NAT Order of Operations Question...

lrm001c474
Level 1

Greetings,

     I am having an issue with a NAT configuration on a Cisco IOS router, see below for a simplified configuration example:

ip nat pool Test-POOL 9.9.9.9 9.9.9.9 netmask 255.255.255.0

ip nat inside source route-map Test-MAP pool Test-POOL overload
ip nat inside source static 1.1.1.1 8.8.8.8

ip access-list extended Test-NAT-ACL-1
 permit ip host 1.1.1.0 host 10.10.10.10

route-map Test-MAP permit 10
match ip address Test-NAT-ACL-1

     Traffic destined to 10.10.10.10 enters the inside interface of the router destined to a network residing through the outside interface of the router sourced with IP address 1.1.1.1.  The router ends up NAT'ing the source IP address to 8.8.8.8 instead of 9.9.9.9.

     Why does the router use the static NAT translation versus the dynamic NAT translation?  Will the router always take precedence on static definitions over dynamic definitions?

Thanks.

9 Replies

pompeychimes
Level 4

Change this permit ip host 1.1.1.0 to a valid host IP or network.

James

Sorry, that was a typo on my part.

It is supposed to be 1.1.1.0 0.0.0.255.

Thanks.

Do this...

ip access-list extended NONAT
 deny ip 1.1.1.0 0.0.0.255 host 10.10.10.10
 permit ip any any
!
! route-map referenced by the static entry below (definition was missing);
! it matches the NONAT ACL, so the flow to 10.10.10.10 is denied and skips the static entry
route-map NONAT permit 10
 match ip address NONAT
!
ip nat inside source static 1.1.1.1 8.8.8.8 route-map NONAT extendable

Jon Marshall
Hall of Fame

Static NAT translations take precedence over dynamic NAT translations. I suspect this is so you can use the same public IP address to statically map some port entries and then use the rest of the ports for PAT.

Jon

Where is the precedence order documented in the Cisco documentation?

Closest thing I am aware of is:

http://www.ciscotaccc.com/kaidara-advisor/iprout/showcase?case=K10811491

Check number 8

When static and dynamic NAT are configured together, static NAT takes precedence if a traffic flow matches both the configurations. Otherwise, dynamic NAT is used to create a new entry in the table and translate the traffic.

-Ben
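The rule quoted above (static consulted before dynamic when a flow matches both) and the route-map exclusion pompeychimes posted, as an added example that is not part of this thread. It is a simplified Python model of the documented behaviour: IOS wildcard-mask matching, first-match ACL evaluation with the implicit deny, static entries checked before the dynamic route-map/pool, and a route-map deny excluding a flow from a static entry. It is not IOS code; the addresses and ACLs are taken from the thread (with the ACL typo corrected), and the class and function names are my own.

```python
"""Simplified model of IOS inside-source NAT rule selection for the flow in
this thread. Assumption: static entries are consulted before dynamic ones (the
rule quoted from the TAC case) and a route-map on a static entry excludes a
flow when its ACL denies it. This is a model, not IOS code."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # IOS "any": wildcard of all ones


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is a don't-care."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class AclEntry:
    action: str        # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action == "permit"
    return False


@dataclass
class StaticNat:
    local: str
    global_: str
    route_map_acl: Optional[List[AclEntry]] = None  # ACL behind an optional route-map


@dataclass
class DynamicNat:
    acl: List[AclEntry]   # ACL behind the dynamic entry's route-map
    pool: str             # overload pool collapsed to its single address


def translate_source(src: str, dst: str, statics: List[StaticNat],
                     dynamics: List[DynamicNat]) -> Tuple[str, str]:
    """Return (translated source, rule kind) for an inside->outside packet."""
    for s in statics:                     # static entries are checked first
        if src != s.local:
            continue
        if s.route_map_acl is not None and not acl_permits(s.route_map_acl, src, dst):
            continue                      # route-map denies: this static entry is skipped
        return s.global_, "static"
    for d in dynamics:                    # only then the dynamic route-map/pool
        if acl_permits(d.acl, src, dst):
            return d.pool, "dynamic"
    return src, "none"                    # nothing matched: forwarded untranslated


# Constructed from the thread's configuration (ACL typo fixed to 1.1.1.0 0.0.0.255):
TEST_NAT_ACL_1 = [AclEntry("permit", "1.1.1.0", "0.0.0.255", "10.10.10.10", "0.0.0.0")]
NONAT = [AclEntry("deny", "1.1.1.0", "0.0.0.255", "10.10.10.10", "0.0.0.0"),
         AclEntry("permit", *ANY, *ANY)]
DYNAMIC = [DynamicNat(TEST_NAT_ACL_1, "9.9.9.9")]


def original_config():
    """Static entry without a route-map: it wins for every packet from 1.1.1.1."""
    return [StaticNat("1.1.1.1", "8.8.8.8")], DYNAMIC


def fixed_config():
    """Static entry conditioned on route-map NONAT, as suggested in the thread."""
    return [StaticNat("1.1.1.1", "8.8.8.8", NONAT)], DYNAMIC


if __name__ == "__main__":
    for name, cfg in (("original", original_config()), ("fixed", fixed_config())):
        for src, dst in (("1.1.1.1", "10.10.10.10"), ("1.1.1.1", "10.10.10.11"),
                         ("1.1.1.2", "10.10.10.10")):
            print(name, src, "->", dst, translate_source(src, dst, *cfg))
```

With the original configuration the packet from 1.1.1.1 to 10.10.10.10 comes out as 8.8.8.8 (static); with the NONAT route-map on the static entry the same packet falls through to the pool and comes out as 9.9.9.9, while 1.1.1.1 to any other destination still gets 8.8.8.8. The model deliberately leaves out port-level static entries and the ordering among several static entries, so treat it as a reasoning aid and confirm the actual behaviour on the router with show ip nat translations and, if needed, debug ip nat.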

This is what I was looking for.  If this is the only reference, it makes it kind of hard for newbies to learn, in my opinion, if they have to find the answers in TAC cases.  I guess you could consider TAC cases as documentation; however, during a CCIE test those expert knowledge tidbits are not available to you, so I hear.

This link is good because it does show when the router takes action on the NAT as opposed to an access-list etc.; however, it falls short in telling you what order is used when the router has to determine the action to use when both a static and a dynamic NAT entry are matched.
