Solved

IOS router route-map

Posted on 2011-09-14
Last Modified: 2012-05-12
Hi experts,

In an IOS router (2621 router on 12.2 code):

I currently have a route-map to do an inside address translation.
Would I be able to use that same route-map to do an outside address translation?

Example:

ip nat inside source static 10.10.10.10 60.60.60.60 route-map SNmap extendable

route-map SNmap permit 10
 match ip address SNnat

ip access-list extended SNnat
permit ip host 10.10.10.10 host 200.200.200.200

ip nat outside source static 200.200.200.200 100.100.100.100 route-map SNmap  

What I am trying to accomplish with this outside translation is when the remote side's 200.200.200.200 comes into my network to access 60.60.60.60, it changes to source from 100.100.100.100.
0
Question by:trojan81
7 Comments
 

Author Comment

by:trojan81
ID: 36540619
Forgot to mention this is an IPSEC tunnel.
Encryption domain is:
Local: 10.10.10.10
Remote: 200.200.200.200

I'm trying to do source and destination NATing.
0
 
LVL 17

Expert Comment

by:Marius Gunnerud
ID: 36541176
Could you please post a network diagram with interfaces and IP addresses of how you would like this to work?

Thanks
0
 
LVL 17

Expert Comment

by:Marius Gunnerud
ID: 36541212
Also have you configured ip nat inside and ip nat outside on the correct interfaces?
0
 
LVL 17

Accepted Solution

by:
Marius Gunnerud earned 1000 total points
ID: 36541772
Here is a possible setup you could use:

ROUTER1 ===== INTERNET ===== ROUTER2

ROUTER1
int fa0/0
description OUTSIDE INTERFACE
ip add 1.1.1.1 255.255.255.0
crypto map VPN
ip nat outside

int fa0/1
description INSIDE INTERFACE
ip add 200.200.200.200 255.255.255.0
ip nat inside

ip nat pool POOL 100.100.100.100 100.100.100.100 netmask 255.255.255.0
ip nat inside source list 101 pool POOL overload

access-list 101 permit ip 200.200.200.0 0.0.0.255 60.60.60.0 0.0.0.255

access-list 102 permit ip 200.200.200.0 0.0.0.255 60.60.60.0 0.0.0.255
access-list 102 permit ip host 100.100.100.100 60.60.60.0 0.0.0.255

crypto map VPN 5 ipsec-isakmp
match address 102


ROUTER2
int fa0/0
description OUTSIDE INTERFACE
ip add 5.5.5.5 255.255.255.0
crypto map VPN

int fa0/1
description INSIDE INTERFACE
ip add 60.60.60.60 255.255.255.0

crypto map VPN 5 ipsec-isakmp
match address 102

access-list 102 permit ip 60.60.60.0 0.0.0.255 host 100.100.100.100


Keep in mind you still need to have the significant traffic matched in the crypto map ACL in addition to the one that allows access to 100.100.100.100.
0
 
LVL 6

Assisted Solution

by:Sanjeevloke
Sanjeevloke earned 1000 total points
ID: 36541869
A question comes to my mind when a packet from outside 200.200.200.200 comes to access 10.10.10.10

That route-map won't work, as the ACL should be reversed.
ip access-list extended SNnat
permit ip host 200.200.200.200  host 10.10.10.10....

Your scenario is a bit confusing. I would suggest you create a GRE tunnel over IPsec and then route the traffic directly over GRE.
0
 

Assisted Solution

by:trojan81
trojan81 earned 0 total points
ID: 36543786
I apologize, I didn't explain it correctly and I made a mistake on stating what the encryption domain is:
Local: 60.60.60.60
Remote: 200.200.200.200

I solved the problem. I had to use a different route-map.

ip nat outside source static 200.200.200.200 100.100.100.100 route-map SNmap2 extendable

route-map SNmap2 permit 10
 match ip address SNnat2

ip access-list extended SNnat2
permit ip host 200.200.200.200 host 60.60.60.60

ip nat outside source static 200.200.200.200 100.100.100.100 route-map SNmap  
0
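An added example, not part of any post above and not Cisco code: a small Python evaluator for the extended-ACL entries quoted in this thread. It shows that the original route-map ACL SNnat does not match a packet arriving from 200.200.200.200 for 60.60.60.60 while SNnat2 does, and that on ROUTER1 in the accepted solution the crypto ACL is checked against the post-NAT source. The inside host 200.200.200.50 is a constructed sample address, and ACL 102's second entry is written with the `ip` keyword.

```python
import ipaddress

def ip_int(a):
    return int(ipaddress.IPv4Address(a))

def take_addr(tok):
    """Consume one IOS address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (ip_int(tok[1]), 0), tok[2:]
    return (ip_int(tok[0]), ip_int(tok[1])), tok[2:]

def parse_entry(line):
    """Parse 'permit|deny ip <src> <dst>', the only entry form in the thread."""
    tok = line.split()
    if tok[0] not in ("permit", "deny") or tok[1] != "ip":
        raise ValueError("unsupported ACL entry: " + line)
    src, rest = take_addr(tok[2:])
    dst, _ = take_addr(rest)
    return tok[0], src, dst

def hit(spec, ip):
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF          # wildcard bits set to 1 are ignored
    return (ip_int(ip) & care) == (addr & care)

def acl_permits(entries, src, dst):
    """First matching entry wins; no match means the implicit deny."""
    for line in entries:
        action, s, d = parse_entry(line)
        if hit(s, src) and hit(d, dst):
            return action == "permit"
    return False

# ACL entries taken from the thread.
SNNAT = ["permit ip host 10.10.10.10 host 200.200.200.200"]
SNNAT2 = ["permit ip host 200.200.200.200 host 60.60.60.60"]
ACL_101 = ["permit ip 200.200.200.0 0.0.0.255 60.60.60.0 0.0.0.255"]
ACL_102_FIRST = ["permit ip 200.200.200.0 0.0.0.255 60.60.60.0 0.0.0.255"]
ACL_102 = ACL_102_FIRST + ["permit ip host 100.100.100.100 60.60.60.0 0.0.0.255"]

def router1_outbound(src, dst, crypto_acl):
    """ROUTER1 inside-to-outside: NAT is applied before the crypto map check."""
    if acl_permits(ACL_101, src, dst):
        src = "100.100.100.100"        # single-address pool POOL, overload
    return src, acl_permits(crypto_acl, src, dst)
```

With only the first ACL 102 entry, the translated packet falls through to the implicit deny and is not selected for encryption, which is why the entry for host 100.100.100.100 is needed.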
 

Author Closing Comment

by:trojan81
ID: 36565453
.
0

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

886 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question