12-16-2021 01:21 PM - last edited on 12-20-2021 11:07 PM by Translator
Wanting to make sure I understand this correctly.
Static NAT: ip nat inside source 192.168.10.111 6.1.1.111 route-map nonat
Route Map: nonat -> references ACL nat-test
ACL nat-test: deny ip 192.168.50.0 0.0.0.255 10.7.7.0 0.0.0.255
permit ip any any
I'm not sure what happens to the denied traffic in the ACL since it's applied to a 'route-map'.
12-16-2021 03:33 PM - last edited on 12-20-2021 11:10 PM by Translator
Hello
@jnewton83985 wrote:
Static NAT: ip nat inside source 192.168.10.111 6.1.1.111 route-map nonat
Route Map: nonat -> references ACL nat-test
ACL nat-test: deny ip 192.168.50.0 0.0.0.255 10.7.7.0 0.0.0.255
permit ip any any
The above syntax isn’t correct. It looks like you want to use a static NAT and append a 'route-map' to it so as to deny some communication; however, the ACL doesn’t relate to the inside local address (192.168.10.111) in the NAT statement.
With the NAT statement below, which I believe is similar to your OP, the router would match on the specific deny ACE within the ACL and no NAT translation would be made, so no communication would happen to/from the src/dst hosts; all other traffic from that local host would be translated.
access-list 100 deny ip host 192.168.10.111 host 8.8.8.8
access-list 100 permit ip any any
route-map nonat
match ip address 100
ip nat inside source static 192.168.10.111 6.1.1.111 route-map nonat
12-17-2021 12:54 PM
Here the ACL is used for match or no match, and not for whether to drop traffic or not.
When the traffic matches, the packet will be NATed; if it does not match, it will not be NATed and will be sent without NAT.
12-18-2021 06:50 AM
I agree that the syntax presented in the original post is puzzling. It appears that the route map will be used to control nat. In my experience a route map to control nat has been used with dynamic nat. I am not clear what they are wanting to do with static nat. Perhaps if we could see how the route map was applied we might get a better understanding.
But the main part of the question is quite clear: "I'm not sure what happens to the denied traffic in the ACL". Clearly the original poster is thinking of the operation of an access list when it is applied to an interface to filter data traffic (and a packet that is denied is dropped). In this case the access list is used to control NAT. A packet that is denied will not be translated (but will still be forwarded).
12-18-2021 08:10 AM
Hello @MHM Cisco World @Richard Burts
@Richard Burts wrote: A packet that is denied will not be translated (but will still be forwarded).
@MHM Cisco World wrote: if not match then it will not NAT it will send without NAT.
Totally agree. However, in the OP above you can see the inside global addressing is publicly routable and the inside local host isn’t, so in this instance no translation will occur subject to the deny ACE in the ACL, but traffic won’t be forwarded due to the RFC 1918 non-routable local addressing.
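To make the distinction in the replies above concrete (an ACL referenced by a NAT route-map decides translate/don't translate, while the same ACL on an interface decides forward/drop, and an untranslated RFC 1918 source still leaves the router), here is a small constructed model. It is added example code, not anything from Cisco IOS or from this thread; the ACL parsing, the NAT decision function and the packet addresses are assumptions built from the configs quoted in the thread.

```python
import ipaddress
# Constructed model of the ACL and static NAT in Paul's reply above (not Cisco code).
ACL_100 = [
    "access-list 100 deny ip host 192.168.10.111 host 8.8.8.8",
    "access-list 100 permit ip any any",
]
INSIDE_LOCAL, INSIDE_GLOBAL = "192.168.10.111", "6.1.1.111"
def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Cisco wildcard: 0 bits must match, so the subnet mask is the inverted wildcard.
    mask = ~int(ipaddress.ip_address(tokens[i + 1])) & 0xFFFFFFFF
    net = ipaddress.ip_network((tokens[i], str(ipaddress.ip_address(mask))), strict=False)
    return net, i + 2

def parse_acl(lines):
    """Return [(action, src_net, dst_net), ...]; accepts numbered or named-ACL 'ip' entries."""
    aces = []
    for line in lines:
        t = line.split()
        a = next(k for k, w in enumerate(t) if w in ("permit", "deny"))  # t[a + 1] is 'ip'
        src, i = _parse_addr(t, a + 2)
        dst, _ = _parse_addr(t, i)
        aces.append((t[a], src, dst))
    return aces

def acl_lookup(aces, src, dst):
    """First-match evaluation; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in aces:
        if s in snet and d in dnet:
            return action
    return "deny"

def interface_filter(aces, src, dst):
    """Same ACL applied with 'ip access-group' on an interface: deny drops the packet."""
    return "forward" if acl_lookup(aces, src, dst) == "permit" else "drop"

def nat_route_map(aces, src, dst):
    """ACL referenced by the NAT route-map: deny means 'do not translate', never 'drop'."""
    if src != INSIDE_LOCAL:
        return src, "not subject to this static NAT"
    if acl_lookup(aces, src, dst) == "permit":
        return INSIDE_GLOBAL, "translated and forwarded"
    if ipaddress.ip_address(src).is_private:   # Paul's caveat: RFC 1918 source leaves untranslated
        return src, "forwarded untranslated (private source, not routable upstream)"
    return src, "forwarded untranslated"
```

Running the OP's own ACL (deny 192.168.50.0/24 to 10.7.7.0/24) through `parse_acl` and `acl_lookup` with source 192.168.10.111 shows the deny ACE never matches the NAT host, which is why the replies call that configuration incorrect.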
12-18-2021 08:50 AM
Paul's point is well taken. I do not understand the environment of the original post well enough to discuss things about it, and so my response addresses the general situation. But Paul may very well be correct that the local traffic would not be forwarded in this particular situation.
12-18-2021 11:00 AM
Thank you all for helping me with this, as I also was perplexed when I saw this. This was in place on a 2911 router that sits behind a firewall. Another tech configured this. What I struggled with was the ACE entries with a destination subnet not applicable to the NAT entry and how the route map would process traffic. I assumed it would either NAT or not NAT rather than drop, but was not certain. Based off the ACE entries, it’s safe to assume this is not configured correctly.
12-18-2021 11:57 AM
There are things about the environment that we do not know and which might impact our advice, particularly what are subnets 192.168.50.0 and 10.7.7.0 and do they have any relationship to this router? The route map has a match for nonat, does it have any other match statement? Does the route map have a single stanza or is there more than one? But based on what we know so far it is pretty safe to say that it is not configured correctly.
You said "I assumed it would either NAT or not NAT rather than drop but was not certain." You are correct about that.