jnewton83985
Beginner

Static Nat Route Map

I'm experiencing an issue with a route map that I can't figure out. I posted before about route maps; however, this is a different issue. Below is the configuration.


Static NAT 

ip nat inside source static 192.168.10.112 6.5.120.112 route-map NoNat


show route-map NoNat output:

route-map NoNat, permit, sequence 10
Match clauses:
ip address (access-lists): NAT-VPN
Set clauses:
Policy routing matches: 0 packets, 0 bytes


NAT-VPN Extended ACL

10 deny ip 192.168.10.0 0.0.0.255 10.4.9.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 174.53.0.0 0.0.255.255
30 deny ip 192.168.10.0 0.0.0.255 178.5.40.0 0.0.0.255
60 permit ip any any


6.5.120.112 is used in several site-to-site VPNs, and I stood up a new tunnel recently using only this IP on our LAN. The issue is that when traffic from the other end of the tunnel tries to talk to 6.5.120.112, it does not work when this route-map is attached to the static NAT. As soon as I remove the route-map, communication takes place. I don't understand how this is possible, considering the extended ACL is not referencing any subnet on the other end of the tunnel. Since no subnet in the encryption domain is listed in the extended ACL, traffic should be permitted and NAT will take place. I don't understand how this route map is impacting communication with this tunnel.


Can someone help me make sense of this?
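Added example, not from the thread: a caveat about how IOS treats a static NAT statement that carries a route-map. The route-map is consulted when a packet from the inside host creates the translation; a packet that arrives on the outside interface for the global address does not create one unless the statement also carries the `reversible` keyword (present in the 15.x IOS a 2911 runs), which produces exactly the symptom described above: works with the plain static, fails with the route-map attached. The interface names below are assumptions, the ACL is the posted one with the fourth octet of the /16 entry filled in, and 10.47.29.10 is one of the remote hosts named later in the thread.

```cisco
! Assumed interface roles; the thread does not give them.
interface GigabitEthernet0/0
 description LAN side toward the 4500X core (HSRP)
 ip nat inside
!
interface GigabitEthernet0/1
 description toward the ASA that terminates the VPNs
 ip nat outside
!
! NAT exemption list: "deny" here means "do not translate", not "drop".
ip access-list extended NAT-VPN
 10 deny   ip 192.168.10.0 0.0.0.255 10.4.9.0 0.0.0.255
 20 deny   ip 192.168.10.0 0.0.0.255 174.53.0.0 0.0.255.255
 30 deny   ip 192.168.10.0 0.0.0.255 178.5.40.0 0.0.0.255
 60 permit ip 192.168.10.0 0.0.0.255 any
!
route-map NoNat permit 10
 match ip address NAT-VPN
!
! As posted: the route-map is only applied to inside-initiated flows. A packet
! from 10.47.29.10 arriving on Gi0/1 for 6.5.120.112 finds no translation and
! never reaches 192.168.10.112.
no ip nat inside source static 192.168.10.112 6.5.120.112 route-map NoNat
!
! With "reversible", an outside-initiated session to 6.5.120.112 can also
! create the translation through the route-map, so the remote peer can open
! the flow while the exemptions in NAT-VPN still apply.
ip nat inside source static 192.168.10.112 6.5.120.112 route-map NoNat reversible
```

The `no ip nat inside source static ...` line is only there to show the two variants side by side; on a live box replace the statement rather than leaving the inside host without a translation in between.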


16 REPLIES
Georg Pauwen
VIP Master

Hello,


I assume the networks you deny are the remote networks?


10 deny ip 192.168.10.0 0.0.0.255 10.4.9.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 174.53.0.0 0.0.255.255
30 deny ip 192.168.10.0 0.0.0.255 178.5.40.0 0.0.0.255
60 permit ip any any


Try and change the 'ip any any' to:


10 deny ip 192.168.10.0 0.0.0.255 10.4.9.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 174.53.0.0 0.0.255.255
30 deny ip 192.168.10.0 0.0.0.255 178.5.40.0 0.0.0.255
60 permit ip 192.168.10.0 0.0.0.255 any

@Georg Pauwen I'll give that a shot and let you know the outcome.

I tried what you recommended and it did the same thing, no change unfortunately.

Hello,


can you post the full running configuration of the router ?

Sure, I have attached the show run and removed some info. I have temporarily removed the route-map from the static NAT.


Hello,


I don't see any VPN configuration; I assume you have removed all the crypto-related stuff? Are you using legacy crypto maps, or VTIs?


Either way, based on the additional information with regard to the remote subnets, change the access list to:


10 deny ip 192.168.10.0 0.0.0.255 10.4.9.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 174.53.0.0 0.0.255.255
30 deny ip 192.168.10.0 0.0.0.255 178.5.40.0 0.0.0.255
40 deny ip 192.168.10.0 0.0.0.255 10.47.29.0 0.0.0.255
50 deny ip 192.168.10.0 0.0.0.255 10.47.117.0 0.0.0.255
60 deny ip 192.168.10.0 0.0.0.255 10.6.150.0 0.0.0.255
70 permit ip 192.168.10.0 0.0.0.255 any


This 2911 sits behind an ASA and is connected to a 4500x core switch. The VPN configuration takes place on the ASA. The path this traffic is taking is as follows when the route map is removed.


  1. The core switch has a default route to the routers' HSRP virtual IP, so traffic goes to the router.
  2. Traffic hits the HSRP active router and then hits the ASA.


What is the remote subnet?


Jon

Remote subnets are 10.47.29.10, 10.47.117.31, 10.6.150.160.

Hello,


I am lost, to be honest. What are these networks then?


--> I assume the networks you deny are the remote networks ?


10 deny ip 192.168.10.0 0.0.0.255 10.4.9.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 174.53.0.0 0.0.255.255
30 deny ip 192.168.10.0 0.0.0.255 178.5.40.0 0.0.0.255


What are the subnet masks for 10.47.29.10, 10.47.117.31, 10.6.150.160?

The subnets listed in the extended ACL are in other site-to-site VPNs, as this route map is applied to other static NATs. The masks for 10.47.29.10, 10.47.117.31, 10.6.150.160 are all /32.

Hello,


can you post a schematic drawing of your entire topology ? It does not look like the router terminates any VPNs, so we need to see the rest of your network to get an understanding of what you are trying to accomplish.

Sent you a message. 

jnewton83985
Beginner

Is there a way to debug a route map? My only option on the 2911 is debug route-map api and I see no way to debug a named ACL.
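Added example, not from the thread: how to see what the NAT rule is actually doing on IOS, since the "Policy routing matches" counter in `show route-map` only counts policy-routed packets and does not move when the route-map is used by NAT. It assumes the static NAT statement posted above and uses 10.47.29.10, one of the remote hosts named in the thread, as the test peer.

```cisco
! 1. Is a translation for the global address present at all? With a route-map
!    attached and no "reversible" keyword, the entry shows up only after the
!    inside host has sent something outbound.
show ip nat translations | include 6.5.120.112
show ip nat translations verbose
!
! 2. Rule-level view: which interfaces are inside/outside, hit and miss counts.
show ip nat statistics
!
! 3. ACE hit counts on the exemption list. NAT consults the ACL when it creates
!    a translation rather than for every packet of the flow, so expect low
!    numbers; a zero on line 60 while the inside host is talking means the
!    route-map was never evaluated for that traffic.
show access-lists NAT-VPN
!
! 4. Clear state and watch the decision per packet: first have 10.47.29.10
!    send to 6.5.120.112, then have 192.168.10.112 send outbound, and compare
!    which direction produces a translation.
!    Both commands are disruptive on a busy router: the clear tears down
!    active sessions, and the debug logs every translated packet. Limit it with
!    an access list if the box carries real traffic:
!      debug ip nat <acl-number> detailed
clear ip nat translation *
debug ip nat detailed
! ... generate the test traffic from each side ...
undebug all
```

Reading the debug output alongside `show ip nat translations` tells you whether the rule is being skipped for the outside-initiated direction, which is a NAT-side decision, or whether the packets never reach the NAT inside/outside boundary at all, which would point back at the ASA or the core switch instead.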