Hi Guys,
I have a question regarding the order of the "ip nat inside" statements on an IOS router. We have a situation where a network 192.168.1.0/24 needs to get to the internet and therefore we have the overload statement out Dialer. Then we have an IPsec site-to-site VPN to our DC where we NAT exempt traffic from 192.168.1.0/24 to 10.0.0.0/8 (most of the DC and MPLS sites found out another path in the DC). This works, but there is a single subnet (10.201.0.0/16) that does not have a route to 192.168.1.0/24, and we cannot get the route added. We therefore need to Hide NAT behind a range that the remote site knows how to get to (remote site has 10.0.0.0/8 going to DC). We therefore Hide NAT behind 10.64.98.0/27. I know a pool probably isn't required here, but it was done this way by another engineer.
My question is, what order would it look at the NAT statements in? If it always chooses the first one, everything to 10.0.0.0/8 will get NAT exempted, including the Singapore remote site. If it chooses the second one first, then moves on to the first one, everything will work. But what is this order in IOS? Top down in the running-config? Pool before Dialer? Overload last?
Please see config below:
ip nat pool sing_nat 10.64.98.0 10.64.98.31 netmask 255.255.255.224
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_2 pool sing_nat
ip route 0.0.0.0 0.0.0.0 Dialer0
ip access-list extended Agility_VPN
 permit ip host 192.168.1.0 10.0.0.0 0.0.0.255
ip access-list extended NAT_ACL
 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended NAT_ACL_Singapore
 permit ip 192.168.1.0 0.0.0.255 10.201.0.0 0.0.255.255
!
route-map SDM_RMAP_1 permit 1
 match ip address NAT_ACL
!
route-map SDM_RMAP_2 permit 1
 match ip address NAT_ACL_Singapore
Thanks guys
Grant
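
An added example, not part of the original post and not Cisco code: it evaluates the two posted NAT ACLs with first-match and wildcard-mask semantics and lists which route-map each flow can match. It models ACL matching only, not how IOS orders the NAT statements; the function names and the sample source and destination addresses are constructed for illustration.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wc_match(addr, base, wildcard):
    # Wildcard bits set to 1 are "don't care"; all other bits must equal the base.
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

ANY = ("0.0.0.0", "255.255.255.255")

# ACLs copied from the posted config: (action, (src, src_wc), (dst, dst_wc))
ACLS = {
    "NAT_ACL": [
        ("deny",   ("192.168.1.0", "0.0.0.255"), ("10.0.0.0", "0.255.255.255")),
        ("permit", ("192.168.1.0", "0.0.0.255"), ANY),
    ],
    "NAT_ACL_Singapore": [
        ("permit", ("192.168.1.0", "0.0.0.255"), ("10.201.0.0", "0.0.255.255")),
    ],
}

# NAT rules from the posted config: route-map -> (matched ACL, translation target)
NAT_RULES = {
    "SDM_RMAP_1": ("NAT_ACL", "interface Dialer0 overload"),
    "SDM_RMAP_2": ("NAT_ACL_Singapore", "pool sing_nat"),
}

def acl_permits(name, src, dst):
    # First matching entry wins; no matching entry means the implicit deny applies.
    for action, (s, swc), (d, dwc) in ACLS[name]:
        if wc_match(src, s, swc) and wc_match(dst, d, dwc):
            return action == "permit"
    return False

def matching_rules(src, dst):
    # Every NAT rule whose route-map ACL permits this flow.
    return [rm for rm, (acl, _) in NAT_RULES.items() if acl_permits(acl, src, dst)]

if __name__ == "__main__":
    # Constructed sample flows (addresses are illustrative, not from the post).
    for dst in ("198.51.100.7", "10.1.2.3", "10.201.5.9"):
        rules = matching_rules("192.168.1.50", dst)
        target = NAT_RULES[rules[0]][1] if rules else "no NAT (exempt)"
        print(f"192.168.1.50 -> {dst}: {rules} => {target}")
```
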