[AusNOG] Assistance needed with Cisco NAT & Route-maps
Jacob Bisby
ausnog at jdmnet.com.au
Tue Dec 3 00:36:34 EST 2013
Hi All
Had a couple of people ask for a problem resolution summary for archiving
purposes. It was not a problem as such, more a situation where I hadn't
come across this specific configuration before. I'm not comfortable with
having the specific config example I had archived, but these examples
should suffice.
Essentially we had lines of config like this:
ip nat inside source static tcp INSIDEIP INSIDEPORT OUTSIDEIP OUTSIDEPORT route-map ROUTEMAP extendable
route-map ROUTEMAP permit 10
 match ip address 108
 match interface Gi0/1
Access-list 108 is your choice of any entries comprised of private
subnets as 'source' with destinations to (any)where (either private or
public destinations).
This is the part where I add my disclaimer and say I didn't design this:
The goal was to figure out what exactly that route-map was achieving. In
this case, we have a bunch of segregated VLANs for separate clients, and
it seems to have been decided that at no point are they allowed to
communicate using the internal network. This means that if you're on one
VLAN and need to access a resource on the other, the client must exit
the network on their dedicated Public IP Address and then come back
through to the other client's Public IP Address. Seems messy to me but
at the same time, it's working and that's all it needs to do.
Typically this kind of configuration is used to force NATd traffic out a
specific WAN interface in the case of a multi-homed router as many
people have informed me over the past few days. The other common use
case seems to be on ASAs where NONAT configuration on VPNs is
required. In my case, it is technically the first use case; however, the
access-list 108 was used for multiple purposes, which made interpreting
its function difficult (for me) in the context of that route-mapped NAT
translation.
In my opinion, Cisco TAC didn't work on this router, and whoever has
really did a number on this one and I can't help but feel there were far
better ways to achieve this than with VLAN segregation and NAT
route-maps, etc. I'm not sure if any of you share my opinion but I feel
this would be better handled using VRF with some leaked routes as necessary?
My main concern is making this configuration scalable, which at the
moment I do not think will scale easily at all. Guess that's the fun
part though!
- Jacob
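A small config-audit script, added here as an example and not something from the thread or from Cisco, that flags the situation described above: an ACL that steers a route-map NAT translation while also being referenced for another purpose. The IOS config it parses is constructed; interface names, ACL numbers and addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample IOS config; values are placeholders, not the poster's real config.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 ip access-group 108 in
 ip nat outside
!
access-list 108 permit ip 10.10.0.0 0.0.255.255 any
access-list 120 permit ip 10.30.0.0 0.0.0.255 any
!
route-map ROUTEMAP permit 10
 match ip address 108
 match interface GigabitEthernet0/1
!
route-map VPN_NONAT deny 5
 match ip address 120
!
ip nat inside source static tcp 10.10.0.5 443 203.0.113.10 443 route-map ROUTEMAP extendable
ip nat inside source list 120 interface GigabitEthernet0/1 overload
"""

def acl_references(config):
    """Map ACL number -> set of top-level config contexts that reference it."""
    refs = defaultdict(set)
    context = None
    for line in config.splitlines():
        if not line.startswith(" "):  # top-level line: (re)set the current context
            context = line if line.startswith(("route-map ", "interface ")) else None
            m = re.match(r"ip nat inside source list (\d+)", line)
            if m:
                refs[m.group(1)].add(line)
            continue
        m = re.match(r"\s+(?:match ip address|ip access-group) (\d+)", line)
        if m and context:
            refs[m.group(1)].add(context)
    return refs

def overloaded_nat_acls(config):
    """ACLs used by a route-map on a static NAT *and* referenced somewhere else."""
    nat_maps = set(re.findall(
        r"^ip nat inside source static .* route-map (\S+)", config, re.M))
    findings = {}
    for acl, contexts in acl_references(config).items():
        nat_ctx = {c for c in contexts if c.startswith("route-map") and c.split()[1] in nat_maps}
        if nat_ctx and contexts - nat_ctx:
            findings[acl] = sorted(contexts - nat_ctx)
    return findings
```

Running `overloaded_nat_acls(SAMPLE_CONFIG)` reports ACL 108 as shared between the NAT route-map and an interface access-group, which is exactly the kind of dual use that makes the translation hard to read.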
On 29/11/2013 4:44 PM, Jacob Bisby wrote:
> Hi All
>
> Looking for someone to ping me off-list - just need some quick
> assistance / QA with some Cisco NAT / route-map config, have found
> some config which I can't find any documented examples of and I'm not
> entirely sure what it's achieving.
>
> Thanks in advance
>
> - Jacob