static nat with route-map condition issues

joe19366
Level 1

Came upon this a few times recently, wondering if anyone has faced this before…

Has anyone noticed that if you make a static NAT rule with a route-map exemption, it works on certain routers and IOS versions but not on others? Take this config, for instance:

ip nat pool verizon 64.1.1.10 64.1.1.10 netmask 255.255.255.240
ip nat inside source route-map nat pool verizon overload
ip nat inside source static 10.10.1.2 64.1.1.2 route-map servers-nat extendable

route-map nat
 match ip address 101

route-map servers-nat
 match ip address 102

access-list 101 deny ip 10.10.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.10.1.0 0.0.0.255 any

access-list 102 deny ip 10.10.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 102 permit ip host 10.10.1.2 any

What is happening is that the SERVER at 10.10.1.2 is matching the pool and being NATted to the pool address instead of its static NAT IP. If I remove the "route-map servers-nat extendable" argument at the end of the static NAT, of course it works...

I have the latest IOS on all the routers I'm doing this with...

Any suggestions?

Thanks,

Joe

1 Reply

Giuseppe Larosa
Hall of Fame

Hello Joe,

What if you write ACL 101 as:

access-list 101 deny ip 10.10.1.0 0.0.0.255 10.0.0.0 0.255.255.255

access-list 101 deny ip host 10.10.1.2 any

access-list 101 permit ip 10.10.1.0 0.0.0.255 any

In this way, host 10.10.1.2 is explicitly denied in ACL 101 and shouldn't be NATted by the pool.

Hope to help

Giuseppe
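
An offline check of the ACL logic discussed in this thread, added here as an example and not posted by either participant: a small first-match evaluator for `access-list N permit|deny ip ...` lines with wildcard masks, run over ACLs 101 and 102 from the question and the revised ACL 101 from the reply. The outside address 198.51.100.7 and all function names are constructed for the example; it models ACL matching only, not how IOS orders NAT rules.

```python
import ipaddress

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' and return (base, wildcard) as ints."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(head)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [(action, src, dst)]}."""
    acls = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # only the 'ip' form used in this thread is handled
        rest = tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        acls.setdefault(int(tokens[1]), []).append((tokens[2], src, dst))
    return acls

def _hit(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def evaluate(entries, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, s, d in entries:
        if _hit(src, s) and _hit(dst, d):
            return action
    return "deny"

ORIGINAL = parse_acl("""
access-list 101 deny ip 10.10.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
access-list 102 deny ip 10.10.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 102 permit ip host 10.10.1.2 any
""")
REVISED = parse_acl("""
access-list 101 deny ip 10.10.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip host 10.10.1.2 any
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
""")

if __name__ == "__main__":
    server, outside = "10.10.1.2", "198.51.100.7"  # outside address is constructed
    for name, acls in (("original", ORIGINAL), ("revised", REVISED)):
        for number, entries in sorted(acls.items()):
            print(name, number, evaluate(entries, server, outside))
```

With the original ACLs the server's Internet-bound traffic is permitted by both 101 and 102, so it is eligible for the pool route-map as well as the static one; with the revised ACL 101 only 102 permits it.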
