<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi All<br>
<br>
Had a couple of people ask for problem resolution summary for
archiving purposes. It was not a problem as such, more a situation
where I hadn't come across this specific configuration before. I'm
not comfortable with having the specific config example I had
archived, but these examples should suffice.<br>
<br>
Essentially we had lines of config like this:<br>
<br>
<pre wrap="">ip nat inside source static tcp INSIDEIP INSIDEPORT OUTSIDEIP OUTSIDEPORT route-map ROUTEMAP extendable

route-map ROUTEMAP permit 10
 match ip address 108
 match interface Gi0/1
</pre>
<br>
Access-list 108 is your choice of any entries comprised of private
subnets as 'source' with destinations to (any)where (either
private or public destinations).<br>
<br>
This is the part where I add my disclaimer and say I didn't design
this:<br>
<br>
The goal was to figure out what exactly that route-map was
achieving. In this case, we have a bunch of segregated VLANs for
separate clients, and it seems to have been decided that at no
point are they allowed to communicate using the internal network.
This means that if you're on one VLAN and need to access a
resource on the other, the client must exit the network on their
dedicated Public IP Address and then come back through to the
other client's Public IP Address. Seems messy to me but at the
same time, it's working and that's all it needs to do.<br>
<br>
Typically this kind of configuration is used to force NATed traffic
out a specific WAN interface in the case of a multi-homed router,
as many people have informed me over the past few days. The other
common use case seems to be on ASAs where NONAT configuration on
VPNs is required. In my case, it is technically the first use
case; however, the access-list 108 was used for multiple purposes,
which made interpreting its function difficult (for me) in the
context of that route-mapped NAT translation.<br>
<br>
<br>
In my opinion, Cisco TAC didn't work on this router, and whoever
has really did a number on this one and I can't help but feel
there were far better ways to achieve this than with VLAN
segregation and NAT route-maps, etc. I'm not sure if any of you
share my opinion but I feel this would be better handled using VRF
with some leaked routes as necessary?<br>
<br>
My main concern is making this configuration scalable, which at
the moment I do not think will scale easily at all. Guess
that's the fun part though!<br>
<br>
- Jacob<br>
<br>
<br>
On 29/11/2013 4:44 PM, Jacob Bisby wrote:<br>
</div>
<blockquote cite="mid:529853EC.2080500@jdmnet.com.au" type="cite">
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
<font size="-1"><font face="Arial">Hi All<br>
<br>
Looking for someone to ping me off-list - just need some quick
assistance / QA with some Cisco NAT / route-map config, have
found some config which I can't find any documented examples
of and I'm not entirely sure what it's achieving.<br>
<br>
Thanks in advance<br>
<br>
- Jacob<br>
</font></font> <br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
AusNOG mailing list
<a class="moz-txt-link-abbreviated" href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a>
<a class="moz-txt-link-freetext" href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
</pre>
</blockquote>
<br>
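Added example (not part of Jacob's messages or any Cisco code): a small Python model of how the route-mapped static NAT above decides whether a given flow is translated. It assumes the documented IOS semantics that several match clauses in one route-map sequence must all match (AND), that an ACL is evaluated first-match with an implicit deny, and that a static translation carrying a route-map applies only to packets that hit a permit sequence. The ACL 108 entries, VLAN subnets and interface names below are constructed sample values, not the original configuration.<br>
<br>
```python
"""Toy evaluator for a Cisco-style policy NAT route-map (added example).

Assumptions, all labelled: AND semantics between match clauses in one
route-map sequence; first-match ACL with implicit deny; translation only
on a 'permit' sequence. Sample data is constructed, not from the thread.
"""
import ipaddress
from dataclasses import dataclass, field

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def acl_permits(acl, src, dst):
    """First matching entry wins; an implicit deny closes the list (as on IOS)."""
    for entry in acl:
        if src in entry.src and dst in entry.dst:
            return entry.action == "permit"
    return False


@dataclass(frozen=True)
class RouteMapSeq:
    action: str                     # "permit" or "deny"
    acl: tuple                      # entries behind 'match ip address <n>'
    interfaces: frozenset = field(default_factory=frozenset)  # 'match interface ...'


def route_map_permits(seqs, src, dst, egress_if):
    """Walk sequences in order; every match clause in a sequence must hold.

    A sequence with no 'match interface' clause matches any egress interface.
    No matching sequence at all means the route-map does not select the packet.
    """
    for seq in seqs:
        acl_ok = acl_permits(seq.acl, src, dst)
        if_ok = (not seq.interfaces) or egress_if in seq.interfaces
        if acl_ok and if_ok:
            return seq.action == "permit"
    return False


# Constructed stand-in for 'access-list 108': two client VLAN subnets to anywhere.
ACL_108 = (
    AclEntry("permit", ipaddress.ip_network("10.10.0.0/24"), ANY),   # client A VLAN
    AclEntry("permit", ipaddress.ip_network("10.20.0.0/24"), ANY),   # client B VLAN
)

# Constructed stand-in for 'route-map ROUTEMAP permit 10' with both match clauses.
ROUTEMAP = (
    RouteMapSeq("permit", ACL_108, frozenset({"Gi0/1"})),
)


def is_translated(src, dst, egress_if, route_map=ROUTEMAP):
    """True when the static translation with 'route-map ROUTEMAP' is applied."""
    return route_map_permits(route_map,
                             ipaddress.ip_address(src),
                             ipaddress.ip_address(dst),
                             egress_if)


if __name__ == "__main__":
    # Client A host reaching client B's public IP via the WAN interface: translated.
    print(is_translated("10.10.0.5", "203.0.113.20", "Gi0/1"))   # True
    # Same flow leaving another interface: the interface clause fails, no NAT.
    print(is_translated("10.10.0.5", "203.0.113.20", "Gi0/2"))   # False
    # Source outside ACL 108: the ACL clause fails, no NAT.
    print(is_translated("192.168.50.9", "203.0.113.20", "Gi0/1"))  # False
```
<br>
The model makes the point the thread is circling: with both clauses in one sequence, a packet is only translated when it is sourced from a subnet permitted by ACL 108 *and* is leaving Gi0/1, so the same ACL being reused elsewhere does not change what this particular translation does.<br>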
</body>
</html>