PBR and NAT on Same Interface

haithamnofal
Level 3

Hi,

I have a PBR and NAT configuration in one of the core switch interfaces as follows:

!
interface Vlan22
 ip address 172.24.22.251 255.255.255.0
 standby 22 ip 172.22.254
 standby 22 priority 110
 standby 22 preempt
 ip policy route-map PROXY
 ip nat inside
!
interface gig 3/48
 ip address 192.168.1.100 255.255.255.0
 ip nat outside
!
ip access-list extended PROXY
 permit tcp host 172.24.22.25 any eq 80
 permit tcp host 172.24.22.25 any eq 443
!
route-map PROXY permit 10
 match ip address PROXY
 set ip next-hop 192.168.1.1
!
ip nat inside source list PROXY interface G3/48 overload

What I am trying to do here is to direct the users on any VLAN to the Proxy inside VLAN (VLAN 22), and then direct the proxy traffic to a dedicated internet link that is connected to the core switch. However, a NAT rule needs to be applied first so that the internet modem sees the Proxy with a specific IP address.

I need to make sure the above configuration is workable and to understand which takes precedence over the other, PBR or NAT.

Appreciate your feedback.

Thanks,

Haitham

1 Reply

Jon Marshall
Hall of Fame

Haitham

"What I am trying to do here is to direct the users on any VLAN to the Proxy inside VLAN (VLAN 22),"

Presumably the config for this is not included in your post?

"and then direct the proxy traffic to a dedicated internet link that is connected to the core switch, however a NAT rule needs to be applied first so that the internet modem sees the Proxy with a specific IP address"

This should work fine. PBR is done before NAT, so the traffic will be routed out of the gi3/48 interface and then source NATted to 192.168.1.100. See this link for the order of operations on a Cisco router:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Jon
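
The order of operations described in the reply, modeled in Python as an added example (not part of the original thread and not Cisco code). It walks packets arriving on Vlan22 through policy routing and then inside source NAT using the addresses from the posted configuration. The `default-uplink` interface name and the `pbr_first=False` counterfactual are assumptions made for illustration.

```python
import ipaddress

# Values taken from the posted configuration.
PROXY_ACL = {("172.24.22.25", 80), ("172.24.22.25", 443)}  # permits in ACL PROXY
PBR_NEXT_HOP = "192.168.1.1"        # set ip next-hop
NAT_OUTSIDE_IF = "Gi3/48"           # ip nat outside
NAT_OUTSIDE_IP = "192.168.1.100"    # address of Gi3/48, used by "overload"
OUTSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
DEFAULT_IF = "default-uplink"       # assumption: normal routing exits elsewhere


def acl_permits(src, dport):
    """Extended ACL PROXY: match source host and TCP destination port."""
    return (src, dport) in PROXY_ACL


def egress_for(next_hop):
    """Pick the egress interface; the policy next hop sits on the Gi3/48 subnet."""
    if next_hop and ipaddress.ip_address(next_hop) in OUTSIDE_NET:
        return NAT_OUTSIDE_IF
    return DEFAULT_IF


def forward(src, dport, pbr_first=True):
    """Return (egress interface, source address on the wire) for a TCP packet
    received on Vlan22 (ip nat inside, ip policy route-map PROXY)."""
    if pbr_first:
        # Inside-to-outside order: policy routing sees the original source,
        # NAT runs afterwards and only when leaving the outside interface.
        next_hop = PBR_NEXT_HOP if acl_permits(src, dport) else None
        egress = egress_for(next_hop)
        if egress == NAT_OUTSIDE_IF and acl_permits(src, dport):
            return egress, NAT_OUTSIDE_IP
        return egress, src
    # Hypothetical reversed order: the route-map would be evaluated against the
    # translated source, so "match ip address PROXY" would no longer hit.
    translated = NAT_OUTSIDE_IP if acl_permits(src, dport) else src
    next_hop = PBR_NEXT_HOP if acl_permits(translated, dport) else None
    return egress_for(next_hop), translated


if __name__ == "__main__":
    # Constructed sample packets: (source, TCP destination port).
    for pkt in [("172.24.22.25", 80), ("172.24.22.25", 22), ("172.24.22.30", 443)]:
        print(pkt, "->", forward(*pkt))
```

Because the same ACL drives both the route-map and the NAT rule, only the proxy's own HTTP/HTTPS traffic is steered to Gi3/48 and translated; everything else from Vlan22 follows normal routing untranslated.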