Hi,
On a Cisco ASR I am trying to configure a conditional NAT.
I would like to translate the destination IP address of packets matching an extended ACL.
The use of a route-map does not seem to be working, as NAT occurs at all times.
I would like to restrict NAT to some specific traffic (packets matching the ACL id 168).
Here is my config:
interface GigabitEthernet0/0/2
description G0/0/2 TO DC
ip address X.X.X.X
ip nat inside
zone-member security inside
!
interface Virtual-Template1 type tunnel
description VirtualTemplate use in RSA-SIG
ip unnumbered GigabitEthernet0/0/0
ip nat outside
zone-member security outside
tunnel mode ipsec ipv4
tunnel protection ipsec profile AC
!
interface Virtual-Template2 type tunnel
description VirtualTemplate use in EAP-MD5
ip unnumbered GigabitEthernet0/0/0
ip nat outside
zone-member security outside
tunnel mode ipsec ipv4
tunnel protection ipsec profile A-EAP
ip nat inside source static 43.16.17.50 10.0.22.50 route-map RM-NAT-ISLP
access-list 168 permit ip 43.46.254.0 0.0.0.255 host 10.0.22.50
!
route-map RM-NAT-ISLP permit 10
match ip address 168
/////
So when I ping 10.0.22.50 (behind GigabitEthernet0/0/2) from 43.47.254.6 (Virtual-Access1), the ping is working fine. Destination IP is "nated" into 43.16.17.50.
See output below:
DCA-ROUCDCVPN01# sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 10.0.22.50 43.16.17.50 --- ---
icmp 10.0.22.50:2 43.16.17.50:2 43.47.254.6:2 43.47.254.6:2
Total number of translations: 2
DCA-ROUCDCVPN01# sh ip nat statistics
Total active translations: 2 (1 static, 1 dynamic; 1 extended)
Outside interfaces:
Virtual-Access1, Virtual-Template1, Virtual-Template2
Inside interfaces:
GigabitEthernet0/0/2
Hits: 213179 Misses: 28
Expired translations: 14
Dynamic mappings:
-- Inside Source
[Id: 0] route-map RM-NAT-ISLP
nat-limit statistics:
max entry: max allowed 0, used 0, missed 0
In-to-out drops: 0 Out-to-in drops: 0
Pool stats drop: 0 Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0
///////
So NAT is working properly for all IP packets; as IP source 43.47.254.6 does not belong to access-list 168, the NAT should not work!!!
I only want NAT to work with packets matching ACL 168.
What's wrong with my configuration?
Thanks for your help.
Jerome.
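As an added worked example (not part of the post, and not Cisco code), the following Python script evaluates ACL 168 exactly as written above, with Cisco wildcard-mask semantics, against the pinged flow from the post (43.47.254.6 to 10.0.22.50) in both directions. It checks only the ACL logic; it does not model the platform's NAT order of operations, i.e. whether the route-map sees the pre- or post-translation address.

```python
import ipaddress

# ACL 168 from the post: (action, src_net, src_wildcard, dst_net, dst_wildcard).
# "host X" is written as X with wildcard 0.0.0.0.
ACL_168 = [
    ("permit", "43.46.254.0", "0.0.0.255", "10.0.22.50", "0.0.0.0"),
]

def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w           # bits that must be equal
    return (a & care) == (n & care)

def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action == "permit"
    return False

def check_flow(src: str, dst: str) -> dict:
    """Evaluate ACL 168 for the request (src->dst) and the reply (dst->src)."""
    return {
        "request": acl_permits(ACL_168, src, dst),
        "reply": acl_permits(ACL_168, dst, src),
    }

if __name__ == "__main__":
    # Flow from the post: 43.47.254.6 pings 10.0.22.50 (neither direction matches).
    print("post flow      :", check_flow("43.47.254.6", "10.0.22.50"))
    # Constructed source inside 43.46.254.0/24, which the ACL was written for.
    print("43.46.254.10   :", check_flow("43.46.254.10", "10.0.22.50"))
    # Same constructed source, but with the inside-local address as destination:
    # ACL 168 names only the inside-global 10.0.22.50, so this does not match.
    print("to inside local:", check_flow("43.46.254.10", "43.16.17.50"))
```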