Static NAT Translation with Route-Map

Jason Ryan
Level 1

Hello,

Seemingly simple question here.

I have an internal host (192.168.100.100) that needs to be statically NATed to an external address (222.222.222.222) EXCEPT when going to a subnet across our Site to Site VPN tunnel (192.168.150.0).

This was my setup:

ip access-list extended NAT-RULE
 deny ip host 192.168.100.100 192.168.150.0 0.0.0.255
 permit ip host 192.168.100.100 any
 permit tcp host 192.168.100.100 any
 permit udp host 192.168.100.100 any
!
route-map NAT-MAP permit 10
 ! IOS syntax is "match ip address <acl>" (the post had "ip match address")
 match ip address NAT-RULE
!
ip nat inside source static 192.168.100.100 222.222.222.222 route-map NAT-MAP

After putting this in, the host (192.168.100.100) was instead routed over my overloaded WAN address (222.222.222.221). I can verify this in show ip nat translations.

Do I need an extendable command on this?

Currently the setup is:

ip nat inside source static 192.168.100.100 222.222.222.222 extendable

This is working great (with exception of going to the VPN subnet).

Any other reason it was NATed to the overload interface?

2 Replies

Giuseppe Larosa
Hall of Fame

Hello Jason,

Unfortunately you haven't provided the whole NAT configuration; we can guess that there is a NAT overload statement using the WAN interface as the public address.

If this is true, the NAT overload statement also needs to use an extended ACL and deny traffic between the specific host and the destinations that are reached via the VPN tunnel.

If you do so you should be able to see the correct behaviour.

Right now you are falling back from static NAT to NAT overload because of the deny statement in the route-map's ACL.

For better troubleshooting, use a different ACL and a different route-map to modify the NAT overload statement.

Hope to help

Giuseppe
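The fallback Giuseppe describes, modelled as an added Python example (this is not IOS code and not anything either poster wrote): a static translation gated by a route-map ACL is checked first, and when that ACL denies the flow the router moves on to the dynamic overload statement and its own ACL. The addresses are the ones from this thread; 198.51.100.10 is a constructed "Internet" destination, and the rule-evaluation order is a simplification of what IOS does, kept only to show why the overload ACL needs its own deny for the VPN subnet.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of inside-source NAT selection: static entries (optionally
# gated by a route-map ACL) are tried first; if none applies, the dynamic
# "ip nat inside source list ... overload" statement is tried with its ACL.


def net(s: str) -> ipaddress.IPv4Network:
    """Build a network from 'a.b.c.d/len' (strict=False tolerates host bits)."""
    return ipaddress.ip_network(s, strict=False)


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def acl_permits(acl: List[AclEntry], src: ipaddress.IPv4Address,
                dst: ipaddress.IPv4Address) -> bool:
    """First matching entry wins; implicit deny at the end, as in IOS."""
    for e in acl:
        if src in e.src and dst in e.dst:
            return e.action == "permit"
    return False


@dataclass
class StaticNat:
    inside: str
    outside: str
    route_map_acl: Optional[List[AclEntry]] = None   # None = unconditional


@dataclass
class OverloadNat:
    acl: List[AclEntry]
    interface_addr: str


def translate(src: str, dst: str, statics: List[StaticNat],
              overload: OverloadNat) -> Tuple[str, str]:
    """Return (translated source address, rule that applied) for src -> dst."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s in statics:
        if src != s.inside:
            continue
        if s.route_map_acl is None or acl_permits(s.route_map_acl, src_ip, dst_ip):
            return s.outside, "static"
        # route-map ACL denied the flow: fall through to the dynamic statement
    if acl_permits(overload.acl, src_ip, dst_ip):
        return overload.interface_addr, "overload"
    return src, "none"


HOST = net("192.168.100.100/32")
LAN = net("192.168.100.0/24")
VPN_LAN = net("192.168.150.0/24")
ANY = net("0.0.0.0/0")

# NAT-RULE / NAT-MAP from the first post
STATICS = [StaticNat("192.168.100.100", "222.222.222.222",
                     [AclEntry("deny", HOST, VPN_LAN),
                      AclEntry("permit", HOST, ANY)])]

# Overload ACL "NAT" as posted later (deny to the VPN subnet, then permit any)
OVERLOAD_WITH_DENY = OverloadNat(
    [AclEntry("deny", LAN, VPN_LAN), AclEntry("permit", LAN, ANY)],
    "222.222.222.221")

# Same overload statement without the deny, the case Giuseppe warns about
OVERLOAD_NO_DENY = OverloadNat([AclEntry("permit", LAN, ANY)],
                               "222.222.222.221")


if __name__ == "__main__":
    for dst, ov in [("198.51.100.10", OVERLOAD_WITH_DENY),
                    ("192.168.150.10", OVERLOAD_WITH_DENY),
                    ("192.168.150.10", OVERLOAD_NO_DENY)]:
        print(dst, "->", translate("192.168.100.100", dst, STATICS, ov))
```

With the deny present in both ACLs, traffic from the host to the Internet gets the static address and traffic to the VPN subnet is left untranslated; drop the deny from the overload ACL and the VPN-bound flow is translated to the WAN interface address instead, which is the fallback the reply describes.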

I apologize for that.

There is a NAT rule on the WAN interface with overload:

ip nat inside source list NAT interface GigabitEthernet0/1 overload

Extended IP access list NAT
    10 deny ip 192.168.100.0 0.0.0.255 192.168.150.0 0.0.0.255 (43931028 matches)
    20 permit ip 192.168.100.0 0.0.0.255 any (7221351 matches)

I have the rule exclude any traffic from my LAN going to the VPN LAN, which works for all cases except for the static rule I'm trying to create.

Thoughts?
