02-14-2022 02:32 PM - edited 02-14-2022 02:35 PM
I'm experiencing an issue with a route map that I can't figure out. I posted before about route maps however this is a different issue. Below is the configuration.
Static NAT
ip nat inside source static 192.168.10.112 6.5.120.112 route-map NoNat
Sh route-map NoNat output:
route-map NoNat, permit, sequence 10
Match clauses:
ip address (access-lists): NAT-VPN
Set clauses:
Policy routing matches: 0 packets, 0 bytes
NAT-VPN Extended ACL
10 deny ip 192.168.10.0 0.0.0.255 10.4.9.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 174.53.0 0.0.255.255
30 deny ip 192.168.10.0 0.0.0.255 178.5.40.0 0.0.0.255
60 permit ip any any
6.5.120.112 is used in several site-to-site VPNs and I stood up a new tunnel recently using only this IP on our LAN. The issue is, when the traffic from the other end of the tunnel tries to talk to 6.5.120.112, it does not work when this route-map is attached to the static NAT. As soon as I remove the route-map, communication takes place. I don't understand how this is possible considering the extended ACL is not referencing any subnet on the other end of the tunnel. Since no subnet in the encryption domain is listed in the extended ACL, traffic should be permitted and NAT will take place. I don't understand how this route map is impacting communication with this tunnel.
Can someone help me make sense of this?
02-14-2022 02:51 PM
Hello,
I assume the networks you deny are the remote networks ?
10 deny ip 192.168.10.0 0.0.0.255 10.4.9.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 174.53.0 0.0.255.255
30 deny ip 192.168.10.0 0.0.0.255 178.5.40.0 0.0.0.255
60 permit ip any any
Try and change the 'ip any any' to:
10 deny ip 192.168.10.0 0.0.0.255 10.4.9.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 174.53.0 0.0.255.255
30 deny ip 192.168.10.0 0.0.0.255 178.5.40.0 0.0.0.255
60 permit ip 192.168.10.0 0.0.0.255 any
02-15-2022 03:50 AM
@Georg Pauwen I'll give that a shot and let you know the outcome.
02-15-2022 10:59 AM
I tried what you recommend and it did the same thing, no change unfortunately.
02-15-2022 11:20 AM
Hello,
can you post the full running configuration of the router ?
02-15-2022 11:50 AM
02-15-2022 12:02 PM
Hello,
I don't see any VPN configuration, I assume you have removed all the crypto related stuff ? Are you using legacy crypto maps, or VTIs ?
Either way, based on the additional information with regard to the remote subnets, change the access list to:
10 deny ip 192.168.10.0 0.0.0.255 10.4.9.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 174.53.0 0.0.255.255
30 deny ip 192.168.10.0 0.0.0.255 178.5.40.0 0.0.0.255
40 deny ip 192.168.10.0 0.0.0.255 10.47.29.0 0.0.0.255
50 deny ip 192.168.10.0 0.0.0.255 10.47.117.0 0.0.0.255
60 deny ip 192.168.10.0 0.0.0.255 10.6.150.0 0.0.0.255
70 permit ip 192.168.10.0 0.0.0.255 any
02-15-2022 12:11 PM
This 2911 sits behind an ASA and is connected to a 4500x core switch. The VPN configuration takes place on the ASA. The path this traffic is taking is as follows when the route map is removed.
02-15-2022 11:25 AM
What is the remote subnet ?
Jon
02-15-2022 11:41 AM
Remote subnets are 10.47.29.10, 10.47.117.31, 10.6.150.160.
02-15-2022 11:47 AM
Hello,
I am lost to be honest. What are these networks then ?
--> I assume the networks you deny are the remote networks ?
10 deny ip 192.168.10.0 0.0.0.255 10.4.9.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 174.53.0 0.0.255.255
30 deny ip 192.168.10.0 0.0.0.255 178.5.40.0 0.0.0.255
What are the subnet masks for 10.47.29.10, 10.47.117.31, 10.6.150.160 ?
02-15-2022 11:55 AM - edited 02-15-2022 11:58 AM
The subnets listed in the extended ACL are in other site-to-site VPNs as this route map is applied to other static NATs. The masks for 10.47.29.10, 10.47.117.31, 10.6.150.160 are all /32.
02-15-2022 12:08 PM
Hello,
can you post a schematic drawing of your entire topology ? It does not look like the router terminates any VPNs, so we need to see the rest of your network to get an understanding of what you are trying to accomplish.
02-15-2022 12:25 PM
Sent you a message.
02-17-2022 07:52 AM
Is there a way to debug a route map? My only option on the 2911 is debug route-map api and I see no way to debug a named ACL.