06-13-2016 06:23 PM - edited 03-12-2019 07:21 AM
Dear experts,
Following is the topology
--------------gigabit int 1---CSR1KV----gigabit int 2-----------ec2
Through the G1 interface, I have built an IPsec tunnel to the other side using VTI configuration.
Under the G2 interface, I have added PBR to match specific traffic and set interface tunnel 1 to send to the tunnel.
I also configured NAT: G1 is NAT inside while G2 is NAT outside. I configured ip nat outside source static x.x.x.x x.x.x.x to translate the EC2 address.
My requirement is that if EC2 sends traffic to the other side, the CSR1KV should translate the source address first, then do the tunnel encapsulation.
But when I ran tcpdump on the other side, I found the source address was not translated.
So I wonder whether the CSR1KV does PBR before NAT in this scenario or not.
Thank you in advance
06-13-2016 10:47 PM
Hi,
Here you can find a table with the order of operation if you are doing NAT:
http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html#topic1
06-14-2016 08:50 AM
Yeah, I'm quite confused because I have read the table before.
It says that when a packet transfers from the NAT outside port to the NAT inside port, the CSR will do NAT first, then PBR.
But in my scenario, I found that NAT hasn't translated the packet and PBR works before NAT.