route-map / ACL not working for Static NAT on Cisco 2911 Router

I have a static NAT configured for my Video Conferencing equipment on my Cisco 2911 router. See the configuration below; it's the only static NAT in the configuration:

Cisco_2911_Router#show run
Building configuration...

Current configuration : 3367 bytes
!
! Last configuration change at 16:08:20 EDT Tue Aug 27 2013
! NVRAM config last updated at 15:16:44 EDT Tue Aug 27 2013
! NVRAM config last updated at 15:16:44 EDT Tue Aug 27 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco_2911_Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
clock timezone est -5 0
clock summer-time EDT recurring
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.10.1 192.168.10.30
!
ip dhcp pool LAN
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server x.x.28.11 x.x.29.11
!
!
ip domain name cisco.com
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2911/K9 sn FGL163010BB
!
!
!
redundancy
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxx address x.x.x.130
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map CTI 1 ipsec-isakmp
 set peer x.x.x.130
 set transform-set ESP-3DES-SHA
 match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description WAN
 ip address x.x.64.154 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
 crypto map CTI
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map CTI interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.10.9 x.x.64.155 route-map VIDEO
ip route 0.0.0.0 0.0.0.0 x.x.64.153
!
ip access-list standard acl_snmp_access
 permit x.x.x.139
!
ip access-list extended VIDEO
 permit tcp host 192.168.10.9 eq 1720 any
 permit tcp host 192.168.10.9 eq 5060 any
 permit tcp host 192.168.10.9 eq 5061 any
 permit udp host 192.168.10.9 eq 5060 any
 permit tcp host 192.168.10.9 range 60000 64999 any
 permit udp host 192.168.10.9 range 60000 64999 any
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.15.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 172.31.252.0 0.0.3.255
access-list 101 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.15.255
access-list 101 deny   ip 192.168.10.0 0.0.0.255 172.31.252.0 0.0.3.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
!
!
!
!
route-map VIDEO permit 10
 match ip address VIDEO
!
route-map CTI permit 1
 match ip address 101
!
route-map nonat permit 10
!
!
snmp-server group SNMP_RO_GROUP v3 auth read SNMP_VIEW_RO access acl_snmp_access
snmp-server view SNMP_VIEW_RO internet included
!
control-plane
!
!
!
!
scheduler allocate 20000 1000
end

The video conferencing support tells me the only ports that need to be open are the ones I defined in the VIDEO ACL, but it's not working. Users have video conferencing software installed on their laptops and they cannot connect. If I remove the static NAT as it looks above:

no ip nat inside source static 192.168.10.9 x.x.64.155 route-map VIDEO

and then enter it without the route-map like below, they can connect:

ip nat inside source static 192.168.10.9 x.x.64.155

What can I do to see what's going on when they are trying to connect while the route-map is associated with the static NAT and it is not working? Thanks
denver218Asked:

gfbarronCommented:
Hey,

To me it sounds like you have configured the ACL to allow the ports you need.  You also need to forward the ports to the device IP you are looking to use.

G
0

gfbarronCommented:
Example:

ip nat inside source static tcp 10.0.0.166 21 203.115.0.201 21 extendable
0
denver218Author Commented:
Can you please explain a little further?  I have the following static NAT:

ip nat inside source static 192.168.10.9 x.x.64.155 route-map VIDEO

If I modify it to look like you have above it no longer has the route-map associated to it. Am I missing something? Thanks for your help!
0

Steven CarnahanNetwork ManagerCommented:
What shows up in the log when it isn't working?

en
<password>
sh log

Look to see if the person attempting to connect is actually using one of the ports you have in the ACL.
0
denver218Author Commented:
There are no hits on the ACL, which is weird. The log just shows my vty connection from when I was configuring it; there is nothing in there showing a connection attempt. Every time I take the route-map off the static NAT it works. I'm not sure what is happening.
0
Steven CarnahanNetwork ManagerCommented:
Break down:

Static NAT:

ip nat inside source static 192.168.10.9 x.x.64.155 route-map VIDEO

This uses the route-map:

route-map VIDEO permit 10
 match ip address VIDEO

which uses the ACL:

ip access-list extended VIDEO
 permit tcp host 192.168.10.9 eq 1720 any
 permit tcp host 192.168.10.9 eq 5060 any
 permit tcp host 192.168.10.9 eq 5061 any
 permit udp host 192.168.10.9 eq 5060 any
 permit tcp host 192.168.10.9 range 60000 64999 any
 permit udp host 192.168.10.9 range 60000 64999 any


The only thing I see that I would change would be the sequence number in the route-map from 10 to 5 since it conflicts with:

 route-map nonat permit 10
0
denver218Author Commented:
I changed the sequence number and it's still not working. As soon as I take the route-map VIDEO off the static NAT it works. I don't know what I'm missing.
0
Craig BeckCommented:
You need to set the interface in the route-map.

route-map CTI permit 1
 match ip address 101
 set ip next-hop x.x.64.153
0
denver218Author Commented:
craigbeck, the route-map you specify above is for "NONAT" for a site-to-site VPN. This works fine. I'm having a problem with route-map VIDEO.
0
Craig BeckCommented:
Ok, try this then...

route-map VIDEO permit 10
 match ip address VIDEO
 set ip next-hop x.x.64.153
0
denver218Author Commented:
That still does not work. I even added a permit ip any any to the VIDEO ACL and even this doesn't work. The only way to get it to work is if I take the route-map off of the static NAT. Any other ideas?
0
denver218Author Commented:
So since this isn't working, how can I view the connection attempt on the router to see what's happening when I do have the route-map applied on the static NAT?
0
denver218Author Commented:
It seems to be a bug in all Cisco IOS versions. You cannot have a route-map associated with an ACL that uses a range of ports on a static NAT when you have a crypto map applied to the outside interface. After pondering over this for a couple of days, I called Cisco TAC. I ended up just creating an ACL and applying it to gi0/0 instead of doing it via a route-map. This solved the problem. They said there is no fix for it in any IOS.
0
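An added illustration of what "an ACL applied to gi0/0 instead of a route-map" looks like and what it has to carry along; this is not the asker's actual TAC workaround, which the thread does not show. Assumptions: the ACL is named WAN_IN and applied inbound, the video endpoint must accept inbound-initiated sessions on its global address, and CBAC (`ip inspect`, policy name FW) is used so that return traffic for the overload PAT on x.x.64.154 still passes the inbound ACL; addresses and ports are the ones from the thread.

```cisco
! Illustrative config (added example, not the thread author's own). Assumed names: WAN_IN, FW.
! Static NAT without the route-map, the form the asker found to work:
ip nat inside source static 192.168.10.9 x.x.64.155
!
! An inbound ACL on the WAN interface is evaluated BEFORE outside-to-inside NAT, so it
! must name the GLOBAL address x.x.64.155 and the DESTINATION ports. The route-map's
! VIDEO ACL was written the other way round (inside source 192.168.10.9, source ports),
! which is also why it shows no hits for connections initiated from the outside.
ip access-list extended WAN_IN
 remark --- video endpoint: only the ports the vendor asked for ---
 permit tcp any host x.x.64.155 eq 1720
 permit tcp any host x.x.64.155 eq 5060
 permit tcp any host x.x.64.155 eq 5061
 permit udp any host x.x.64.155 eq 5060
 permit tcp any host x.x.64.155 range 60000 64999
 permit udp any host x.x.64.155 range 60000 64999
 remark --- keep the site-to-site IPsec to peer x.x.x.130 (crypto map CTI) alive ---
 permit udp host x.x.x.130 host x.x.64.154 eq isakmp
 permit udp host x.x.x.130 host x.x.64.154 eq non500-isakmp
 permit esp host x.x.x.130 host x.x.64.154
 remark --- everything else is dropped and logged, so misses become visible in 'show log' ---
 deny ip any any log
!
! Stateful inspection (CBAC) opens return-traffic holes through WAN_IN for sessions the
! LAN users start outbound through the overload PAT; without it the ACL above would
! break ordinary internet access for the 192.168.10.0/24 users.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
interface GigabitEthernet0/0
 ip access-group WAN_IN in
 ip inspect FW out
!
! Verification once applied: ACL hit counters and the NAT table for the endpoint
! show ip access-lists WAN_IN
! show ip nat translations | include 192.168.10.9
```

Because the ACL is now on the interface rather than inside the NAT decision, every dropped packet shows up as a hit on the final deny line, which answers the "how can I see the connection attempt" question raised earlier in the thread.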
denver218Author Commented:
Thanks for your help trying to solve the problem.  The solution is in my last comment.
0
Steven CarnahanNetwork ManagerCommented:
That is good to know. I was able to follow the logic and it was sound; however, we have not run into that situation. I will keep it in mind for the future though. :)
0
gfbarronCommented:
Good to know, saved to my KB

Take care!
0