Sunday, July 28, 2013

NAT route map

Question:

I'm trying to understand if this route-map NO_NAT setup is needed or a mistake.

There's a VPN-range NAT exemption that allows 192.168.10.0/24 and 192.168.254.0/24 to communicate, and it's applied to Gi0/0. So why would the same route-map need to be applied to the static NAT statements?

Thanks.

ip local pool vpnpool 192.168.254.100 192.168.254.200

ip nat inside source route-map NO_NAT interface GigabitEthernet0/0 overload

ip nat inside source static tcp 192.168.10.104 25 9.x.y.z 25 route-map NO_NAT extendable
ip nat inside source static tcp 192.168.10.104 80 9.x.y.z 80 route-map NO_NAT extendable
ip nat inside source static tcp 192.168.10.104 443 9.x.y.z 443 route-map NO_NAT extendable

ip nat inside source static tcp 192.168.10.185 805 9.x.y.z 805 extendable
ip nat inside source static tcp 192.168.10.186 806 9.x.y.z 806 extendable
ip nat inside source static tcp 192.168.10.111 810 9.x.y.z 810 extendable
ip nat inside source static tcp 192.168.10.187 850 9.x.y.z 850 extendable
ip nat inside source static tcp 192.168.10.126 5902 9.x.y.z 5902 extendable
ip nat inside source static udp 192.168.10.10 5901 9.x.y.z 5901 extendable

route-map NO_NAT permit 1
match ip address 125

access-list 125 deny   ip 192.168.10.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 125 permit ip 192.168.10.0 0.0.0.255 any

Answer:

I looked at your first post again and realized that you were asking for the reason for these three route-maps in the static NAT commands below; sorry I didn't notice that.

ip nat inside source static tcp 192.168.10.104 25 9.x.y.z 25 route-map NO_NAT extendable
ip nat inside source static tcp 192.168.10.104 80 9.x.y.z 80 route-map NO_NAT extendable
ip nat inside source static tcp 192.168.10.104 443 9.x.y.z 443 route-map NO_NAT extendable

To answer whether these three route-maps are necessary, I labbed it up and found that:

1. If I remove the route-map from the static NAT commands, then subnet 192.168.254.0/24 will no longer reach 192.168.10.104 on ports 25, 80, and 443. Debug shows that after traffic from 192.168.254.0/24 reaches 192.168.10.104, the source of the return traffic is NATted to the interface IP. That is to say, a host sends HTTP/port 25 traffic to 192.168.10.104, but gets the reply from another IP.

2. The reason for this is that the static NAT creates an additional NAT translation rule that is independent of the first rule applied on the interface, "ip nat inside source route-map NO_NAT interface GigabitEthernet0/0 overload", so that's why the route-map has to be applied again on the static NAT.
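To make the behaviour in the answer concrete, here is an added model (not code from the original post or from Cisco) of how a static NAT entry decides whether to translate the source of a reply leaving 192.168.10.104. It assumes a simplified NAT engine: a static entry whose route-map ACL denies the flow leaves the source untranslated, while one without a route-map always translates; 203.0.113.1 is a constructed placeholder for the 9.x.y.z global address, and 198.51.100.7 a constructed Internet client.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ n) & ~w == 0

# access-list 125 from the question: deny LAN -> VPN pool, permit LAN -> any.
ACL_125 = [
    ("deny",   "192.168.10.0", "0.0.0.255", "192.168.254.0", "0.0.0.255"),
    ("permit", "192.168.10.0", "0.0.0.255", "0.0.0.0",       "255.255.255.255"),
]

def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False

@dataclass
class StaticNat:
    inside_local: str
    proto: str
    port: int
    inside_global: str
    route_map_acl: Optional[list]   # None models a static entry without "route-map NO_NAT"

def translate_source(rule: StaticNat, proto: str, src: str, sport: int, dst: str) -> str:
    """Source address the outside sees for a reply sent by the inside host."""
    if proto != rule.proto or src != rule.inside_local or sport != rule.port:
        return src   # this static entry does not cover the flow
    if rule.route_map_acl is not None and not acl_permits(rule.route_map_acl, src, dst):
        return src   # route-map denies the flow: exempt from translation
    return rule.inside_global

def reply_source(with_route_map: bool, dst: str) -> str:
    """Reply from 192.168.10.104:25 towards dst, with or without the route-map."""
    rule = StaticNat("192.168.10.104", "tcp", 25, "203.0.113.1",
                     ACL_125 if with_route_map else None)   # 203.0.113.1 stands in for 9.x.y.z
    return translate_source(rule, "tcp", "192.168.10.104", 25, dst)
```

Without the route-map, a VPN client at 192.168.254.150 gets its SMTP reply from 203.0.113.1 instead of 192.168.10.104, which is exactly the broken flow the answer's debug showed; Internet clients are translated in both cases.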
