Cisco Support Community
Configuring dynamic NAT with route-maps

Core Issue

Dynamic Network Address Translation (NAT) creates translation entries in the NAT table when traffic received from a host matches the criteria specified for translation and translates the address to a different address that is available in a configured pool. A translation entry remains in the table as long as there is a traffic flow that matches the entry. It is removed from the table after an idle period of a configured timeout value. 

Dynamic NAT configuration with the route-map option can be used to implement destination-based NAT scenarios where the same local or global address needs to be translated to more than one global or local address. This type of configuration creates an extended translation entry in the NAT table. It is useful specifically when a network is multi-homed to different provider or partner networks, and the same inside local address has to be translated to different inside global addresses available in multiple configured pools.

This method is also useful when using NAT and IP Security (IPSec) together on a router to reach a public network like the Internet, as well as other VPN sites through the same NAT outside interface. The route-map option can be used to selectively translate packets that are destined to non-VPN sites in the public network, while not translating packets destined for VPN sites which are reached through the public network.

Resolution

To configure dynamic NAT with the route-map option, issue the ip nat inside source route-map route-map-name pool pool-name command or the ip nat outside source route-map route-map-name pool pool-name command in global configuration mode, depending on whether the addresses to be translated are on the inside or the outside.

Issue the ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} command in global configuration mode to configure the NAT pools that contain the addresses to be used for translation. Also, identify the NAT inside and outside interfaces by issuing the ip nat inside and ip nat outside commands in the configuration mode of the respective interfaces. Configure the route-map so that it matches only the traffic that needs to be translated: define the traffic with an access-list command and reference it, together with any other criteria such as the egress interface, through the route-map's match commands.

For example, a router is multi-homed to the Internet by connecting through interface serial 0 to Internet Service Provider (ISP)-1, which has assigned the 192.168.1.0/24 address space. It is connected through interface serial 1 to ISP-2, which has assigned the address space 172.16.1.0/24. The LAN interface of the router is connected to the corporate inside network, which belongs to the 10.0.0.0/8 network. The requirement is that the same inside host should be translated to addresses assigned by the respective ISPs when traffic is forwarded through interface serial 0 or serial 1. The relevant configuration on the router is the following:

interface Ethernet0
 ip address 10.1.1.1 255.0.0.0
 ip nat inside
!--- This connects to the Corporate network, designated as the NAT inside interface.

interface Serial0
 ip address 192.168.1.1 255.255.255.252
 ip nat outside
!--- This connects to the Internet through ISP-1, designated as the NAT outside interface.

interface Serial1
 ip address 172.16.1.1 255.255.255.252
 ip nat outside
!--- This connects to the Internet through ISP-2, designated as the NAT outside interface.

ip nat pool ISP-1 192.168.1.3 192.168.1.254 prefix-length 24
!--- This creates a pool by the name ISP-1, which contains addresses assigned by ISP-1.

ip nat pool ISP-2 172.16.1.3 172.16.1.254 prefix-length 24
!--- This creates a pool by the name ISP-2, which contains addresses assigned by ISP-2.

ip nat inside source route-map isp-1 pool ISP-1
!--- This configures dynamic NAT mapping for the inside network 10.0.0.0/8 to a global address from the pool ISP-1, used for traffic matched by the route-map isp-1.

ip nat inside source route-map isp-2 pool ISP-2
!--- This configures dynamic NAT mapping for the inside network 10.0.0.0/8 to a global address from the pool ISP-2, used for traffic matched by the route-map isp-2.

access-list 1 permit 10.0.0.0 0.255.255.255
!--- This ACL permits traffic from all hosts in the Corporate network.

route-map isp-2 permit 10
 match ip address 1
 match interface Serial1
!--- This route-map matches all traffic permitted by ACL 1 and going out of interface serial 1. In other words, all traffic from the Corporate network to the Internet through ISP-2 is matched.

route-map isp-1 permit 10
 match ip address 1
 match interface Serial0
!--- This route-map matches all traffic permitted by ACL 1 and going out of interface serial 0. In other words, all traffic from the Corporate network to the Internet through ISP-1 is matched.
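As an added example that is not part of the original article or of Cisco IOS, the following Python (3.8 or later) script parses a constructed copy of the configuration above (comments and ip address lines dropped) and models the translation decision it produces: for each packet it evaluates the route-maps in the order of the ip nat inside source statements, allocates an inside global address from the matching pool, records an extended entry keyed by inside local address, destination and egress interface, and ages entries out after an idle timeout. The class and function names, the idle timeout value and the destination addresses (taken from the RFC 5737 documentation ranges) are assumptions of the example; it illustrates the behaviour the article describes and is not IOS's own allocation algorithm.

```python
import ipaddress
import re

# Constructed copy of the page's example config (comments and 'ip address' lines dropped).
IOS_CONFIG = """\
interface Ethernet0
 ip nat inside
interface Serial0
 ip nat outside
interface Serial1
 ip nat outside
ip nat pool ISP-1 192.168.1.3 192.168.1.254 prefix-length 24
ip nat pool ISP-2 172.16.1.3 172.16.1.254 prefix-length 24
ip nat inside source route-map isp-1 pool ISP-1
ip nat inside source route-map isp-2 pool ISP-2
access-list 1 permit 10.0.0.0 0.255.255.255
route-map isp-2 permit 10
 match ip address 1
 match interface Serial1
route-map isp-1 permit 10
 match ip address 1
 match interface Serial0
"""


def parse_config(text):
    """Extract pools, ACLs, route-map match clauses, NAT statements and NAT outside interfaces."""
    cfg = {"pools": {}, "acls": {}, "route_maps": {}, "nat_maps": [], "outside_ifs": set()}
    block = None  # name of the interface or route-map whose sub-mode is being read
    for line in text.splitlines():
        cmd = line.strip()
        if not cmd or cmd.startswith("!"):
            continue
        if line.startswith(" "):  # indented: belongs to the enclosing interface / route-map
            if cmd == "ip nat outside":
                cfg["outside_ifs"].add(block)
            elif m := re.fullmatch(r"match ip address (\S+)", cmd):
                cfg["route_maps"][block]["acl"] = m.group(1)
            elif m := re.fullmatch(r"match interface (\S+)", cmd):
                cfg["route_maps"][block]["interface"] = m.group(1)
        elif m := re.fullmatch(r"(interface|route-map) (\S+).*", cmd):
            block = m.group(2)
            if m.group(1) == "route-map":  # a single sequence per route-map is modelled
                cfg["route_maps"].setdefault(block, {"acl": None, "interface": None})
        elif m := re.fullmatch(r"ip nat pool (\S+) (\S+) (\S+) .*", cmd):
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif m := re.fullmatch(r"ip nat inside source route-map (\S+) pool (\S+)", cmd):
            cfg["nat_maps"].append((m.group(1), m.group(2)))
        elif m := re.fullmatch(r"access-list (\d+) permit (\S+) (\S+)", cmd):
            # an IOS wildcard mask is a hostmask, which ipaddress accepts in place of a prefix length
            cfg["acls"].setdefault(m.group(1), []).append(
                ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
    return cfg


class RouteMapNat:
    """Simplified model of dynamic NAT driven by 'ip nat inside source route-map ... pool ...'."""
    def __init__(self, cfg, idle_timeout=86400):
        self.cfg, self.idle_timeout = cfg, idle_timeout
        self.table = {}     # (inside local, outside global, egress) -> [inside global, pool, last seen]
        self.bindings = {}  # (inside local, pool) -> inside global currently allocated from that pool

    def _select_pool(self, src, egress):
        """Route-maps are tried in the order of the ip nat inside source statements."""
        for rm_name, pool in self.cfg["nat_maps"]:
            rm = self.cfg["route_maps"][rm_name]
            if rm["interface"] == egress and any(src in n for n in self.cfg["acls"].get(rm["acl"], [])):
                return pool
        return None

    def _allocate(self, src, pool):
        """One inside global per (inside local, pool); extended entries to other destinations reuse it."""
        if (src, pool) not in self.bindings:
            lo, hi = self.cfg["pools"][pool]
            taken = {g for (_, p), g in self.bindings.items() if p == pool}
            free = (str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1))
            addr = next((a for a in free if a not in taken), None)
            if addr is None:
                raise RuntimeError(f"pool {pool} exhausted: the packet would be dropped")
            self.bindings[(src, pool)] = addr
        return self.bindings[(src, pool)]

    def translate(self, src, dst, egress, now):
        """Inside global address used for a packet src->dst leaving via egress, or None if untranslated."""
        if egress not in self.cfg["outside_ifs"]:
            return None
        self.expire(now)
        key = (src, dst, egress)
        if key not in self.table:
            pool = self._select_pool(ipaddress.ip_address(src), egress)
            if pool is None:
                return None  # no route-map matched: forwarded with its real source address
            self.table[key] = [self._allocate(src, pool), pool, now]
        self.table[key][2] = now  # any matching packet refreshes the idle timer
        return self.table[key][0]

    def expire(self, now):
        """Remove entries idle past the timeout and release inside globals no entry still uses."""
        self.table = {k: v for k, v in self.table.items() if now - v[2] < self.idle_timeout}
        live = {(k[0], v[1]) for k, v in self.table.items()}
        self.bindings = {b: g for b, g in self.bindings.items() if b in live}
```

Running the model against the parsed configuration shows the behaviour the article asks for: host 10.1.1.50 becomes 192.168.1.3 when its traffic leaves via Serial0 and 172.16.1.3 when it leaves via Serial1, two extended entries for the same inside local address. It also makes the negative cases explicit, which is what matters when reviewing a route-map NAT policy: a packet whose source is outside ACL 1, or that leaves through an interface no route-map names, is forwarded with its real address, exactly the selective-translation property the IPSec scenario above relies on, so the ACL and match interface clauses need to be checked against the traffic that must not be translated as carefully as against the traffic that must.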

For more information, refer to NAT Support for Multiple Pools Using Route Maps.


Version history
Revision #: 1 of 1
Last update: 06-22-2009 05:04 PM