denver218 asked:

route-map / ACL not working for Static NAT on Cisco 2911 Router

I have a static NAT configured for my video conferencing equipment on my Cisco 2911 router. It's the only static NAT in the configuration. See the configuration below:

Cisco_2911_Router#show run
Building configuration...

Current configuration : 3367 bytes
!
! Last configuration change at 16:08:20 EDT Tue Aug 27 2013
! NVRAM config last updated at 15:16:44 EDT Tue Aug 27 2013
! NVRAM config last updated at 15:16:44 EDT Tue Aug 27 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco_2911_Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
clock timezone est -5 0
clock summer-time EDT recurring
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.10.1 192.168.10.30
!
ip dhcp pool LAN
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server x.x.28.11 x.x.29.11
!
!
ip domain name cisco.com
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2911/K9 sn FGL163010BB
!
!
!
redundancy
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxx address x.x.x.130
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map CTI 1 ipsec-isakmp
 set peer x.x.x.130
 set transform-set ESP-3DES-SHA
 match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description WAN
 ip address x.x.64.154 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
 crypto map CTI
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map CTI interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.10.9 x.x.64.155 route-map VIDEO
ip route 0.0.0.0 0.0.0.0 x.x.64.153
!
ip access-list standard acl_snmp_access
 permit x.x.x.139
!
ip access-list extended VIDEO
 permit tcp host 192.168.10.9 eq 1720 any
 permit tcp host 192.168.10.9 eq 5060 any
 permit tcp host 192.168.10.9 eq 5061 any
 permit udp host 192.168.10.9 eq 5060 any
 permit tcp host 192.168.10.9 range 60000 64999 any
 permit udp host 192.168.10.9 range 60000 64999 any
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.15.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 172.31.252.0 0.0.3.255
access-list 101 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.15.255
access-list 101 deny   ip 192.168.10.0 0.0.0.255 172.31.252.0 0.0.3.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
!
!
!
!
route-map VIDEO permit 10
 match ip address VIDEO
!
route-map CTI permit 1
 match ip address 101
!
route-map nonat permit 10
!
!
snmp-server group SNMP_RO_GROUP v3 auth read SNMP_VIEW_RO access acl_snmp_access
snmp-server view SNMP_VIEW_RO internet included
!
control-plane
!
!
!
!
scheduler allocate 20000 1000
end

The video conferencing support tells me the only ports that need to be open are the ones I defined in the VIDEO ACL, but it's not working. Users have video conferencing software installed on their laptops and they cannot connect. If I remove the static NAT as it looks above:

no ip nat inside source static 192.168.10.9 x.x.64.155 route-map VIDEO

and then enter it without the route-map, like below, they can connect:

ip nat inside source static 192.168.10.9 x.x.64.155

What can I do to see what's going on when they are trying to connect while the route-map is associated with the static NAT and it is not working? Thanks
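To see exactly which packets the VIDEO ACL above matches, here is a small constructed Python model of IOS extended-ACL first-match semantics (an added example, not from the thread or Cisco); it parses the six ACEs verbatim. Note that `eq`/`range` placed after the source host constrains the *source* port, so these ACEs match traffic leaving the video unit from those ports, which is the inside-to-outside packet the route-map on the static NAT is evaluated against. The sample packets and the address 203.0.113.5 are constructed.

```python
"""Model of IOS extended-ACL matching for the VIDEO ACL from the question.

Constructed example, not Cisco code.  Only the ACE shapes that ACL uses are
modelled:  permit <proto> host <ip> (eq <port> | range <lo> <hi>) any
"""
import ipaddress

# The six ACEs exactly as they appear in the running-config above.
VIDEO_ACL = """
permit tcp host 192.168.10.9 eq 1720 any
permit tcp host 192.168.10.9 eq 5060 any
permit tcp host 192.168.10.9 eq 5061 any
permit udp host 192.168.10.9 eq 5060 any
permit tcp host 192.168.10.9 range 60000 64999 any
permit udp host 192.168.10.9 range 60000 64999 any
"""


def parse_ace(line):
    """Parse one ACE into (action, proto, source_host, (src_port_lo, src_port_hi))."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    if tok[2] != "host":
        raise ValueError("only 'host' sources are modelled: " + line)
    src = ipaddress.ip_address(tok[3])
    if tok[4] == "eq":            # single source port
        ports, rest = (int(tok[5]), int(tok[5])), tok[6:]
    elif tok[4] == "range":       # inclusive source-port range
        ports, rest = (int(tok[5]), int(tok[6])), tok[7:]
    else:
        raise ValueError("unsupported ACE: " + line)
    if rest != ["any"]:
        raise ValueError("only 'any' destinations are modelled: " + line)
    return action, proto, src, ports


def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines()]


def acl_action(acl, proto, src, sport, dst, dport):
    """First-match evaluation with the implicit deny IOS appends to every ACL.

    dst/dport are accepted for realism but never constrain a match here,
    because every ACE in this ACL ends in 'any'.
    """
    src = ipaddress.ip_address(src)
    for action, p, s, (lo, hi) in acl:
        if p == proto and src == s and lo <= sport <= hi:
            return action
    return "deny"
```

Running `acl_action(parse_acl(VIDEO_ACL), "tcp", "203.0.113.5", 40000, "192.168.10.9", 1720)` returns `"deny"`: a laptop calling in to the unit on 1720 is not described by this ACL, whereas a packet the unit sends *from* port 1720 is.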

gfbarron (accepted solution; text not shown on the page):
gfbarron:

Example:

ip nat inside source static tcp 10.0.0.166 21 203.115.0.201 21 extendable
denver218 (asker):

Can you please explain a little further?  I have the following static NAT:

ip nat inside source static 192.168.10.9 x.x.64.155 route-map VIDEO

If I modify it to look like you have above, it no longer has the route-map associated to it. Am I missing something? Thanks for your help!
Steven Carnahan:
What shows up in the log when it isn't working?

en
<password>
sh log

Look to see if the person attempting to connect is actually using one of the ports you have in the ACL.
denver218 (asker):

There are no hits on the ACL, which is weird. The log just shows my vty connection from when I was configuring it; there is nothing in there showing a connection attempt. Every time I take the route-map off the static NAT it works. I'm not sure what is happening.
SOLUTION (text not shown on the page)
denver218 (asker):

I changed the sequence number and it's still not working. As soon as I take the route-map VIDEO off the static NAT it works. I don't know what I'm missing.
Craig Beck:

You need to set the interface in the route-map.

route-map CTI permit 1
 match ip address 101
 set ip next-hop x.x.64.153
denver218 (asker):

craigbeck, the route-map you specify above is for "NONAT" for a site-to-site VPN. This works fine. I'm having a problem with route-map VIDEO.
Craig Beck (solution; text not shown on the page):
denver218 (asker):

That still does not work. I even added a permit ip any any to the VIDEO ACL and even this doesn't work. The only way to get it to work is if I take the route-map off of the static NAT. Any other ideas?
denver218 (asker):

So since this isn't working, how can I view the connection attempt on the router to see what's happening when I do have the route-map applied on the static NAT?
denver218 (asker):

It seems to be a bug in all Cisco IOS versions. You cannot have a route-map associated with an ACL that uses a range of ports on a static NAT when you have a crypto map applied to the outside interface. After pondering over this for a couple of days, I called Cisco TAC. I ended up just creating an ACL and applying it to gi0/0 instead of doing it via a route-map. This solved the problem. They said there is no fix for it in any IOS.
denver218 (asker):

Thanks for your help trying to solve the problem. The solution is in my last comment.

That is good to know. I was able to follow the logic and it was sound; however, we have not run into that situation. I will keep it in mind for the future though. :)
gfbarron:

Good to know, saved to my KB

Take care!