Re: NAT issue

From: Maarten Vervoorn <mr.vervoorn_at_gmail.com>
Date: Fri, 21 May 2010 21:59:39 +0200

Hi,

Thanks for your reply

I know the route-map is to identify the traffic. So with this NAT rule it
should NOT NAT anything. But it does. I can ping 10.15.105.12 from R5 and
R1. But the NAT rule wasn't working right with a deny any. How come I can
ping 10.15.105.12? I used the NAT rule with a route-map to select some
traffic but it seems the NAT rule is doing something else. If I select
only one network it NATs every network the right way.

The issue I had is that I needed both addresses reachable and reply from the
same address. So with a simple static inside NAT, if you ping 10.130.208.211 it
replies with the natted address 10.15.105.12. Most connections of applications
can't deal with that. So I implemented a route-map in which I can select the
networks. If I made a route-map and only selected 10.15.243.0/24 it also
natted 10.15.98.0/24, both synchronous replies. So then I tried with a deny
any and yes, as I expected, it's still natting to all networks and synchronous.
But I can't figure out why this is the case. I thought indeed NAT did not
work with a route-map deny any. But it seems it did.

Debugging says it's natting all the right way; debugging ICMP packets I see
both synchronous replies, so a ping to 105.12 replies with 105.12 and a ping to
208.211 replies with 211.

So my question basically is what is this route-map doing in the NAT rule,
because it should deny everything so nothing should be translated. But it
does; everything is natted.

Kind regards,

Maarten Vervoorn
http://ccie.forumotion.com

2010/5/21 Adrian Brayton <abrayton_at_gmail.com>

> Sorry about the delay... What are the debugs saying?
>
> I am having a hard time following exactly what you are trying to do but I
> do have a question or two.
>
> With your route-map statement, you have an ACL that denies everything. Now,
> with your route-map on the nat translation it is just telling it to not
> translate anything. Now when you remove the route-map statement it should
> now be doing the NAT translations.
>
> I could be wrong but I think you are using the route-map the incorrect way.
> The route-map is meant to identify traffic that you want to translate; if it
> doesn't match the route-map it won't be translated, if it does then it will.
>
>
> On May 21, 2010, at 9:12 AM, Maarten Vervoorn wrote:
>
> Yes I have, and if I hadn't it wouldn't work. I forgot to copy this. It
> works perfectly, I only do not understand why. The route-map denies
> everything. I'm able to ping from the outside routers the NAT address
> 10.15.105.12 and it even replies from that natted address. It's exactly what I
> want. But if I remove the route-map, if I ping 10.130.208.211 it will reply
> from 10.15.105.12. If I add the route-map it replies with 208.211 and also
> replies to 105.12.
> What does this route-map exactly do here?
>
> interface Loopback1
> ip address 10.15.105.1 255.255.255.0
> ip nat outside
> interface FastEthernet0/0
> ip address 10.15.98.1 255.255.255.0
> ip nat outside
> interface Serial1/0
> ip address 10.130.208.254 255.255.255.128
> ip nat inside
>
>
> 2010/5/21 Adrian Brayton <abrayton_at_gmail.com>
>
>> Do you have "ip nat inside" "ip nat outside" on your interfaces? I don't
>> see it there?
>>
>>
>> On May 21, 2010, at 8:53 AM, Maarten Vervoorn wrote:
>>
>> > During a lab setup I encountered a strange behaviour.
>> >
>> > Lab setup
>> > S0/1 Fa0/0
>> > R1--------------R3---------------R5----------R1
>> >
>> > R3 is a NAT router which NATs 10.130.208.211 to 105.12.
>> > I want both addresses to be reachable and synchronous (ping 105.12 and
>> > receive a reply from 105.12, ping 208.211 and receive a reply from
>> > 208.211).
>> > After some configurations I configured a route-map with a deny any
>> > statement. Both 105.12 and 208.211 are reachable and reply synchronous. But
>> > I do not know why, if I ping 105.12 from R5 or R1, I receive a reply from
>> > 105.12, because the route-map has a deny any.
>> >
>> > Can anyone clarify this?
>> >
>> > Config R3
>> > interface Loopback1
>> > ip address 10.15.105.1 255.255.255.0
>> > !
>> > interface FastEthernet0/0
>> > ip address 10.15.98.1 255.255.255.0
>> > !
>> > interface Serial1/0
>> > ip address 10.130.208.254 255.255.255.128
>> > !
>> > ip nat inside source static 10.130.208.211 10.15.105.12 route-map test
>> > !
>> > ip access-list standard NAT
>> > deny any
>> > !
>> > logging alarm informational
>> > access-list 100 permit icmp any any
>> > !
>> > route-map test permit 10
>> > match ip address NAT
>> > !
>> > !

Received on Fri May 21 2010 - 21:59:39 ART
