Static and dynamic NAT

Hello

I have a problem with the rule that static NAT has higher priority than dynamic NAT; to be exact, this rule doesn't work. I will explain it with an example: I have LAN 10.10.10.0 /24 (LAN1), which will be dynamically NAT'ed to 20.20.20.1. There is also a server with IP address 10.10.10.3 (local) and 20.20.20.3 (global). The second LAN (LAN2) has the network address 192.168.1.0, and the traffic between LAN1 and LAN2 should not be NAT'ed.

[Attachment: StaticNATvpn.png]

Now I write on R3:
! dynamic NAT list: NAT always to 20.20.20.1, except for the 192.168.1.0 /24 network
access-list 122 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 10.10.10.0 0.0.0.255 any
! static NAT list: NAT always to 20.20.20.3, except for LAN2
access-list 150 deny   ip host 10.10.10.3 192.168.1.0 0.0.0.255
access-list 150 permit ip host 10.10.10.3 any
ip nat inside source list 122 interface Serial0/0 overload
ip nat inside source static 10.10.10.3 20.20.20.3 route-map nonat
route-map nonat permit 10
match ip address 150
!
But without the line
access-list 122 deny ip host 10.10.10.3 any

all traffic from 10.10.10.3 will be NAT'ed to 20.20.20.1 and not to 20.20.20.3!

How is this possible? Static NAT will be done first, and if the address 20.20.20.3 is already set (and it is set, because with the line "access-list 122 deny ip host 10.10.10.3 any" it works fine), why will it be NAT'ed again to 20.20.20.1?

thx

3 REPLIES

Re: Static and dynamic NAT

Hi mate,

I think that the rule of your access-list 150 is wrong.

If you want to make the traffic get into your LAN1 network, it should be in reverse.

That is what you wrote:

access-list 150 deny   ip host 10.10.10.3 192.168.1.0 0.0.0.255
access-list 150 permit ip host 10.10.10.3 any

This is how it should be:

access-list 150 deny   ip 192.168.1.0 0.0.0.255 host 10.10.10.3
access-list 150 permit any host 10.10.10.3

Note: just double-check the formula, because I usually use the ? mark.

I hope this is helpful for you.

Re: Static and dynamic NAT

Hi,

I see the situation that you're having and I agree with you that the static NAT should take precedence.

I'm thinking that the problem might be that you have a conditional static NAT (not a plain static NAT), and since both NAT rules depend on ACLs, the traffic from the server is actually checked against both rules. This is why, if you deny the server from the dynamic rule, it works fine.

I know for a fact that static NAT takes precedence over dynamic NAT on ASAs, but even though it should be the same on routers, I believe routers have more problems with NAT.

As a test can you take out the condition (route-map) to the static NAT and see if it takes precedence?

I understand this is not the way you need it, but just to confirm the priority of the static NAT over dynamic.

I will try to lab this and let you know if the same thing happens to me.

Federico.


Re: Static and dynamic NAT

You are right: the router shows this behavior only with the route-map, not with "plain" static NAT.

So is it a bug, or does it work as intended? Or maybe the way I did it was not the correct one?
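To see which ACL each flow actually hits, here is a small first-match ACL evaluator over the thread's own access-lists (an added illustration, not code from the thread or from Cisco IOS). It only models the behaviour the poster observed: when both the dynamic overload list and the route-map conditional static entry permit a flow, the dynamic translation wins unless the server is explicitly denied from list 122; the flow addresses and that ordering are assumptions made for the demonstration.

```python
import ipaddress

# ACL lines as posted in the thread (IOS syntax). ACL_122_FIXED prepends the
# "deny ip host 10.10.10.3 any" line the poster needed to add as a workaround.
ACL_122 = [
    "access-list 122 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 122 permit ip 10.10.10.0 0.0.0.255 any",
]
ACL_122_FIXED = ["access-list 122 deny ip host 10.10.10.3 any"] + ACL_122
ACL_150 = [
    "access-list 150 deny   ip host 10.10.10.3 192.168.1.0 0.0.0.255",
    "access-list 150 permit ip host 10.10.10.3 any",
]

def _addr(tok, i):
    """Parse one IOS address spec at tok[i]: 'any', 'host A', or 'A WILDCARD'."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tok[i]))
    wild = int(ipaddress.IPv4Address(tok[i + 1]))
    return (net, wild), i + 2

def parse_ace(line):
    tok = line.split()  # access-list <n> <permit|deny> ip <src spec> <dst spec>
    src, i = _addr(tok, 4)
    dst, _ = _addr(tok, i)
    return tok[2], src, dst

def _hits(spec, ip):
    net, wild = spec  # a set wildcard bit means "don't care" in IOS ACLs
    return (int(ipaddress.IPv4Address(ip)) | wild) == (net | wild)

def permits(acl, src, dst):
    """First-match ACL evaluation with the implicit deny at the end."""
    for line in acl:
        action, s, d = parse_ace(line)
        if _hits(s, src) and _hits(d, dst):
            return action == "permit"
    return False

def translate(src, dst, dyn_acl, static_acl):
    """Inside-global address chosen for src->dst, or None for no NAT.
    Assumption: reproduces the ordering observed in the thread (dynamic
    overload list consulted before the route-map conditional static entry)."""
    if permits(dyn_acl, src, dst):
        return "20.20.20.1"
    if permits(static_acl, src, dst):
        return "20.20.20.3"
    return None
```

Running it with the original list 122 shows the server's Internet-bound traffic landing on 20.20.20.1, and with the extra deny line landing on 20.20.20.3, while LAN1 to LAN2 traffic stays untranslated in both cases.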
