Solved: Static Network NAT and Route-Maps

sganpat · ‎10-27-2010

I'm trying to set up a static network NAT, but only when trying to communicate to a particular host. This is in a test lab at the moment.

What I want to happen is that when a host on the 172.16.1.0/24 network tries to talk to 192.168.1.65 it would be static network natted to the respective IP in 192.168.2.0/24.

This is what I have so far:

!
!
interface FastEthernet0/0
ip address 192.168.1.151 255.255.255.0
ip nat outside
!
interface FastEthernet0/1
ip address 172.16.1.1 255.255.255.0
ip nat inside
!
ip nat inside source static network 172.16.1.0 192.168.2.0 /24 route-map NAT-TEST1
!
!
ip access-list extended NAT-LIST1
permit ip 172.16.1.0 0.0.0.255 host 192.168.1.65
!
route-map NAT-TEST1 permit 10
match ip address NAT-LIST1
!
!

But this is not working. The hosts are still passing without being natted. The access-list is being matched, but the route-map policy does not show as a match.

If I remove the route-map from the nat command, the static nat works fine.

Any ideas?

Jon Marshall · ‎10-27-2010

sganpat wrote:
I'm trying to set up a static network NAT, but only when trying to communicate to a particular host. This is in a test lab at the moment.
What I want to happen is that when a host on the 172.16.1.0/24 network tries to talk to 192.168.1.65 it would be static network natted to the respective IP in 192.168.2.0/24.
This is what I have so far:
!
!
interface FastEthernet0/0
ip address 192.168.1.151 255.255.255.0
ip nat outside
!
interface FastEthernet0/1
ip address 172.16.1.1 255.255.255.0
ip nat inside
!
ip nat inside source static network 172.16.1.0 192.168.2.0 /24 route-map NAT-TEST1
!
!
ip access-list extended NAT-LIST1
permit ip 172.16.1.0 0.0.0.255 host 192.168.1.65
!
route-map NAT-TEST1 permit 10
match ip address NAT-LIST1
!
!
But this is not working. The hosts are still passing without being natted. The access-list is being matched, but the route-map policy does not show as a match.
If I remove the route-map from the nat command, the static nat works fine.
Any ideas?

Have a look at this doc -

http://www.cisco.com/en/US/customer/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html

note that just under the Feature Overview is this note -

Note Network static support is not included in this feature

so you would have to do them one by one i'm afraid.

Jon

View solution in original post

adkumar_2 · ‎10-27-2010

Ping Outside using Source IP of 192.168.1.65.

Then get the output of "sh ip nat translations"

Jon Marshall · ‎10-27-2010

sganpat wrote:
I'm trying to set up a static network NAT, but only when trying to communicate to a particular host. This is in a test lab at the moment.
What I want to happen is that when a host on the 172.16.1.0/24 network tries to talk to 192.168.1.65 it would be static network natted to the respective IP in 192.168.2.0/24.
This is what I have so far:
!
!
interface FastEthernet0/0
ip address 192.168.1.151 255.255.255.0
ip nat outside
!
interface FastEthernet0/1
ip address 172.16.1.1 255.255.255.0
ip nat inside
!
ip nat inside source static network 172.16.1.0 192.168.2.0 /24 route-map NAT-TEST1
!
!
ip access-list extended NAT-LIST1
permit ip 172.16.1.0 0.0.0.255 host 192.168.1.65
!
route-map NAT-TEST1 permit 10
match ip address NAT-LIST1
!
!
But this is not working. The hosts are still passing without being natted. The access-list is being matched, but the route-map policy does not show as a match.
If I remove the route-map from the nat command, the static nat works fine.
Any ideas?

Have a look at this doc -

http://www.cisco.com/en/US/customer/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html

note that just under the Feature Overview is this note -

Note Network static support is not included in this feature

so you would have to do them one by one i'm afraid.

Jon

sganpat · ‎10-27-2010

Hi Jon,

I had looked at this document before and I missed that entire line. They should put a big "NOTE" at the side so you won't miss it. :-)

Sachin