12-30-2012 04:14 AM - edited 03-07-2019 10:50 AM
Hi all,
Please can anyone help me with this configuration?
I am connecting two ISP links, which are MPLS connections, to a single router so that the DMZ servers can be accessed from the remote clients.
My network design apart from my main network is
ISP1 connects to different clients and servers from ISP2, but the total 10.10.10.0 network should be accessible for both.
I enabled NAT for ISP1 and it is working fine, but now I have to connect to ISP2.
Now my difficulty is that I have to create subinterfaces for the two ISPs and perform NAT for them.
My doubt is: can I NAT a single network for two ISPs? Will it work?
Instead of a default route, can I configure a static route of the same subnet to two different ISP routers?
Please can anyone help me with this?
01-01-2013 01:18 PM
Hi Peter
Can you please comment on my earlier post?
Sent from Cisco Technical Support iPhone App
01-01-2013 02:27 PM
Hello,
Yes, sure - I apologize for responding late.
"1. The packet arrives at the router from the host with source IP as its own and destination as public IP."
Okay.
"2. The router looks up the routing table and does a route lookup; if it finds the route for the destination, it recurses to the exit interface... I need to know when the ip nat inside command comes into the picture. Is it before the routing or after the routing?"
In this case, the ip nat inside source command comes into the picture after the routing. Note that for NAT to kick in, the packet must go from an inside interface to an outside interface. The fact that the packet arrived through an inside interface is obvious - it's the interface through which the packet was received, assuming that the interface is configured with the ip nat inside command. However, how do we know which interface the packet is going to be routed out of? We first need to perform the routing table lookup to see which interface the packet should be forwarded out of. Only after this routing lookup do we know the egress interface, and we may then check whether that interface is configured with ip nat outside. So the simple rule here is: when a packet comes through an inside interface, we first perform a routing lookup to see if the packet is going to be sent out an outside interface. If so, we traverse the ip nat inside source commands and find the one that advises us how to create a translation entry in the NAT table.
"3. Now coming to the use of route-maps where we have multiple entries, i.e. to match the interface and then the access-list.
I want to know whether this route-map comes into the picture after the routing, that is, after deciding the exit interface?"
You are asking about the ip nat inside source route-map X command. Because this entire command is evaluated after the routing lookup, the route-map including all its internal tests (ACL, egress interface) is also evaluated only after the routing.
Best regards,
Peter
01-01-2013 11:22 PM
Hi Peter,
Thanks for the reply.
One last doubt regarding the route-map: you mean that in order for NAT to be performed, the route-map is evaluated with all the conditions.
So in the above scenario the NAT statement checks multiple conditions and performs the NAT?
I.e. it checks the access-list and then checks the exit interface, then applies the NAT.
Thanks
01-02-2013 02:44 AM
Hello,
"One last doubt regarding the route-map: you mean that in order for NAT to be performed, the route-map is evaluated with all the conditions. So in the above scenario the NAT statement checks multiple conditions and performs the NAT? I.e. it checks the access-list and then checks the exit interface, then applies the NAT."
Yes, this is correct. A route-map is basically a construct that allows you to match on several criteria within a single block of a route-map. The route-map I have used in the beginning of this thread (didn't make it into the final configuration though :) ) matched on two criteria: an ACL and an egress interface. In order for the block of the route-map to provide either a match or a non-match, both criteria have to be met, i.e. there is a logical AND: the packet must be permitted by the ACL AND the packet's egress interface must match the interface in the route-map's block. There is no obvious order of these comparisons - whether ACL first and egress interface second, or vice versa, because at the time of evaluating the route-map, both values are readily available, can be evaluated in any order and then combined in an AND operation.
So to put it plainly, when the ip nat inside source command using a route-map is being evaluated (after routing lookup in the routing table), the IOS hits the command, jumps to the route-map, performs matching on the ACL and on the egress interface (at this point, the order of matching does not matter) and then verifies if both matches were successful. If so, then the entire route-map block is considered as being matched, and the packet will be NATted according to this command.
Please feel welcome to ask further - I can understand that this topic can be a bit confusing.
Best regards,
Peter
Thanks
Sent from Cisco Technical Support iPad App
01-02-2013 02:56 AM
Hi Peter,
Thanks for your explanation, it makes sense now.
I assume that the route-map is created with a match-all statement rather than match-any.
Thanks
01-02-2013 04:14 AM
Hello,
"i assume that route-map is created with match-all statement than match-any."
That is true. Contrary to a class-map that can either be created as match-all or match-any, a route-map is principally always match-any. However, you may refer to multiple matches of the same type on the same line, which results in a logical OR rather than AND. Consider this route-map:
route-map Example permit 10
 match ip address 10 20 30
 match interface FastEthernet0/0 FastEthernet0/1
This route-map block produces a match when the packet matches ACL 10 or 20 or 30, and at the same time, it goes out through Fa0/0 or Fa0/1. So this is "match ACL 10 or 20 or 30" AND "match interface Fa0/0 or Fa0/1".
Best regards,
Peter
Sent from Cisco Technical Support iPad App
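The evaluation order described in this thread, modelled as an added example (not code from the thread or from Cisco): routing lookup first, then the inside/outside check, then the route-map with OR within one match line and AND across match lines. The Fa1/0 and Fa1/1 interfaces, the route prefixes and the ACL contents are constructed assumptions.

```python
import ipaddress

# Constructed sample data (assumptions, not taken from the thread).
NAT_ROLE = {"Fa0/0": "outside", "Fa0/1": "outside", "Fa1/0": "inside", "Fa1/1": None}
ROUTES = [("192.0.2.0/24", "Fa0/0"), ("198.51.100.0/24", "Fa0/1"),
          ("172.16.0.0/16", "Fa1/1")]
# Standard ACLs modelled as lists of permitted source prefixes.
ACLS = {10: ["10.10.10.0/25"], 20: ["10.10.10.128/25"], 30: ["10.10.20.0/24"]}

# Models: route-map Example permit 10
#          match ip address 10 20 30
#          match interface FastEthernet0/0 FastEthernet0/1
ROUTE_MAP = {"acls": [10, 20, 30], "interfaces": ["Fa0/0", "Fa0/1"]}

def route_lookup(dst):
    """Longest-prefix match; returns the egress interface or None."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, ifc in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None

def acl_permits(acl_id, src):
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in ACLS[acl_id])

def route_map_matches(rm, src, egress):
    acl_ok = any(acl_permits(a, src) for a in rm["acls"])  # OR within one line
    if_ok = egress in rm["interfaces"]                     # OR within one line
    return acl_ok and if_ok                                # AND across lines

def nat_decision(ingress, src, dst):
    egress = route_lookup(dst)            # routing happens before NAT is considered
    if egress is None:
        return "drop: no route"
    # NAT only applies to inside -> outside traffic.
    if NAT_ROLE.get(ingress) != "inside" or NAT_ROLE.get(egress) != "outside":
        return f"forward via {egress}, no NAT"
    # Only now is the route-map (ACL and egress interface) evaluated.
    if route_map_matches(ROUTE_MAP, src, egress):
        return f"translate, forward via {egress}"
    return f"forward via {egress}, no NAT"

if __name__ == "__main__":
    for src, dst in [("10.10.10.5", "192.0.2.9"), ("10.10.30.1", "192.0.2.9"),
                     ("10.10.10.5", "172.16.1.1")]:
        print(src, "->", dst, ":", nat_decision("Fa1/0", src, dst))
```

A packet that the ACLs permit but that is routed out a non-outside interface is forwarded untranslated, which is the case to check when traffic leaves with a private source address.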