NAT route map

lcaruso
Level 6

Hi,

I'm trying to understand if this route map NO_NAT setup is needed or a mistake.

There's a vpn range nat exemption that allows 192.168.10.0/24 and 192.168.254.0/24 to communicate, and it's applied to Gi0/0. So why would the same route map need to be applied to the static nat statements?

Thanks.

ip local pool vpnpool 192.168.254.100 192.168.254.200

ip nat inside source route-map NO_NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.10.104 25 9.x.y.z 25 route-map NO_NAT extendable
ip nat inside source static tcp 192.168.10.104 80 9.x.y.z 80 route-map NO_NAT extendable
ip nat inside source static tcp 192.168.10.104 443 9.x.y.z 443 route-map NO_NAT extendable
ip nat inside source static tcp 192.168.10.185 805 9.x.y.z 805 extendable
ip nat inside source static tcp 192.168.10.186 806 9.x.y.z 806 extendable
ip nat inside source static tcp 192.168.10.111 810 9.x.y.z 810 extendable
ip nat inside source static tcp 192.168.10.187 850 9.x.y.z 850 extendable
ip nat inside source static tcp 192.168.10.126 5902 9.x.y.z 5902 extendable
ip nat inside source static udp 192.168.10.10 5901 9.x.y.z 5901 extendable

route-map NO_NAT permit 1
 match ip address 125

access-list 125 deny   ip 192.168.10.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 125 permit ip 192.168.10.0 0.0.0.255 any


6 Replies

Abzal
Level 7

Hi,

I believe the route-map in the static NAT means users from the 192.168.254.0/24 subnet are not allowed to access the 192.168.10.104 server, especially the HTTP/HTTPS/SMTP services.

But it will allow access to the server from the Internet.

Hope it will help.

Best regards,
Abzal

"I believe the route-map in the static NAT means users from the 192.168.254.0/24 subnet are not allowed to access the 192.168.10.104 server, especially the HTTP/HTTPS/SMTP services.

But it will allow access to the server from the Internet."

From my understanding, the above route-map and ACL 125 mean that when traffic goes from 192.168.10.0/24 to 192.168.254.0/24, the source ip is not changed, while for the rest of the traffic, the source is changed to the interface G0/0 ip.

The static NAT is required if you are hosting some application and want it to be accessible from the internet via certain ports.

Regards

Yaoxie

Hi Yaoxie. Thanks for your reply.

I have to agree this seems the likely case, so I guess this means when doing PAT, you have to add the nat exemption again even if it was originally defined on the interface.

Thanks for taking time to reply. I think Yaoxie might be correct in this case.

Hello Lcaruso,

I looked at your first post again and realized that you were asking for the reason for the route-map on these three static nat commands; sorry, I didn't notice that.

ip nat inside source static tcp 192.168.10.104 25 9.x.y.z 25 route-map NO_NAT extendable
ip nat inside source static tcp 192.168.10.104 80 9.x.y.z 80 route-map NO_NAT extendable
ip nat inside source static tcp 192.168.10.104 443 9.x.y.z 443 route-map NO_NAT extendable

To answer whether these three route-maps are necessary, I labbed it up and found that:

1. If I remove the route-map from the static nat command, then subnet 192.168.254.0/24 will no longer reach 192.168.10.104 on ports 25, 80, and 443. Debug shows that after traffic from 192.168.254.0/24 reaches 192.168.10.104, the source of the return traffic is natted to the interface ip. That's to say, the host sends http 25 traffic to 192.168.10.104 but gets the reply from another ip.

2. The reason for this is that the static nat creates an additional nat translation rule that is independent of the first rule applied on the interface, "ip nat inside source route-map NO_NAT interface GigabitEthernet0/0 overload", so that's why the route-map has to be applied again on the static nat.
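As an added example that is not part of the thread, here is a small Python model of the rule lookup described above: each NAT rule consults the route-map only if the route-map is attached to that rule, so a static entry without "route-map NO_NAT" translates the server's reply to a VPN client even though the interface rule exempts it. Assumptions: 203.0.113.1 is a constructed stand-in for the elided 9.x.y.z, 198.51.100.7 and 192.168.254.150 are constructed hosts, and overload port allocation is omitted.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

GLOBAL_IP = "203.0.113.1"  # constructed stand-in for the elided 9.x.y.z (the Gi0/0 address)

# access-list 125 from the thread: (action, src net, src wildcard, dst net, dst wildcard)
ACL_125 = [
    ("deny", "192.168.10.0", "0.0.0.255", "192.168.254.0", "0.0.0.255"),
    ("permit", "192.168.10.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),  # "any"
]

def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard mask: a set bit means 'do not care' for that bit."""
    a, n, w = (int(ipaddress.ip_address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)

def no_nat_permits(src: str, dst: str) -> bool:
    """route-map NO_NAT permit 1 / match ip address 125: first matching ACL line wins."""
    for action, snet, swild, dnet, dwild in ACL_125:
        if wildcard_match(src, snet, swild) and wildcard_match(dst, dnet, dwild):
            return action == "permit"
    return False  # implicit deny at the end of the ACL

@dataclass
class NatRule:
    inside_local: str          # host for a static entry, network for the interface rule
    local_port: Optional[int]  # None marks the dynamic "interface Gi0/0 overload" rule
    with_route_map: bool       # is "route-map NO_NAT" attached to this rule?

def translate_source(rules, src: str, sport: int, dst: str):
    """Source (ip, port) an inside->outside packet leaves with. Static entries are
    checked before the dynamic rule, and each rule consults the route-map only if
    the route-map was attached to that rule (overload port allocation omitted)."""
    for r in rules:
        if r.local_port is None:
            matches = ipaddress.ip_address(src) in ipaddress.ip_network(r.inside_local)
        else:
            matches = src == r.inside_local and sport == r.local_port
        if matches and not (r.with_route_map and not no_nat_permits(src, dst)):
            return GLOBAL_IP, sport  # this rule translates the packet
    return src, sport  # no rule applied: reply keeps its real source address

# ip nat inside source route-map NO_NAT interface GigabitEthernet0/0 overload
DYNAMIC = NatRule("192.168.10.0/24", None, True)

def static_smtp(with_route_map: bool):
    """Rule set with the 192.168.10.104 port 25 static entry, with or without NO_NAT."""
    return [NatRule("192.168.10.104", 25, with_route_map), DYNAMIC]
```

Calling translate_source(static_smtp(False), "192.168.10.104", 25, "192.168.254.150") reproduces point 1 of the lab: the SMTP reply to the VPN client leaves as 203.0.113.1, while static_smtp(True) leaves it untranslated and still translates replies toward an Internet host.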

Hi Yaoxie,

Many thanks for getting to the bottom of this. I really appreciate your lab efforts in order to answer this question correctly and completely.

Nice job!!

Regards,

Larry
