Solved

IOS router route-map

Posted on 2011-09-14
7
510 Views
Last Modified: 2012-05-12
Hi experts,

In a IOS router (2621 router on 12.2 code):

I currently have a route-map to do an inside address translation.
Would I be able to use that same route-map to do an outside address translation?

Example:

ip nat inside source static 10.10.10.10 60.60.60.60 route-map SNmap extendable

route-map SNmap permit 10
 match ip address SNnat

ip access-list extended SNnat
permit ip host 10.10.10.10 host 200.200.200.200

ip nat outside source static 200.200.200.200 100.100.100.100 route-map SNmap  

What I am trying to accomplish with this outside translation is when the remote side's 200.200.200.200 comes into my network to access 60.60.60.60, it changes to source from 100.100.100.100.
0
Comment
Question by:trojan81
  • 3
  • 3
7 Comments
 

Author Comment

by:trojan81
ID: 36540619
Forgot to mention this is an IPSEC tunnnel.
Encryption domain is:
Local: 10.10.10.10
Remote: 200.200.200.200

I'm trying to do source and destination NATing.
0
 
LVL 17

Expert Comment

by:MAG03
ID: 36541176
could you please post a network diagram with interfaces and IP addresses of how you would like this to work.

thanks
0
 
LVL 17

Expert Comment

by:MAG03
ID: 36541212
Also have you configured ip nat inside and ip nat outside on the correct interfaces?
0
Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

 
LVL 17

Accepted Solution

by:
MAG03 earned 250 total points
ID: 36541772
Here is a possible setup you could use:

ROUTER1 ===== INTERNET ===== ROUTER2

ROUTER1
int fa0/0
description OUTSIDE INTERFACE
ip add 1.1.1.1 255.255.255.0
crypto map VPN
ip nat outside

int fa0/1
description INSIDE INTERFACE
ip add 200.200.200.200 255.255.255.0
ip nat inside

ip nat pool POOL 100.100.100.100 100.100.100.100 netmask 255.255.255.0
ip nat inside source list 101 pool POOL overload

access-list 101 permit ip 200.200.200.0 0.0.0.255 60.60.60.0 0.0.0.255

access-list 102 permit ip 200.200.200.0 0.0.0.255 60.60.60.0 0.0.0.255
access-list 102 permit host 100.100.100.100 60.60.60.0 0.0.0.255

crypto map VPN 5 ipsec-isakmp
match address 102


ROUTER2
int fa0/0
description OUTSIDE INTERFACE
ip add 5.5.5.5 255.255.255.0
crypto map VPN

int fa0/1
description INSIDE INTERFACE
ip add 60.60.60.60 255.255.255.0

crypto map VPN 5 ipsec-isakmp
match address 102

access-list 102 permit ip 60.60.60.0 0.0.0.255 host 100.100.100.100


Keep in mind you still need to have the significant traffic matched int the crypto map ACL in addition to the one that allows access to 100.100.100.100
0
 
LVL 6

Assisted Solution

by:Sanjeevloke
Sanjeevloke earned 250 total points
ID: 36541869
A question comes to my mind when a packet from outside 200.200.200.200 comes to access 10.10.10.10

that route-map wont work as ACL should be reverse.
ip access-list extended SNnat
permit ip host 200.200.200.200  host 10.10.10.10....

U r scenario is bit confusing ..i will suggest u to create a GRE tunnel over ipsec and then directly route the traffic over GRE...
0
 

Assisted Solution

by:trojan81
trojan81 earned 0 total points
ID: 36543786
I apologize, I didn't explain it correctly and I made a mistake on stating what the encryption domain is:
Local: 60.60.60.60
Remote: 200.200.200.200

I solved the problem. I had to use a different route-map.

ip nat outside source static 200.200.200.200 100.100.100.100 route-map SNmap2 extendable

route-map SNmap2 permit 10
 match ip address SNnat2

ip access-list extended SNnat2
permit ip host 200.200.200.200 host 60.60.60.60

ip nat outside source static 200.200.200.200 100.100.100.100 route-map SNmap  
0
 

Author Closing Comment

by:trojan81
ID: 36565453
.
0

Featured Post

Create the perfect environment for any meeting

You might have a modern environment with all sorts of high-tech equipment, but what makes it worthwhile is how you seamlessly bring together the presentation with audio, video and lighting. The ATEN Control System provides integrated control and system automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is a step by step guide on how to create a basic PTP link using Ubiquiti airOS devices. This guide can be used on the following Ubiquiti AirMAX devices. Nanostation, Bullets, AirBridge, Nanobeam, NanoBridge to name a few. Please review …
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question