Re: NAT issue

Are you trying to get the traffic to take different paths? The
route-map statement with static NAT is used to influence path
selection.

On your route-map you have a deny any but no action after that, so
that route map matches no traffic and does not change anything. In
other words contines as default behavior which is to translate.

Check out:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html

I dont clearly understand what you are trying to accomplish?

On Fri, May 21, 2010 at 4:11 PM, Adrian Brayton <abrayton_at_gmail.com> wrote:
> Are the address's that you are pinging in the routing table? What I am trying
> to say is, is this one big IGP? The address that you are pinging should not be
> in the routing table of the router you are using to ping?
>
> Is that what is possibly happening?
>
>
> On May 21, 2010, at 3:59 PM, Maarten Vervoorn wrote:
>
>> Hi,
>>
>> Thanks for your reply
>>
>> I know the route-map is to identify the traffic. Sso with this NAT rule it
> should NOT nat anything. But is does. I can ping 10.15.105.12 from R5 and R1.
> But the Nat rule wasn't working right with a deny any. How come I can ping
> 10.15.105.12? I used the NAT rule with a route-map to select some traffice but
> it seems the NAT rule is doing something else. If if select only one netwerk
> it NATs every network the right way.
>>
>> The issue I had is that I needed both addresses reachable and reply from the
> same adres. So with a simple static inside nat if you ping 10.130.208.211 it
> replies with the natted adres 10.15.105.12. Most connections of application
> can't deal with that. So I implemented a route-map in which I can select the
> networks. If I made a route-map and only selected 10.15.243.0/24 it als natted
> 10.15.98.0/24 both synchronous replies. So then I tried with a deny any and
> yes as I expected its still nating to all networks and synchronous. But I
> can't figure out why this is the case. I thought indeed NAT did not work with
> a route-map deny any. But it seems it did.
>>
>> Debugging says its natting all the right way debugging icmp packets I see
> both syncronous replys, so a ping to 105.12 replies with 105.12 and ping yo
> 208.211 replies with 211.
>>
>> So my question basicly is what is this route-map doing in the NAt rule
> because it should deny everything so nothing should be translated. But it does
> everything is natted
>>
>> Kind regards,
>>
>> Maarten Vervoorn
>> http://ccie.forumotion.com
>>
>> 2010/5/21 Adrian Brayton <abrayton_at_gmail.com>
>> Sorry about the delay... What are the debugs saying?
>>
>> I am having a hard time following exactly what you are trying to do but I do
> have a question or two.
>>
>> With your route-map statement, you have an ACL that denies everything. Now,
> with your route-map on the nat translation it is just telling it to not
> translate anything. Now when you remove the route-map statement it should now
> be doing the NAT translations.
>>
>> I could be wrong but I think you are using the route-map the incorrect way.
> The route-map is meant to identify traffic that you want to translate, if it
> doesnt match the route-map it wont be translated if it does then it will.
>>
>>
>> On May 21, 2010, at 9:12 AM, Maarten Vervoorn wrote:
>>
>>> Yes I have, and if had hadn't it wouldn't work. I forgot to copy this. It
> works perfectly I only do not understand why. The route-maps denies
> everything. I'm able to ping from the outside routers the NAT adres
> 10.15.105.12 and it even replies from that Natted addres. Its exactly what I
> want. But if I remove the route-map If I ping 10.130.208.211 it will reply
> from 10.15.105.12. If I add the route-map it replies with 208.211 and also
> replies to 105.12
>>> What does this route-map excactly do here?
>>>
>>> interface Loopback1
>>> ip address 10.15.105.1 255.255.255.0
>>> ip nat outside
>>> interface FastEthernet0/0
>>> ip address 10.15.98.1 255.255.255.0
>>> ip nat outside
>>> interface Serial1/0
>>> ip address 10.130.208.254 255.255.255.128
>>> ip nat inside
>>>
>>>
>>> 2010/5/21 Adrian Brayton <abrayton_at_gmail.com>
>>> Do you have "ip nat inside" "ip nat outside" on your interfaces? I dont see
> it there?
>>>
>>>
>>> On May 21, 2010, at 8:53 AM, Maarten Vervoorn wrote:
>>>
>>> > During a lab setup I encounterd on a strange behaviour.
>>> >
>>> > Lab setup
>>> > S0/1 Fa0/0
>>> > R1--------------R3---------------R5----------R1
>>> >
>>> > R3 is a nat router which nat 10.130.208.211 to 105.12
>>> > I want both addresses to be reachable and synchronous (ping 105.12 and
>>> > receive a reply from 105.12, ping 208.211 and a receive a reply form
>>> > 208.211)
>>> > After some configurations I configurated a route-map with a deny any
>>> > statement. Both 105.12 and 208.211 are reachable and reply synchronous.
> But
>>> > I do not know why if I ping 105.12 from R5 or R1 i receive a reply form
>>> > 105.12 because the route-map has a deny any.
>>> >
>>> > Can anyone clarify this?
>>> >
>>> > Config R3
>>> > interface Loopback1
>>> > ip address 10.15.105.1 255.255.255.0
>>> > !
>>> > interface FastEthernet0/0
>>> > ip address 10.15.98.1 255.255.255.0
>>> > !
>>> > interface Serial1/0
>>> > ip address 10.130.208.254 255.255.255.128
>>> > !
>>> > ip nat inside source static 10.130.208.211 10.15.105.12 route-map test
>>> > !
>>> > ip access-list standard NAT
>>> > deny any
>>> > !
>>> > logging alarm informational
>>> > access-list 100 permit icmp any any
>>> > !
>>> > route-map test permit 10
>>> > match ip address NAT
>>> > !
>>> > !
>>> >
>>> >
>>> > Blogs and organic groups at http://www.ccie.net
>>> >
>>> > _______________________________________________________________________
>>> > Subscription information may be found at:
>>> > http://www.groupstudy.com/list/CCIELab.html
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Fri May 21 2010 - 16:37:52 ART