cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1829
Views
35
Helpful
7
Replies

Static Nat with Route-Map

jnewton83985
Level 1
Level 1

Wanting to make sure I understand this correctly. 

 

Static NAT:  ip nat inside source 192.168.10.111 6.1.1.111 route-map nonat

Route Map: nonat -> references ACL nat-test

ACL nat-test: deny ip 192.168.50.0 0.0.0.255 10.7.7.0 0.0.0.255

                      permit ip any any

 

I'm not sure what happens to the denied traffic in the ACL since it's applied to a 'route-map'.

 

 

1 Accepted Solution

Accepted Solutions

Hello


@jnewton83985 wrote:
Static NAT:  ip nat inside source 192.168.10.111 6.1.1.111 route-map nonat

Route Map: nonat -> references ACL nat-test

ACL nat-test: deny ip 192.168.50.0 0.0.0.255 10.7.7.0 0.0.0.255

                      permit ip any any

The above syntax isn’t the correct, It looks you want to use a static nat and append it to a 'route-map' so deny some communication however the ACL doesn’t relate to the inside local address (192.168.10.111) in the NAT statement.


With the below nat statement which is I believe it is something similar to your OP, then the rtr would match on the specific deny ace within the ACL and no nat translation would be made as such no communication would happen to/from the src/des hosts, all other traffic from that local host would be translated.


access-list 100 deny ip host 192.168.10.111 host 8.8.8.8
access-list 100 permit ip any any

route-map nonat
match ip address 100

ip nat inside source static 192.168.10.111 6.1.1.111 route-map nonat

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

7 Replies 7

Hello


@jnewton83985 wrote:
Static NAT:  ip nat inside source 192.168.10.111 6.1.1.111 route-map nonat

Route Map: nonat -> references ACL nat-test

ACL nat-test: deny ip 192.168.50.0 0.0.0.255 10.7.7.0 0.0.0.255

                      permit ip any any

The above syntax isn’t the correct, It looks you want to use a static nat and append it to a 'route-map' so deny some communication however the ACL doesn’t relate to the inside local address (192.168.10.111) in the NAT statement.


With the below nat statement which is I believe it is something similar to your OP, then the rtr would match on the specific deny ace within the ACL and no nat translation would be made as such no communication would happen to/from the src/des hosts, all other traffic from that local host would be translated.


access-list 100 deny ip host 192.168.10.111 host 8.8.8.8
access-list 100 permit ip any any

route-map nonat
match ip address 100

ip nat inside source static 192.168.10.111 6.1.1.111 route-map nonat

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

here ACL used for match or not match and nor for drop traffic or not.
when the traffic is match the packet will NAT and if not match then it will not NAT it will send without NAT.

I agree that the syntax presented in the original post is puzzling. It appears that the route map will be used to control nat. In my experience a route map to control nat has been used with dynamic nat. I am not clear what they are wanting to do with static nat. Perhaps if we could see how the route map was applied we might get a better understanding.

But the main part of the question is quite clear "I'm not sure what happens to the denied traffic in the ACL" Clearly the original poster is thinking of the operation of access list when it is applied to an interface to filter data traffic (and a packet that is denied is dropped). In this case the access list is used to control nat. A packet that is denied will not be translated (but will still be forwarded).

 

HTH

Rick

Hello @MHM Cisco World @Richard Burts 


. A packet that is denied will not be translated (but will still be forwarded).

not NAT it will send without NAT.


Totllay agree - However in the above the OP you can see the inside global addressing is public routable and the inside local host isn’t so in this instance no translation will occur subject to the deny ace in the acl but traffic won’t be forwarded due the RFC 1918 non routable local addressing.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Paul's point is well taken. I do not understand the environment of the original post well enough to discuss things about it, and so my response addresses the general situation. But Paul may very well be correct that the local traffic wold not be forwarded in this particular situation.

HTH

Rick

jnewton83985
Level 1
Level 1

Thank you all for helping me with this as I also was perplexed when I saw this. This was in place on a 2911 router that sits behind a firewall. Another tech configured this. What I struggled with was the ACE entries with a destination subnet not applicable to the NAT entry and how the route map would process traffic. I assumed it would either NAT or not NAT rather then drop but was not certain. Based off the ACE entries, it’s safe to assume this is not configured correctly. 

There are things about the environment that we do not know and which might impact our advice, particularly what are subnets 192.168.50.0 and 10.7.7.0 and do they have any relationship to this router? The route map has a match for nonat, does it have any other match statement? Does the route map have a single stanza or is there more than one? But based on what we know so far it is pretty safe to say that it is not configured correctly.

You said " I assumed it would either NAT or not NAT rather then drop but was not certain." You are correct about that.

HTH

Rick
Review Cisco Networking for a $25 gift card