[c-nsp] Pros/cons of ip nat "list" vs "route-map"
Tuc at T-B-O-H.NET
ml at t-b-o-h.net
Mon Jul 30 14:36:23 EDT 2007
Hi,

Recently I've gotten more into doing NAT at sites. I've noticed
that it seems that when customers use the GUI, it does something like:

    ip nat inside source list 2 interface Serial0/1/0 overload
    access-list 2 remark SDM_ACL Category=18
    access-list 2 permit 192.168.25.0 0.0.0.255
    access-list 2 permit 192.168.50.0 0.0.0.255
    access-list 2 permit 192.168.75.0 0.0.0.255
    access-list 2 permit 10.0.0.0 0.0.0.255

I set up a router at my own site, using an example from another
site (just because of dual transits, ip sla monitoring, tracking, etc.)
and it used:

    ip nat inside source route-map HUGHES interface Ethernet1/0 overload
    ip nat inside source route-map SEABREEZE interface Ethernet0/0 overload
    route-map HUGHES permit 10
     match interface Ethernet1/0
    !
    route-map SEABREEZE permit 10
     match interface Ethernet0/0

Is there one that is generally "more preferred" over the other?
Are there advantages of one over the other?

One of the things I can't seem to do on my config is telnet
into the "ip nat outside" ports on the router. If I do, I get an entry
in the NAT table for:

    Pro Inside global      Inside local       Outside local         Outside global
    tcp 192.168.75.49:3    192.168.75.49:23   208.45.247.233:25922  208.45.247.233:25922

so it looks like it's being subject to NAT even though I'm trying to reach
the 192.168.75.49 locally (And yea, I can do it, since I'm trying to telnet from
a "directly attached" interface on the opposing router configured as:

    interface GigabitEthernet0/0
     description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
     ip address 10.0.0.1 255.255.255.0 secondary
     ip address 192.168.75.1 255.255.255.0 secondary
     ip address 192.168.50.1 255.255.255.0 secondary
     ip address 208.45.247.233 255.255.255.248
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     ip route-cache flow
     duplex auto
     speed auto
     no mop enabled

(Though, I *WISH* it would try to telnet from the 75.1, which is in the same
subnet as my 75.49!)

Thanks, Tuc