
Route Maps & ACLs

Status
Not open for further replies.

steveredman

IS-IT--Management
Jun 16, 2008
Good morning,

Could someone try to explain to me how route maps are meant to be used in the situation where VPN and NAT co-exist?

I have a NAT rule as follows;-

ip nat inside source static tcp 10.0.0.6 443 x.x.x.x 443 route-map SDM_RMAP_1 extendable

Then later on this;-

route-map SDM_RMAP_1 permit 1
match ip address 126

And also this;-

access-list 126 remark 10.0.0.6
access-list 126 remark SDM_ACL Category=2
access-list 126 deny ip any 192.168.1.0 0.0.0.255
access-list 126 deny ip any 10.2.0.0 0.0.0.255
access-list 126 deny ip any any

I was wondering how the ACL is used, what direction of traffic it relates to and whether it is constructed correctly? The subnets in the ACL are the ranges used by networks connected by VPN. As I have other NAT mappings, can they all share the one route map, as the same info applies to all (the VPN addresses)?

Thanks
 
typically, combining static NAT with a route-map is used in scenarios where you are multihoming. a full router config might shed more light on what is going on. for a more detailed description of exactly why you'd use this type of config i'll defer to Cisco:

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Perhaps I've been going about this the wrong way, my goal is to have external ips/ports mapped to internal ips/ports to allow external access to servers running http, https and smtp whilst allowing machines on my network to access the internet through NAT. I also have a site to site VPN and do not want traffic destined for the remote site to get translated. Is there a better way to accomplish this?

Thanks,

Steve
 
absolutely. you just use a route-map in a different spot. For example, say you have a mailserver (192.168.10.25) on the internal network and you have a public IP range of 12.12.12.8/29 on your s0/1 interface. The remote end of your L2L VPN is on 10.10.10.0/24. You would do something like this:
Code:
access-list 101 deny ip 192.168.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip any any

route-map NONAT permit 10
  match ip address 101

ip nat inside source route-map NONAT interface s0/1 overload

ip nat inside source static tcp 192.168.10.25 25 12.12.12.9 25

The route-map uses the ACL 101 to define what traffic should be NATed. The first line in the ACL 101 says not to NAT any traffic sourced from 192.168.10.0 destined for 10.10.10.0. You'll have a crypto ACL set up defining the interesting traffic from 192.168.10.0 to 10.10.10.0 (and vice versa on the remote peer). The second line says any other traffic is ok to NAT. You'll then just use a normal Static NAT entry to permit outside SMTP access into your SMTP server.

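To make the decision order in the reply above concrete, here is a small Python model of that NAT policy. It is an added example, not code from the thread, from the poster, or from Cisco. It parses the configuration lines quoted in the reply (ACL 101, route-map NONAT, the overload rule and the static port forward), evaluates the ACL the way a route-map uses it (first matching entry wins, a deny means "this sequence does not match"), and consults static translations before the dynamic rule, which is the order IOS applies. The address on s0/1 (12.12.12.10) and the sample flows are assumptions; the thread only gives the 12.12.12.8/29 block. The parser also accepts the longer multi-deny ACLs posted later in the thread.

```python
"""Model of the NAT policy from the reply above: ACL 101 + route-map NONAT
drive the dynamic overload rule, with a static port forward beside it.
Added example, not code from the thread or from Cisco; the s0/1 address
and the sample flows are constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# ColdFlame's configuration lines, copied from the reply above.
CONFIG = """\
access-list 101 deny ip 192.168.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip any any
route-map NONAT permit 10
  match ip address 101
ip nat inside source route-map NONAT interface s0/1 overload
ip nat inside source static tcp 192.168.10.25 25 12.12.12.9 25
"""

# Assumption: the address configured on s0/1 (the thread gives only the /29 block).
INTERFACE_IPS = {"s0/1": "12.12.12.10"}


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class Policy:
    acls: dict = field(default_factory=lambda: defaultdict(list))        # number -> [Ace]
    route_maps: dict = field(default_factory=lambda: defaultdict(list))  # name -> [[seq, action, acl]]
    statics: list = field(default_factory=list)   # (proto, local, lport, global, gport)
    dynamics: list = field(default_factory=list)  # (route-map name, interface)


def _addr_spec(tok, i):
    """Consume one address spec ('any' | 'host A' | 'A WILDCARD'); return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    addr, wildcard = tok[i], tok[i + 1]
    if wildcard == "0.0.0.0":           # all-zero wildcard is a single host
        return ipaddress.ip_network(addr + "/32"), i + 2
    if wildcard == "255.255.255.255":   # all-ones wildcard is 'any'
        return ipaddress.ip_network("0.0.0.0/0"), i + 2
    # An IOS wildcard is a hostmask, which ipaddress accepts directly (contiguous masks only).
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False), i + 2


def parse_config(text):
    """Parse the subset of IOS syntax used in the thread into a Policy."""
    policy, current_map = Policy(), None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "access-list" and tok[2] in ("permit", "deny") and tok[3] == "ip":
            src, i = _addr_spec(tok, 4)
            dst, _ = _addr_spec(tok, i)
            policy.acls[int(tok[1])].append(Ace(tok[2], src, dst))
        elif tok[0] == "route-map":
            current_map = tok[1]
            policy.route_maps[current_map].append([int(tok[3]), tok[2], None])
        elif tok[:3] == ["match", "ip", "address"] and current_map:
            policy.route_maps[current_map][-1][2] = int(tok[3])
        elif tok[:5] == ["ip", "nat", "inside", "source", "static"]:
            policy.statics.append((tok[5], tok[6], int(tok[7]), tok[8], int(tok[9])))
        elif tok[:5] == ["ip", "nat", "inside", "source", "route-map"]:
            policy.dynamics.append((tok[5], tok[7]))
    return policy


def acl_lookup(policy, number, src, dst):
    """First matching entry wins; no match (or an undefined ACL) is an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in policy.acls.get(number, []):
        if src in ace.src and dst in ace.dst:
            return ace.action
    return "deny"


def route_map_permits(policy, name, src, dst):
    """Sequences are tried in order; an ACL deny means 'this sequence does not match', not 'drop'."""
    for seq, action, acl in sorted(policy.route_maps.get(name, []), key=lambda e: e[0]):
        if acl is not None and acl_lookup(policy, acl, src, dst) == "permit":
            return action == "permit", seq
    return False, None


def translate(policy, proto, src, sport, dst):
    """Return (global_ip, global_port, reason), or None when the flow leaves untranslated."""
    for s_proto, local, lport, glob, gport in policy.statics:   # static entries take precedence
        if s_proto == proto and src == local and sport == lport:
            return glob, gport, "static"
    for rmap, iface in policy.dynamics:                         # then the policy-driven overload
        permitted, seq = route_map_permits(policy, rmap, src, dst)
        if permitted:
            return INTERFACE_IPS[iface], None, f"overload via route-map {rmap} seq {seq}"
    return None


POLICY = parse_config(CONFIG)

if __name__ == "__main__":
    # Constructed flows: a client to the VPN peer LAN, the same client to the Internet, the mail server outbound.
    for flow in [("tcp", "192.168.10.40", 51000, "10.10.10.7"),
                 ("tcp", "192.168.10.40", 51001, "203.0.113.5"),
                 ("tcp", "192.168.10.25", 25, "203.0.113.5")]:
        print(flow, "->", translate(POLICY, *flow))
```

Run as a script it reports the client-to-VPN flow as untranslated, the client-to-Internet flow as overloaded onto s0/1 through NONAT sequence 10, and the mail server's port 25 flow as the static mapping. Feeding the same parser the ACL 126 and route-map SDM_RMAP_1 from the first post gives a route-map that never matches any flow, because an ACL made only of deny entries can never return a permit; that is the reason the ACL in that first post does not express "NAT everything except the VPN subnets".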
 
Thanks for that, so basically my static NATs don't need a route map but my dynamic NAT for general internet access does.
 
true, true...

 
So something like this then:-

ip nat inside source route-map NONAT interface Dialer0 overload
ip nat inside source static tcp 10.0.0.6 443 x.x.x.141 443
ip nat inside source static tcp 10.0.0.6 25 x.x.x.142 25
ip nat inside source static tcp 10.0.0.3 80 x.x.x.142 80
ip nat inside source static tcp 10.0.0.6 2525 x.x.x.142 2525
ip nat inside source static tcp 10.0.0.200 5900 x.x.x.142 5900
ip nat inside source static tcp 10.0.0.201 5900 x.x.x.142 5901
ip nat inside source static tcp 10.0.0.202 5900 x.x.x.142 5902
ip nat inside source static tcp 10.0.0.1 56912 x.x.x.142 56912
ip nat inside source static udp 10.0.0.1 56912 x.x.x.142 56912
!
logging trap debugging
logging 10.0.0.2
access-list 100 deny ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 10.1.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 10.2.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 100 deny ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 100 permit ip any any
access-list 120 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
access-list 160 permit tcp any host x.x.x.142 eq 2525
access-list 160 permit tcp any host x.x.x.142 eq smtp
access-list 160 permit tcp any host x.x.x.142 eq www
access-list 160 permit udp any host x.x.x.142 eq 56912
access-list 160 permit tcp any host x.x.x.142 eq 56912
access-list 160 permit tcp host 195.137.112.228 host x.x.x.142 range 5900 5902
access-list 160 permit ip 10.2.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 160 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 160 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 160 permit ahp any host x.x.x.142
access-list 160 permit esp any host x.x.x.142
access-list 160 permit udp any host x.x.x.142 eq isakmp
access-list 160 permit udp any host x.x.x.142 eq non500-isakmp
access-list 160 permit icmp any x.x.x.140 0.0.0.3
access-list 160 permit tcp any host x.x.x.141 eq 443
access-list 160 permit tcp any host x.x.x.142 eq cmd
access-list 160 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map NONAT permit 10
match ip address 100
 
without seeing the rest of your configs and knowing your network topology I'm going to say yes that it looks good.

 