Conditional NAT (destination NAT) depending on IP source address
On a Cisco ASR I am trying to configure a conditional NAT.
I would like to translate the destination IP address of packets matching an extended ACL.
The use of a route-map does not seem to be working, as NAT occurs at all times.
I would like to restrict NAT to some specific traffic (packets matching ACL 168).
Here is my config:
interface GigabitEthernet0/0/2
 description G0/0/2 TO DC
 ip address X.X.X.X
 ip nat inside
 zone-member security inside
!
interface Virtual-Template1 type tunnel
 description VirtualTemplate use in RSA-SIG
 ip unnumbered GigabitEthernet0/0/0
 ip nat outside
 zone-member security outside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AC
!
interface Virtual-Template2 type tunnel
 description VirtualTemplate use in EAP-MD5
 ip unnumbered GigabitEthernet0/0/0
 ip nat outside
 zone-member security outside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile A-EAP
!
ip nat inside source static 220.127.116.11 10.0.22.50 route-map RM-NAT-ISLP
!
access-list 168 permit ip 18.104.22.168 0.0.0.255 host 10.0.22.50
!
route-map RM-NAT-ISLP permit 10
 match ip address 168
So when I ping 10.0.22.50 (behind GigabitEthernet0/0/2) from 22.214.171.124 (Virtual-Access1), the ping is working fine. The destination IP is "NATed" into 126.96.36.199.
See output below:
DCA-ROUCDCVPN01# sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  10.0.22.50         188.8.131.52       ---                ---
icmp 10.0.22.50:2       184.108.40.206:2   220.127.116.11:2   18.104.22.168:2
Total number of translations: 2

DCA-ROUCDCVPN01# sh ip nat statistics
Total active translations: 2 (1 static, 1 dynamic; 1 extended)
Outside interfaces:
  Virtual-Access1, Virtual-Template1, Virtual-Template2
Inside interfaces:
  GigabitEthernet0/0/2
Hits: 213179  Misses: 28
Expired translations: 14
Dynamic mappings:
-- Inside Source
[Id: 0] route-map RM-NAT-ISLP
nat-limit statistics:
 max entry: max allowed 0, used 0, missed 0
In-to-out drops: 0  Out-to-in drops: 0
Pool stats drop: 0  Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0
So NAT is working properly for all IP packets; since the IP source 22.214.171.124 does not belong to access-list 168, NAT should not work!!!
I only want NAT to work for packets matching ACL 168.
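As an added illustration (not part of the original post or of any Cisco tool), the following Python evaluates IOS-style wildcard-mask ACL entries against the flows mentioned above, so one can check which source/destination pairs access-list 168 actually permits before blaming the route-map. The ACE list, the flow addresses and the function names are taken from or constructed around the post; whether the route-map is consulted for outside-initiated traffic against a static mapping is a separate question that this check does not settle.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def ace_matches(ace, src, dst):
    """One extended 'permit/deny ip <src> <src-wc> <dst> <dst-wc>' entry."""
    return (wildcard_match(src, ace["src"], ace["src_wc"])
            and wildcard_match(dst, ace["dst"], ace["dst_wc"]))


def acl_action(acl, src, dst):
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, src, dst):
            return ace["action"]
    return "deny"


# access-list 168 permit ip 18.104.22.168 0.0.0.255 host 10.0.22.50
# ('host X' is shorthand for wildcard 0.0.0.0)
ACL_168 = [
    {"action": "permit", "src": "18.104.22.168", "src_wc": "0.0.0.255",
     "dst": "10.0.22.50", "dst_wc": "0.0.0.0"},
]


def check_post_flows():
    """Constructed flows: the ping seen in the post, plus one source inside the /24."""
    return {
        # the flow the poster tested: source is outside the permitted /24
        "22.214.171.124->10.0.22.50": acl_action(ACL_168, "22.214.171.124", "10.0.22.50"),
        # a source that does fall inside 18.104.22.0/24
        "18.104.22.7->10.0.22.50": acl_action(ACL_168, "18.104.22.7", "10.0.22.50"),
        # right source, wrong destination host
        "18.104.22.7->10.0.22.51": acl_action(ACL_168, "18.104.22.7", "10.0.22.51"),
    }


if __name__ == "__main__":
    for flow, verdict in check_post_flows().items():
        print(f"{flow}: {verdict}")
```

Running it shows the tested ping falls to the implicit deny, so a translation created for that flow was not the result of ACL 168 matching it.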