01-20-2013 09:20 PM - edited 03-04-2019 06:47 PM
Hi,
I'm trying to understand if this route map NO_NAT setup is needed or a mistake.
There's a VPN range NAT exemption that allows 192.168.10.0/24 and 192.168.254.0/24 to communicate, and it's applied to Gi0/0. So why would the same route map need to be applied to the static NAT statements?
Thanks.
ip local pool vpnpool 192.168.254.100 192.168.254.200
ip nat inside source route-map NO_NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.10.104 25 9.x.y.z 25 route-map NO_NAT extendable
ip nat inside source static tcp 192.168.10.104 80 9.x.y.z 80 route-map NO_NAT extendable
ip nat inside source static tcp 192.168.10.104 443 9.x.y.z 443 route-map NO_NAT extendable
ip nat inside source static tcp 192.168.10.185 805 9.x.y.z 805 extendable
ip nat inside source static tcp 192.168.10.186 806 9.x.y.z 806 extendable
ip nat inside source static tcp 192.168.10.111 810 9.x.y.z 810 extendable
ip nat inside source static tcp 192.168.10.187 850 9.x.y.z 850 extendable
ip nat inside source static tcp 192.168.10.126 5902 9.x.y.z 5902 extendable
ip nat inside source static udp 192.168.10.10 5901 9.x.y.z 5901 extendable
route-map NO_NAT permit 1
match ip address 125
access-list 125 deny ip 192.168.10.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 125 permit ip 192.168.10.0 0.0.0.255 any
01-21-2013 09:49 PM
Hello Lcaruso,
I looked at your first post again and realized that you were asking for the reason behind the route-map on these three static NAT commands; sorry I didn't notice that.
ip nat inside source static tcp 192.168.10.104 25 9.x.y.z 25 route-map NO_NAT extendable
ip nat inside source static tcp 192.168.10.104 80 9.x.y.z 80 route-map NO_NAT extendable
ip nat inside source static tcp 192.168.10.104 443 9.x.y.z 443 route-map NO_NAT extendable
To answer whether these three route-maps are necessary, I labbed it up and found that:
1. If I remove the route-map from the static NAT commands, then subnet 192.168.254.0/24 can no longer reach 192.168.10.104 on ports 25, 80, and 443. Debug shows that after traffic from 192.168.254.0/24 reaches 192.168.10.104, the source of the return traffic is NATted to the interface IP. That is to say, the host sends http/25 traffic to 192.168.10.104 but gets the reply from another IP.
2. The reason for this is that the static NAT creates an additional NAT translation rule that is independent of the first rule applied on the interface, "ip nat inside source route-map NO_NAT interface GigabitEthernet0/0 overload", so that's why the route-map has to be applied again on the static NAT.
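As an added illustration (not part of the thread, and a simplified model rather than IOS code), the Python below encodes the posted ACL 125, route-map NO_NAT, dynamic overload rule and the three static PAT entries, and shows how the return packet from 192.168.10.104:80 to a VPN client is translated with and without the route-map on the static entry. The VPN client address and the Internet destination are constructed sample values.

```python
# Simplified model of IOS inside->outside source NAT selection using the
# rules posted in this thread. Assumption: static entries are evaluated before
# the dynamic overload rule, and a static entry with a route-map attached is
# skipped when the route-map's ACL does not permit the flow.
import ipaddress

INSIDE_SUBNET = ipaddress.ip_network("192.168.10.0/24")
VPN_SUBNET = ipaddress.ip_network("192.168.254.0/24")
OUTSIDE_IP = "9.x.y.z"  # placeholder exactly as written in the thread


def acl_125_permits(src, dst):
    """access-list 125: deny 192.168.10.0/24 -> 192.168.254.0/24,
    permit 192.168.10.0/24 -> any. route-map NO_NAT matches on this ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in INSIDE_SUBNET and d in VPN_SUBNET:
        return False  # deny line: NO_NAT does not match, so no translation
    return s in INSIDE_SUBNET  # permit line


def static_entries(with_route_map):
    """The three static PAT entries for 192.168.10.104 (tcp 25/80/443)."""
    return [("tcp", "192.168.10.104", port, with_route_map) for port in (25, 80, 443)]


def translate_source(proto, src, sport, dst, with_route_map):
    """Return the source (ip, port) seen on Gi0/0 for a packet leaving the inside."""
    for p, local_ip, local_port, has_rm in static_entries(with_route_map):
        if (p, local_ip, local_port) == (proto, src, sport):
            if has_rm and not acl_125_permits(src, dst):
                break  # NO_NAT denies this flow: static entry does not apply
            return (OUTSIDE_IP, local_port)  # static PAT keeps the port
    # dynamic rule: ip nat inside source route-map NO_NAT interface Gi0/0 overload
    if acl_125_permits(src, dst):
        return (OUTSIDE_IP, "ephemeral")
    return (src, sport)  # exempted flow: source left unchanged


if __name__ == "__main__":
    # Web server replying to a VPN client (constructed flow), with and without
    # "route-map NO_NAT" on the static entry.
    print(translate_source("tcp", "192.168.10.104", 80, "192.168.254.150", True))
    print(translate_source("tcp", "192.168.10.104", 80, "192.168.254.150", False))
```

With the route-map, the reply leaves as 192.168.10.104:80 and the VPN client sees the address it sent to; without it, the reply is rewritten to 9.x.y.z:80, which is the symptom the lab debug showed.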
01-20-2013 10:00 PM
Hi,
I believe the route-map in the static NAT means users from the 192.168.254.0/24 subnet are not allowed to access the 192.168.10.104 server, especially the HTTP/HTTPS/SMTP services.
But it will allow access to the server from the Internet.
Hope it will help.
Best regards,
Abzal
01-20-2013 10:14 PM
"I believe the route-map in the static NAT means users from the 192.168.254.0/24 subnet are not allowed to access the 192.168.10.104 server, especially the HTTP/HTTPS/SMTP services.
But it will allow access to the server from the Internet."
From my understanding, the above route-map and ACL 125 mean that for traffic from 192.168.10.0/24 to 192.168.254.0/24 the source IP is not changed, while for the rest of the traffic the source is changed to the interface G0/0 IP.
The static NAT is required if you are hosting some applications and want them to be accessible from the Internet via certain ports.
Regards
Yaoxie
01-21-2013 09:36 AM
Hi Yaoxie. Thanks for your reply.
I have to agree this seems the likely case, so I guess this means that when doing PAT, you have to add the NAT exemption again even if it was originally defined on the interface.
01-21-2013 09:33 AM
Thanks for taking time to reply. I think Yaoxie might be correct in this case.
01-22-2013 01:19 PM
Hi Yaoxie,
Many thanks for getting to the bottom of this. I really appreciate your lab efforts in order to answer this question correctly and completely.
Nice job!!
Regards,
Larry