Solved

IOS router route-map

Posted on 2011-09-14
Last Modified: 2012-05-12
Hi experts,

In an IOS router (2621 router on 12.2 code):

I currently have a route-map to do an inside address translation.
Would I be able to use that same route-map to do an outside address translation?

Example:

ip nat inside source static 10.10.10.10 60.60.60.60 route-map SNmap extendable

route-map SNmap permit 10
 match ip address SNnat

ip access-list extended SNnat
permit ip host 10.10.10.10 host 200.200.200.200

ip nat outside source static 200.200.200.200 100.100.100.100 route-map SNmap  

What I am trying to accomplish with this outside translation is that when the remote side's 200.200.200.200 comes into my network to access 60.60.60.60, it changes to be sourced from 100.100.100.100.
Question by:trojan81

Author Comment

by:trojan81
ID: 36540619
Forgot to mention this is an IPSEC tunnel.
Encryption domain is:
Local: 10.10.10.10
Remote: 200.200.200.200

I'm trying to do source and destination NATing.

Expert Comment

by:MAG03
ID: 36541176
Could you please post a network diagram with interfaces and IP addresses of how you would like this to work?

Thanks

Expert Comment

by:MAG03
ID: 36541212
Also, have you configured ip nat inside and ip nat outside on the correct interfaces?

Accepted Solution

by:
MAG03 earned 250 total points
ID: 36541772
Here is a possible setup you could use:

ROUTER1 ===== INTERNET ===== ROUTER2

ROUTER1
int fa0/0
description OUTSIDE INTERFACE
ip add 1.1.1.1 255.255.255.0
crypto map VPN
ip nat outside

int fa0/1
description INSIDE INTERFACE
ip add 200.200.200.200 255.255.255.0
ip nat inside

ip nat pool POOL 100.100.100.100 100.100.100.100 netmask 255.255.255.0
ip nat inside source list 101 pool POOL overload

access-list 101 permit ip 200.200.200.0 0.0.0.255 60.60.60.0 0.0.0.255

access-list 102 permit ip 200.200.200.0 0.0.0.255 60.60.60.0 0.0.0.255
access-list 102 permit ip host 100.100.100.100 60.60.60.0 0.0.0.255

crypto map VPN 5 ipsec-isakmp
match address 102


ROUTER2
int fa0/0
description OUTSIDE INTERFACE
ip add 5.5.5.5 255.255.255.0
crypto map VPN

int fa0/1
description INSIDE INTERFACE
ip add 60.60.60.60 255.255.255.0

crypto map VPN 5 ipsec-isakmp
match address 102

access-list 102 permit ip 60.60.60.0 0.0.0.255 host 100.100.100.100


Keep in mind you still need to have the significant traffic matched in the crypto map ACL, in addition to the one that allows access to 100.100.100.100.

Assisted Solution

by:Sanjeevloke
Sanjeevloke earned 250 total points
ID: 36541869
A question comes to my mind when a packet from outside 200.200.200.200 comes to access 10.10.10.10:

That route-map won't work, as the ACL should be reversed.
ip access-list extended SNnat
permit ip host 200.200.200.200  host 10.10.10.10....

Your scenario is a bit confusing. I will suggest you create a GRE tunnel over IPsec and then directly route the traffic over GRE.

Assisted Solution

by:trojan81
trojan81 earned 0 total points
ID: 36543786
I apologize, I didn't explain it correctly and I made a mistake on stating what the encryption domain is:
Local: 60.60.60.60
Remote: 200.200.200.200

I solved the problem. I had to use a different route-map.

ip nat outside source static 200.200.200.200 100.100.100.100 route-map SNmap2 extendable

route-map SNmap2 permit 10
 match ip address SNnat2

ip access-list extended SNnat2
permit ip host 200.200.200.200 host 60.60.60.60

ip nat outside source static 200.200.200.200 100.100.100.100 route-map SNmap  
0
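
Added example, not part of the original thread: a small Python model of IOS extended-ACL matching (wildcard masks, first match wins, implicit deny) that shows why the ACL behind SNmap cannot match the inbound flow while SNnat2 does. It assumes the ACL is evaluated against the addresses of the packet as it arrives from the remote side (source 200.200.200.200, destination 60.60.60.60); the function names are hypothetical.

```python
import ipaddress

def _term(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines from an extended ACL body."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        src, dst = _term(tokens), _term(tokens)
        if tokens:
            raise ValueError(f"trailing tokens in: {line!r}")
        entries.append((action, src, dst))
    return entries

def _hit(addr, term):
    base, wildcard = term
    care = ~wildcard & 0xFFFFFFFF  # a wildcard bit of 1 means "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def acl_permits(entries, src, dst):
    """First matching entry decides; no match falls through to the implicit deny."""
    for action, s, d in entries:
        if _hit(src, s) and _hit(dst, d):
            return action == "permit"
    return False

# ACL bodies copied from the thread
ACLS = {
    "SNnat": "permit ip host 10.10.10.10 host 200.200.200.200",
    "SNnat2": "permit ip host 200.200.200.200 host 60.60.60.60",
    "101": "permit ip 200.200.200.0 0.0.0.255 60.60.60.0 0.0.0.255",
}

def check(src="200.200.200.200", dst="60.60.60.60"):
    """Which of the thread's ACLs permit the flow src -> dst?"""
    return {name: acl_permits(parse_acl(body), src, dst) for name, body in ACLS.items()}

if __name__ == "__main__":
    print(check())
```
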
 

Author Closing Comment

by:trojan81
ID: 36565453
.