Cisco Support Community

New Member

route-map?

What does the route-map command accomplish in this config, and what does the 10 stand for?

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 95.95.95.2
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto map rtp 1 ipsec-isakmp
 set peer 95.95.95.2
 set transform-set rtpset
 !--- Include the private network to private network traffic
 !--- in the encryption process.
 match address 115
!
interface Ethernet0/0
 ip address 10.50.50.50 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface Ethernet0/1
 ip address 99.99.99.2 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 crypto map rtp
!
interface Ethernet0/2
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Ethernet0/3
 no ip address
 no ip directed-broadcast
 shutdown
!
!--- Exempt the private network traffic from the NAT process.
ip nat inside source route-map nonat interface Ethernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 99.99.99.1
no ip http server
!
!--- Exempt the private network traffic from the NAT process.
access-list 110 deny ip 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255
access-list 110 permit ip 10.50.50.0 0.0.0.255 any
!--- Include the private network to private network traffic
!--- in the encryption process.
access-list 115 permit ip 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255
!--- Exempt the private network traffic from the NAT process.
route-map nonat permit 10
 match ip address 110

4 REPLIES
Cisco Employee

Re: route-map?

That route-map is tied to access-list 110 to define the source network that gets translated. The route-map statement gives you better control over what to permit and what to deny in a big network.

Now you can get away with the following statement if you don't want to use the route-map:

ip nat inside source list 110 interface Ethernet0/1 overload

Bronze

Re: route-map?

The route-map was used for NAT instead of ACLs only.

The route-map named "nonat" will be used as the source of the translation, which in turn uses access-list 110, wherein the addresses were defined by the permit and deny statements.

The value "10" in the route-map is just a sequence number to indicate the preference of the route-map entry if you are using the same route-map name with different set and match statements.

In short, if you have:

route-map nonat permit 10
route-map nonat permit 20
route-map nonat permit 30

just follow the concept of an access-list.

From just looking at access-list 110, the network 10.50.50.0/24 will be able to access ANY destination EXCEPT 10.103.1.0/24.

But this config is quite far from the usual implementation of NAT with route-maps. The config you have posted should work without the route-map, in terms of NAT purposes only.

So instead of:

ip nat inside source route-map nonat interface Ethernet0/1 overload

you can just use:

ip nat inside source list 110 interface Ethernet0/1 overload

and you should achieve the same output.

Here's the link for using NAT with route maps:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

New Member

Re: route-map?

Thanks! That helped. Could you give me an example of when you would want to use a route-map?

Bronze

Re: route-map?

Good to hear that it helped.

If you haven't checked the link that I've posted, it shows a good, practical example, wherein a single inside network can be translated into two different outside addresses when accessing two different networks.
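As an added illustration (not part of the thread or of Cisco's documentation), the following Python model walks a NAT route-map the way IOS does, covering both the sequence-number explanation above and the two-outside-addresses case from the last reply: sequences are evaluated in ascending order, so the "10" is only a position; a permit entry whose ACL denies the packet simply fails to match and evaluation falls through to the next sequence; and running off the end of the route-map leaves the flow untranslated. It encodes the thread's ACL 110 / route-map nonat and a constructed pair of route-maps bound to two pools. The names TO-PARTNER-A/B and POOL-A/B, ACLs 101 to 103, and the 10.1.1.0/24, 10.2.2.0/24 and 10.50.50.100 addresses are invented for the example; on a router they would correspond to two `ip nat inside source route-map ... pool ...` statements.

```python
"""Model of IOS NAT route-map evaluation (added example; sample data is constructed)."""
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")  # the `any` keyword in ACL syntax


def wildcard_match(addr, net, wild):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, net, wild))
    return (a | w) == (n | w)


def acl_action(acl, src, dst):
    """Extended ACL as an ordered list of (action, src, src_wild, dst, dst_wild).
    First matching entry wins; an ACL ends in an implicit deny."""
    for action, s_net, s_wild, d_net, d_wild in acl:
        if wildcard_match(src, s_net, s_wild) and wildcard_match(dst, d_net, d_wild):
            return action
    return "deny"


def route_map_action(route_map, acls, src, dst):
    """Entries are (sequence, 'permit'|'deny', acl_number). IOS evaluates them in
    ascending sequence order; the first entry whose ACL *permits* the packet
    decides. An ACL deny only means 'this entry does not match', so evaluation
    continues with the next sequence. Falling off the end is an implicit deny."""
    for seq, action, acl_num in sorted(route_map, key=lambda e: e[0]):
        if acl_action(acls[acl_num], src, dst) == "permit":
            return action, seq
    return "deny", None


def nat_decision(nat_rules, route_maps, acls, src, dst):
    """nat_rules: ordered (route_map_name, translation_target) pairs, one per
    `ip nat inside source route-map ...` line. Returns (target, map, sequence)
    for the first rule whose route-map permits the flow, or None when the
    flow is left untranslated."""
    for map_name, target in nat_rules:
        action, seq = route_map_action(route_maps[map_name], acls, src, dst)
        if action == "permit":
            return target, map_name, seq
    return None


# Constructed sample config. ACL 110 / route-map nonat are the thread's;
# everything else (ACLs 101-103, partner subnets, host 10.50.50.100,
# route-map and pool names) is hypothetical.
ACLS = {
    110: [("deny", "10.50.50.0", "0.0.0.255", "10.103.1.0", "0.0.0.255"),
          ("permit", "10.50.50.0", "0.0.0.255", *ANY)],
    101: [("permit", "10.50.50.0", "0.0.0.255", "10.1.1.0", "0.0.0.255")],  # to partner A
    102: [("permit", "10.50.50.0", "0.0.0.255", "10.2.2.0", "0.0.0.255")],  # to partner B
    103: [("permit", "10.50.50.100", "0.0.0.0", *ANY)],  # one host that is never translated
}
ROUTE_MAPS = {
    "nonat": [(10, "permit", 110)],
    # Entries are deliberately listed out of order: sequence 5 is still evaluated first.
    "TO-PARTNER-A": [(10, "permit", 101), (5, "deny", 103)],
    "TO-PARTNER-B": [(10, "permit", 102)],
}
# The thread's single statement: ip nat inside source route-map nonat interface Ethernet0/1 overload
THREAD_NAT = [("nonat", "interface Ethernet0/1 overload")]
# Policy NAT: the same inside network gets a different outside pool per destination.
POLICY_NAT = [("TO-PARTNER-A", "pool POOL-A"), ("TO-PARTNER-B", "pool POOL-B")]


if __name__ == "__main__":
    for rules, src, dst in [
        (THREAD_NAT, "10.50.50.10", "10.103.1.5"),    # VPN traffic: exempt from NAT
        (THREAD_NAT, "10.50.50.10", "198.51.100.7"),  # Internet-bound: overloaded on E0/1
        (POLICY_NAT, "10.50.50.10", "10.1.1.9"),      # partner A: POOL-A
        (POLICY_NAT, "10.50.50.10", "10.2.2.9"),      # partner B: POOL-B
        (POLICY_NAT, "10.50.50.100", "10.1.1.9"),     # denied by sequence 5: untranslated
    ]:
        print(f"{src} -> {dst}: {nat_decision(rules, ROUTE_MAPS, ACLS, src, dst)}")
```

For NAT only the match clauses of a route-map are consulted (`match ip address`, `match interface`, `match ip next-hop`); this is what lets the same route-map syntax send one inside network to different pools by destination, which a plain `ip nat inside source list` statement cannot express.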
