Cisco Support Community
conditional nat (destination nat) depending on IP source address


On a Cisco ASR I am trying to configure a conditional NAT.

I would like to translate the destination IP address of packet matching an extended ACL.

The use of a route-map does not seem to be working, as NAT occurs at all times.

I would like to restrict NAT to some specific traffic (packets matching ACL 168).


Here is my config:

interface GigabitEthernet0/0/2
 description G0/0/2 TO DC
 ip address X.X.X.X
 ip nat inside
 zone-member security inside
interface Virtual-Template1 type tunnel
 description VirtualTemplate use in RSA-SIG
 ip unnumbered GigabitEthernet0/0/0
 ip nat outside
 zone-member security outside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AC
interface Virtual-Template2 type tunnel
 description VirtualTemplate use in EAP-MD5
 ip unnumbered GigabitEthernet0/0/0
 ip nat outside
 zone-member security outside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile A-EAP

ip nat inside source static route-map RM-NAT-ISLP

access-list 168 permit ip host
route-map RM-NAT-ISLP permit 10
 match ip address 168
So when I ping (behind GigabitEthernet0/0/2) from (Virtual-Access1), the ping works fine. The destination IP is "NATed" into

See output below:

DCA-ROUCDCVPN01#  sh ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
---             ---                   ---
Total number of translations: 2
DCA-ROUCDCVPN01#  sh ip nat statistics
Total active translations: 2 (1 static, 1 dynamic; 1 extended)
Outside interfaces:
  Virtual-Access1, Virtual-Template1, Virtual-Template2
Inside interfaces:
Hits: 213179  Misses: 28
Expired translations: 14
Dynamic mappings:
-- Inside Source
[Id: 0] route-map RM-NAT-ISLP
nat-limit statistics:
 max entry: max allowed 0, used 0, missed 0
In-to-out drops: 0  Out-to-in drops: 0
Pool stats drop: 0  Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0
So NAT is working for all IP packets; as the IP source does not belong to access-list 168, NAT should not work!!!

I only want NAT to work for packets matching ACL 168.


What's wrong with my configuration?

Thanks for your help.
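As an added audit check (not part of the original post or of Cisco's tooling), the script below compares the inside-local hosts in a saved `show ip nat translations` output against the source hosts that the route-map's ACL permits, and lists every translation that falls outside that set, which is a quick way to confirm the "NAT occurs for everything" symptom from the device output alone. It assumes the ACL uses numbered extended `permit` entries with `host` or address/wildcard sources, and the sample output and addresses are constructed, not the poster's.

```python
import ipaddress
import re

def parse_nat_translations(text: str) -> list[tuple[str, ...]]:
    """Rows of 'show ip nat translations' as (proto, in-global, in-local, out-local, out-global)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        # Drop the ":port" of extended entries; '---' and bare addresses pass through.
        fields = [p.rsplit(":", 1)[0] for p in parts[1:]]
        try:
            ipaddress.ip_address(fields[1])  # the inside-local column must be an address
        except ValueError:
            continue  # skips the header and the 'Total number of translations' line
        entries.append((parts[0], *fields))
    return entries

# Source clause of a numbered extended ACE: 'host A.B.C.D' or 'A.B.C.D wildcard'.
_ACE_SRC = re.compile(r"^access-list\s+\d+\s+permit\s+\S+\s+(?:host\s+(\S+)|(\S+)\s+(\S+))")

def parse_acl_sources(acl_text: str) -> list[ipaddress.IPv4Network]:
    """Source prefixes covered by the ACL's permit entries."""
    nets = []
    for line in acl_text.splitlines():
        m = _ACE_SRC.match(line.strip())
        if not m:
            continue
        if m.group(1):
            nets.append(ipaddress.ip_network(m.group(1)))
        else:  # turn the wildcard (inverse) mask into a netmask
            mask = str(ipaddress.IPv4Address(~int(ipaddress.IPv4Address(m.group(3))) & 0xFFFFFFFF))
            nets.append(ipaddress.ip_network((m.group(2), mask), strict=False))
    return nets

def unexpected_translations(nat_text: str, acl_text: str) -> list[tuple[str, ...]]:
    """NAT entries whose inside-local host lies outside every ACL source prefix."""
    allowed = parse_acl_sources(acl_text)
    return [e for e in parse_nat_translations(nat_text)
            if not any(ipaddress.ip_address(e[2]) in n for n in allowed)]

# Constructed sample output (documentation addresses, not the poster's network).
SAMPLE_NAT = """\
Pro  Inside global         Inside local          Outside local         Outside global
---  203.0.113.10          192.0.2.10            ---                   ---
icmp 203.0.113.11:6        192.0.2.99:6          198.51.100.7:6        198.51.100.7:6
Total number of translations: 2
"""
SAMPLE_ACL = "access-list 168 permit ip host 192.0.2.10 host 198.51.100.7"
```

Run `unexpected_translations(SAMPLE_NAT, SAMPLE_ACL)` on the sample and only the 192.0.2.99 entry is returned; on real output, an empty list means every active translation belongs to a host the ACL covers.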

