Say we have three sites connected to the main hub R1 (R2 is SITE_A, R3 is SITE_B). R1 – R2 runs EIGRP AS 12 and R1 – R3 runs EIGRP AS 13. R1 – R4 runs no routing protocol; R4 uses a default route pointing to R1's Fa2/0 interface, 14.14.14.1.

Initial configuration below:
hostname R2
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Loopback1
 ip address 22.22.22.22 255.255.255.255
!
interface FastEthernet0/0
 ip address 12.12.12.2 255.255.255.0
!
router eigrp 12
 network 0.0.0.0
 no auto-summary
hostname R3
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Loopback1
 ip address 33.33.33.33 255.255.255.255
!
interface FastEthernet0/0
 ip address 13.13.13.3 255.255.255.0
!
router eigrp 13
 network 0.0.0.0
 no auto-summary
hostname R1
!
interface FastEthernet0/0
 ip address 12.12.12.1 255.255.255.0
!
interface FastEthernet1/0
 ip address 13.13.13.1 255.255.255.0
!
interface FastEthernet2/0
 ip address 14.14.14.1 255.255.255.0
!
router eigrp 12
 network 12.12.12.1 0.0.0.0
 auto-summary
!
router eigrp 13
 network 13.13.13.1 0.0.0.0
 no auto-summary
hostname R4
!
interface FastEthernet0/0
 ip address 14.14.14.4 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 14.14.14.1
At this stage, neither SITE_A nor SITE_B knows network 14.14.14.0/24, so return traffic has nowhere to go and R4 has no reachability to SITE_A or SITE_B.
Let's introduce NAT on R1 by translating 14.14.14.0/24 to R1's Fa0/0 address, 12.12.12.1.
ip access-list standard ACL_14.14.14.0/24
 permit 14.14.14.0 0.0.0.255
!
ip nat inside source list ACL_14.14.14.0/24 interface f0/0 overload
!
! Translation only happens once the interfaces carry their NAT roles
! (the post lists these together with the route-map configuration further down):
int f0/0
 ip nat outside
int f2/0
 ip nat inside
This gives R4 reachability to SITE_A.
R4#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/67/104 ms
R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 12.12.12.1:5      14.14.14.4:5       2.2.2.2:5          2.2.2.2:5
The inside local range 14.14.14.0/24 is translated to 12.12.12.1 to reach 2.2.2.2. Since SITE_A has a route for 12.12.12.0/24, it can now send return traffic back toward 14.14.14.0/24.
What about SITE_B: can we do the same on R1 Fa1/0 as we did on R1 Fa0/0?
In order to NAT out of both Fa0/0 and Fa1/0, we can no longer use a standard ACL. This can only be done with route-maps and extended ACLs.
! remove the earlier standard-ACL NAT statement so the two configurations do not overlap
no ip nat inside source list ACL_14.14.14.0/24 interface f0/0 overload
!
ip access-list extended ACL_FROM_14.14.14.0/24_TO_SITE_A
 permit ip 14.14.14.0 0.0.0.255 host 2.2.2.2
 permit ip 14.14.14.0 0.0.0.255 host 22.22.22.22
 permit ip 14.14.14.0 0.0.0.255 12.12.12.0 0.0.0.255
!
ip access-list extended ACL_FROM_14.14.14.0/24_TO_SITE_B
 permit ip 14.14.14.0 0.0.0.255 host 3.3.3.3
 permit ip 14.14.14.0 0.0.0.255 host 33.33.33.33
 permit ip 14.14.14.0 0.0.0.255 13.13.13.0 0.0.0.255
!
no route-map RM_FROM_14.14.14.0/24_TO_SITE_A permit 10
route-map RM_FROM_14.14.14.0/24_TO_SITE_A permit 10
 match ip address ACL_FROM_14.14.14.0/24_TO_SITE_A
!
no route-map RM_FROM_14.14.14.0/24_TO_SITE_B permit 10
route-map RM_FROM_14.14.14.0/24_TO_SITE_B permit 10
 match ip address ACL_FROM_14.14.14.0/24_TO_SITE_B
!
ip nat inside source route-map RM_FROM_14.14.14.0/24_TO_SITE_A interface FastEthernet0/0 overload
ip nat inside source route-map RM_FROM_14.14.14.0/24_TO_SITE_B interface FastEthernet1/0 overload
!
int f0/0
 ip nat outside
int f1/0
 ip nat outside
int f2/0
 ip nat inside
R4#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/69/80 ms
R4#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/68/92 ms
R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 12.12.12.1:25     14.14.14.4:25      2.2.2.2:25         2.2.2.2:25
icmp 13.13.13.1:26     14.14.14.4:26      3.3.3.3:26         3.3.3.3:26
I’ve actually tried the combination of using two different route-maps with the same single standard ACL or the same single extended ACL. This just doesn’t work. The reason is that the translation needs two distinct ACLs to differentiate one translation exit point from another.
R1#sh ip nat tran verbose
Pro Inside global Inside local Outside local Outside global
icmp 12.12.12.1:31 14.14.14.4:31 3.3.3.3:31 3.3.3.3:31
create 00:00:07, use 00:00:07 timeout:60000, left 00:00:52, Map-Id(In): 16,
flags:
extended, use_count: 0, entry-id: 22, lc_entries: 0, Entry type : 0
icmp 12.12.12.1:32 14.14.14.4:32 2.2.2.2:32 2.2.2.2:32
create 00:00:04, use 00:00:04 timeout:60000, left 00:00:55, Map-Id(In): 16,
flags:
extended, use_count: 0, entry-id: 23, lc_entries: 0, Entry type : 0
For each NAT configuration statement (ip nat inside source route-map RM_FROM_14.14.14.0/24_TO_SITE_A interface FastEthernet0/0 overload, or ip nat inside source route-map RM_FROM_14.14.14.0/24_TO_SITE_B interface FastEthernet1/0 overload) NAT generates a Map-Id. In the output above both translations carry Map-Id 16, even though one of them is destined for SITE_B; having the same Map-Id for both exit points only confuses the mapping.
The entries below, however, were created when we used two route-maps with two different ACLs. They show a different Map-Id for each exit point.
R1#sh ip nat translations ver
Pro Inside global Inside local Outside local Outside global
icmp 12.12.12.1:38 14.14.14.4:38 22.22.22.22:38 22.22.22.22:38
create 00:00:17, use 00:00:17 timeout:60000, left 00:00:42, Map-Id(In): 16,
flags:
extended, use_count: 0, entry-id: 28, lc_entries: 0
icmp 12.12.12.1:39 14.14.14.4:39 2.2.2.2:39 2.2.2.2:39
create 00:00:14, use 00:00:14 timeout:60000, left 00:00:45, Map-Id(In): 16,
flags:
extended, use_count: 0, entry-id: 29, lc_entries: 0
icmp 13.13.13.1:40 14.14.14.4:40 3.3.3.3:40 3.3.3.3:40
create 00:00:11, use 00:00:11 timeout:60000, left 00:00:48, Map-Id(In): 17,
flags:
extended, use_count: 0, entry-id: 30, lc_entries: 0
icmp 13.13.13.1:41 14.14.14.4:41 33.33.33.33:41 33.33.33.33:41
create 00:00:07, use 00:00:07 timeout:60000, left 00:00:52, Map-Id(In): 17,
flags:
extended, use_count: 0, entry-id: 31, lc_entries: 0
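To check a NAT table for the symptom described above (a translation toward a SITE_B address leaving with the SITE_A inside-global address 12.12.12.1), here is an added Python example; it is not part of the original post and not Cisco code. It parses show ip nat translations verbose output, records each entry's Map-Id, and audits the inside-global address of every translation against an assumed per-destination policy. The two sample outputs are constructed from the listings in the post, and EXPECTED_EXIT is an assumption that matches the topology (SITE_A behind Fa0/0, SITE_B behind Fa1/0).

```python
import ipaddress
import re

# Constructed sample output, modelled on the post's "sh ip nat translations verbose"
# listings: the first taken while two route-maps shared one ACL, the second after
# each route-map got its own extended ACL.
SHARED_ACL_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 12.12.12.1:31     14.14.14.4:31      3.3.3.3:31         3.3.3.3:31
    create 00:00:07, use 00:00:07 timeout:60000, left 00:00:52, Map-Id(In): 16,
    flags:
extended, use_count: 0, entry-id: 22, lc_entries: 0, Entry type : 0
icmp 12.12.12.1:32     14.14.14.4:32      2.2.2.2:32         2.2.2.2:32
    create 00:00:04, use 00:00:04 timeout:60000, left 00:00:55, Map-Id(In): 16,
    flags:
extended, use_count: 0, entry-id: 23, lc_entries: 0, Entry type : 0
"""

DISTINCT_ACL_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 12.12.12.1:38     14.14.14.4:38      22.22.22.22:38     22.22.22.22:38
    create 00:00:17, use 00:00:17 timeout:60000, left 00:00:42, Map-Id(In): 16,
    flags:
extended, use_count: 0, entry-id: 28, lc_entries: 0
icmp 12.12.12.1:39     14.14.14.4:39      2.2.2.2:39         2.2.2.2:39
    create 00:00:14, use 00:00:14 timeout:60000, left 00:00:45, Map-Id(In): 16,
    flags:
extended, use_count: 0, entry-id: 29, lc_entries: 0
icmp 13.13.13.1:40     14.14.14.4:40      3.3.3.3:40         3.3.3.3:40
    create 00:00:11, use 00:00:11 timeout:60000, left 00:00:48, Map-Id(In): 17,
    flags:
extended, use_count: 0, entry-id: 30, lc_entries: 0
icmp 13.13.13.1:41     14.14.14.4:41      33.33.33.33:41     33.33.33.33:41
    create 00:00:07, use 00:00:07 timeout:60000, left 00:00:52, Map-Id(In): 17,
    flags:
extended, use_count: 0, entry-id: 31, lc_entries: 0
"""

# Assumed policy: which inside-global (exit) address each destination must use.
EXPECTED_EXIT = {
    ipaddress.ip_network("2.2.2.2/32"): ipaddress.ip_address("12.12.12.1"),
    ipaddress.ip_network("22.22.22.22/32"): ipaddress.ip_address("12.12.12.1"),
    ipaddress.ip_network("12.12.12.0/24"): ipaddress.ip_address("12.12.12.1"),
    ipaddress.ip_network("3.3.3.3/32"): ipaddress.ip_address("13.13.13.1"),
    ipaddress.ip_network("33.33.33.33/32"): ipaddress.ip_address("13.13.13.1"),
    ipaddress.ip_network("13.13.13.0/24"): ipaddress.ip_address("13.13.13.1"),
}

PROTOCOLS = ("icmp", "tcp", "udp")
MAP_ID_RE = re.compile(r"Map-Id\(In\):\s*(\d+)")
COLUMNS = ("inside_global", "inside_local", "outside_local", "outside_global")


def split_socket(token):
    """'12.12.12.1:31' -> (IPv4Address, 31); a bare address gets port None."""
    if ":" in token:
        addr, port = token.rsplit(":", 1)
        return ipaddress.ip_address(addr), int(port)
    return ipaddress.ip_address(token), None


def parse_translations(text):
    """Parse 'show ip nat translations verbose' output into a list of entry dicts."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        if fields and fields[0] in PROTOCOLS and len(fields) == 5:
            entry = {"proto": fields[0], "map_id": None}
            for key, token in zip(COLUMNS, fields[1:]):
                entry[key] = split_socket(token)[0]
            entries.append(entry)
        elif entries:
            # The "create ... Map-Id(In): N" line belongs to the preceding entry.
            m = MAP_ID_RE.search(raw)
            if m:
                entries[-1]["map_id"] = int(m.group(1))
    return entries


def map_ids_by_exit(entries):
    """Map each inside-global address to the set of Map-Ids that produced it."""
    result = {}
    for e in entries:
        result.setdefault(str(e["inside_global"]), set()).add(e["map_id"])
    return result


def audit_exit_addresses(entries, policy=EXPECTED_EXIT):
    """Return (destination, actual_exit, expected_exit) for every translation whose
    inside-global address is not the one the policy prescribes for its destination."""
    violations = []
    for e in entries:
        nets = [n for n in policy if e["outside_global"] in n]
        if not nets:
            continue  # destination not covered by the policy: nothing to compare
        expected = policy[max(nets, key=lambda n: n.prefixlen)]  # longest match
        if e["inside_global"] != expected:
            violations.append((e["outside_global"], e["inside_global"], expected))
    return violations


if __name__ == "__main__":
    for label, text in (("shared ACL", SHARED_ACL_OUTPUT),
                        ("distinct ACLs", DISTINCT_ACL_OUTPUT)):
        entries = parse_translations(text)
        print(label, "Map-Ids per exit address:", map_ids_by_exit(entries))
        for dst, actual, expected in audit_exit_addresses(entries):
            print(f"  {dst} left via {actual}, expected {expected}")
```

Run against the first listing the audit flags the 3.3.3.3 translation (exit 12.12.12.1, expected 13.13.13.1); against the second it flags nothing and shows Map-Id 16 serving 12.12.12.1 and Map-Id 17 serving 13.13.13.1.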
Is it possible to make two users in two locations, but on the same subnet, communicate using destination-based NAT?
@Jasvijay, yes, this is possible. It is similar to a network merger where both networks happen to have the same subnet. You just need dynamic NAT in the middle, but if it’s too complex, then you might need to run static NAT for the rest of the servers. You might also want to look at the possibility of running VRFs.
You can use the same ACL in both route-maps, but you need to provide another factor to differentiate the traffic. Adding a “match interface” clause to the same permit entry in the route-map does the trick. I typically do something like this:
object-group network og-rfc1918
 10.0.0.0 /8
 172.16.0.0 /12
 192.168.0.0 /16
!
ip access-list extended acl-nat
 permit ip object-group og-rfc1918 any
!
route-map rm-site-a
 match ip address acl-nat
 match interface FastEthernet0/0
!
route-map rm-site-b
 match ip address acl-nat
 match interface FastEthernet1/0
!
ip nat inside source route-map rm-site-a interface FastEthernet0/0 overload
ip nat inside source route-map rm-site-b interface FastEthernet1/0 overload
This keeps things a bit simpler because the router can rely on the routing table to figure out which NAT table to use based on the destination, rather than hard-coding the destinations into the ACLs.
Thanks @JodyLemoine, this is a good tip!
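The post's finding that one shared ACL behind two route-maps does not work, and the comment's fix of adding match interface to a shared ACL, both come down to whether exactly one NAT statement claims a given packet. The following added Python example (not from the post, its commenters, or Cisco) models extended ACLs with wildcard masks, a longest-prefix route lookup, and route-maps with match ip address and optional match interface, and lists every NAT statement a packet satisfies. Unlike the router, which installs a translation from whichever statement it settles on, the model reports the ambiguity directly. The ACLs are the post's; ACL_SHARED (inside subnet to any) is an assumed shape of the single-ACL attempt, and RIB is a constructed routing table for R1.

```python
import ipaddress

# Extended ACL entries as (source, destination) in "base/wildcard" form;
# Python's ip_network accepts IOS-style wildcard (host) masks directly.
ACL_TO_SITE_A = [
    ("14.14.14.0/0.0.0.255", "2.2.2.2/32"),
    ("14.14.14.0/0.0.0.255", "22.22.22.22/32"),
    ("14.14.14.0/0.0.0.255", "12.12.12.0/0.0.0.255"),
]
ACL_TO_SITE_B = [
    ("14.14.14.0/0.0.0.255", "3.3.3.3/32"),
    ("14.14.14.0/0.0.0.255", "33.33.33.33/32"),
    ("14.14.14.0/0.0.0.255", "13.13.13.0/0.0.0.255"),
]
# Assumed shape of the "one shared ACL" attempt: inside subnet to anywhere.
ACL_SHARED = [("14.14.14.0/0.0.0.255", "0.0.0.0/0")]

# Constructed routing table of R1 (what EIGRP 12 and 13 would have installed).
RIB = {
    "2.2.2.2/32": "FastEthernet0/0", "22.22.22.22/32": "FastEthernet0/0",
    "12.12.12.0/24": "FastEthernet0/0",
    "3.3.3.3/32": "FastEthernet1/0", "33.33.33.33/32": "FastEthernet1/0",
    "13.13.13.0/24": "FastEthernet1/0",
}


def acl_permits(acl, src, dst):
    """True if any entry of the (permit-only) extended ACL matches src -> dst."""
    return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
               for s, d in acl)


def egress_interface(rib, dst):
    """Longest-prefix lookup; None when the destination is unrouted."""
    best = None
    for prefix, ifname in rib.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def nat_statement(name, acl, exit_if, match_interface=None):
    """One 'ip nat inside source route-map NAME interface EXIT_IF overload' whose
    route-map carries 'match ip address ACL' and, optionally, 'match interface'."""
    return {"name": name, "acl": acl, "exit_if": exit_if,
            "match_interface": match_interface}


def matching_statements(statements, rib, src, dst):
    """Names of all NAT statements whose route-map the packet satisfies;
    'match interface' is compared with the egress interface of the route lookup."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    egress = egress_interface(rib, dst)
    hits = []
    for st in statements:
        if not acl_permits(st["acl"], src, dst):
            continue
        if st["match_interface"] and st["match_interface"] != egress:
            continue
        hits.append(st["name"])
    return hits


def ambiguous_destinations(statements, rib, src, dsts):
    """Destinations for which zero or more than one statement matches."""
    result = {}
    for d in dsts:
        hits = matching_statements(statements, rib, src, d)
        if len(hits) != 1:
            result[d] = hits
    return result


# The three configurations discussed in the post and its comments.
SHARED_ACL = [nat_statement("RM_TO_SITE_A", ACL_SHARED, "FastEthernet0/0"),
              nat_statement("RM_TO_SITE_B", ACL_SHARED, "FastEthernet1/0")]
DISTINCT_ACLS = [nat_statement("RM_TO_SITE_A", ACL_TO_SITE_A, "FastEthernet0/0"),
                 nat_statement("RM_TO_SITE_B", ACL_TO_SITE_B, "FastEthernet1/0")]
SHARED_ACL_MATCH_IF = [
    nat_statement("rm-site-a", ACL_SHARED, "FastEthernet0/0", "FastEthernet0/0"),
    nat_statement("rm-site-b", ACL_SHARED, "FastEthernet1/0", "FastEthernet1/0")]

if __name__ == "__main__":
    dsts = ["2.2.2.2", "22.22.22.22", "3.3.3.3", "33.33.33.33"]
    for label, cfg in (("shared ACL", SHARED_ACL), ("distinct ACLs", DISTINCT_ACLS),
                       ("shared ACL + match interface", SHARED_ACL_MATCH_IF)):
        print(label, "->", ambiguous_destinations(cfg, RIB, "14.14.14.4", dsts) or "OK")
```

With the shared ACL every destination is claimed by both statements; with distinct ACLs, or with the shared ACL plus match interface, each destination is claimed by exactly one, which is the property the NAT table in the post reflects as one Map-Id per exit address.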