
NAT + route-map

mattbauer

Hi All

I wonder if someone can help me with a NAT problem.

It seems to be a relatively simple setup, but I can't get it to work properly.

I've set up a simple lab as follows:

laptop1<-->fe0/1-router-fe0/0<-->laptop2

laptop1-eth1 = 1.1.1.100

laptop1-eth1:1 = 10.1.1.100

fe0/1 = 1.1.1.1

fe0/1 = 10.1.1.1 (secondary)

fe0/0 = 2.2.2.1

laptop2 = 2.2.2.100

Now, when laptop2 pings 1.1.1.100, I want the router to NAT the source into something (say 200.0.0.0/24).

But I *don't* want it to NAT when pinging 10.1.1.100.

So I figure I need a NAT rule with a route-map/access-list. Here is my config:

----------config-------------
int fa0/0
 ip nat inside
!
int fa0/1
 ip nat outside
!
ip nat inside source static network 2.2.2.0 200.0.0.0 /24 route-map nat
!
access-list 101 permit ip any 1.1.1.0 0.0.0.255
!
route-map nat permit 10
 match ip address 101
 set ip next-hop 1.1.1.100
----------/config-------------

The thing is, the route-map seems to match (debug ip nat detail gives: "NAT: map match nat") but the actual NAT'ing does not take place (there are no translations and tcpdump on laptop 1 shows original source IP address).

Have I missed something here?

TIA
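
The behaviour the question asks for, modelled as an added example that is not part of the original post and is not Cisco IOS code: it evaluates access-list 101 with wildcard masks and applies the 2.2.2.0/24 to 200.0.0.0/24 static network mapping, giving the source address a tcpdump on laptop1 should show for each destination. The function names are hypothetical, and the model describes the intent only, not why the router fails to translate.

```python
import ipaddress

# Values taken from the lab config in the post; function names are hypothetical.
# "any" in an IOS ACL is 0.0.0.0 with wildcard 255.255.255.255.
ACL_101 = [("permit", "0.0.0.0", "255.255.255.255", "1.1.1.0", "0.0.0.255")]
INSIDE_LOCAL = ipaddress.ip_network("2.2.2.0/24")
INSIDE_GLOBAL = ipaddress.ip_network("200.0.0.0/24")


def wildcard_match(addr, base, wildcard):
    """Cisco-style wildcard match: bits set in the wildcard are ignored."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care
            == int(ipaddress.ip_address(base)) & care)


def acl_permits(src, dst, acl=ACL_101):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, s_base, s_wild, d_base, d_wild in acl:
        if wildcard_match(src, s_base, s_wild) and wildcard_match(dst, d_base, d_wild):
            return action == "permit"
    return False


def expected_source(src, dst):
    """Source address the poster wants to see on the outside wire."""
    ip = ipaddress.ip_address(src)
    if ip not in INSIDE_LOCAL or not acl_permits(src, dst):
        return src  # not eligible for translation: left untouched
    # Static network NAT keeps the host bits and swaps the prefix.
    host_bits = int(ip) & int(INSIDE_LOCAL.hostmask)
    return str(ipaddress.ip_address(int(INSIDE_GLOBAL.network_address) | host_bits))


if __name__ == "__main__":
    for dst in ("1.1.1.100", "10.1.1.100"):
        print(f"2.2.2.100 -> {dst}: source on wire should be "
              f"{expected_source('2.2.2.100', dst)}")
```
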


Hi Matthew,

Do you want to use route-map commands to do nat operations?

I would not use a set ip next-hop command in this case.

For testing

ip nat inside source static network 2.2.2.0 200.0.0.0 /24 route-map nat
!
access-list 101 permit ip any 1.1.1.0 0.0.0.255
!
route-map nat permit 10
 match ip address 101

Let us know how things work out.

Thot

Hi Thot

Actually I've tried not using the set ip next-hop also. Doesn't seem to have any effect either way.

If I don't use the route-map at all, the NAT works fine (for all packets), but putting in this simple route-map/access-list seems to kill the NAT altogether.

Just to add some more info...

A "sho ip access-lists" shows that my access list is being matched

But a "show route-map" says:

"Policy routing matches: 0 packets, 0 bytes"

On the other hand, a "debug ip nat detail" says:

"NAT: map match nat" for every packet that is sent.

...but the final result is still the same. The packets aren't being NAT'd for some reason.

Hi Matthew,

please post "debug ip nat detail" & "show ver" outputs here.

Kind Regards

Thot

Hi Matt,

Can you please provide o/p of "debug ip nat detail" as well as "sh ip nat translations"? I think the problem lies in the port translation.

I can't confirm this unless I get the outputs. Also, I'll try to simulate your scenario in my lab and let you know.

HTH.

Cheers,

Nikhil E.

Hi Guys

debugs and show commands attached.

Thanks for looking at this.

Hi Matthew,

I would recommend you to upgrade IOS to a new version that hardware supports.

I just read information you provided. It didn't make me completely clear about nat information as expected.

Let us know how things work out

Thot

Hi Thot

Yes, that was going to be my next step. I figured there may be something wrong with the sequence of events (routing/acl/nat/etc). Bug maybe?

But actually, I ran out of time and used a dedicated box for NAT'ing those specific networks instead of policy routing.

Would still be interested if anyone has a solution.

Thanks again.

Matt
