Static NAT exclusions via route map not working.

Wan_Whisperer (Level 1)

Okay,

 

I have googled and I can't seem to understand why "ALL" my static NATs are excluded and they are failing over to NAT Overload.

 

NAT

So I have a private network 172.19.150.0/24 that is NAT overload, but some hosts inside that network are static.  I need to exclude all static NAT to some networks.  I am 90% sure it is because of my Route Map.

 

What is happening is when I apply the Route map to the static NAT it is excluding the NAT to all networks and not just the ones in my ACL, and then hitting my NAT overload.  I think it's my Route map because when I remove the route map on the static NAT the 1 to 1 NAT works, and when I add the Route map the statics don't work to any network and they NAT to my overload IP address.

 

See configs below:


ip nat pool Pool1 191.XXX.XXX.1 191.XXX.XXX.1 netmask 255.255.255.0
ip nat inside source static 172.19.150.125 191.XXX.XXX.49 route-map Static_Nat_RM redundancy 1 mapping-id 6
ip nat inside source static 172.19.150.190 191.XXX.XXX.93 route-map Static_Nat_RM redundancy 1 mapping-id 15

ip nat inside source list NATSource pool Pool1 redundancy 1 mapping-id 1 overload

 

route-map Static_Nat_RM permit 10
match ip address Static_Nat_ACL


ip access-list extended Static_Nat_ACL
deny ip host 172.19.150.190 103.XXX.XXX.0 0.0.3.255
permit ip 172.19.150.0 0.0.0.255 any

 

!
ip access-list extended NATSource
permit ip 172.19.150.0 0.0.0.255 any

 

When I am on 172.19.150.190 and I ping 8.8.8.8 I can see:

172.19.150.190 translating to 191.XXX.XXX.1

 

When I am on 172.19.150.190 and I ping 103.XXX.XXX.0 I can see:

172.19.150.190 translating to 191.XXX.XXX.1

 

When I ping 8.8.8.8 from 172.19.150.190 I want it to translate to 191.XXX.XXX.93 but it's not.

 

**********************************************************************************************

If I remove my Route map from the static nat:

 

BEFORE:

 

ip nat inside source static 172.19.150.190 191.XXX.XXX.93 route-map Static_Nat_RM redundancy 1 mapping-id 15

 

AFTER:

 

ip nat inside source static 172.19.150.190 191.XXX.XXX.93  redundancy 1 mapping-id 15

 

and when I get on 172.19.150.190 and ping 8.8.8.8 I can see:

172.19.150.190 translating to 191.XXX.XXX.93

 

 

Sooo.  It seems like something is wrong with my route map because I add it and nothing is 1 to 1 NATted at all...It just catches the NAT overload.

 

****edit***

 

Is it possible that it is hitting the Overload NAT before it hits the static NAT?

 

 

Is my Route Map written incorrectly?  (PS I see no hits on my ACL under the route map.)

 

Thanks,

Accepted Solution

Wan_Whisperer (Level 1)

Everyone's reply got me thinking about order of operation and I figured it out!

 

For some reason when I add the route map to the one to one NAT it hits the NAT overload first.  Once I exclude the one to one from the NAT Overload it hits the One to One and then hits the route map!

 

So it works!

 

 

 


18 Replies

Jon Marshall (Hall of Fame)

 

172.19.0.0 0.0.1.255 will not match 172.19.150.190 so that is why the static NAT is not working. 

 

Is that a typo?

 

Jon

That was a typo.....it is

 

permit ip 172.19.150.0 0.0.0.255 any

 

I fixed it on the Post.

 

Any more thoughts?

Hello

Just like to add to Jon's comments:

Your NAT config doesn't add up. You don't mention anything about any redundancy being active; however, it looks like partial stateful NAT is being applied and showing different mapping-ids, which isn't correct to me; those ids need to be identical?

Lastly, you could also exclude your static NAT hosts from the ACL you have for dynamic translation; it's not required.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Paul,

 

I do have a second stack but it is powered off.  The mapping ID are the same on both sides.  I will exclude the static from the dynamic....just have not done it yet.

 

 

To recap.....when I remove the Route map in the static route it works....so I feel like my route map is written incorrectly, because once I add it nothing is NATted 1 to 1.

 

Feels like my route map or its nested ACL is just excluding everything.

Hello


@Wan_Whisperer wrote:

To recap.....when I remove the Route map in the static route it works....so I feel like my route map is written incorrectly, because once I add it nothing is NATted 1 to 1.

 

Feels like my route map or its nested ACL is just excluding everything.

Is my Route Map written incorrectly?  (PS I see no hits on my ACL under the route map.)


 

ip nat inside source static 172.19.150.125 191.XXX.XXX.49 route-map Static_Nat_RM redundancy 1 mapping-id 6

As I said, the above doesn't seem a valid NAT statement; however, saying that, I haven't used route-maps for static NAT.

When it reads something like this, which you say works?:
ip nat inside source static 172.19.150.125 191.XXX.XXX.49

 

 

 



Kind Regards
Paul

 

I couldn't see anything wrong with your configuration but haven't done this in a while so I did a quick VIRL lab and surprisingly I got exactly the same results as you. 

 

My understanding was static NAT statements should take precedence and I am sure this used to work but whatever I tried it just seemed to use the dynamic NAT statement for all translations. 

 

I am using IOS 15.6 in VIRL so not sure whether this will work for you but after a lot of testing I did get it working but using route maps for both the dynamic and the static NAT statements eg. 

 

ip nat pool Pool1 191.XXX.XXX.1 191.XXX.XXX.1 netmask 255.255.255.0
ip nat inside source static 172.19.150.125 191.XXX.XXX.49 route-map RNAT redundancy 1 mapping-id 6
ip nat inside source static 172.19.150.190 191.XXX.XXX.93 route-map RNAT redundancy 1 mapping-id 15

ip nat inside source route-map SNAT pool Pool1 redundancy 1 mapping-id 1 overload

 

route-map RNAT permit 10
match ip address Static_Nat_ACL


ip access-list extended Static_Nat_ACL
deny ip host 172.19.150.190 103.XXX.XXX.0 0.0.3.255
permit ip 172.19.150.0 0.0.0.255 any


route-map SNAT permit 10
match ip address NATSource


ip access-list extended NATSource
permit ip 172.19.150.0 0.0.0.255 any

 

Note you can use any names you want for your route maps, but believe it or not the route map you use for your static NAT must be alphabetically lower than the route map used for dynamic NAT, so RNAT for static and SNAT for dynamic is fine but not the other way round.

 

I am sure there must be an easier way or I am missing something but can't tell what and the behaviour definitely seems to have changed since I last did this. 

 

Finally I have never used the "ip nat source route-map...." syntax before so you should read up on it if you are going to use it to make sure there aren't any catches etc. 

 

I may have another look at this over the weekend because it can't be this complicated. 

 

Jon

 

 

@Jon Marshall 
So this is a valid NAT statement? I have never needed to use route-maps with statics and cannot lab to test?

 ip nat inside source static 172.19.150.125 191.XXX.XXX.49 route-map RNAT redundancy 1 mapping-id 6



Kind Regards
Paul

 

Hi Paul 

 

I didn't use the redundancy or mapping keywords but yes it is valid to use a route map with a static translation and as I say it used to just take precedence by default or at least that is the way I remember it. 

 

But in my tests I could not get it to work no matter what I did with the acls or the route map until I tried using route maps for both translations.

 

Definitely not what I expected to see. 

 

Jon

 

@Jon Marshall @Wan_Whisperer 
I've not used it myself, to be honest; for static NAT I had no cause to, I just used ACLs. Anyway, I also managed to lab this and it works with this ACL amendment, using the OP config minus redundancy x mapping-id x:

 

ip access-list extended NATsource
deny ip host 172.19.150.190 any
deny ip host 172.19.150.125 any
permit ip 172.19.150.0 0.0.0.255 any

ip access-list extended Static_Nat_ACL
deny ip host 172.19.150.190 103.x.x.0 0.0.3.255
permit ip 172.19.150.0 0.0.0.255 any



Kind Regards
Paul

 

Paul 

 

The requirement is that the host 172.19.150.190 should be translated to 191.x.x.93 unless the destination IP is from the 103.x.x.0 0.0.3.255 range which your solution does do. 

 

But if the destination IP is from the 103.x.x.0 0.0.3.255 range the 172.19.150.190 IP should be translated to an IP from the NAT pool but that won't happen in your setup because you are denying all IP traffic from 172.19.150.190 in the acl. 

 

I did a quick VIRL lab with your configuration and it tested as above. 

 

Like I say it should just work as in the configuration provided by the OP because if there is no match in the static NAT acl it should just match the permit in the other acl but what seems to happen is all traffic is matching that acl. 

 

Perhaps it is working in your lab though ie. what happens if you try to ping a 103.x.x.x IP ? 

 

Jon
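To make the order-of-operations question concrete, here is a small Python model (added here; not Cisco code and not any poster's config) of wildcard-mask ACL matching and the intended NAT selection: static translation gated by the route-map ACL first, then the dynamic overload pool. It evaluates the OP's ACLs and Paul's amended NATSource; the 191.191.191.x and 103.103.103.x addresses follow Paul's lab output and are illustrative.

```python
import ipaddress

# Constructed model of Cisco wildcard-mask ACLs and the NAT order of operations
# the OP expects (static gated by route-map ACL, then dynamic overload).
# Addresses follow Paul's lab output; they are illustrative, not production values.

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard means that bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_permits(acl, src, dst):
    """Extended ACL evaluated top-down; first match wins, implicit deny at the end."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False

ANY = ("0.0.0.0", "255.255.255.255")
def host(ip):
    return (ip, "0.0.0.0")

# OP's ACLs as posted (route-map Static_Nat_RM matches Static_Nat_ACL).
STATIC_NAT_ACL = [
    ("deny", *host("172.19.150.190"), "103.103.103.0", "0.0.3.255"),
    ("permit", "172.19.150.0", "0.0.0.255", *ANY),
]
NATSOURCE = [("permit", "172.19.150.0", "0.0.0.255", *ANY)]

# Paul's amendment: static hosts denied outright in the dynamic ACL.
NATSOURCE_AMENDED = [
    ("deny", *host("172.19.150.190"), *ANY),
    ("deny", *host("172.19.150.125"), *ANY),
    ("permit", "172.19.150.0", "0.0.0.255", *ANY),
]

STATICS = {"172.19.150.125": "191.191.191.49", "172.19.150.190": "191.191.191.93"}
POOL1 = "191.191.191.1"

def select_translation(src, dst, static_acl=STATIC_NAT_ACL, dyn_acl=NATSOURCE):
    """Inside-global address under the intended order: static first, then pool."""
    if src in STATICS and acl_permits(static_acl, src, dst):
        return STATICS[src]
    if acl_permits(dyn_acl, src, dst):
        return POOL1 + " (overload)"
    return None  # no translation matched
```

With the amended NATSource, 172.19.150.190 to a 103.x.x.x destination gets no translation at all, which is Jon's objection; with the OP's original ACLs the model falls through to Pool1 as intended.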

 

Hello Jon
It's denied for host 172.19.150.190 only

 

sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 191.191.191.49 172.19.150.125 --- ---
--- 191.191.191.93 172.19.150.190 --- ---

ping 103.103.103.2 repeat 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 103.103.103.2, timeout is 2 seconds:
Success rate is 0 percent (0/2)


ping 8.8.8.8 repeat 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 28/36/44 ms

telnet 8.8.8.8
Trying 8.8.8.8 ... Open

sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 191.191.191.93:12 172.19.150.190:12 8.8.8.8:12 8.8.8.8:12
icmp 191.191.191.93:14 172.19.150.190:14 8.8.8.8:14 8.8.8.8:14
tcp 191.191.191.93:48908 172.19.150.190:48908 8.8.8.8:23 8.8.8.8:23
--- 191.191.191.49 172.19.150.125 --- ---
--- 191.191.191.93 172.19.150.190 --- ---



Kind Regards
Paul

 

Hi Paul 

 

He doesn't want it denied, he wants it to use the NAT pool. 

 

Jon

Hello Jon

Understand now; I misinterpreted the OP, so keeping with your last configuration post.

What I cannot understand at present is the NAT logic (not the route-map logic). The order of operation using route maps with names seems to work only alphabetically, but if you use route maps with numbers then numerically it doesn't seem to be sequentially true, and the PAT part of this NAT configuration works with either a lower or higher number. It could be GNS3 providing this false reading, but I'm not so sure?


route-map RNAT
match ip address Static_Nat_ACL

route-map SNAT  <----------------------doesn't work unless this is higher than R
match ip address NATSource

 

.

route-map 10
match ip address Static_Nat_ACL

route-map 5 <----------------------works either if this is higher or lower than 10
match ip address NATSource



Kind Regards
Paul

 

Hi Paul

 

That is even more complicated :) 

 

Certainly not what I expected either in terms of having to use route maps for both and your findings as well. 

 

If I get the chance I will go back to VIRL and test using numbered route maps and see what happens. 

 

Jon
