Monday, August 18, 2008

NAT - Policy NAT with route-maps

Here is the topology. I use this for a lot of NAT scenarios. I have a dynamips file all ready to go for it :) The frame-relay network is 172.12.123.x where x is the router number. You can use whatever internal routing method you want.


Requirements:

When R5 telnets to 172.12.123.1 it should go through R2.
When R5 telnets to 172.12.123.1 port 3001 it should go through R3.

We will look at our NAT translations on R4 to verify.

First set up your outside interfaces (R4 to R2 and R4 to R3) and your inside interface (R4 to R5).

Next create two ACLs to match our two types of traffic:

R4(config)#access-list 102 permit tcp host 172.12.45.5 host 172.12.123.1 eq telnet
R4(config)#access-list 103 permit tcp host 172.12.45.5 host 172.12.123.1 eq 3001


Next create your route-maps. F0/0 connects R4 to R2, F2/0 connects R4 to R3:

route-map gotoR2
match ip address 102
set interface f0/0

route-map gotoR3
match ip address 103
set interface f2/0


Now create your NAT rules:

R4(config)#ip nat inside source route-map gotoR2 interface f0/0
R4(config)#ip nat inside source route-map gotoR3 interface f2/0


Let's head to R5 and do the telnet:

R5#telnet 172.12.123.1
Trying 172.12.123.1 ... Open


User Access Verification

Password:
R1>exit


Now check R4:

R4#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 172.12.24.4:16208 172.12.45.5:16208 172.12.123.1:23 172.12.123.1:23


Perfect. Now let's head back to R5 and telnet to port 3001 (remember to set up a rotary line on R1's vty)

R5#telnet 172.12.123.1 3001
Trying 172.12.123.1, 3001 ... Open


User Access Verification

Password:
R1>


On R4 we now see both translations. Notice the port numbers. Cisco calls these "fully extended" translation entries.

R4#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 172.12.24.4:16208 172.12.45.5:16208 172.12.123.1:23 172.12.123.1:23
tcp 172.12.34.4:29692 172.12.45.5:29692 172.12.123.1:3001 172.12.123.1:3001
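
To make that verification repeatable, here is a small parser for the fully extended entries of "show ip nat translations" that checks the requirement above: port 23 sessions must carry R4's address toward R2, port 3001 sessions the address toward R3. This is an added example, not part of the original post; it assumes 172.12.24.4 is R4's F0/0 address and 172.12.34.4 its F2/0 address, as the outputs above suggest.

```python
import re

# Constructed sample: the two entries R4 showed after both telnet sessions.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 172.12.24.4:16208  172.12.45.5:16208  172.12.123.1:23    172.12.123.1:23
tcp 172.12.34.4:29692  172.12.45.5:29692  172.12.123.1:3001  172.12.123.1:3001
"""

# Policy under test: destination port -> inside global address NAT must use.
# Assumption (inferred, not stated on the page): 172.12.24.4 is R4's F0/0
# address toward R2 and 172.12.34.4 is its F2/0 address toward R3.
EXPECTED = {23: "172.12.24.4", 3001: "172.12.34.4"}

# One fully extended entry: proto, then four addr:port columns.
ENTRY = re.compile(
    r"^(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<ig>\S+):(?P<ig_port>\d+)\s+"
    r"(?P<il>\S+):(?P<il_port>\d+)\s+"
    r"(?P<ol>\S+):(?P<ol_port>\d+)\s+"
    r"(?P<og>\S+):(?P<og_port>\d+)\s*$"
)


def parse_translations(text):
    """Parse fully extended 'show ip nat translations' entries.
    The header and any entry without ports (static, non-extended) are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "proto": d["proto"],
            "inside_global": d["ig"], "inside_global_port": int(d["ig_port"]),
            "inside_local": d["il"], "inside_local_port": int(d["il_port"]),
            "outside_global": d["og"], "outside_global_port": int(d["og_port"]),
        })
    return entries


def check_policy(entries, expected=EXPECTED):
    """Return (port, got, want) tuples for every entry whose inside global
    address is not the one the policy demands; an empty list means all good."""
    problems = []
    for e in entries:
        want = expected.get(e["outside_global_port"])
        if want is not None and e["inside_global"] != want:
            problems.append((e["outside_global_port"], e["inside_global"], want))
    return problems
```

The check only confirms which address NAT picked for each session; which interface the packet actually left through is a routing question the translation table cannot answer.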


Not too bad, eh? NAT is still pretty intimidating for me. I can get easy scenarios out of the way, but some examples such as this still have the potential to cause me trouble. Hopefully, by practicing and doing these scenarios without any help, I can get it down pat...pun intended :)

2 comments:

  1. Great job. It definitely helps.

  2. I am not sure that your output interface is set based on the set statement in the route-map. I think the set interface is ignored for the purposes of NAT, and the source IP address of traffic is selected by interface line in the ip nat statement.

    In other words, NAT correctly sets the source IP of traffic to the address of a specific interface, but that traffic will be forwarded out via routing. You could be forwarding traffic NATed to the IP of Fa0/0 out the Fa2/0 interface (and could receive responses on either interface, depending on routing).
