Re: Static Nat Route Map

jnewton83985 · ‎02-14-2022

I'm experiencing an issue with a route map that I can't figure out. I posted before about route maps however this is a different issue. Below is the configuration.

Static NAT

ip nat inside source static 192.168.10.112 6.5.120.112 route-map NoNat

Sh route-map NoNat output:

route-map NoNat, permit, sequence 10
Match clauses:
ip address (access-lists): NAT-VPN
Set clauses:
Policy routing matches: 0 packets, 0 bytes

NAT-VPN Extended ACL

10 deny ip 192.168.10.0 0.0.0.255 10.4.9.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 174.53.0 0.0.255.255
30 deny ip 192.168.10.0 0.0.0.255 178.5.40.0 0.0.0.255
60 permit ip any any

6.5.120.112 is used in several site-to-site VPNs and I stood up a new tunnel recently using only this IP on our LAN. The issue is, when the traffic from the other end of the tunnel tries to talk to 6.5.120.112, it does not work when this route-map is attached to the static NAT. As soon as I remove the route-map, communication takes place. I don't understand how this is possible considering the extended ACL is not referencing any subnet on the other end of the tunnel. Since no subnet in the encryption domain is listed in the extended ACL, traffic should be permitted and NAT will take place. I don't understand how this route map is impacting communication with this tunnel.

Can someone help me make sense of this?

Georg Pauwen · ‎02-14-2022

Hello,

I assume the networks you deny are the remote networks ?

10 deny ip 192.168.10.0 0.0.0.255 10.4.9.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 174.53.0 0.0.255.255
30 deny ip 192.168.10.0 0.0.0.255 178.5.40.0 0.0.0.255
60 permit ip any any

Try and change the 'ip any any' to:

10 deny ip 192.168.10.0 0.0.0.255 10.4.9.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 174.53.0 0.0.255.255
30 deny ip 192.168.10.0 0.0.0.255 178.5.40.0 0.0.0.255
60 permit ip 192.168.10.0 0.0.0.255 any

jnewton83985 · ‎02-15-2022

@Georg Pauwen I'll give that a shot and let you know the outcome.

jnewton83985 · ‎02-15-2022

I tried what you recommend and it did the same thing, no change unfortunately.

Georg Pauwen · ‎02-15-2022

Hello,

can you post the full running configuration of the router ?

jnewton83985 · ‎02-15-2022

Sure, I have attached the sh run and removed some info. I have temporarily removed the route-map from the static NAT.

Georg Pauwen · ‎02-15-2022

Hello,

I don't see any VPN configuration, I assume you have removed all the crypto related stuff ? Are you usig legacy crypto maps, or VTIs ?

Either way, based on the additional information with regard to the remote subnets, change the access list to:

10 deny ip 192.168.10.0 0.0.0.255 10.4.9.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 174.53.0 0.0.255.255
30 deny ip 192.168.10.0 0.0.0.255 178.5.40.0 0.0.0.255
40 deny ip 192.168.10.0 0.0.0.255 10.47.29.0 0.0.0.255
50 deny ip 192.168.10.0 0.0.0.255 10.47.117.0 0.0.0.255
60 deny ip 192.168.10.0 0.0.0.255 10.6.150.0 0.0.0.255
70 permit ip 192.168.10.0 0.0.0.255 any

jnewton83985 · ‎02-15-2022

This 2911 sits behind an ASA and is connected to a 4500x core switch. The VPN configuration takes place on the ASA. The path this traffic is taking is as follows when the route map is removed.

core switch, has default route to routers HSRP virtual IP so traffic goes to router
Traffic hits HSRP active router and then hits ASA

Jon Marshall · ‎02-15-2022

What is the remote subnet ?

Jon

jnewton83985 · ‎02-15-2022

Remote subnets are 10.47.29.10, 10.47.117.31, 10.6.150.160.

Georg Pauwen · ‎02-15-2022

Hello,

I am lost to be honest. What are these networks then ?

--> I assume the networks you deny are the remote networks ?

10 deny ip 192.168.10.0 0.0.0.255 10.4.9.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 174.53.0 0.0.255.255
30 deny ip 192.168.10.0 0.0.0.255 178.5.40.0 0.0.0.255

What are the subnet masks for 10.47.29.10, 10.47.117.31, 10.6.150.160 ?

jnewton83985 · ‎02-15-2022

The subnets listed in the extended ACL are in other site to site VPNs as this route map is applied to other static NATs. The masks for 10.47.29.10, 10.47.117.31, 10.6.150.160 are all /32.

Georg Pauwen · ‎02-15-2022

Hello,

can you post a schematic drawing of your entire topology ? It does not look like the router terminates any VPNs, so we need to see the rest of your network to get an understanding of what you are trying to accomplish.

jnewton83985 · ‎02-15-2022

Sent you a message.

jnewton83985 · ‎02-17-2022

Is there a way to debug a route map? My only option on the 2911 is debug route-map api and I see no way to debug a named ACL.