Using Route maps with multiple outside interfaces

3msands
Level 1

I need to nat traffic from one vlan to multiple outside interfaces on a 6509 switch with msfc2. I think the following commands will work but I wanted to make sure. Is there a way to perform the same function with an overload command instead of a pool?

!!set the pools up for nat
ip nat pool pool-248 10.11.251.1 10.11.251.254 prefix-length 22
ip nat pool pool-244 10.11.247.1 10.11.247.254 prefix-length 22
ip nat pool pool-236 10.11.239.1 10.11.239.254 prefix-length 22
ip nat pool pool-232 10.11.235.1 10.11.235.254 prefix-length 22
ip nat pool pool-11 10.11.11.1 10.11.11.254 prefix-length 22
ip nat pool pool-4 10.11.7.1 10.11.7.254 prefix-length 22
!
!!establish dynamic source translation using the
!!route-map
ip nat inside source route-map MAP-248 pool pool-248
ip nat inside source route-map MAP-244 pool pool-244
ip nat inside source route-map MAP-236 pool pool-236
ip nat inside source route-map MAP-232 pool pool-232
ip nat inside source route-map MAP-11 pool pool-11
ip nat inside source route-map MAP-4 pool pool-4
!!set inside interfaces
interface Vlan12
 ip nat inside
!!set Outside interfaces
interface Vlan248
 ip nat outside
interface Vlan244
 ip nat outside
interface Vlan236
 ip nat outside
interface Vlan232
 ip nat outside
interface Vlan4
 ip nat outside
!!match traffic based on source and destination
!!addresses
access-list 248 permit ip 172.16.0.0 0.0.255.255 10.11.248.0 0.0.3.255
access-list 248 permit ip 192.168.0.0 0.0.255.255 10.11.248.0 0.0.3.255
access-list 244 permit ip 172.16.0.0 0.0.255.255 10.11.244.0 0.0.3.255
access-list 244 permit ip 192.168.0.0 0.0.255.255 10.11.244.0 0.0.3.255
access-list 236 permit ip 172.16.0.0 0.0.255.255 10.11.236.0 0.0.3.255
access-list 236 permit ip 192.168.0.0 0.0.255.255 10.11.236.0 0.0.3.255
access-list 232 permit ip 172.16.0.0 0.0.255.255 10.11.232.0 0.0.3.255
access-list 232 permit ip 192.168.0.0 0.0.255.255 10.11.232.0 0.0.3.255
access-list 4 permit ip 172.16.0.0 0.0.255.255 10.11.4.0 0.0.3.255
access-list 4 permit ip 192.168.0.0 0.0.255.255 10.11.4.0 0.0.3.255
!
route-map MAP-248 permit 10
route-map MAP-244 permit 10
route-map MAP-236 permit 10
route-map MAP-232 permit 10
route-map MAP-4 permit 10
!
match ip address 248
match ip address 244
match ip address 236
match ip address 232
match ip address 4


Richard Burts
Hall of Fame

If I understood better what your requirements were I would be more comfortable saying if there was a better way to do it. I am not clear that you really need to have a separate pool for each outbound interface, unless there is something in the requirements that calls for it. I am also not sure that you need separate route maps per interface, unless there is something in the requirements that calls for it.

A couple of comments about mechanics: you configure all the route-maps (... permit 10) and then you list all the match statements. If you took this and pasted it into a config you would wind up with 4 maps with no match clauses and one route map with 5 matches.

Also while I admire your attempt to make things clear by matching access lists to the interface vlan number, unfortunately access lists in the range 200-299 are for filtering Ethernet type codes not for filtering IP addresses.

HTH

Rick

Good catch on the access-list number. I was trying to keep things clear and I forgot the need to remain under 100.

A bit of explaining to do here.

I have a network that has a number of multihomed machines. Unfortunately these machines can reach the 172.16.0.0 network via either interface. I need to hide the traffic from this network bound for at least some of the vlans to prevent an asymmetrical routing issue where the machine attempts to respond to the traffic on another interface than it was originally received upon.

I assumed that I would need to have the NAT'd address be local to the machine's subnet so that they would be able to respond to the NAT'd address without issue. I'm not sure I understand what you are saying regarding the permit statements.

Unfortunately the Cisco documentation is long on examples and short on explanations so this is a case of monkey see monkey do. :-)

Would the following config work to eliminate the need for pools?

!
!!establish source translation using the
!!route-map
ip nat inside source route-map MAP-248 interface Vlan248 overload
ip nat inside source route-map MAP-244 interface Vlan244 overload
ip nat inside source route-map MAP-236 interface Vlan236 overload
ip nat inside source route-map MAP-232 interface Vlan232 overload
ip nat inside source route-map MAP-4 interface Vlan4 overload
!!set inside interfaces
interface Vlan12
 ip nat inside
!!set Outside interfaces
interface Vlan248
 ip nat outside
interface Vlan244
 ip nat outside
interface Vlan236
 ip nat outside
interface Vlan232
 ip nat outside
interface Vlan4
 ip nat outside
!!match traffic based on source and destination
!!addresses
access-list 48 permit ip 172.16.0.0 0.0.255.255 10.11.248.0 0.0.3.255
access-list 48 permit ip 192.168.0.0 0.0.255.255 10.11.248.0 0.0.3.255
access-list 44 permit ip 172.16.0.0 0.0.255.255 10.11.244.0 0.0.3.255
access-list 44 permit ip 192.168.0.0 0.0.255.255 10.11.244.0 0.0.3.255
access-list 36 permit ip 172.16.0.0 0.0.255.255 10.11.236.0 0.0.3.255
access-list 36 permit ip 192.168.0.0 0.0.255.255 10.11.236.0 0.0.3.255
access-list 32 permit ip 172.16.0.0 0.0.255.255 10.11.232.0 0.0.3.255
access-list 32 permit ip 192.168.0.0 0.0.255.255 10.11.232.0 0.0.3.255
access-list 4 permit ip 172.16.0.0 0.0.255.255 10.11.4.0 0.0.3.255
access-list 4 permit ip 192.168.0.0 0.0.255.255 10.11.4.0 0.0.3.255
!
route-map MAP-248 permit 10
route-map MAP-244 permit 10
route-map MAP-236 permit 10
route-map MAP-232 permit 10
route-map MAP-4 permit 10
!
match ip address 48
match ip address 44
match ip address 36
match ip address 32
match ip address 4

I think it is making progress but still 2 issues. Access lists from 1 to 99 (where you have your access lists now) are standard access lists. To check both source and destination you need extended access lists (which is the range 100 to 199 or also the range 2000 to 2699). So you need to change the numeric range of the list numbers. Or you could consider using named extended access lists. The advantage of a named list is that you could retain the naming/numbering relationship that you were trying at first. For example ip access-list extended translate_248 for the list checking vlan 248.

The other issue is simple mechanics: you have

route-map MAP-248
route-map MAP-244
route-map MAP-236

etc followed by

match ip address 48
match ip address 44
match ip address 36

etc

what you need is

route-map MAP-248
 match ip address 48
route-map MAP-244
 match ip address 44
route-map MAP-236
 match ip address 36

HTH

Rick
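As an added illustration of the two mechanics problems Rick describes (this is not code from the thread or from Cisco), a small Python lint that walks a pasted IOS snippet the way the CLI consumes it: a match clause attaches to whichever route-map submode is still open, and a numbered ACL's range decides whether it can check a destination at all. The ACL range table is standard IOS numbering; the BROKEN and FIXED samples are constructed.

```python
"""Lint a flattened IOS NAT/route-map snippet for the two mechanics
problems raised in the thread: match clauses that attach to the wrong
route-map because of paste order, and numbered ACLs whose range cannot
check both source and destination."""
import re

# Numbered access-list ranges as IOS allocates them.
ACL_RANGES = [
    ((1, 99), "standard"), ((100, 199), "extended"),
    ((200, 299), "ethernet type-code"), ((1300, 1999), "standard"),
    ((2000, 2699), "extended"),
]

def acl_kind(number):
    for (lo, hi), kind in ACL_RANGES:
        if lo <= number <= hi:
            return kind
    return "unknown"

def lint(config):
    """Walk the config the way IOS consumes a paste and return findings."""
    findings, matches, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):   # '!' is a comment, no mode change
            continue
        m = re.match(r"route-map (\S+) (?:permit|deny) \d+", line)
        if m:
            current = m.group(1)               # enter route-map submode
            matches.setdefault(current, 0)
            continue
        m = re.match(r"match ip address (\S+)", line)
        if m and current is not None:
            matches[current] += 1
            acl = m.group(1)
            if acl.isdigit() and acl_kind(int(acl)) != "extended":
                findings.append(f"{current}: access-list {acl} is in the "
                                f"{acl_kind(int(acl))} range, cannot match "
                                "source and destination")
            continue
        if not line.startswith(("match ", "set ")):
            current = None                     # any other global command exits submode
    findings += [f"{n}: route-map has no match clause"
                 for n, c in matches.items() if c == 0]
    return findings

# Constructed samples: the paste-order mistake from the thread, and the fixed form.
BROKEN = "route-map MAP-248 permit 10\nroute-map MAP-4 permit 10\n!\nmatch ip address 248\nmatch ip address 4\n"
FIXED = "route-map MAP-248 permit 10\n match ip address translate_248\nroute-map MAP-4 permit 10\n match ip address translate_4\n"
```

Running lint(BROKEN) reports both ACL range problems against MAP-4 (the only map still open when the match lines arrive) and an empty MAP-248; lint(FIXED) returns nothing.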

Ahh, this makes a lot more sense to me. So the following should work. I'm assuming that you thought the change to an overload statement instead of a pool would work ok as well.

!!establish source translation using the
!!route-map
ip nat inside source route-map MAP-248 interface Vlan248 overload
ip nat inside source route-map MAP-244 interface Vlan244 overload
ip nat inside source route-map MAP-236 interface Vlan236 overload
ip nat inside source route-map MAP-232 interface Vlan232 overload
ip nat inside source route-map MAP-4 interface Vlan4 overload
!!set inside interfaces
interface Vlan12
 ip nat inside
!!set Outside interfaces
interface Vlan248
 ip nat outside
interface Vlan244
 ip nat outside
interface Vlan236
 ip nat outside
interface Vlan232
 ip nat outside
interface Vlan4
 ip nat outside
!!match traffic based on source and destination
!!addresses
ip access-list extended translate_248
 permit ip 172.16.0.0 0.0.255.255 10.11.248.0 0.0.3.255
 permit ip 192.168.0.0 0.0.255.255 10.11.248.0 0.0.3.255
ip access-list extended translate_244
 permit ip 172.16.0.0 0.0.255.255 10.11.244.0 0.0.3.255
 permit ip 192.168.0.0 0.0.255.255 10.11.244.0 0.0.3.255
ip access-list extended translate_236
 permit ip 172.16.0.0 0.0.255.255 10.11.236.0 0.0.3.255
 permit ip 192.168.0.0 0.0.255.255 10.11.236.0 0.0.3.255
ip access-list extended translate_232
 permit ip 172.16.0.0 0.0.255.255 10.11.232.0 0.0.3.255
 permit ip 192.168.0.0 0.0.255.255 10.11.232.0 0.0.3.255
ip access-list extended translate_4
 permit ip 172.16.0.0 0.0.255.255 10.11.4.0 0.0.3.255
 permit ip 192.168.0.0 0.0.255.255 10.11.4.0 0.0.3.255
!
route-map MAP-248 permit 10
 match ip address translate_248
route-map MAP-244 permit 10
 match ip address translate_244
route-map MAP-236 permit 10
 match ip address translate_236
route-map MAP-232 permit 10
 match ip address translate_232
route-map MAP-4 permit 10
 match ip address translate_4

Thanks for all the help. This is a real life saver for me.