02-14-2022 02:32 PM - edited 02-14-2022 02:35 PM
I'm experiencing an issue with a route map that I can't figure out. I posted before about route maps however this is a different issue. Below is the configuration.
Static NAT
ip nat inside source static 192.168.10.112 6.5.120.112 route-map NoNat
Sh route-map NoNat output:
route-map NoNat, permit, sequence 10
Match clauses:
ip address (access-lists): NAT-VPN
Set clauses:
Policy routing matches: 0 packets, 0 bytes
NAT-VPN Extended ACL
10 deny ip 192.168.10.0 0.0.0.255 10.4.9.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 174.53.0 0.0.255.255
30 deny ip 192.168.10.0 0.0.0.255 178.5.40.0 0.0.0.255
60 permit ip any any
6.5.120.112 is used in several site-to-site VPNs and I stood up a new tunnel recently using only this IP on our LAN. The issue is, when the traffic from the other end of the tunnel tries to talk to 6.5.120.112, it does not work when this route-map is attached to the static NAT. As soon as I remove the route-map, communication takes place. I don't understand how this is possible considering the extended ACL is not referencing any subnet on the other end of the tunnel. Since no subnet in the encryption domain is listed in the extended ACL, traffic should be permitted and NAT will take place. I don't understand how this route map is impacting communication with this tunnel.
Can someone help me make sense of this?
03-02-2022 10:24 AM
Bump.
03-03-2022 11:34 AM
Hello
You have multiple static routes with the same nexthop as your advertised default so they are really not required.
I assume 192.168.10.x / 10.1.21.x are not locally connected to this rtr and they reside internally being advertised by ospf
Regards your Nat
It seems you have quite a large inside global addressing 6.5.120.x for NAT can you confirm if the below is what you trying to achieve?
example:
route-map NONAT_HOST permit 10
match ip address NONAT
ip nat inside source static 192.168.10.100 6.5.120.100 route-map NoNat
ip nat inside source static 192.168.10.112 6.5.120.112 route-map NoNat
etc….
ip access-list extended NONAT
deny ip host 10.1.21.30 10.6.1.0 0.0.0.255
permit ip host 10.1.21.30 any <----- static nat this host for any traffic other than the above subnet
deny ip host 10.1.21.31 10.6.1.0 0.0.0.255
permit ip host 10.1.21.31 any <---- static nat this host for any traffic other than the above subnet
permit ip any host 10.205.13.7 <---- static nat any host connecting to this host
Now in the translation table you should have static entries for all above which should enable external hosts to connect to the inside hosts, which I assume you will have so this failure seems to relate to the route map logic.
So can you try the following:
ip access-list extended NONAT_new
permit ip host 10.1.21.30 10.6.1.0 0.0.0.255
permit ip host 10.1.21.31 10.6.1.0 0.0.0.255
route-map NONAT_HOST deny 5
match ip address NONAT_new
route-map NONAT_HOST permit 10
no match ip address NONAT
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide