conditional nat (destination nat) depending on IP source address

Hi,

On a Cisco ASR I am trying to configure a conditional NAT.

I would like to translate the destination IP address of packet matching an extended ACL.

The use of a route-map does not seem to be working, as NAT occurs at all times.

I would like to restrict NAT to some specific traffic (packets matching ACL 168).

Here is my config:

interface GigabitEthernet0/0/2
 description G0/0/2 TO DC
 ip address X.X.X.X
 ip nat inside
 zone-member security inside
!
interface Virtual-Template1 type tunnel
 description VirtualTemplate use in RSA-SIG
 ip unnumbered GigabitEthernet0/0/0
 ip nat outside
 zone-member security outside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AC
!
interface Virtual-Template2 type tunnel
 description VirtualTemplate use in EAP-MD5
 ip unnumbered GigabitEthernet0/0/0
 ip nat outside
 zone-member security outside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile A-EAP


ip nat inside source static 43.16.17.50 10.0.22.50 route-map RM-NAT-ISLP

access-list 168 permit ip 43.46.254.0 0.0.0.255 host 10.0.22.50
!
route-map RM-NAT-ISLP permit 10
 match ip address 168

So when I ping 10.0.22.50 (behind GigabitEthernet0/0/2) from 43.47.254.6 (Virtual-Access1), the ping works fine. The destination IP is "NATed" into 43.16.17.50.

See output below:

DCA-ROUCDCVPN01#  sh ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
---  10.0.22.50            43.16.17.50           ---                   ---
icmp 10.0.22.50:2          43.16.17.50:2         43.47.254.6:2         43.47.254.6:2
Total number of translations: 2
DCA-ROUCDCVPN01#  sh ip nat statistics
Total active translations: 2 (1 static, 1 dynamic; 1 extended)
Outside interfaces:
  Virtual-Access1, Virtual-Template1, Virtual-Template2
Inside interfaces:
  GigabitEthernet0/0/2
Hits: 213179  Misses: 28
Expired translations: 14
Dynamic mappings:
-- Inside Source
[Id: 0] route-map RM-NAT-ISLP
nat-limit statistics:
 max entry: max allowed 0, used 0, missed 0
In-to-out drops: 0  Out-to-in drops: 0
Pool stats drop: 0  Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0
So NAT is working for all IP packets; as the IP source 43.47.254.6 does not belong to access-list 168, NAT should not work!

I only want NAT to work for packets matching ACL 168.

What's wrong with my configuration?

Thanks for your help.

Jerome.
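The comparison the post does by hand, checking each row of "sh ip nat translations" against access-list 168, as an added Python example (not from the original post and not Cisco code). It reads the ACL the way the post intends it, with the ACL source compared against the translation's outside global address and the ACL destination against the inside global address; it audits that intent against the NAT table and does not model how IOS XE itself evaluates a route-map attached to "ip nat inside source static". The ACL line and the translation rows are copied from the post as constructed sample input.

```python
"""Audit 'show ip nat translations' rows against the extended ACL meant to gate them.

Added example, not from the original post or from Cisco. Assumption (not on the
page): ACL source <-> translation outside global, ACL destination <-> inside global.
"""
import ipaddress
import re

# Constructed sample input, taken from the post's configuration and output.
ACL_CONFIG = [
    "access-list 168 permit ip 43.46.254.0 0.0.0.255 host 10.0.22.50",
]

NAT_TABLE = """\
Pro  Inside global         Inside local          Outside local         Outside global
---  10.0.22.50            43.16.17.50           ---                   ---
icmp 10.0.22.50:2          43.16.17.50:2         43.47.254.6:2         43.47.254.6:2
Total number of translations: 2
"""

IPV4 = re.compile(r"^\d+\.\d+\.\d+\.\d+")


def wildcard_to_network(address, wildcard):
    """Convert a Cisco 'address wildcard' pair into an ipaddress network.
    A wildcard bit of 1 means 'don't care', so the netmask is its complement.
    Done by hand rather than via ipaddress hostmask parsing, because 0.0.0.0 and
    255.255.255.255 are ambiguous there (both are also valid netmasks)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = (~wc) & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF != netmask:
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ipaddress.ip_network(f"{address}/{prefix}", strict=False)


def _take_address(tokens):
    """Consume one ACL address spec ('any', 'host A' or 'A wildcard');
    return the network and the remaining tokens."""
    head = tokens[0]
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if head == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return wildcard_to_network(head, tokens[1]), tokens[2:]


def parse_acl(lines, acl_id):
    """Return [(action, protocol, src_net, dst_net)] for numbered ACL acl_id."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[:2] != ["access-list", str(acl_id)]:
            continue
        action, proto = tokens[2], tokens[3]
        src, rest = _take_address(tokens[4:])
        dst, _ = _take_address(rest)
        entries.append((action, proto, src, dst))
    return entries


def parse_translations(text):
    """Return (proto, inside_global, inside_local, outside_local, outside_global)
    per row, with ':port' suffixes stripped and '---' placeholders mapped to None."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        # Data rows have exactly five columns and an address in column two;
        # this skips the header and the 'Total number of translations' line.
        if len(cols) != 5 or not IPV4.match(cols[1]):
            continue
        addrs = [None if c == "---" else c.split(":")[0] for c in cols[1:]]
        rows.append((cols[0], *addrs))
    return rows


def acl_permits(entries, src_ip, dst_ip):
    """First-match evaluation with the implicit deny at the end.
    The protocol field is not evaluated (ACL 168 uses 'ip', i.e. any)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, _proto, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def unexpected_translations(acl_lines, acl_id, nat_text):
    """Dynamic translations whose (outside global, inside global) pair the ACL
    does not permit: traffic the route-map was meant to leave untranslated."""
    entries = parse_acl(acl_lines, acl_id)
    flagged = []
    for proto, in_global, in_local, _out_local, out_global in parse_translations(nat_text):
        if out_global is None:  # static mapping row, no outside peer to evaluate
            continue
        if not acl_permits(entries, out_global, in_global):
            flagged.append((proto, out_global, in_global, in_local))
    return flagged


if __name__ == "__main__":
    for proto, peer, in_global, in_local in unexpected_translations(ACL_CONFIG, 168, NAT_TABLE):
        print(f"{proto}: {peer} -> {in_global} (local {in_local}) not permitted by ACL 168")
```

Run against the post's own output, the script flags the icmp row from 43.47.254.6, which is exactly the translation the post says should not have been created; the static row is skipped because it has no outside address to evaluate.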
