2801 router - problem with NAT via route-maps

m-housley
Level 1

I have a problem with a 2801 router running static NAT (inside-outside), a basic dynamic NAT (outside-inside) and two dynamic NATs through two route-maps (inside-outside)...

The static and basic dynamic NATs work OK so no problem there, but the pools via route-maps do not.

When a packet arrives and gets run through the route-map, a translation entry builds, but the router does not forward the packet - this happens on both route-maps. Example below:

NAT_Router#sh ip nat trans | include 172.16.2.144
udp 192.168.100.1:1508 172.16.2.144:1508 192.168.169.69:111 192.168.169.69:111
udp 192.168.100.1:1509 172.16.2.144:1509 192.168.169.3:111 192.168.169.3:111

The NAT config of the router is as follows:

!
no ip cef
!
interface FastEthernet0/0
 ip address 172.17.3.250 255.255.248.0
 ip nat inside
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 192.168.171.4 255.255.255.0
 ip nat outside
 speed 100
 full-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.17.7.254
ip route 10.16.0.0 255.248.0.0 192.168.171.1
ip route 10.210.0.0 255.255.255.0 192.168.171.1
ip route 172.17.250.0 255.255.255.0 192.168.171.1
ip route 172.17.251.0 255.255.255.0 192.168.171.1
ip route 172.22.100.128 255.255.255.224 192.168.171.1
ip route 192.168.154.0 255.255.255.0 192.168.171
ip route 192.168.100.56 255.255.255.248 192.168.171.250
ip route 192.168.169.3 255.255.255.255 192.168.171.250
ip route 192.168.169.69 255.255.255.255 192.168.171.250
ip route 205.223.239.66 255.255.255.255 192.168.171.1
ip route 217.33.199.56 255.255.255.255 192.168.171.1
!
ip nat pool DMZ 172.17.250.1 172.17.250.254 netmask 255.255.255.0
ip nat pool SKEM 192.168.171.225 192.168.171.249 netmask 255.255.255.224
ip nat pool EARS 192.168.100.1 192.168.100.30 netmask 255.255.255.224
ip nat inside source route-map MAP-101 pool SKEM
ip nat inside source route-map MAP-102 pool EARS
ip nat inside source static 172.22.130.34 192.168.171.6
ip nat inside source static 172.22.130.41 192.168.171.7
ip nat inside source static 166.1.1.47 192.168.171.47
ip nat inside source static 172.22.1.21 192.168.171.48
ip nat inside source static 172.22.254.81 192.168.171.49
ip nat inside source static 172.22.8.15 192.168.171.50
ip nat outside source list 2 pool DMZ
ip nat outside source static 192.168.154.11 172.17.251.15
ip nat outside source static 192.168.154.23 172.17.251.13
!
access-list 2 deny 10.17.17.23
access-list 2 permit 192.168.154.0 0.0.0.255
access-list 2 permit 10.16.0.0 0.7.255.255
access-list 2 permit 172.22.100.128 0.0.0.31
access-list 2 permit 10.210.0.0 0.0.0.255
access-list 101 permit ip 172.16.0.0 0.0.255.255 host 217.33.199.56
access-list 101 permit ip 172.16.0.0 0.0.255.255 host 205.223.239.66
access-list 102 permit ip 172.16.0.0 0.0.255.255 host 192.168.169.3
access-list 102 permit ip 172.16.0.0 0.0.255.255 host 192.168.169.69
access-list 102 permit ip 172.16.0.0 0.0.255.255 192.168.100.56 0.0.0.7
!
route-map MAP-101 permit 10
 match ip address 101
!
route-map MAP-102 permit 10
 match ip address 102
!

There must be some fundamental error in the config but I've no idea what it might be.

The software is c2801-ipbase-mz[1].124-3a.bin

Any ideas anyone?
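As an added example that is not part of this thread and not a Cisco tool, the Python script below re-evaluates the route-map ACLs from the posted config against each line of 'show ip nat translations' output: for every entry it reports which route-map should have matched the inside-local to outside-global flow (first-match ACL evaluation with the implicit deny) and whether the inside-global address actually lies in that route-map's pool. The two translation lines and ACLs 101/102 are copied from the post as constructed input; the assumption that the router tries MAP-101 before MAP-102 (config order) and the restriction to contiguous wildcard masks are the example's own.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample in the shape of the thread's 'show ip nat translations' output:
# proto, inside global, inside local, outside local, outside global
SAMPLE_TRANSLATIONS = """\
udp 192.168.100.1:1508 172.16.2.144:1508 192.168.169.69:111 192.168.169.69:111
udp 192.168.100.1:1509 172.16.2.144:1509 192.168.169.3:111 192.168.169.3:111
"""

# The extended access-lists from the thread's config, verbatim
ACL_CONFIG = """\
access-list 101 permit ip 172.16.0.0 0.0.255.255 host 217.33.199.56
access-list 101 permit ip 172.16.0.0 0.0.255.255 host 205.223.239.66
access-list 102 permit ip 172.16.0.0 0.0.255.255 host 192.168.169.3
access-list 102 permit ip 172.16.0.0 0.0.255.255 host 192.168.169.69
access-list 102 permit ip 172.16.0.0 0.0.255.255 192.168.100.56 0.0.0.7
"""

# route-map -> (ACL number, pool name, first pool address, last pool address), from the config.
# Assumption: rules are tried in the order they appear in the config (MAP-101 before MAP-102).
ROUTE_MAP_POOLS = {
    "MAP-101": (101, "SKEM", "192.168.171.225", "192.168.171.249"),
    "MAP-102": (102, "EARS", "192.168.100.1", "192.168.100.30"),
}

ACE_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+) (.+)$")
Translation = namedtuple("Translation",
                         "proto inside_global inside_local outside_local outside_global")

def strip_port(token):
    """'a.b.c.d:port' -> 'a.b.c.d'; static entries without a port pass through unchanged."""
    return token.rsplit(":", 1)[0]

def parse_translations(text):
    """Parse the five-column body lines of 'show ip nat translations'."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, blank, or continuation line
        proto, *addrs = parts
        entries.append(Translation(proto, *map(strip_port, addrs)))
    return entries

def wildcard_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into a network (contiguous wildcards only)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - wc.bit_length()  # 0.0.255.255 -> /16, 0.0.0.7 -> /29, 0.0.0.0 -> /32
    return ipaddress.ip_network((int(ipaddress.IPv4Address(addr)), prefix), strict=False)

def parse_prefix(tokens):
    """Consume one address spec from an extended ACE: 'any', 'host X', or 'X WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_network(tokens[0], tokens[1]), tokens[2:]

def parse_acls(text):
    """Return {acl_number: [(action, proto, src_net, dst_net), ...]} for numbered extended ACLs."""
    acls = {}
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        num, action, proto, rest = m.groups()
        if not 100 <= int(num) <= 199:
            continue  # standard ACLs (like list 2 in the config) have no destination field
        src_net, rest_tokens = parse_prefix(rest.split())
        dst_net, _ = parse_prefix(rest_tokens)
        acls.setdefault(int(num), []).append((action, proto, src_net, dst_net))
    return acls

def acl_permits(aces, proto, src, dst):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, ace_proto, src_net, dst_net in aces:
        if ace_proto in ("ip", proto) and s in src_net and d in dst_net:
            return action == "permit"
    return False

def classify(t, acls, pools=ROUTE_MAP_POOLS):
    """(route-map, pool, inside-global-lies-in-pool) for the first matching route-map, else None."""
    for rmap, (acl_num, pool, first, last) in pools.items():
        if acl_permits(acls.get(acl_num, []), t.proto, t.inside_local, t.outside_global):
            ig = ipaddress.ip_address(t.inside_global)
            return rmap, pool, ipaddress.ip_address(first) <= ig <= ipaddress.ip_address(last)
    return None

def audit(trans_text, acl_text):
    """Map every translation to the route-map and pool that should have produced it."""
    acls = parse_acls(acl_text)
    return [(t.inside_local, t.outside_global, classify(t, acls))
            for t in parse_translations(trans_text)]
```

For the two posted entries `audit(SAMPLE_TRANSLATIONS, ACL_CONFIG)` reports MAP-102/EARS with the inside-global address inside the pool, which agrees with the poster's observation that the translation itself is built as intended; the script checks policy consistency only and says nothing about why the packet is then not forwarded. Run it over a fuller capture to spot entries that no route-map permits or whose inside-global address sits in an unexpected pool, both of which point at overlapping or mis-ordered NAT rules.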

2 Replies

anthony.king
Level 1

I've had the same problem with 1841s and 871s. I used 'ip nat inside source list' instead and that worked fine.

I cannot use the "ip nat inside source list" command as this will not create fully extended entries in the NAT translation table. It must be through a route-map as the same end-users will be using both NAT pools that are run through route-maps.
