denver218 asked:

route-map / ACL not working for Static NAT on Cisco 2911 Router

I have a static NAT configured for my Video Conferencing equipment on my Cisco 2911 router.  See the configuration below.  It's the only static NAT in the configuration:

Cisco_2911_Router#show run
Building configuration...

Current configuration : 3367 bytes
!
! Last configuration change at 16:08:20 EDT Tue Aug 27 2013
! NVRAM config last updated at 15:16:44 EDT Tue Aug 27 2013
! NVRAM config last updated at 15:16:44 EDT Tue Aug 27 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco_2911_Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
clock timezone est -5 0
clock summer-time EDT recurring
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.10.1 192.168.10.30
!
ip dhcp pool LAN
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server x.x.28.11 x.x.29.11
!
!
ip domain name cisco.com
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2911/K9 sn FGL163010BB
!
!
!
redundancy
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxx address x.x.x.130
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map CTI 1 ipsec-isakmp
 set peer x.x.x.130
 set transform-set ESP-3DES-SHA
 match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description WAN
 ip address x.x.64.154 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
 crypto map CTI
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map CTI interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.10.9 x.x.64.155 route-map VIDEO
ip route 0.0.0.0 0.0.0.0 x.x.64.153
!
ip access-list standard acl_snmp_access
 permit x.x.x.139
!
ip access-list extended VIDEO
 permit tcp host 192.168.10.9 eq 1720 any
 permit tcp host 192.168.10.9 eq 5060 any
 permit tcp host 192.168.10.9 eq 5061 any
 permit udp host 192.168.10.9 eq 5060 any
 permit tcp host 192.168.10.9 range 60000 64999 any
 permit udp host 192.168.10.9 range 60000 64999 any
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.15.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 172.31.252.0 0.0.3.255
access-list 101 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.15.255
access-list 101 deny   ip 192.168.10.0 0.0.0.255 172.31.252.0 0.0.3.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
!
!
!
!
route-map VIDEO permit 10
 match ip address VIDEO
!
route-map CTI permit 1
 match ip address 101
!
route-map nonat permit 10
!
!
snmp-server group SNMP_RO_GROUP v3 auth read SNMP_VIEW_RO access acl_snmp_access
snmp-server view SNMP_VIEW_RO internet included
!
control-plane
!
!
!
!
scheduler allocate 20000 1000
end

The video conferencing support tells me the only ports that need to be open are the ones I defined in the VIDEO ACL, but it's not working.  Users have video conferencing software installed on their laptops and they cannot connect.  If I remove the static NAT as it looks above:

no ip nat inside source static 192.168.10.9 x.x.64.155 route-map VIDEO

and then enter it without the route-map, like below, they can connect:

ip nat inside source static 192.168.10.9 x.x.64.155

What can I do to see what's going on when they are trying to connect, when the route-map is associated with the static NAT and it is not working?  Thanks
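As an added example (not from the thread, the asker, or Cisco), here is a small Python matcher for the subset of extended-ACL syntax the VIDEO list uses, run over constructed flows; the 203.0.113.x destination addresses are sample values. It makes explicit something the ACL's wording hides: in "permit tcp host 192.168.10.9 eq 1720 any" the port qualifier follows the source address, so it constrains the source port on 192.168.10.9, not the port being connected to, and the matcher also accepts the "permit ip any any" entry the asker tries later in the thread.

```python
from dataclasses import dataclass
# The VIDEO ACL exactly as it appears in the posted configuration.
VIDEO_ACL = """\
permit tcp host 192.168.10.9 eq 1720 any
permit tcp host 192.168.10.9 eq 5060 any
permit tcp host 192.168.10.9 eq 5061 any
permit udp host 192.168.10.9 eq 5060 any
permit tcp host 192.168.10.9 range 60000 64999 any
permit udp host 192.168.10.9 range 60000 64999 any
"""

@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str     # inside source address
    sport: int   # source port
    dst: str     # outside destination (constructed sample values in the tests)
    dport: int   # destination port

def parse_ace(line):
    """Parse 'permit <proto> (host <ip>|any) [eq P|range A B] any' -> (proto, src, lo, hi)."""
    t = line.split()
    if t[0] != "permit":
        raise ValueError(f"only permit entries are supported: {line}")
    proto, i = t[1], 2
    if t[i] == "host":
        src, i = t[i + 1], i + 2
    elif t[i] == "any":
        src, i = None, i + 1
    else:
        raise ValueError(f"unsupported source spec: {line}")
    lo, hi = 0, 65535  # no qualifier means any source port
    if i < len(t) and t[i] == "eq":
        lo = hi = int(t[i + 1])
    elif i < len(t) and t[i] == "range":
        lo, hi = int(t[i + 1]), int(t[i + 2])
    return proto, src, lo, hi

def acl_permits(acl_text, flow):
    """First matching entry wins; no match falls through to the implicit deny.
    The port qualifier after the source address constrains the SOURCE port."""
    for line in acl_text.splitlines():
        proto, src, lo, hi = parse_ace(line)
        if proto in ("ip", flow.proto) and src in (None, flow.src) and lo <= flow.sport <= hi:
            return True
    return False

def nat_applies(flow, acl_text=VIDEO_ACL):
    # Static NAT with 'route-map VIDEO' only translates inside->outside packets the ACL permits.
    return acl_permits(acl_text, flow)
```

Run it on the outbound leg of a call (ephemeral source port, destination port 1720) and on a packet leaving the unit's own 1720 listener to see which of the two the route-map actually covers.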

Last comment by gfbarron, 8/22/2022 (Mon)
ASKER CERTIFIED SOLUTION by gfbarron
gfbarron

Example:

ip nat inside source static tcp 10.0.0.166 21 203.115.0.201 21 extendable
denver218 (ASKER)

Can you please explain a little further?  I have the following static NAT:

ip nat inside source static 192.168.10.9 x.x.64.155 route-map VIDEO

If I modify it to look like you have above, it no longer has the route-map associated to it.  Am I missing something?  Thanks for your help!
Steven Carnahan

What shows up in the log when it isn't working?

en
<password>
sh log

Look to see if the person attempting to connect is actually using one of the ports you have in the ACL.
denver218 (ASKER)

There are no hits on the ACL, which is weird.  The log just shows my vty connection from when I was configuring it.  There is nothing in there showing a connection attempt.  Every time I take the route-map off the static NAT it works.  I'm not sure what is happening.
SOLUTION
Steven Carnahan

denver218 (ASKER)

I changed the sequence number and it's still not working.  As soon as I take the route-map VIDEO off the static NAT it works.  I don't know what I'm missing.
Craig Beck

You need to set the interface in the route-map.

route-map CTI permit 1
 match ip address 101
 set ip next-hop x.x.64.153
denver218 (ASKER)

craigbeck, the route-map you specify above is the "NONAT" one for a site-to-site VPN.  That works fine.  I'm having a problem with route-map VIDEO.
SOLUTION
denver218 (ASKER)

That still does not work.  I even added a permit ip any any to the VIDEO ACL and even that doesn't work.  The only way to get it to work is if I take the route-map off of the static NAT.  Any other ideas?
denver218 (ASKER)

So since this isn't working, how can I view the connection attempt on the router to see what's happening when I do have the route-map applied on the static NAT?
denver218 (ASKER)

It seems to be a bug in all Cisco IOS releases.  You cannot have a route-map associated with an ACL that uses a range of ports on a static NAT when you have a crypto map applied to the outside interface.  After pondering over this for a couple of days, I called Cisco TAC.  I ended up just creating an ACL and applying it to gi0/0 instead of doing it via a route-map.  This solved the problem.  They said there is no fix for it in any IOS.
denver218 (ASKER)

Thanks for your help trying to solve the problem.  The solution is in my last comment.
Steven Carnahan

That is good to know.  I was able to follow the logic and it was sound; however, we have not run into that situation.  I will keep it in mind for the future though.  :)
gfbarron

Good to know, saved to my KB

Take care!