cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4024
Views
0
Helpful
15
Replies

route-map vs access-list in NAT

Jonn cos
Level 4
Level 4

Hi All,

i need to understand technical difference between using a route-map vs access-list in a natting statement. I have seen an old white-paper about some extended translations occurring due to use of route-maps but now if check, both access-list and route-maps are same in that regard.

 

I would appreciate if someone can highlight what technical difference there is ?

15 Replies 15

nkarthikeyan
Level 7
Level 7

Hi Jonn,

There is not so much difference in using a ACL based NAT or Route-map's based NAT. But in addition if you use route-map based NAT.... it will do perform the NAT based on the entire route-map parameters which includes the access-list, policy based routing for the matched NAT.... In this case match parameters is needed for both ACL as well as route-map.....

 

Regards

Karthik

Hi Karthik,

it will do perform the NAT based on the entire route-map parameters which includes the access-list, policy based routing for the matched NAT

Be careful - a route-map used in a NAT statement will not cause your packets to be policy routed. If you want to do Policy Based Routing, you need to refer to a route-map in a per-interface ip policy route-map command.

The main difference between using an ACL and a route-map in an ip nat statement is that the route-map allows you to also match the outgoing interface, not just the usual ACL-matchable parameters (source, destination, L4 protocol, L4 ports, etc.). This is especially useful if you have multiple ISPs or multiple uplinks, and you need to NAT into different address pools depending on what egress interface a packet goes out.

Best regards,
Peter

Hi Peter,

This question was bothering me for years and i asked it on different forums. There were times when i was able to solve specific nat issue using route-map only. I mean when i replaced acl with route-map the issue was solved. I know i sound weird and without a scenario its meaningless but i am sure there is some advantage of using route-maps with simple access-list matching and using just a acl.

Hi Jonn,

 

I see major difference is the one we have told earlier..... if you use route-map based NAT it takes care of both ACL match as well as Policy based routing which is included in route-map.... if you put acl alone then it takes care of only the ACL..... return traffic is also a main thing here....

 

Regards

Karthik

diya isleem
Level 1
Level 1

There are two references to the route maps in the NAT configuration, 

 

1- ip nat source route-map

2- ip nat source statci ip ip route-map

 

So it is clear that we've two functions for the route maps here.

 

 

Also I found this text about route-maps but I need more details:

 

By default when you use route-maps with NAT rules, extendable entries are created. This disallows an external user to open a reverse connection back to an inside host since no one-to-one mapping exists in translation table. Reversible NAT allows creating of extendable entries along with reversible one-to-one mappings.

 

 

You would be better off posting your own question if you want clarification.

Are you trying to provide an answer to the OP or are you asking a question yourself ?

Jon

I don't clearly understand you, my post is related to this discussion.

Yes but -

1) it's not clear whether you are responding to the OP or asking a question

and

2) this post is over a year old

Jon

this is unanswered question and it is better to get an answer for him and anyone rather than duplicating the topic, I've same question and I posted some input hoping that it helps, if you have any clarification it will be great. :)

I suspect after a year he is no longer waiting for an answer although I could be wrong :-)

But I understand what you mean.

When you use a route map with NAT it does not enter a one to one mapping, it enters full translations ie. IPs and port numbers.

So if you used a route map with a NAT pool for example and a client went from inside to outside then it would only create a mapping for the IP on the specific port numbers used which means no device on the outside could then connect back to the client on a different port.

If you use the reversible keyword however it not only creates a full entry using IPs and port numbers but it also creates a one to one mapping so now you could connect back to the client on a different port number.

Static NAT statements with a route map also only create full translation entries although the logic of what you can and can't connect to is slightly different.

Jon

 

Thank you, this clarifies one side for me,

 

Now what is the relation between route-map and extendable NAT? 

 

As I know, extendable means: the router will create new entry in the NATting table so a new connection from destination side "i,e. outside" to the source "inside" will be allowed, so what is the difference between extendable NAT and reversible NAT?

Must admit that is not my understanding of extendable NAT.

Using extendable NAT simply means the router will do a full translation ie. IPs and port numbers which allows you to, for example, use translate the same source inside IP to multiple outside IPs.

I don't know how this ties in with what you are saying ie. extendable meaning a new entry will be allowed from destination side although we may be talking about the same thing just in a different way.

Jon

they both tied to the route maps, this is what I thought,

Please see my quote in my 1st post

 

So I understand from you the reverse natting and extendable natting are completely different things, is that means route map only help to implement them??

They are not both tied to route maps.

Using the extendable keyword simply means a full translation is done using IPs and ports as far as I am aware.

So you don't need to use extendable with route maps.

Using route maps with NAT is to give you more flexibility ie. as Peter says you can tie the NAT to an interface for example.

Jon

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: