Route Map in NAT
Cyanic
I have a configuration that uses a route map in a NAT command. I am not sure why it was put in or what it does, if anything. Does this make sense?
interface GigabitEthernet0/0
ip address 174.x.y.z 255.255.255.240 secondary
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip policy route-map nonat
!
interface GigabitEthernet0/1
ip address 209.x.y.z 255.255.255.224
ip nat outside
ip nat pool natpool-1 209.x.y.a 209.x.y.b netmask 255.255.255.224
ip nat inside source list 100 pool natpool-1 overload
ip nat inside source route-map nonat pool natpool-1
ip nat inside source static 10.0.0.23 209.x.y.c
access-list 100 permit ip 10.0.0.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 permit ip 174.x.y.z 0.0.0.15 any
access-list 125 permit ip 10.0.0.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 125 permit ip 10.0.0.0 0.0.0.255 192.168.200.0 0.0.0.255
route-map nonat permit 15
match ip address 125
set ip next-hop 172.30.2.2
Comments
kryolla
You're doing policy routing: as traffic comes into G0/0 going to destinations in the ACL, you are sending the traffic to 172.30.2.2, bypassing the IPv4 routing table.
Also doing NAT as traffic comes into G0/0 and out G0/1, i.e. the 10. network is getting translated to the 209. network.
Whatever is getting policy routed is not translated, and the rest is.
Don't quote me on this though.
Cyanic
So I guess I am wondering why the route map is used in two places.
It sounds like I could remove
ip nat inside source route-map nonat pool natpool-1
as this is not used, since the route-map traffic is being diverted by the route-map policy.
kryolla
It makes sense that it would be using the other NAT command, but if this is in a production network I would ask somebody else, or do it at your own risk. Nice little disclaimer, huh?
ip nat inside source list 100 pool natpool-1 overload
Cyanic
This is from a production router in my parent company. I am a contractor, so I don't work on their stuff, but their IT asked me to help them stop the 174.x.y.z network from getting NATed. That was easy, but looking over the config, this just struck me as odd. I think we will just leave it alone until I can lab test what exactly it does.
Thanks kryolla!
kryolla
Look at the translation table and see if it is doing overload. If it is, then you are using the NAT command with the ACL; just remove the permit 174 statement and it won't be translated.
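An added illustration, not from either poster: a small evaluator that applies the two ACLs from the posted config (IOS wildcard-mask, first-match semantics with an implicit deny) to a sample flow entering G0/0 and reports which statements it hits, which is the question the thread is circling. The 174.x.y.z subnet is masked in the post, so 174.0.0.0 below is a constructed stand-in, and the sample flows are constructed.

```python
import ipaddress
from typing import Optional

# ACL entries copied from the posted config as (src, src-wildcard, dst, dst-wildcard).
# "any" is written as 0.0.0.0 with an all-ones wildcard, which is how IOS stores it.
# 174.0.0.0 is a constructed placeholder for the masked 174.x.y.z /28 in the post.
ACL_100 = [  # referenced by: ip nat inside source list 100 pool natpool-1 overload
    ("10.0.0.0", "0.0.0.255", "192.168.200.0", "0.0.0.255"),
    ("10.0.0.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
    ("174.0.0.0", "0.0.0.15", "0.0.0.0", "255.255.255.255"),
]
ACL_125 = [  # referenced by: route-map nonat permit 15 / match ip address 125
    ("10.0.0.0", "0.0.0.255", "192.168.254.0", "0.0.0.255"),
    ("10.0.0.0", "0.0.0.255", "192.168.200.0", "0.0.0.255"),
]
PBR_NEXT_HOP = "172.30.2.2"  # from: set ip next-hop 172.30.2.2


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


def acl_permits(acl, src: str, dst: str) -> Optional[int]:
    """First-match evaluation; returns the 1-based entry number, or None for the implicit deny."""
    for i, (sb, sw, db, dw) in enumerate(acl, start=1):
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return i
    return None


def classify(src: str, dst: str) -> dict:
    """Which posted statements a flow arriving on G0/0 matches (not which one wins)."""
    nat_entry = acl_permits(ACL_100, src, dst)
    pbr_entry = acl_permits(ACL_125, src, dst)
    return {
        "nat_list_100_entry": nat_entry,      # candidate for the overload NAT statement
        "pbr_acl_125_entry": pbr_entry,       # hits route-map nonat (PBR and the NAT route-map)
        "next_hop": PBR_NEXT_HOP if pbr_entry else None,
    }


if __name__ == "__main__":
    for flow in [("10.0.0.5", "192.168.200.10"), ("10.0.0.5", "8.8.8.8"),
                 ("174.0.0.9", "8.8.8.8"), ("174.0.0.17", "8.8.8.8")]:
        print(flow, classify(*flow))
```

Note that a 10.0.0.0/24 host talking to 192.168.200.0/24 matches both ACL 100 and ACL 125, so the code only tells you the overlap exists; which statement the router actually applies is what the translation table or a lab test has to confirm.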