PG1X WIKI

My Knowledge Base


Cisco: NAT: Static NAT: route-map

infrastructure-services.nat.static.route-map.9ba85799

Memo

  1. Inside Local will translate
  2. Inside Global will translate
  3. Outside Local will translate
  4. Outside Global will translate

Static NAT route-map Lab

Base Configuration

Common Configuration Snippet

R1

server-0

server-1

server-2

Configure ip nat outside source b78c4787-5b45-4b67-b535-10e996dc6803

configure terminal
!
interface GigabitEthernet0/0
 ip nat inside
interface GigabitEthernet0/1
 ip nat outside
interface GigabitEthernet0/2
 ip nat outside
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 102 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 102 permit ip 172.16.1.0 0.0.0.255 any
!
route-map RM-NETWORK-2 permit 10
 match ip address 101
route-map RM-NETWORK-ANY permit 10
 match ip address 102
!
ip nat inside source static 172.16.1.200 172.16.2.100 route-map RM-NETWORK-2
ip nat inside source static 172.16.1.200 172.16.3.100 route-map RM-NETWORK-ANY
!
end
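
Check the translation table on R1:

show ip nat translation

Packet capture filter (BPF syntax):

(arp or icmp) and net 172.16.0.0/16

Test pings from the inside host 172.16.1.200:

ping 172.16.2.201 -c4
ping 172.16.3.202 -c4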
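
Added example (not part of the original lab notes): a small Python model of how the two route-maps in the configuration above select the inside global address for 172.16.1.200 by destination, using the page's ACL 101 and 102 entries. It also evaluates ACL 102 as it was first typed in the Verification session (deny with source 172.16.2.0), where both route-maps match traffic to 172.16.2.0/24. All function names are hypothetical, and which rule IOS applies on such an overlap is not modeled.

```python
from ipaddress import IPv4Address as IP

def wc_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    care = ~int(IP(wildcard)) & 0xFFFFFFFF
    return (int(IP(addr)) & care) == (int(IP(base)) & care)

def acl_permits(acl, src, dst):
    """First matching entry decides; no match is the implicit deny."""
    for action, (s, s_wc), (d, d_wc) in acl:
        if wc_match(src, s, s_wc) and wc_match(dst, d, d_wc):
            return action == "permit"
    return False

# Entries copied from the page's access-list lines.
NET1 = ("172.16.1.0", "0.0.0.255")
NET2 = ("172.16.2.0", "0.0.0.255")
ANY = ("0.0.0.0", "255.255.255.255")
ACL_101 = [("permit", NET1, NET2)]
ACL_102 = [("deny", NET1, NET2), ("permit", NET1, ANY)]
# ACL 102 as first typed in the Verification session (deny source 172.16.2.0).
ACL_102_MISTYPED = [("deny", NET2, NET2), ("permit", NET1, ANY)]

def static_rules(acl_102):
    """(inside local, inside global, ACL of the route-map) per ip nat line."""
    return [("172.16.1.200", "172.16.2.100", ACL_101),   # RM-NETWORK-2
            ("172.16.1.200", "172.16.3.100", acl_102)]   # RM-NETWORK-ANY

def candidates(src, dst, acl_102=ACL_102):
    """Inside global addresses whose route-map permits the flow src -> dst."""
    return [glob for local, glob, acl in static_rules(acl_102)
            if src == local and acl_permits(acl, src, dst)]

def audit(destinations, acl_102=ACL_102, src="172.16.1.200"):
    """Destinations that match no static rule or more than one (model only)."""
    findings = {}
    for dst in destinations:
        hits = candidates(src, dst, acl_102)
        if len(hits) != 1:
            findings[dst] = hits
    return findings

if __name__ == "__main__":
    probes = ["172.16.2.201", "172.16.3.202"]   # ping targets from the page
    for dst in probes:
        print(dst, "->", candidates("172.16.1.200", dst))
    print("overlap with mistyped ACL 102:", audit(probes, ACL_102_MISTYPED))
```

Running the audit against a planned ACL change before applying it shows whether the deny entry still keeps the two static rules mutually exclusive.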

Verification

R1#sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         172.16.1.1      YES TFTP   up                    up      
GigabitEthernet0/1         172.16.2.1      YES TFTP   up                    up      
GigabitEthernet0/2         172.16.3.1      YES TFTP   up                    up      
GigabitEthernet0/3         unassigned      YES TFTP   administratively down down    
R1#ping 172.16.1.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/5 ms
R1#ping 172.16.2.201
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.201, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/2 ms
R1#ping 172.16.2.203
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.203, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 172.16.2.203
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.203, timeout is 2 seconds:
.
Success rate is 0 percent (0/1)
R1#ping 172.16.2.201
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.201, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/4 ms
R1#ping 172.16.3.202
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.202, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/6 ms
R1#ping 172.16.1.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int gig0/0
R1(config-if)#ip nat inside
R1(config-if)#
*Apr  3 06:44:20.078: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R1(config-if)#int gig0/1
R1(config-if)#ip nat outside
R1(config-if)#int gig0/2
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#acc
R1(config)#$ 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255         
R1(config)#$ 102 permit ip 172.16.1.0 0.0.0.255 an                            
R1(config)#access-list 102 permit ip 172.16.1.0 0.0.0.255 any ?
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  option      Match packets with given IP Options value
  precedence  Match packets with given precedence value
  time-range  Specify a time-range
  tos         Match packets with given TOS value
  ttl         Match packets with given TTL value
  <cr>        <cr>

R1(config)#access-list 102 permit ip 172.16.1.0 0.0.0.255 any 
R1(config)#route-ma
R1(config)#route-map RM-NETWORK-2 permit 10
R1(config-route-map)#mat
R1(config-route-map)#match ip
R1(config-route-map)#match ip add
R1(config-route-map)#match ip address 101
R1(config-route-map)#route-map RM-NETWORK-ANY permit 10
R1(config-route-map)#mat 
R1(config-route-map)#match ip add
R1(config-route-map)#match ip address 102
R1(config-route-map)#exit
R1(config)#ip nat
R1(config)#ip nat insi
R1(config)#ip nat inside sou
R1(config)#ip nat inside source sta
R1(config)#ip nat inside source static 172.16.1.200 172.16.2.100 route-map ?
  WORD  Route-map name

R1(config)#$de source static 172.16.1.200 172.16.2.100 route-map RM-NETWORK-2
R1(config)#$static 172.16.1.200 172.16.3.100 route-map RM-NETWORK-ANY        
R1(config)#no acc
R1(config)#no access-list 102
R1(config)#acce
R1(config)#access-list 102 den
R1(config)#access-list 102 deny ip 172.16.2.0 0.0.0.255 172.16.2.0 0.0.0.255
R1(config)#acc
R1(config)#access-list 102 per
R1(config)#access-list 102 permit ip 172.16.1.0 0.0.0.255 any
R1(config)#no ip nat inside source static 172.16.1.200 172.16.3.100 route-map $
R1(config)#$static 172.16.1.200 172.16.3.100 route-map RM-NETWORK-ANY          
R1(config)#no ip nat inside source static 172.16.1.200 172.16.2.100 route-map $
R1(config)#$de source static 172.16.1.200 172.16.2.100 route-map RM-NETWORK-2  
R1(config)#do sh ip nat transl
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.16.2.100:17156 172.16.1.200:17156 172.16.2.201:17156 172.16.2.201:17156
icmp 172.16.3.100:17412 172.16.1.200:17412 172.16.3.202:17412 172.16.3.202:17412
--- 172.16.2.100       172.16.1.200       ---                ---
--- 172.16.3.100       172.16.1.200       ---                ---
R1(config)#do sh acc
R1(config)#do sh access-li
R1(config)#do sh access-lists 
Extended IP access list 101
    10 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 (1 match)
Extended IP access list 102
    10 deny ip 172.16.2.0 0.0.0.255 172.16.2.0 0.0.0.255
    20 permit ip 172.16.1.0 0.0.0.255 any (1 match)
R1(config)#do sh route-map
route-map RM-NETWORK-ANY, permit, sequence 10
  Match clauses:
    ip address (access-lists): 102 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map RM-NETWORK-2, permit, sequence 10
  Match clauses:
    ip address (access-lists): 101 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
R1(config)#acc  
R1(config)#access-list ex  
R1(config)#access-list exte
R1(config)#ip acce         
R1(config)#ip access-list exte
R1(config)#ip access-list extended 102
R1(config-ext-nacl)#no 10
R1(config-ext-nacl)#?  
Ext Access List configuration commands:
  <1-2147483647>  Sequence Number
  default         Set a command to its defaults
  deny            Specify packets to reject
  dynamic         Specify a DYNAMIC list of PERMITs or DENYs
  evaluate        Evaluate an access list
  exit            Exit from access-list configuration mode
  no              Negate a command or set its defaults
  permit          Specify packets to forward
  remark          Access list entry comment

R1(config-ext-nacl)#10 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
R1(config-ext-nacl)#do sh access-lists
Extended IP access list 101
    10 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 (1 match)
Extended IP access list 102
    10 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
    20 permit ip 172.16.1.0 0.0.0.255 any (1 match)
R1(config-ext-nacl)#exit
R1(config)#do sh nat trans
%NAT64: feature not configured
R1(config)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 172.16.2.100       172.16.1.200       ---                ---
--- 172.16.3.100       172.16.1.200       ---                ---
R1(config)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.16.3.100:25860 172.16.1.200:25860 172.16.3.202:25860 172.16.3.202:25860
--- 172.16.2.100       172.16.1.200       ---                ---
--- 172.16.3.100       172.16.1.200       ---                ---
R1(config)#do sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.16.3.100:25860 172.16.1.200:25860 172.16.3.202:25860 172.16.3.202:25860
icmp 172.16.2.100:26372 172.16.1.200:26372 172.16.2.201:26372 172.16.2.201:26372
--- 172.16.2.100       172.16.1.200       ---                ---
--- 172.16.3.100       172.16.1.200       ---                ---
R1(config)#do sh acce
R1(config)#do sh access-li
R1(config)#do sh access-lists 
Extended IP access list 101
    10 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 (3 matches)
Extended IP access list 102
    10 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
    20 permit ip 172.16.1.0 0.0.0.255 any (2 matches)
R1(config)#do sh route-map
route-map RM-NETWORK-ANY, permit, sequence 10
  Match clauses:
    ip address (access-lists): 102 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map RM-NETWORK-2, permit, sequence 10
  Match clauses:
    ip address (access-lists): 101 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
R1(config)#end
R1#sh ip 
*Apr  3 07:13:35.839: %SYS-5-CONFIG_I: Configured from console by console
R1#sh ip ro
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 8 subnets, 2 masks
C        172.16.1.0/24 is directly connected, GigabitEthernet0/0
L        172.16.1.1/32 is directly connected, GigabitEthernet0/0
C        172.16.2.0/24 is directly connected, GigabitEthernet0/1
L        172.16.2.1/32 is directly connected, GigabitEthernet0/1
L        172.16.2.100/32 is directly connected, GigabitEthernet0/1
C        172.16.3.0/24 is directly connected, GigabitEthernet0/2
L        172.16.3.1/32 is directly connected, GigabitEthernet0/2
L        172.16.3.100/32 is directly connected, GigabitEthernet0/2
R1#

Packet Captures

  1. infrastructure-services.nat.static.route-map.9ba85799.b78c4787.lab1.r1ge0-0_server-0-eth0.pcapng
  2. infrastructure-services.nat.static.route-map.9ba85799.b78c4787.lab1.r1ge0-1_server-1-eth0.pcapng
  3. infrastructure-services.nat.static.route-map.9ba85799.b78c4787.lab1.r1ge0-2_server-2-eth0.pcapng

tech/network/cisco/infrastructure-services/nat/route-map/route-map.txt · Last modified: 2021/04/03 16:26 by wnoguchi