conditional nat (destination nat) depending on IP source address

JEROME BOSC
Level 1

Hi,

On a Cisco ASR I am trying to configure a conditional NAT.

I would like to translate the destination IP address of packets matching an extended ACL.

The use of a route-map does not seem to be working, as NAT occurs at all times.

I would like to restrict NAT to some specific traffic (packets matching ACL 168).

Here is my config :

interface GigabitEthernet0/0/2
 description G0/0/2 TO DC
 ip address X.X.X.X
 ip nat inside
 zone-member security inside
!
interface Virtual-Template1 type tunnel
 description VirtualTemplate use in RSA-SIG
 ip unnumbered GigabitEthernet0/0/0
 ip nat outside
 zone-member security outside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AC
!
interface Virtual-Template2 type tunnel
 description VirtualTemplate use in EAP-MD5
 ip unnumbered GigabitEthernet0/0/0
 ip nat outside
 zone-member security outside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile A-EAP


ip nat inside source static 43.16.17.50 10.0.22.50 route-map RM-NAT-ISLP

access-list 168 permit ip 43.46.254.0 0.0.0.255 host 10.0.22.50
!
route-map RM-NAT-ISLP permit 10
 match ip address 168

/////

So when I ping 10.0.22.50 (behind GigabitEthernet0/0/2) from 43.47.254.6 (Virtual-Access1), the ping is working fine. The destination IP is "NATed" into 43.16.17.50.

See Output below :

DCA-ROUCDCVPN01#  sh ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
---  10.0.22.50            43.16.17.50           ---                   ---
icmp 10.0.22.50:2          43.16.17.50:2         43.47.254.6:2         43.47.254.6:2
Total number of translations: 2

DCA-ROUCDCVPN01#  sh ip nat statistics
Total active translations: 2 (1 static, 1 dynamic; 1 extended)
Outside interfaces:
  Virtual-Access1, Virtual-Template1, Virtual-Template2
Inside interfaces:
  GigabitEthernet0/0/2
Hits: 213179  Misses: 28
Expired translations: 14
Dynamic mappings:
-- Inside Source
[Id: 0] route-map RM-NAT-ISLP
nat-limit statistics:
 max entry: max allowed 0, used 0, missed 0
In-to-out drops: 0  Out-to-in drops: 0
Pool stats drop: 0  Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0

///////

So NAT is working for all IP packets; as the IP source 43.47.254.6 does not belong to access-list 168, the NAT should not work!!!

I only want NAT to work for packets matching ACL 168.

What's wrong with my configuration?

Thanks for your help.

Jerome.
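The following is an added configuration example that is not part of the original post or of any reply on this page. It reuses the addresses from the post and shows how a conditional static NAT entry, its route-map ACL and the direction of the traffic line up. It assumes that the route-map ACL is evaluated against the packet as it arrives, before translation, and it uses the `reversible` keyword, which the IOS NAT command reference documents as the option that lets outside-initiated sessions consult the route map on a static inside-source entry (without it, the route map applies to inside-initiated sessions only). The expected behaviour in the trailing comments is an assumption to verify on the box, not something the post shows.

```cisco
! Added example (not from the original post). Addresses reused from the post:
!   inside local  43.16.17.50  (real host behind GigabitEthernet0/0/2)
!   inside global 10.0.22.50   (address the VPN peers reach)
!   permitted peers 43.46.254.0/24 (assumption: these are the only peers
!   that should be able to reach the host through the translation)
!
! Inside-to-outside: the ACL sees the untranslated packet, so the source
! is the inside local address and the destination is the remote peer.
access-list 168 permit ip host 43.16.17.50 43.46.254.0 0.0.0.255
!
! Outside-to-inside: the peer sends to the inside global address. This
! entry is only consulted once the static mapping is marked "reversible".
access-list 168 permit ip 43.46.254.0 0.0.0.255 host 10.0.22.50
!
route-map RM-NAT-ISLP permit 10
 match ip address 168
!
! A route map on a static inside-source entry applies to inside-initiated
! sessions; "reversible" extends it to outside-initiated sessions as well.
ip nat inside source static 43.16.17.50 10.0.22.50 route-map RM-NAT-ISLP reversible
!
! Check (assumed outcome): a peer outside 43.46.254.0/24, such as
! 43.47.254.6 from the post, should no longer obtain a translation for
! 10.0.22.50, while a peer inside that range should. Compare the two:
!   show ip nat translations
!   show ip nat statistics
!   debug ip nat detailed   (lab use only; verbose on a busy VPN hub)
```

Whichever direction a session is initiated from, write the ACL entry for the addresses the router sees in that first packet: the inside local source when the host initiates, the inside global destination when the peer initiates. An ACL that only describes one direction will appear to be ignored for sessions started from the other side.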
