Using Route Maps to Refine Static Translation Rules
Problem
You want to use route maps to give
finer control over your static NAT translation rules.
Solution
One of the best uses of this feature appears when you have two
Internet Provider connections and you want to use distinct NAT rules for
each:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 172.16.1.5 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 172.16.2.5 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#interface FastEthernet0/2
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#ip nat inside source route-map ISP-1 interface FastEthernet0/0 overload
Router(config)#ip nat inside source route-map ISP-2 interface FastEthernet0/1 overload
Router(config)#route-map ISP-1 permit 10
Router(config-route-map)#match interface FastEthernet0/0
Router(config-route-map)#exit
Router(config)#route-map ISP-2 permit 10
Router(config-route-map)#match interface FastEthernet0/1
Router(config-route-map)#exit
Router(config)#end
Router#
Discussion
This example shows a relatively common situation in which a
network has two Internet connections for redundancy. Note that we don't show the
redundancy mechanism here, but it could be handled by BGP, for example. There
are three Fast Ethernet interfaces on this router, one for each of the two
Internet Service Providers, and one for the internal network.
To understand the problem that we are looking at here, consider
the standard ip nat inside source command that we used in Recipe
21.1:
Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#ip nat inside source list 15 interface FastEthernet0/0 overload
This rule translates the source address in all outbound packets
to the address on one of the two external connections. As long as all of the
traffic uses this particular interface, there is no problem, but then there's
not much point in paying for the second connection. So consider what happens to
any packets that are transmitted through the second connection when this rule is
used. There are two possible consequences. The Internet Service Provider might
accept the source address for the wrong network and forward the packet normally,
and the return path from the destination might try to use the first Internet
connection, which is bad because it might be down. Or, more likely, the second
Internet provider will simply drop the packet because it appears to have a
spoofed source address.
Instead, by using route maps in our ip nat command, we can specify two different rules,
one for each of the two service providers:
Router(config)#ip nat inside source route-map ISP-1 interface FastEthernet0/0 overload
Router(config)#ip nat inside source route-map ISP-2 interface FastEthernet0/1 overload
The first line specifies that any packets matching the route
map ISP-1 should have their source addresses changed to match the
address on FastEthernet0/0. The second line specifies that packets
matching the second route map should translate to the second interface's
address.
The corresponding route maps simply match on the interfaces
that the router wants to forward these packets through:
Router(config)#route-map ISP-1 permit 10
Router(config-route-map)#match interface FastEthernet0/0
Router(config-route-map)#exit
Router(config)#route-map ISP-2 permit 10
Router(config-route-map)#match interface FastEthernet0/1
Router(config-route-map)#exit
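The following is an added illustration, not part of the recipe: a small Python model of the two NAT policies discussed above, showing why the single access-list rule from Recipe 21.1 breaks for traffic that leaves through the second ISP while the route-map rules do not. The interface addresses are the recipe's; the routing decision and the ISP-side anti-spoofing filter (each ISP accepts only sources from the /30 it assigned to the router) are assumptions made for the model.

```python
# Added example (not from the recipe): models the recipe's two NAT policies and
# an assumed ISP ingress filter to show which translated packets get accepted.
from ipaddress import ip_address, ip_network

# Outside interfaces and their addresses, exactly as configured in the recipe.
OUTSIDE = {"FastEthernet0/0": "172.16.1.5", "FastEthernet0/1": "172.16.2.5"}

# Assumed ISP anti-spoofing filter: each provider accepts only sources that
# fall inside the point-to-point /30 it assigned to the customer router.
ISP_ACCEPTS = {
    "FastEthernet0/0": ip_network("172.16.1.4/30"),
    "FastEthernet0/1": ip_network("172.16.2.4/30"),
}

def egress_interface(dst):
    """Constructed routing decision (assumption): one destination block is
    reached via ISP-2, everything else via ISP-1."""
    if ip_address(dst) in ip_network("203.0.113.0/24"):
        return "FastEthernet0/1"
    return "FastEthernet0/0"

def nat_with_access_list(src, egress):
    """Recipe 21.1 style: 'ip nat inside source list 15 interface Fa0/0 overload'.
    Any inside source permitted by access-list 15 is translated to Fa0/0's
    address regardless of the interface the packet actually leaves through."""
    if ip_address(src) in ip_network("192.168.0.0/16"):
        return OUTSIDE["FastEthernet0/0"]
    return src  # not matched by the access list: left untranslated

def nat_with_route_map(src, egress):
    """Route-map style: 'match interface Fa0/x' picks the rule whose outside
    address belongs to the link the packet is really being forwarded on."""
    return OUTSIDE.get(egress, src)

def forward(policy, src, dst):
    """Return (egress, translated_src, accepted_by_isp) for one outbound packet."""
    egress = egress_interface(dst)
    translated = policy(src, egress)
    accepted = ip_address(translated) in ISP_ACCEPTS[egress]
    return egress, translated, accepted

if __name__ == "__main__":
    for policy in (nat_with_access_list, nat_with_route_map):
        for dst in ("198.51.100.9", "203.0.113.7"):  # constructed destinations
            print(policy.__name__, dst, forward(policy, "192.168.1.10", dst))
```

Run as a script, the access-list policy shows the packet toward 203.0.113.7 leaving FastEthernet0/1 with source 172.16.1.5 and being rejected, while the route-map policy translates it to 172.16.2.5 and it is accepted.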