Cisco NAT – Cisco Static NAT with Route-Maps

cisconat;

Update:

Seems that route maps only match on IP addresses, not on the ports. Had another situation this week on a different device, model and software version. Ended up changing the NAT statements to:

ip nat inside source static tcp 192.168.1.20 3389 x.x.x.x 3389

I then restricted access based on an ACL rather than a route map. Would have been nice to define conditional NATing, but it seems it just doesn't work.

So we have a pretty standard NAT box setup to offer a hosted NAT solution for a number of customers.

Here is the basic topology:

Topology

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M3, RELEASE SOFTWARE (fc2)

The issue I have is to do with the route-map section of the NAT statements.

ip nat inside source static tcp 10.1.10.201 22 x.x.x.x 22 vrf Customer1-vrf route-map Customer1-portforwarding extendable

ip access-list extended Customer1-forwarding-acl
 permit tcp host 10.1.10.201 host a.a.a.a eq 22
 permit tcp host 10.1.10.201 host b.b.b.b eq 22

route-map Customer1-portforwarding permit 10
 match ip address Customer1-forwarding-acl

I believe I have the understanding of the route-map correct. It is meant to designate what is allowed to NAT and what isn't. I am basically trying to set it up to allow only translations from specific public source addresses. It doesn't seem to be doing that. It seems to be permitting translations from any public address.

I changed the ACL completely to a 'deny ip any any' statement and it still permits. I'm at a bit of a loss. It appears the route-map isn't doing anything.

Any help would be greatly appreciated!

Cheers,

Best Answer

i believe that the problem is in the VRF configuration itself , so please check the next
1. configure 'ip vrf forwarding Customer1-portforwarding' under interfaces involved in NAT (nat inside,nat outside interfaces)
2. if your access list will use the VRF routing table so you need to add 'set vrf Customer1-portforwarding' command under route-map configuration to make use of theVRF routing table
3. make your route-map more specific by set next hop
4. verify NATing by use 'sh ip nat translation' command

make use of those URLs
NAT over VRF
Route-map over VRF

Related Solutions

Cisco – route tags and policy routing alternatives – traffic engineering question

I am not 100% sure whether tags are carried in BGP updates but here is what I put together pretty quick:

enter image description here

Router "Static":

interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface Loopback1
 ip address 172.16.2.1 255.255.255.0

interface Ethernet0/1
 ip address 172.16.0.1 255.255.255.0
 half-duplex

ip route 0.0.0.0 0.0.0.0 172.16.0.2

Router R1:

interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.252
 half-duplex

interface Ethernet0/1
 ip address 172.16.0.2 255.255.255.0
 half-duplex

ip route 172.16.1.0 255.255.255.0 172.16.0.1 tag 20
ip route 172.16.2.0 255.255.255.0 172.16.0.1 tag 20

router eigrp 100
 redistribute static route-map MyRouteMap
 network 10.0.0.0 0.0.0.3
 no auto-summary

route-map MyRouteMap permit 10
 match tag 20

Router R2:

interface Ethernet0/0
 ip address 10.0.0.2 255.255.255.252
 half-duplex

interface Ethernet0/1
 ip address 10.0.0.5 255.255.255.252
 half-duplex

router eigrp 100
 network 10.0.0.0 0.0.0.3
 no auto-summary

router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 redistribute eigrp 100 route-map MyRouteMap
 neighbor 10.0.0.6 remote-as 65000
 neighbor 10.0.0.6 next-hop-self
 no auto-summary

route-map MyRouteMap permit 10
 match tag 20

R2#show ip route 172.16.1.0
Routing entry for 172.16.1.0/24
  Known via "eigrp 100", distance 170, metric 307200
  Tag 20, type external

Router R3:

interface Ethernet0/1
 ip address 10.0.0.6 255.255.255.252
 half-duplex

router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.0.0.5 remote-as 65000
 no auto-summary

R3#show ip bgp 172.16.1.0
BGP routing table entry for 172.16.1.0/24, version 3
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  Local
    10.0.0.5 from 10.0.0.5 (10.0.0.2)
      Origin incomplete, metric 307200, localpref 100, valid, internal, best

I hope this is what you were asking for.

Router – NAT translation thestery

This doesn't really answer my question why did NAT always use the 80th port as source port for outgoing traffic, but at least I figured out how to fix the problem.

I created an access list to match traffic from the mail server and also created a pool of one public address for it.

ip access-list extended 109
 !!! Restrict NAT for branch office destinations
 deny ip host 192.168.7.7. 192.168.0.0 0.0.255.255
 permit ip host 192.168.7.7 any
ip nat pool MAIL 198.51.100.7 198.51.100.7 prefix-length 27
ip nat inside source list 109 pool MAIL

And...Voilà! It now preserves the source port number as it sends traffic. And our mail is no longer blocked by some external MTA mail servers.

Update:

So now I tried reverting back to:

ip nat source static 192.168.7.7 198.51.100.7 route-map Deny_On_VPN

And it actually started to translate addresses and ports as expected - one to one. I don't really understand what the deal was with it, maybe a bug? Hopefully it will keep running like this from now on. I guess, I'll have a look at IOS release notes

Best Answer

Related Solutions

Cisco – route tags and policy routing alternatives – traffic engineering question

Router – NAT translation thestery

Update:

Related Topic