New Member

NAT and Route-Maps

Hi all,

we have a NAT and Route-Map question.

We have a secondary public address on our external interface. Some traffic we want to be NAT'd and the source address replaced with the primary address (x1) on the outbound public interface (fa0/1), and other traffic to be NAT'd and the source address replaced with the secondary address (x2) on the outbound public interface. Here is the configuration:

# access-list 120 permit udp 10.0.70.0 0.0.0.127 any eq 7780 log-input
# access-list 120 permit udp 10.0.70.0 0.0.0.127 any eq 7783 log-input
# access-list 120 permit udp 10.0.70.0 0.0.0.127 any eq 7786 log-input
# access-list 120 permit ip 10.0.70.0 0.0.0.127 any log-input
# access-list 120 permit ip 10.0.71.0 0.0.0.127 any log-input
# access-list 121 permit udp 10.0.70.0 0.0.0.127 any eq 7789 log-input
# access-list 121 permit ip 10.0.70.0 0.0.0.127 any log-input
# access-list 121 permit ip 10.0.71.0 0.0.0.127 any log-input
# route-map MAP-Actrix permit 10
# match ip address 120
# route-map MAP-Ihug permit 10
# match ip address 121
# ip nat pool net-26 x1 x1 prefix-length 24
# ip nat inside source route-map MAP-Actrix pool net-26 overload
# interface fa0/0
# ip nat inside
# interface fa0/1
# ip nat outside
# ip nat pool net-48 x2 x2 prefix-length 24
# ip nat inside source route-map MAP-Ihug pool net-48 overload

Now my central question is this: if traffic arrives on the router destined to leave via fa0/1, and it doesn't match the first three lines of ACL 120, or the first two lines of ACL 121, which ACL will it use when applying the route-map to the NAT config? If it uses ACL 120 when in fact I wanted it to use ACL 121, does this mean I need to be more specific in my ACL config?

TIA,

Matthew

1 ACCEPTED SOLUTION
New Member

Re: NAT and Route-Maps

1. As far as access-lists 120 and 121 are concerned, both permit all the traffic if the first 3 and 2 statements do not match the required traffic.

You need to explicitly allow the required traffic in the first statements and deny the remaining.

2. As far as IP NAT is concerned:

Create a loopback interface (say Loopback 1). You can move the secondary IP of Fa0/1 to Loopback 1 and use NAT overload to the interface, either with an access-list or a route-map:

ip nat inside source list 120 interface fastEthernet0/1 overload

ip nat inside source list 121 interface loopback1 overload

or

ip nat inside source route-map MAP-Actrix interface fastEthernet0/1 overload

ip nat inside source route-map MAP-Ihug interface loopback1 overload
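To make the first point concrete, here is a small model of IOS access-list first-match semantics applied to the two route-map ACLs. This is an added example, not code from the thread or from Cisco: it converts the posted wildcard masks to CIDR, evaluates each ACL top-down with the implicit deny at the end, and lists which route-maps a given flow would satisfy. The "as posted" ACLs are the ones in the question (the `log-input` keyword is ignored, as it does not affect matching); the "tightened" ACLs are an assumed reading of the reply's advice to permit only the required ports and deny the rest, and the sample flows are constructed.

```python
"""Model of IOS access-list first-match semantics for NAT route-map ACLs.

Added example (not from the original thread). Wildcard masks are converted to
CIDR, 'permit ip' matches any protocol, and a packet that matches no entry
hits the implicit deny. AS_POSTED reproduces the question's ACLs; TIGHTENED
is an assumed version of the reply's "permit required, deny remaining".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


def wildcard_to_cidr(addr: str, wildcard: str) -> str:
    """Convert an IOS 'network wildcard' pair (10.0.70.0 0.0.0.127) to CIDR."""
    wild = int(ip_address(wildcard))
    mask = (~wild) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    # Only a contiguous wildcard maps to a prefix; IOS also accepts others.
    if (mask | ((1 << (32 - prefix)) - 1)) != 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return str(ip_network(f"{addr}/{prefix}", strict=False))


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str                     # "udp", "tcp", "icmp", ...
    dport: Optional[int] = None    # destination port, None for portless protocols


@dataclass(frozen=True)
class Entry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches any protocol
    src: str                       # source network in CIDR
    dport: Optional[int] = None    # 'eq' port, None means any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        return self.dport is None or self.dport == pkt.dport


def acl_permits(entries, pkt: Packet) -> bool:
    """Entries are tested top-down; the first match decides; unmatched is denied."""
    for e in entries:
        if e.matches(pkt):
            return e.action == "permit"
    return False


def matching_route_maps(acls: dict, pkt: Packet) -> list:
    """Names of route-maps (in config order) whose match ACL permits the packet."""
    return [name for name, entries in acls.items() if acl_permits(entries, pkt)]


NET70 = wildcard_to_cidr("10.0.70.0", "0.0.0.127")   # 10.0.70.0/25
NET71 = wildcard_to_cidr("10.0.71.0", "0.0.0.127")   # 10.0.71.0/25

# ACLs as posted: the trailing 'permit ip' lines turn each list into a catch-all.
AS_POSTED = {
    "MAP-Actrix": [                       # access-list 120
        Entry("permit", "udp", NET70, 7780),
        Entry("permit", "udp", NET70, 7783),
        Entry("permit", "udp", NET70, 7786),
        Entry("permit", "ip", NET70),
        Entry("permit", "ip", NET71),
    ],
    "MAP-Ihug": [                         # access-list 121
        Entry("permit", "udp", NET70, 7789),
        Entry("permit", "ip", NET70),
        Entry("permit", "ip", NET71),
    ],
}

# Assumed tightened ACLs: only the required ports are permitted, the rest denied.
TIGHTENED = {
    "MAP-Actrix": [
        Entry("permit", "udp", NET70, 7780),
        Entry("permit", "udp", NET70, 7783),
        Entry("permit", "udp", NET70, 7786),
        Entry("deny", "ip", "0.0.0.0/0"),
    ],
    "MAP-Ihug": [
        Entry("permit", "udp", NET70, 7789),
        Entry("deny", "ip", "0.0.0.0/0"),
    ],
}

# Constructed sample flows from the inside networks.
FLOWS = {
    "udp7780": Packet("10.0.70.5", "udp", 7780),
    "udp7789": Packet("10.0.70.5", "udp", 7789),
    "tcp443": Packet("10.0.71.20", "tcp", 443),
}


def report(acls: dict) -> dict:
    """Map each sample flow to the route-maps it satisfies under the given ACLs."""
    return {name: matching_route_maps(acls, pkt) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for label, acls in (("as posted", AS_POSTED), ("tightened", TIGHTENED)):
        print(label)
        for flow, maps in report(acls).items():
            print(f"  {flow:8} -> {maps or 'no route-map matches (not translated)'}")
```

With the ACLs as posted, every one of the three flows, including the UDP 7789 flow meant for MAP-Ihug, satisfies both route-maps, so which translation is applied depends on the order in which the router evaluates its NAT statements rather than on the ACLs. With the tightened ACLs each UDP flow satisfies exactly one route-map, and the TCP 443 flow satisfies neither, which means it would not be translated at all; whichever source address that remaining traffic should use has to be stated explicitly in one of the two lists rather than left to a catch-all.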
