12-22-2014 11:21 PM - edited 03-05-2019 12:26 AM
OK, so I understand that this is a conditional static NAT statement. If the route-map is true, then the translation is created. If the route-map is false, the translation is not created. I also know what a PBR is. A routing table routes based on destination and PBR routes based on source. I also know what the extendable keyword does...it allows you to use more than one port on a private IP address when doing static NAT...basically.
However, either the syntax is incorrect or I am misunderstanding what's going on:
interface GigabitEthernet0/0
description #1 Internet
ip address 96.23.3.50 255.255.255.0
ip nat outside
!
interface GigabitEthernet0/1
description #2 Internet
ip address 96.25.16.11 255.255.255.0
!
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip policy route-map INET_HOSTS
!
interface Vlan11
ip address 192.168.11.1 255.255.255.0
ip policy route-map INET_HOSTS
!
interface Vlan12
ip address 192.168.12.1 255.255.255.0
ip policy route-map INET_HOSTS
!
route-map INET_HOSTS permit 10
match ip address INET_HOSTS
set ip next-hop 96.23.3.1
!
ip access-list extended INET_HOSTS
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip host 192.168.12.10 any
permit tcp host 192.168.10.15 eq smtp any
permit tcp host 192.168.10.15 eq 443 any
permit tcp host 192.168.10.23 eq www any
permit tcp host 192.168.10.23 eq 443 any
permit tcp host 192.168.10.50 eq 443 any
permit tcp host 192.168.10.60 eq 3389 any
!
ip nat inside source static tcp 192.168.10.50 80 96.23.3.51 80 route-map INET_HOSTS extendable
ip nat inside source static tcp 192.168.10.50 443 96.23.3.51 443 route-map INET_HOSTS extendable
!
ip nat inside source static tcp 192.168.10.60 3389 96.23.3.51 3389 route-map INET_HOSTS extendable
!
ip nat inside source static tcp 192.168.10.23 80 96.23.3.52 80 route-map INET_HOSTS extendable
ip nat inside source static tcp 192.168.10.23 443 96.23.3.52 443 route-map INET_HOSTS extendable
!
ip nat inside source static tcp 192.168.10.15 25 96.23.3.53 25 route-map INET_HOSTS extendable
ip nat inside source static tcp 192.168.10.15 80 96.23.3.53 80 route-map INET_HOSTS extendable
ip nat inside source static tcp 192.168.10.15 110 96.23.3.53 110 route-map INET_HOSTS extendable
ip nat inside source static tcp 192.168.10.15 443 96.23.3.53 443 route-map INET_HOSTS extendable
ip nat inside source static tcp 192.168.10.15 993 96.23.3.53 993 route-map INET_HOSTS extendable
This is my explanation:
This is how it reads: when a user tries to RDP into 192.168.10.60, a static translation is formed from the private IP of 192.168.10.60 to the public IP of 96.23.3.51. This kinda seems backwards to me though. It seems like it should read: when a user tries to RDP into the public IP of 96.23.3.51, then a translation is made to a backend server with IP of 192.168.10.60. It almost seems like there is no need for a condition, but how does the PBR tie into all this?
12-23-2014 12:36 AM
Hello.
PBR is delivering the packet to the correct outgoing interface, but I'm not sure why you need PBR in case of a single NAT outside interface.
Why do you use a single route-map for PBR and NAT? In case of 2 ISPs you would do better to craft the NAT route-map with "match interface", while your PBR should be using a track object (if you use load-sharing).
12-23-2014 04:20 AM
Vamikhai,
I didn't implement this; like you, I am just trying to understand why it's configured this way and what it's actually doing.
12-23-2014 04:56 AM
Clear.
Then, in theory, for 2 ISP links you have the following:
- you need to route traffic via the correct interface (may be done with a floating static in case of Active/Passive or with PBR in case of load-sharing);
- you need to do proper NAT translation, as if you do NAT translation into the ISP1 interface but send the packet via ISP2, this won't work (IP-address spoofing is filtered on ISP PE boxes).
Let us know if you have other questions.
12-23-2014 01:04 AM
Hello
In your case PBR is being used to policy route traffic originating from Vlan 10 with a route-map match criteria of INET_HOSTS and to forward that traffic to a next hop of 96.23.3.1.
The NATing is also using the same extended ACL and route-map to translate one-to-one static prefixes to either 96.23.3.52/53.
Now my understanding of NAT -
When it is used you need to consider the NAT order of preference, and this is different for inside/outside and outside/inside traffic.
Inside/Outside NAT checks for a valid path; in this case PBR is being performed, and if that defined next hop is valid and is in the routing table it will be sent to that destination via NAT translation.
As for the return path, Outside/Inside translation is done PRIOR to the route table being considered, so its NATing is done first, then a route table lookup is performed.
As for domain-less NATing (NVI NAT - ip nat enable) two route table lookups are performed - before and after NAT translation.
res
paul
12-23-2014 04:17 AM
Paul,
my understanding of PBR and how it works in this case is that traffic from vlan 10 is forwarded out that particular interface. But it is only traffic that specifically matches that criteria: SMTP and https traffic from .15, http/https traffic from .23 and https traffic from 10.50. All other traffic will use the routing table. This I get. My concern though is why is it used on vlan 11? I can see why vlan 10, because host 10.50 is in vlan 10, and I can see why vlan 12, because host 12.10 is in vlan 12, but why vlan 11? It doesn't seem like policy routing will ever have any hits for users in vlan 11.
As far as NAT, if I am understanding you correctly, you are saying for inside to outside the route-map is used, but for outside to inside the route-map is not used? So basically when host .15 is using http/https going out G0/0, then a static map is created to force them to use the IP of 96.23.3.53 instead of .50 which is assigned to the G0/0 interface. By the way, there was a typo: 96.23.3.1 is actually 96.23.3.51 and is on the same interface as G0/0...it's not specifically assigned but it's in the same subnet, I have (.50 - .55) for that interface. On the other hand, for outside to inside traffic, the route-map is not used, just the static NAT. My question is then, I thought that a static map is only for outside to inside. I thought a dynamic map is for inside to outside?
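The question of which flows the shared route-map actually matches (and whether vlan 11 can ever get a hit) can be answered by evaluating the posted ACL line by line. The following is an added example, not code from the thread or from Cisco: it parses the INET_HOSTS ACL exactly as posted, applies IOS-style first-match semantics with the implicit deny at the end, and then reports, for a constructed inside-to-outside flow, whether route-map INET_HOSTS would policy-route it to 96.23.3.1 and which of the posted static NAT lines would translate its source. The sample flows and the 203.0.113.x addresses are constructed for illustration; the script models only ACL matching and the static entries, not the full NAT order of operations.

```python
"""Added example: evaluate the posted INET_HOSTS ACL and static NAT lines
against constructed sample flows (not the thread's own code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Named ports that appear in the posted ACL (IOS accepts name or number).
SERVICE_PORTS = {"smtp": 25, "www": 80, "pop3": 110}

# Extended ACL copied from the post; first match wins, implicit deny at end.
INET_HOSTS_ACL = """
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip host 192.168.12.10 any
permit tcp host 192.168.10.15 eq smtp any
permit tcp host 192.168.10.15 eq 443 any
permit tcp host 192.168.10.23 eq www any
permit tcp host 192.168.10.23 eq 443 any
permit tcp host 192.168.10.50 eq 443 any
permit tcp host 192.168.10.60 eq 3389 any
"""

# (inside local, local port, inside global, global port) taken from the
# post's "ip nat inside source static tcp ... route-map INET_HOSTS" lines.
STATIC_NAT = [
    ("192.168.10.50", 80, "96.23.3.51", 80), ("192.168.10.50", 443, "96.23.3.51", 443),
    ("192.168.10.60", 3389, "96.23.3.51", 3389),
    ("192.168.10.23", 80, "96.23.3.52", 80), ("192.168.10.23", 443, "96.23.3.52", 443),
    ("192.168.10.15", 25, "96.23.3.53", 25), ("192.168.10.15", 80, "96.23.3.53", 80),
    ("192.168.10.15", 110, "96.23.3.53", 110), ("192.168.10.15", 443, "96.23.3.53", 443),
    ("192.168.10.15", 993, "96.23.3.53", 993),
]

@dataclass
class Flow:
    proto: str                     # "tcp", "udp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass
class AclEntry:
    action: str; proto: str
    src: str; src_wc: str; sport: Optional[int]
    dst: str; dst_wc: str; dport: Optional[int]

def _addr_matches(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask compare: bits set in the wildcard are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def _parse_addr(t, i):
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2            # "base wildcard" form

def _parse_port(t, i):
    if i < len(t) and t[i] == "eq":          # only "eq" is used in the post
        p = t[i + 1]
        return (int(p) if p.isdigit() else SERVICE_PORTS[p]), i + 2
    return None, i

def parse_acl(text: str):
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        src, src_wc, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)         # port after the source = source port
        dst, dst_wc, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        entries.append(AclEntry(t[0], t[1], src, src_wc, sport, dst, dst_wc, dport))
    return entries

def acl_permits(entries, flow: Flow) -> bool:
    for e in entries:
        if e.proto != "ip" and e.proto != flow.proto:
            continue
        if not _addr_matches(flow.src, e.src, e.src_wc):
            continue
        if not _addr_matches(flow.dst, e.dst, e.dst_wc):
            continue
        if e.sport is not None and e.sport != flow.sport:
            continue
        if e.dport is not None and e.dport != flow.dport:
            continue
        return e.action == "permit"
    return False                             # implicit deny

def evaluate(flow: Flow) -> dict:
    """Effect of the shared route-map on an inside-to-outside flow."""
    matched = acl_permits(parse_acl(INET_HOSTS_ACL), flow)
    nat = None
    if matched and flow.proto == "tcp":
        for local, lport, glob, gport in STATIC_NAT:
            if flow.src == local and flow.sport == lport:
                nat = f"{glob}:{gport}"
                break
    return {"policy_routed_to": "96.23.3.1" if matched else None,
            "static_nat_source": nat}

if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.0/24 is documentation space.
    for f in [Flow("tcp", "192.168.10.60", "203.0.113.9", 3389, 51515),   # RDP server reply
              Flow("tcp", "192.168.11.5", "203.0.113.9", 40000, 443),     # vlan 11 client
              Flow("tcp", "192.168.10.50", "192.168.11.20", 443, 40001),  # internal, denied
              Flow("udp", "192.168.12.10", "203.0.113.53", 5000, 53)]:    # "permit ip host"
        print(f, "->", evaluate(f))
```

Running it shows the point being argued in the thread: only traffic sourced from the four listed hosts (and, for the TCP lines, only replies leaving from the listed server port) is policy-routed and gets a static translation; a vlan 11 client never matches, and the leading deny keeps 192.168.x.x-to-192.168.x.x traffic off the PBR next hop.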
12-23-2014 01:40 PM
On the other hand, for outside to inside traffic, the route-map is not used just that static nat
The route map is used for the static NAT but not for PBR (because the traffic arrives on the outside interface and PBR isn't applied there).
From the configuration you have posted there appears to be no need for either.
Because the destination is "any" in the route-map ACL there doesn't seem to be a reason to use conditional NAT.
And because "ip nat outside" is only applied to the gi0/0 interface unless the other ISP is doing NAT for you, as vamikhai says, there appears to be no need for PBR.
Perhaps if we saw the full configuration it would make more sense but from what you have posted it doesn't make a lot of sense to me.
Jon
12-23-2014 01:40 PM
Jon,
yeah...there are 3 interfaces and ip nat outside is on all 3. The first and third interfaces are used primarily for IPSec VPN, SSL VPN, and DMVPN. The 2nd interface is the only interface with dynamic NAT overload and a default route. So it does make sense to use PBR. But you are right about the conditional NAT, I don't really see a need for that.
David