Why packets are being translated by one route-map and not the other?

blakem (Level 1)

Hi,

I have 2 NAT rules, each with a route-map to determine which packets are translated. What I don't understand is how to control which NAT rule is applied first?

In my config, the first of the following rules is applied first, and then the other. I would like to have it the other way round, the second being applied first, and the first being applied second.

ip nat inside source route-map NAT_INTERNET_ACCESS_RMAP interface GigabitEthernet0/1 overload
ip nat inside source static 172.16.101.1 10.10.11.1 route-map NAT_RADIANZ_PIXACCESS_RMAP

The reason why I want it this way round is because the first rule NATs almost everything so that I can access the Internet. The second rule NATs specific traffic to a different address.

If I want traffic to be NATTED according to the second rule, I have to deny traffic in the first associated ACL, and permit it in the second ACL. That means I basically have to configure each ACL each time I want packets to be matched by the second NAT rule - there must be a better way of doing it!!!

Any help would be most appreciated.

Many thanks,

Michael.

5 Replies

jolmo (Level 4)

Hi Michael

Can you post every ACL associated to each route map ?

There should be a way to configure them properly. Remember traffic that comes into the router is compared to ACL entries based on the order that the entries occur in the router.

Hello, here's the basic (shortened) list. If I want packets to be matched by NAT_RADIANZ_PIXACCESS_ACL I have to put a deny in NAT_INTERNET_ACCESS_ACL. If I could make sure that the first list is used first, and then anything left over compared against the second, then it would make life/editing much easier...

Cheers,

Michael

ip nat inside source route-map NAT_INTERNET_ACCESS_RMAP interface GigabitEthernet0/1 overload
ip nat inside source static udp 10.10.11.1 500 10.10.11.1 500 extendable
ip nat inside source static udp 10.10.11.1 4500 10.10.11.1 4500 extendable
ip nat inside source static 172.16.101.1 10.10.11.1 route-map NAT_RADIANZ_PIXACCESS_RMAP
!
ip access-list extended NAT_INTERNET_ACCESS_ACL
 remark Traffic to Branch A (over VPN)
 deny ip 172.16.101.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark Traffic to Branch B (over VPN)
 deny ip 172.16.101.0 0.0.0.255 172.16.0.0 0.0.0.255
 deny ip 172.16.101.0 0.0.0.255 172.16.1.0 0.0.0.255
 deny ip 172.16.101.0 0.0.0.255 172.16.2.0 0.0.0.255
 deny ip 172.16.101.0 0.0.0.255 172.16.3.0 0.0.0.255
 remark Traffic to Cust A (over VPN)
 deny ip host 172.16.101.1 host 192.168.0.1
 deny ip host 172.16.101.2 host 192.168.0.1
 remark Traffic to Cust B (over VPN)
 deny ip host 172.16.101.1 host 192.168.0.2
 deny ip host 172.16.101.2 host 192.168.0.2
 remark Traffic to Cust C (over Radianz VPN)
 deny ip host 172.16.101.1 host 192.168.0.3
 deny ip host 172.16.101.2 host 192.168.0.3
 remark Traffic to Cust D (over Radianz VPN)
 deny ip host 172.16.101.1 host 192.168.0.4
 deny ip host 172.16.101.2 host 192.168.0.4
 permit ip any any
!
ip access-list extended NAT_RADIANZ_PIXACCESS_ACL
 remark Management Traffic to Cust C
 permit icmp host 172.16.101.1 host xxx.xxx.xxx.xxx
 permit icmp host 172.16.101.2 host xxx.xxx.xxx.xxx
 permit tcp host 172.16.101.1 host xxx.xxx.xxx.xxx eq 22
 permit tcp host 172.16.101.2 host xxx.xxx.xxx.xxx eq 22
 remark Management Traffic to Cust D
 permit icmp host 172.16.101.1 host xxx.xxx.xxx.xxx
 permit icmp host 172.16.101.2 host xxx.xxx.xxx.xxx
 permit tcp host 172.16.101.1 host xxx.xxx.xxx.xxx eq 22
 permit tcp host 172.16.101.2 host xxx.xxx.xxx.xxx eq 22
!
route-map NAT_RADIANZ_PIXACCESS_RMAP permit 10
 match ip address NAT_RADIANZ_PIXACCESS_ACL
 set ip next-hop 10.10.11.14
!
route-map NAT_INTERNET_ACCESS_RMAP permit 40
 match ip address NAT_INTERNET_ACCESS_ACL
 set ip next-hop xxx.xxx.xxx.xxx

Hi Michael

I'm afraid there is no other way to do it but putting every permit entry in NAT_RADIANZ_PIXACCESS_ACL as a deny entry at the beginning of NAT_INTERNET_ACCESS_ACL.

I think you can not specify the order the router checks every route-map.

HTH

Hi

Well I found something that helps, although I wish I could order the NAT translations.

If I put a 'match interface' in the route-map, then only packets leaving that interface will be NATTED, i.e. not the ones that I don't want NATTED.

e.g.:

route-map NAT_INTERNET_ACCESS_RMAP permit 40
 match ip address NAT_INTERNET_WEBACCESS_ACL
 match interface GigabitEthernet0/1
 set ip next-hop xxx.xxx.xxx.xxx

It still leaves the problem that if I wanted to NAT addresses to two different addresses on the same interface (say I had a secondary IP address on the interface, or wanted to do some proxy-arp), I'd have to use the denies in one of the lists!!

Thanks for your help. If you've got any other ideas, I'd love to hear them.

Cheers,

Michael

Michael:

This is a very interesting question. I've been thinking about it for a day but have not really come up with a solution that can have two separate NATs for the traffic coming into the same inside interface if not using those deny statements. Then I was thinking somehow maybe those deny statements can be simplified.

Don't know how your addressing scheme was designed. If all your customers are in the same 192.168.0.0/24 range, then you can have one "deny ip 172.16.101.0 0.0.0.255 192.168.0.0 0.0.0.255" instead of multiple "deny ip host ... host ...".

Would that work for you? Please let me know.

Gary
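As an added illustration (this is not code from the thread, from Cisco, or from any of the posters), the Python below models the behaviour jolmo's and Gary's replies rely on: an IOS extended ACL is evaluated first-match with an implicit deny at the end, and, as Michael observed on his router, a packet is translated by the first configured NAT rule whose route-map ACL permits it. It replays the three variants discussed: Michael's original Internet ACL, jolmo's per-permit deny entries at the top of that ACL, and Gary's single wildcard deny covering a whole range. The management addresses masked as xxx.xxx.xxx.xxx in the thread are replaced with constructed TEST-NET values (203.0.113.0/24), and the rule evaluation order is an assumption taken from Michael's description, not a statement about IOS internals.

```python
"""Model of first-match ACL evaluation and NAT-rule selection (added example).

Assumption: a packet is handled by the first configured NAT rule whose
route-map ACL permits it, which is what the thread's author observed.
Addresses masked in the thread are replaced by constructed TEST-NET values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "ip", "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


@dataclass(frozen=True)
class AclEntry:
    action: str         # "permit" or "deny"
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS-style wildcard (hostmask) after the slash
    return ipaddress.IPv4Network(tok[i] + "/" + tok[i + 1], strict=False), i + 2


def parse_acl(text):
    """Turn the body of an IOS extended ACL into ordered AclEntry objects."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue                      # skip remarks and the header line
        src, i = _parse_addr(tok, 2)
        dst, i = _parse_addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        entries.append(AclEntry(tok[0], tok[1], src, dst, dport))
    return entries


def acl_permits(entries, pkt):
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if ipaddress.IPv4Address(pkt.src) not in e.src:
            continue
        if ipaddress.IPv4Address(pkt.dst) not in e.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action == "permit"
    return False


def select_nat_rule(rules, pkt):
    """rules: [(name, acl_entries)] in configured order; first permitting rule wins."""
    for name, acl in rules:
        if acl_permits(acl, pkt):
            return name
    return None


# Constructed stand-ins for the masked management addresses (TEST-NET-3).
CUST_C_MGMT = "203.0.113.3"
CUST_D_MGMT = "203.0.113.4"

RADIANZ_ACL = parse_acl(f"""
permit icmp host 172.16.101.1 host {CUST_C_MGMT}
permit tcp host 172.16.101.1 host {CUST_C_MGMT} eq 22
permit tcp host 172.16.101.1 host {CUST_D_MGMT} eq 22
""")

# Michael's original list: VPN denies, then everything else to the Internet.
INTERNET_ACL_ORIGINAL = parse_acl("""
deny ip 172.16.101.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip host 172.16.101.1 host 192.168.0.3
permit ip any any
""")

# jolmo's approach: every RADIANZ permit mirrored as a deny at the top.
INTERNET_ACL_WITH_DENIES = parse_acl(f"""
deny icmp host 172.16.101.1 host {CUST_C_MGMT}
deny tcp host 172.16.101.1 host {CUST_C_MGMT} eq 22
deny tcp host 172.16.101.1 host {CUST_D_MGMT} eq 22
permit ip any any
""")

# Gary's simplification: one wildcard deny for the whole customer range.
INTERNET_ACL_SUMMARY = parse_acl("""
deny ip 172.16.101.0 0.0.0.255 203.0.113.0 0.0.0.255
permit ip any any
""")


def which_rule(internet_acl, pkt):
    """Which of the two NAT rules, in Michael's configured order, takes the packet."""
    return select_nat_rule([("NAT_INTERNET_ACCESS", internet_acl),
                            ("NAT_RADIANZ_PIXACCESS", RADIANZ_ACL)], pkt)


SSH_TO_CUST_C = Packet("tcp", "172.16.101.1", CUST_C_MGMT, 22)
WEB_TO_INTERNET = Packet("tcp", "172.16.101.5", "198.51.100.10", 443)
```

Running `which_rule(INTERNET_ACL_ORIGINAL, SSH_TO_CUST_C)` returns the Internet rule, because `permit ip any any` is reached before the second rule is ever consulted; with either of the deny variants the same packet falls through to `NAT_RADIANZ_PIXACCESS`. The summary deny also shows the trade-off Gary's shortcut carries: a host in 172.16.101.0/24 that the Radianz ACL does not permit (172.16.101.2 in this constructed data) is now denied by the Internet ACL and permitted by nothing, so it is not translated at all.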
