
NAT with Route Maps

Mokhalil82
Level 4

Hi

I have done NATing on a router before and that seemed quite straightforward. I am just looking at some router config done by someone else, but I'm confused about why they have used route maps as part of the NAT configs. I would usually create an access list to permit the traffic and apply that access list to the ip nat inside statement. Can anyone explain why it has been configured this way? Thanks

interface GigabitEthernet0/1
 description INSIDE
 ip address 172.50.155.2 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 98.98.240.18 255.255.255.240
 ip nat outside
!
! The route-map name here must match the route-map definition below exactly
ip nat inside source route-map My-RMAP interface GigabitEthernet0/0 overload
!
! Flows matched by this ACL are excluded from translation by the deny clause of the route map
ip access-list extended No-NAT
 permit ip host 192.168.100.1 10.0.0.0 0.0.255.255
 permit tcp host 217.159.144.128 eq 22 any
!
route-map My-RMAP deny 10
 match ip address No-NAT
!
route-map My-RMAP permit 20
 match interface GigabitEthernet0/0

Accepted Solution

ghostinthenet
Level 7

NAT with route maps gives more granular control of the NAT tables. It's most commonly used where there are multiple Internet connections. The NAT statements for each connection can use the same ACL to define what is subject to NAT, but the tables can be differentiated by matching the outgoing interface in the route maps.

Route maps can also be used to make static NAT entries conditional so that only traffic matching the route map is subject to NAT and everything else is passed unmodified.

Sometimes, people who deal with these scenarios frequently (myself included) just get in the habit of using route maps all the time.

In this case, the route map is unnecessary and a bit overcomplicated. Instead of creating an ACL for what the router should perform NAT on, the configuration is creating one for what the router should not perform NAT on and then performing NAT on everything else.

Does the 192.168.100.1 host (or its network) or the 217.159.144.128 host exist on your LAN at this point?

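To make the two points in the accepted answer concrete, here is an added IOS example (not the original poster's config or the answerer's): first the single-ISP equivalent of the posted policy done with an ACL alone, then the dual-ISP case where the route maps actually earn their keep. The second outside interface, its address, the 192.168.100.0/24 inside network and all object names are assumptions for illustration. One caveat worth keeping in mind: a deny entry in a NAT ACL, or a deny clause in the route map, does not drop anything, it forwards the packet with its private source address unchanged, so the exemption only makes sense where the far end can route back to that address (a site-to-site VPN peer, for example). An exemption for an address that never appears on the inside, like the 217.159.144.128 host the poster later confirms is not on the LAN, is simply dead policy.

```cisco
! --- Variant 1: single ISP, no route map needed ---------------------------------
! In a NAT ACL, deny means "leave untranslated", permit means "translate".
! This is the same effect as the posted deny-10 / permit-20 route map with one
! fewer object to maintain.
ip access-list extended NAT-INSIDE
 remark VPN traffic to the remote 10.0.0.0/16 keeps its real source address
 deny   ip host 192.168.100.1 10.0.0.0 0.0.255.255
 permit ip 172.50.155.0 0.0.0.255 any
 permit ip 192.168.100.0 0.0.0.255 any
!
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
! --- Variant 2: two ISPs, one ACL, two route maps -------------------------------
! Both route maps reference the same ACL; "match interface" keys on the egress
! interface the packet is routed out of, so each ISP gets its own translations
! and its own overload address (that interface's IP). Without the route maps a
! single ACL-based statement could not tell the two outside interfaces apart.
interface GigabitEthernet0/1
 description INSIDE
 ip address 172.50.155.2 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0
 description OUTSIDE-ISP-A
 ip address 98.98.240.18 255.255.255.240
 ip nat outside
!
interface GigabitEthernet0/2
 description OUTSIDE-ISP-B (assumed second uplink and address)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
route-map NAT-ISP-A permit 10
 match ip address NAT-INSIDE
 match interface GigabitEthernet0/0
!
route-map NAT-ISP-B permit 10
 match ip address NAT-INSIDE
 match interface GigabitEthernet0/2
!
ip nat inside source route-map NAT-ISP-A interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-ISP-B interface GigabitEthernet0/2 overload
!
! --- Verification from exec mode ------------------------------------------------
! show ip nat translations        ! VPN flows should be absent; ISP flows present
! show ip nat statistics          ! hit counts per NAT statement
! show access-lists NAT-INSIDE    ! deny/permit match counters
! show route-map NAT-ISP-A        ! confirms which ACL and interface are matched
```

When reviewing a config like this, check the ACL and route-map counters while generating a known flow from the inside: an exempt flow should increment the deny entry and create no translation, and a translated flow should appear in the table with the egress interface's address as the inside global.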

4 Replies

Hello

Looks like the following won't be NATed and will be seen externally without a NATed address:

IP traffic between host 192.168.10.1 and 10.0.0.0/16
SSH traffic from host 217.158.144.128

Res,
Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul

We use route maps here to force our VPN traffic to bypass NATing. Everything else gets NATed.


Thanks for the replies. Yes that makes more sense now. The 192.168.100.1 host does exist on the LAN but the 217.159.144.128 does not.