08-16-2010 11:50 AM - edited 03-06-2019 12:30 PM
I have this configuration on one of my routers.
#ip nat inside source static 10.151.16.47 213.234.32.69 route-map ABC reversible
#sh route-map ABC
route-map ABC, permit, sequence 10
Match clauses:
ip address (access-lists): 102
Set clauses:
Policy routing matches: 0 packets, 0 byte
#sh access-lists 102
Extended IP access list 102
10 permit ip host 10.151.16.47 10.10.125.0 0.0.0.255 (140 matches)
20 permit ip host 10.151.16.47 10.10.126.0 0.0.0.255 (4 matches)
30 permit ip host 10.151.16.47 10.10.130.0 0.0.0.255 (11 matches)
40 permit ip host 10.151.16.47 10.10.131.0 0.0.0.255 (3 matches)
Network topology is (10.151.16.47 subnet, IP NAT Inside) gi 0/1 --> R 3825 ---> gi 0/0 (IP NAT Outside, 10.10.125/126/130/131.0 Subnet)
This is a reverse NAT, meaning destination NAT, but I am unable to understand how it works when someone from 10.10.125.0 accesses 10.151.16.47.
Could anybody explain, please? Thanks.
08-16-2010 02:02 PM
munawar.zeeshan wrote:
I have this configuration on one of my routers.
#ip nat inside source static 10.151.16.47 213.234.32.69 route-map ABC reversible
#sh route-map ABC
route-map ABC, permit, sequence 10
Match clauses:
ip address (access-lists): 102
Set clauses:
Policy routing matches: 0 packets, 0 bytes
#sh access-lists 102
Extended IP access list 102
10 permit ip host 10.151.16.47 10.10.125.0 0.0.0.255 (140 matches)
20 permit ip host 10.151.16.47 10.10.126.0 0.0.0.255 (4 matches)
30 permit ip host 10.151.16.47 10.10.130.0 0.0.0.255 (11 matches)
40 permit ip host 10.151.16.47 10.10.131.0 0.0.0.255 (3 matches)
Network topology is (10.151.16.47 subnet, IP NAT Inside) gi 0/1 --> R 3825 ---> gi 0/0 (IP NAT Outside, 10.10.125/126/130/131.0 Subnet)
This is a reverse NAT, meaning destination NAT, but I am unable to understand how it works when someone from 10.10.125.0 accesses 10.151.16.47.
Could anybody explain, please? Thanks.
It's only a destination NAT if the packets are originating from outside. If the packets are originating from the inside, it is a source NAT, i.e. the above statement means:
1) if the host 10.151.16.47 sends a packet to any of the 4 networks in acl 102 then the source address is changed to 213.234.32.69
and
2) if any host on the 4 networks in acl 102 sends a packet to 213.234.32.69 the destination address is changed to 10.151.16.47
Jon
08-16-2010 02:41 PM
Yes, that makes sense. Two more questions:
1- Is the above configuration OK? Do you see any issue in it?
2- So as you said, in the case of destination NAT, the ACL and the IP NAT INSIDE SOURCE STATIC... commands will be read in the reverse direction, right?
08-16-2010 02:44 PM
munawar.zeeshan wrote:
Yes, that makes sense. Two more questions:
1- Is the above configuration OK? Do you see any issue in it?
2- So as you said, in the case of destination NAT, the ACL and the IP NAT INSIDE SOURCE STATIC... commands will be read in the reverse direction, right?
1) Looks okay but then again depends on what you are trying to achieve. Difficult to say.
2) All NATs are source AND destination, it just depends on which direction the traffic is flowing. So yes, I guess you could say you can read your statement in reverse order to understand the destination side of it.
Jon
08-16-2010 02:49 PM
Great, thanks Jon. It helped a lot.
Good day,
08-16-2010 03:08 PM
Sorry, one more thing.
When a packet arrives at the router, will it first match the ACL, undergo NATing, or check routing? What will be the sequence of these three activities in the same scenario/config as mentioned before in my post?
Also, how will you read this NAT statement in both directions? The ACL IPs are not in the IP NAT statement. Can you please elaborate for me? Thanks in advance.
# ip nat inside source static 208.38.23.206 10.151.0.200 route-map XYZ reversible
#sh route-map XYZ
route-map forManila, permit, sequence 10
Match clauses:
ip address (access-lists): 104
Set clauses:
Policy routing matches: 0 packets, 0 bytes
#sh access-lists 104
Extended IP access list 104
10 permit ip 10.150.0.0 0.0.255.255 host 144.36.169.251 (425 matches)
20 permit ip 10.150.0.0 0.0.255.255 host 144.36.168.216
30 permit ip 10.150.0.0 0.0.255.255 host 144.36.175.18 (373144 matches)
40 permit ip 10.150.0.0 0.0.255.255 host 144.36.55.88
Message was edited by: munawar.zeeshan
08-16-2010 03:29 PM
It depends which direction the traffic is going, inside to outside, or outside to inside. Here is a document that covers both:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
-Kathy
08-17-2010 09:16 AM
Thanks Price, it was helpful.
Now waiting for a reply to my last query, as stated above too:
"How will you read this NAT statement in both directions? The ACL IPs are not in the IP NAT statement. Can you please elaborate for me? Thanks in advance.
# ip nat inside source static 208.38.23.206 10.151.0.200 route-map XYZ reversible
#sh route-map XYZ
route-map forXYZ, permit, sequence 10
Match clauses:
ip address (access-lists): 104
Set clauses:
Policy routing matches: 0 packets, 0 bytes
#sh access-lists 104
Extended IP access list 104
10 permit ip 10.150.0.0 0.0.255.255 host 144.36.169.251 (425 matches)
20 permit ip 10.150.0.0 0.0.255.255 host 144.36.168.216
30 permit ip 10.150.0.0 0.0.255.255 host 144.36.175.18 (373144 matches)
40 permit ip 10.150.0.0 0.0.255.255 host 144.36.55.88 "
08-17-2010 03:39 PM
That configuration shouldn't work. From inside to outside, a packet with source 208.38.23.206 will be checked against the route map and fail since the access-list doesn't match for 208.38.23.206 as a source IP. If you did have an ACL entry that matches the source IP of 208.38.23.206, it would also check the destination IP of the packet against the ACL in order as per usual ACL checks.
For outside to inside, a packet with destination 10.151.0.200 will be checked against the reverse of this access-list. It will fail since it doesn't match 10.151.0.200. If your ACL was changed to:
#sh access-lists 104
Extended IP access list 104
10 permit ip any host 144.36.169.251
20 permit ip any host 144.36.168.216
30 permit ip any host 144.36.175.18
40 permit ip any host 144.36.55.88
In this case then NAT would take place from inside to outside if the destination of the packet were any of the four 144.36.x.x hosts you have defined. From outside to inside, NAT would be successful if the source of the packet were one of these four IPs.
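To make the two-directional reading concrete, here is an added example (written for this page, not code from the thread or from Cisco) that models both configurations discussed above as a small Python simulator: Jon's reading of the first statement (inside-to-outside: the ACL is checked against the untranslated packet; outside-to-inside with `reversible`: the statement is read in reverse, with the inside local address standing in as ACL source and the outside packet's source as ACL destination), and Kathy's point that ACL 104 as posted never matches, while her `any`-source version does. The `AclEntry`, `Acl` and `StaticNat` classes, the ACL line parser and the sample packets are this example's own; the addresses and ACL lines are the ones posted in the thread, and the route-map is assumed to contain only the `match ip address` clause, as the posted route-maps do.

```python
import ipaddress

ANY = (0, 0xFFFFFFFF)  # IOS "any": address 0.0.0.0, wildcard 255.255.255.255 (all bits "don't care")

def ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def _addr_spec(tokens: list) -> tuple:
    """Consume one IOS address spec ('any' | 'host A' | 'A WILDCARD'); return (addr, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (ip(tokens.pop(0)), 0)
    return (ip(tok), ip(tokens.pop(0)))

class AclEntry:
    """One extended-ACL line, e.g. '10 permit ip host 10.151.16.47 10.10.125.0 0.0.0.255'."""

    def __init__(self, line: str):
        _seq, self.action, _proto, *tokens = line.split()   # only protocol 'ip' is modelled
        self.src, self.src_wc = _addr_spec(tokens)
        self.dst, self.dst_wc = _addr_spec(tokens)

    @staticmethod
    def _wild_match(addr: int, entry: int, wildcard: int) -> bool:
        care = ~wildcard & 0xFFFFFFFF          # wildcard bits set to 1 are ignored
        return (addr & care) == (entry & care)

    def matches(self, src: str, dst: str) -> bool:
        return (self._wild_match(ip(src), self.src, self.src_wc)
                and self._wild_match(ip(dst), self.dst, self.dst_wc))

class Acl:
    def __init__(self, lines):
        self.entries = [AclEntry(line) for line in lines]

    def permits(self, src: str, dst: str) -> bool:
        """First matching entry wins; implicit deny at the end, as in IOS."""
        for entry in self.entries:
            if entry.matches(src, dst):
                return entry.action == "permit"
        return False

class StaticNat:
    """'ip nat inside source static <inside_local> <inside_global> route-map R [reversible]',
    where route-map R contains only 'match ip address <acl>' (as in the posted route-maps)."""

    def __init__(self, inside_local: str, inside_global: str, acl: Acl, reversible: bool = True):
        self.inside_local, self.inside_global = inside_local, inside_global
        self.acl, self.reversible = acl, reversible

    def inside_to_outside(self, src: str, dst: str):
        """Translated source (inside global) for a packet from the inside, or None."""
        if src != self.inside_local:
            return None
        # The ACL is checked against the untranslated packet: ACL source = inside local.
        return self.inside_global if self.acl.permits(src, dst) else None

    def outside_to_inside(self, src: str, dst: str):
        """Translated destination (inside local) for a packet from the outside, or None."""
        if not self.reversible or dst != self.inside_global:
            return None
        # Assumption (Jon's reading): the statement is read in reverse, so the ACL source is
        # the inside local address and the ACL destination is the outside packet's source.
        return self.inside_local if self.acl.permits(self.inside_local, src) else None

# First configuration from the thread: route-map ABC matching ACL 102.
ACL_102 = Acl([
    "10 permit ip host 10.151.16.47 10.10.125.0 0.0.0.255",
    "20 permit ip host 10.151.16.47 10.10.126.0 0.0.0.255",
    "30 permit ip host 10.151.16.47 10.10.130.0 0.0.0.255",
    "40 permit ip host 10.151.16.47 10.10.131.0 0.0.0.255",
])
NAT_ABC = StaticNat("10.151.16.47", "213.234.32.69", ACL_102)

# Second configuration: ACL 104 as posted, and with Kathy's corrected entries.
ACL_104_POSTED = Acl([
    "10 permit ip 10.150.0.0 0.0.255.255 host 144.36.169.251",
    "20 permit ip 10.150.0.0 0.0.255.255 host 144.36.168.216",
    "30 permit ip 10.150.0.0 0.0.255.255 host 144.36.175.18",
    "40 permit ip 10.150.0.0 0.0.255.255 host 144.36.55.88",
])
ACL_104_FIXED = Acl([
    "10 permit ip any host 144.36.169.251",
    "20 permit ip any host 144.36.168.216",
    "30 permit ip any host 144.36.175.18",
    "40 permit ip any host 144.36.55.88",
])
NAT_XYZ_POSTED = StaticNat("208.38.23.206", "10.151.0.200", ACL_104_POSTED)
NAT_XYZ_FIXED = StaticNat("208.38.23.206", "10.151.0.200", ACL_104_FIXED)

if __name__ == "__main__":
    # Sample packets are constructed for this example (hosts inside the posted subnets).
    print("ABC in->out:", NAT_ABC.inside_to_outside("10.151.16.47", "10.10.125.9"))
    print("ABC out->in:", NAT_ABC.outside_to_inside("10.10.130.5", "213.234.32.69"))
    print("XYZ posted: ", NAT_XYZ_POSTED.inside_to_outside("208.38.23.206", "144.36.175.18"))
    print("XYZ fixed:  ", NAT_XYZ_FIXED.outside_to_inside("144.36.175.18", "10.151.0.200"))
```

The simulator only decides whether a translation applies; it does not model the router's order of operations that the earlier question asks about. In the Cisco document Kathy links, inside-to-outside traffic is routed before it is translated (so the routing lookup sees the inside local addresses), while outside-to-inside traffic is translated before it is routed (so the routing lookup sees the inside local destination that NAT produced). The one behavioural detail worth checking on a real box is the reverse-direction ACL match, which this example takes from Jon's reading; a quick `debug ip nat` with a test flow from one of the ACL's networks confirms which address the router actually evaluates as the ACL source.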