Solved

IOS router route-map

Posted on 2011-09-14
Last Modified: 2012-05-12
Hi experts,

In an IOS router (2621 router on 12.2 code):

I currently have a route-map to do an inside address translation.
Would I be able to use that same route-map to do an outside address translation?

Example:

ip nat inside source static 10.10.10.10 60.60.60.60 route-map SNmap extendable

route-map SNmap permit 10
 match ip address SNnat

ip access-list extended SNnat
permit ip host 10.10.10.10 host 200.200.200.200

ip nat outside source static 200.200.200.200 100.100.100.100 route-map SNmap  

What I am trying to accomplish with this outside translation is that when the remote side's 200.200.200.200 comes into my network to access 60.60.60.60, its source changes to 100.100.100.100.
Question by:trojan81

Author Comment

by:trojan81
ID: 36540619
Forgot to mention this is an IPSEC tunnel.
Encryption domain is:
Local: 10.10.10.10
Remote: 200.200.200.200

I'm trying to do source and destination NATing.

Expert Comment

by:MAG03
ID: 36541176
Could you please post a network diagram with interfaces and IP addresses of how you would like this to work?

Thanks

Expert Comment

by:MAG03
ID: 36541212
Also, have you configured ip nat inside and ip nat outside on the correct interfaces?

Accepted Solution

by:
MAG03 earned 250 total points
ID: 36541772
Here is a possible setup you could use:

ROUTER1 ===== INTERNET ===== ROUTER2

ROUTER1
int fa0/0
description OUTSIDE INTERFACE
ip add 1.1.1.1 255.255.255.0
crypto map VPN
ip nat outside

int fa0/1
description INSIDE INTERFACE
ip add 200.200.200.200 255.255.255.0
ip nat inside

ip nat pool POOL 100.100.100.100 100.100.100.100 netmask 255.255.255.0
ip nat inside source list 101 pool POOL overload

access-list 101 permit ip 200.200.200.0 0.0.0.255 60.60.60.0 0.0.0.255

access-list 102 permit ip 200.200.200.0 0.0.0.255 60.60.60.0 0.0.0.255
access-list 102 permit ip host 100.100.100.100 60.60.60.0 0.0.0.255

crypto map VPN 5 ipsec-isakmp
match address 102


ROUTER2
int fa0/0
description OUTSIDE INTERFACE
ip add 5.5.5.5 255.255.255.0
crypto map VPN

int fa0/1
description INSIDE INTERFACE
ip add 60.60.60.60 255.255.255.0

crypto map VPN 5 ipsec-isakmp
match address 102

access-list 102 permit ip 60.60.60.0 0.0.0.255 host 100.100.100.100


Keep in mind you still need to have the significant traffic matched in the crypto map ACL in addition to the one that allows access to 100.100.100.100.

Assisted Solution

by:Sanjeevloke
Sanjeevloke earned 250 total points
ID: 36541869
A question comes to my mind: when a packet from outside 200.200.200.200 comes to access 10.10.10.10,

that route-map won't work, as the ACL should be reversed:
ip access-list extended SNnat
permit ip host 200.200.200.200  host 10.10.10.10....

Your scenario is a bit confusing. I would suggest that you create a GRE tunnel over IPsec and then route the traffic directly over GRE.

Assisted Solution

by:trojan81
trojan81 earned 0 total points
ID: 36543786
I apologize; I didn't explain it correctly, and I made a mistake in stating what the encryption domain is:
Local: 60.60.60.60
Remote: 200.200.200.200

I solved the problem. I had to use a different route-map.

ip nat outside source static 200.200.200.200 100.100.100.100 route-map SNmap2 extendable

route-map SNmap2 permit 10
 match ip address SNnat2

ip access-list extended SNnat2
permit ip host 200.200.200.200 host 60.60.60.60

ip nat outside source static 200.200.200.200 100.100.100.100 route-map SNmap  
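
Added example (not part of the original thread or any poster's configuration): a small Python model of extended-ACL matching that checks the thread's SNnat and SNnat2 entries against a packet in each direction, showing why the outside translation needed its own route-map. It models only "permit|deny ip" source/destination matching with first-match-wins and implicit deny; the assumption, taken from the asker's working configuration, is that the route-map's ACL is compared with the packet as it arrives, before translation.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tokens):
    """Consume 'host A', 'any' or 'A WILDCARD'; return (address, wildcard) as ints."""
    head = tokens.pop(0)
    if head == "host":
        return _ip(tokens.pop(0)), 0
    if head == "any":
        return 0, 0xFFFFFFFF
    return _ip(head), _ip(tokens.pop(0))

def parse_ace(line):
    """Parse one 'permit|deny ip <src> <dst>' entry (the only form used in the thread)."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, dst = _take_addr(tokens), _take_addr(tokens)
    if tokens:
        raise ValueError(f"trailing tokens in ACE: {line!r}")
    return action, src, dst

def _hit(spec, ip):
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF          # wildcard bits set to 1 are "don't care"
    return (_ip(ip) & care) == (addr & care)

def acl_permits(acl_lines, src_ip, dst_ip):
    """First matching entry decides; no match means the implicit deny applies."""
    for action, src, dst in map(parse_ace, acl_lines):
        if _hit(src, src_ip) and _hit(dst, dst_ip):
            return action == "permit"
    return False

# ACL bodies copied from the thread.
SNNAT = ["permit ip host 10.10.10.10 host 200.200.200.200"]
SNNAT2 = ["permit ip host 200.200.200.200 host 60.60.60.60"]

# Constructed sample packets (source, destination), one per direction.
OUTBOUND = ("10.10.10.10", "200.200.200.200")   # inside host towards the remote side
INBOUND = ("200.200.200.200", "60.60.60.60")    # remote side towards the translated address

if __name__ == "__main__":
    for name, acl in (("SNnat", SNNAT), ("SNnat2", SNNAT2)):
        for label, pkt in (("outbound", OUTBOUND), ("inbound", INBOUND)):
            print(f"{name:7} {label:9} {pkt[0]} -> {pkt[1]}: "
                  f"{'match' if acl_permits(acl, *pkt) else 'no match'}")
```
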

Author Closing Comment

by:trojan81
ID: 36565453
.