1
interface Fa0/0
ip address 10.1.1.1 255.255.255.0
ip nat inside
!--- This interface connects to the corporate network and is designated as the NAT inside interface.

 

interface S0/0
ip address 200.1.1.1 255.255.255.0
ip nat outside
!--- This interface connects to the Internet and is designated as a NAT outside interface.

 

interface Serial0/1
ip address 172.16.1.1 255.255.255.0
ip nat outside
!--- This interface connects to the partner network and is designated as a NAT outside interface.

 

STEP: 2
access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
!---This Access Control List (ACL) permits traffic from all hosts in the corporate network destined for the partner network.

 

access-list 101 permit ip 10.0.0.0 0.255.255.255 any
!---This ACL permits traffic from all hosts in the corporate network going to any destination on the Internet.

STEP: 3
route-map topartners permit 10
match ip address 100
set ip next-hop 172.16.1.2
!---This route-map matches all traffic matched by ACL 100 and going out of interface serial 0/1. In other words, all traffic from the corporate network to the partner network is matched.

 

route-map tointernet permit 10
match ip address 101
set ip next-hop 200.1.1.2
!---This route-map matches all traffic matched by ACL 101 and going out of interface serial 0/0. In other words, all traffic from the corporate network to the Internet is matched.

 

STEP: 4
ip nat inside source static 10.1.1.10 172.16.1.10 route-map topartners
!--- The line above configures a static NAT mapping for the inside host 10.1.1.10 to the global address 172.16.1.10, used for traffic matched by route-map topartners.

 

ip nat inside source static 10.1.1.10 200.1.1.10 route-map tointernet
!--- The line above configures a static NAT mapping for the inside host 10.1.1.10 to the global address 200.1.1.10, used for traffic matched by route-map tointernet.
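As an added example that is not part of the original post, the following Python model walks a packet from 10.1.1.10 through the wildcard-mask ACLs behind each route-map and lists which static entry (or entries) would apply; the data layout, the name nat_candidates and the "corrected" variant of ACL 101 with an explicit deny for the partner network (taken from a comment further down this page) are assumptions of the model, not the author's configuration.

```python
# Added example, not part of the original post: a small model of how the
# route-map-based static NAT selection on R1 behaves for a given packet.
# ACL entries use IOS-style wildcard masks; a route-map is modelled by the
# ACL behind its "match ip address" clause.
from ipaddress import IPv4Address

def in_wildcard(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard match: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    mask = ~w & 0xFFFFFFFF
    return (a & mask) == (b & mask)

def acl_permits(acl, src: str, dst: str) -> bool:
    """Evaluate ACEs top-down; the first match decides, implicit deny at the end.
    Each ACE is (action, src, src_wildcard, dst, dst_wildcard)."""
    for action, s, sw, d, dw in acl:
        if in_wildcard(src, s, sw) and in_wildcard(dst, d, dw):
            return action == "permit"
    return False

ANY = ("0.0.0.0", "255.255.255.255")
ACL_100 = [("permit", "10.0.0.0", "0.255.255.255", "192.168.1.0", "0.0.0.255")]
ACL_101 = [("permit", "10.0.0.0", "0.255.255.255", *ANY)]
# ACL 101 with the explicit deny for the partner network suggested in the comments
ACL_101_FIXED = [("deny", "10.0.0.0", "0.255.255.255", "192.168.1.0", "0.0.0.255"),
                 ("permit", "10.0.0.0", "0.255.255.255", *ANY)]

# Static entries as (inside local, inside global, ACL of the route-map), in config order.
ORIGINAL = [("10.1.1.10", "172.16.1.10", ACL_100),   # route-map topartners
            ("10.1.1.10", "200.1.1.10", ACL_101)]    # route-map tointernet
CORRECTED = [("10.1.1.10", "172.16.1.10", ACL_100),
             ("10.1.1.10", "200.1.1.10", ACL_101_FIXED)]

def nat_candidates(config, src: str, dst: str) -> list:
    """Global addresses of every static entry whose route-map permits (src, dst).
    All matches are returned so an ambiguous configuration is visible; the model
    makes no claim about which entry IOS itself would pick in that case."""
    return [g for local, g, acl in config if local == src and acl_permits(acl, src, dst)]

if __name__ == "__main__":
    for cfg_name, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        # constructed sample destinations: a partner host and an Internet host
        for dst in ("192.168.1.5", "203.0.113.7"):
            print(cfg_name, "10.1.1.10 ->", dst, "translates to", nat_candidates(cfg, "10.1.1.10", dst))
```

With the original ACL 101, a packet to the partner network is permitted by both route-maps, so two entries match; the deny line removes that overlap.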

Verification command:

(screenshot of the verification output, not reproduced here)

Comments
fromthesky

Hi,

 why use the "set interface" keyword?  Shouldn't it be the "match interface"?

Thanks,

 

jose.oliveira.83

Hello TCC_2,

Have you tried this config ? did it work ?

 

I tried it and it's not working. I think it's because the router does routing before, like shown here:

  http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html

because there are no routes it does reach the NAT with the route-maps.

 

Best Regards,

José Oliveira

 

I added weighted static routes. Once I did, it worked. When both the static routes were defaulted to 1, I was unable to get out. I have not tried to change the weight in the route-maps.

 

ip route 200.1.1.0 255.255.255.0 200.1.1.2 name ISP 20

ip route 172.16.1.1 255.255.255.0 172.16.1.2 name PARTNER_ISP 30

 

fromthesky

Hi,

What's the purpose of the routes above? These routes don't look correct, as the next-hop is in the network of the route. Also, these networks are directly connected.

Regards,

wilson.waters

Couldn't get this to work either. As jose.oliveira indicated, I think it's because routing happens before nat.

There's another post which suggests to use a Tunnel interface to solve the same problem, but it's not very neat.

There's an error on the picture: interface "s0/0: 172.1.1.1/24" should be "s0/1: 172.1.1.1/24" according to the provided config.

Destiny3986

Hi TCC_2

Could I use "match interface s0/0" and "match interface s0/1"?

mendrika13

We have got a problem in our router (a 1841, IOS Version 12.4(15)T12).

We activated the command "debug ip packet" (to observe NAT translation); then the CPU became full (100%) and I wasn't able to reach the management IP of it.

After restarting the router, I can reach it, BUT the CPU is still at a very high average of 80-100% and we have lost some packets.

What should we do to decrease the CPU utilisation?

How can we be sure that the debug ip packet is off ? (I tried the command "show debugging {condition} {all}" but no result)

Thank you

Debug must be disabled after the reboot but... have you tried this one?

Router# undebug all
laajr

The configuration is wrong.

  • It is not necessary to use "set ip next-hop" to have the conditional NAT; remove it from the route-maps.
  • You should negate the partner network in the Internet ACL 101 (first line). Otherwise, the "any" destination in ACL 101 will incorrectly match the partner network.
  • Make sure you have L3 working properly before applying the NAT configuration.

ip nat inside source static 10.1.1.10 172.1.1.10 route-map topartners
ip nat inside source static 10.1.1.10 200.1.1.10 route-map tointernet

access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255

access-list 101 deny   ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 any

route-map topartners  permit 10
 match ip address 100

route-map tointernet permit 10
 match ip address 101

rameshbhaskar.07

Hi

I want to access my server from the Internet. I have added the server IP to the WAN IP in NAT. I have created a standard access list and allowed my LAN pool only. Do I need to permit the WAN pool?

psangster

Did exactly what it said on the tin for me

Very helpful
