route-map / ACL not working for Static NAT on Cisco 2911 Router

Asked by denver218 (Routers, Cisco); 16 comments, 1 solution, 2521 views
I have a static NAT configured for my Video Conferencing equipment on my Cisco 2911 router. See the configuration below; it's the only static NAT in the configuration:

Cisco_2911_Router#show run
Building configuration...

Current configuration : 3367 bytes
!
! Last configuration change at 16:08:20 EDT Tue Aug 27 2013
! NVRAM config last updated at 15:16:44 EDT Tue Aug 27 2013
! NVRAM config last updated at 15:16:44 EDT Tue Aug 27 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco_2911_Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
clock timezone est -5 0
clock summer-time EDT recurring
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.10.1 192.168.10.30
!
ip dhcp pool LAN
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server x.x.28.11 x.x.29.11
!
!
ip domain name cisco.com
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2911/K9 sn FGL163010BB
!
!
!
redundancy
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxx address x.x.x.130
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map CTI 1 ipsec-isakmp
 set peer x.x.x.130
 set transform-set ESP-3DES-SHA
 match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description WAN
 ip address x.x.64.154 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
 crypto map CTI
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map CTI interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.10.9 x.x.64.155 route-map VIDEO
ip route 0.0.0.0 0.0.0.0 x.x.64.153
!
ip access-list standard acl_snmp_access
 permit x.x.x.139
!
ip access-list extended VIDEO
 permit tcp host 192.168.10.9 eq 1720 any
 permit tcp host 192.168.10.9 eq 5060 any
 permit tcp host 192.168.10.9 eq 5061 any
 permit udp host 192.168.10.9 eq 5060 any
 permit tcp host 192.168.10.9 range 60000 64999 any
 permit udp host 192.168.10.9 range 60000 64999 any
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.15.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 172.31.252.0 0.0.3.255
access-list 101 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.15.255
access-list 101 deny   ip 192.168.10.0 0.0.0.255 172.31.252.0 0.0.3.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
!
!
!
!
route-map VIDEO permit 10
 match ip address VIDEO
!
route-map CTI permit 1
 match ip address 101
!
route-map nonat permit 10
!
!
snmp-server group SNMP_RO_GROUP v3 auth read SNMP_VIEW_RO access acl_snmp_access
snmp-server view SNMP_VIEW_RO internet included
!
control-plane
!
!
!
!
scheduler allocate 20000 1000
end

The video conferencing support tells me the only ports that need to be open are the ones I defined in the VIDEO ACL, but it's not working. Users have video conferencing software installed on their laptops and they cannot connect. If I remove the static NAT as it looks above:

no ip nat inside source static 192.168.10.9 x.x.64.155 route-map VIDEO

and then enter it without the route-map, like below, they can connect:

ip nat inside source static 192.168.10.9 x.x.64.155

What can I do to see what's going on when they try to connect while the route-map is associated with the static NAT and it is not working? Thanks
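Before tracing the NAT itself it is worth checking what the VIDEO entries actually match: in the form "permit tcp host 192.168.10.9 eq 1720 any" the port qualifier that follows the source address tests the source port, not the destination port. The following Python evaluator for that ACL syntax is an added example, not part of the question or of IOS, and uses a constructed remote peer address (203.0.113.5):

```python
import ipaddress
# Constructed copy of the VIDEO list from the question, one entry per line.
ACL_VIDEO = """\
permit tcp host 192.168.10.9 eq 1720 any
permit tcp host 192.168.10.9 eq 5060 any
permit tcp host 192.168.10.9 eq 5061 any
permit udp host 192.168.10.9 eq 5060 any
permit tcp host 192.168.10.9 range 60000 64999 any
permit udp host 192.168.10.9 range 60000 64999 any
"""
def _addr(tok, i):
    """Parse 'host A' or 'any' at tok[i] (wildcard-mask form not handled)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    raise ValueError("unsupported address form: " + tok[i])
def _ports(tok, i):
    """Parse optional 'eq P' / 'range A B' at tok[i]; absent means any port."""
    if i < len(tok) and tok[i] == "eq":
        return (int(tok[i + 1]), int(tok[i + 1])), i + 2
    if i < len(tok) and tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return (0, 65535), i
def parse_acl(text):
    """Entries as (action, proto, src_net, src_ports, dst_net, dst_ports).
    A port qualifier right after the source address is a SOURCE-port test."""
    entries = []
    for line in filter(None, text.splitlines()):
        tok = line.split()
        src, i = _addr(tok, 2)
        sport, i = _ports(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _ports(tok, i)
        entries.append((tok[0], tok[1], src, sport, dst, dport))
    return entries
def acl_match(entries, proto, src_ip, sport, dst_ip, dport):
    """First-match evaluation; no match means the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, snet, sr, dnet, dr in entries:
        if (p in (proto, "ip") and s in snet and d in dnet
                and sr[0] <= sport <= sr[1] and dr[0] <= dport <= dr[1]):
            return action
    return "deny"

VIDEO = parse_acl(ACL_VIDEO)
# Constructed peer 203.0.113.5: a call answered by the VC unit on TCP 1720 matches,
# a call the VC unit places from an ephemeral source port does not.
print(acl_match(VIDEO, "tcp", "192.168.10.9", 1720, "203.0.113.5", 40000))  # permit
print(acl_match(VIDEO, "tcp", "192.168.10.9", 50123, "203.0.113.5", 1720))  # deny
```

Feeding the same evaluator the flows seen in "debug ip nat" or "show ip nat translations" output tells you whether a given packet could have satisfied the route-map at all.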