[c-nsp] Pros/cons of ip nat "list" vs "route-map"

Tuc at T-B-O-H.NET ml at t-b-o-h.net
Mon Jul 30 16:11:52 EDT 2007


Hi Steve,

	A lot of what I put was for "example" purposes only. I was mainly trying to find the 
pros/cons of the "list X" versus "route-map Y" in the "ip nat inside source" statement. I
wandered a little bringing up my issue.

       BUT, if it maybe helps make things clearer....


PERIAUGER-Gig0/0========C3640-E0/0
HUGHES==================C3640-E1/0
                    E0/1|    |E1/1
                        |    | 
                        |2924|
                         | | 
			(machines)


	Periauger is a client's router where he originally used the SDM/web to set his
router up. His interface is the Gig0/0 I have below, a public IP as the main, and 
privates as the secondaries. I followed another guide so I could do tracking of the
connectivity with PERIAUGER and HUGHES and decide which path I want to go out on.
The example I took on it for my E0/0 and E1/0 used "ip nat inside source route-map Y"
(The original I took from was http://www.nil.si/ipcorner/SmallSiteMultiHoming).

	The *MAIN* question is what were the pros/cons of doing the "list X" over
"route-map Y".

	But, to confuse things, I was saying that I had an issue telnetting to my 3640
from PERIAUGER. Even though a secondary on PERIAUGER is in the same subnet as my 
3640, it still used the primary IP to do the telnet request. However, I can't telnet
to the 3640. When I check the "sho ip nat trans" table, I saw what looked like it
trying to NAT the request inbound. I was thinking this happens BECAUSE I use the route-map
to ethernet interfaces approach. PERIAUGER doesn't seem to suffer from this because 
it looks like, since he is only NATing a very specific set of IPs, it lets it through.
I wanted some confirmation that this was happening, or maybe some trick to either get
PERIAUGER to telnet from its IP assigned in the same subnet, which I hope wouldn't cause
a NAT to attempt to occur. (I might be wrong, I've never tried this before)

			Thanks, Tuc

> 
> Hi Tuc,
>  can you provide a basic diagram, I'm confused reading the below. Also, what outside nat translations do you have that you are referring to....
> 
> Steve
> 
> On Mon, Jul 30, 2007 at 02:36:23PM -0400, Tuc at T-B-O-H.NET wrote:
> > Hi,
> > 
> > 	Recently I've gotten more into doing NAT at sites. I've noticed
> > that it seems that when customers use the GUI, it does something like :
> > 
> > ip nat inside source list 2 interface Serial0/1/0 overload
> > access-list 2 remark SDM_ACL Category=18
> > access-list 2 permit 192.168.25.0 0.0.0.255
> > access-list 2 permit 192.168.50.0 0.0.0.255
> > access-list 2 permit 192.168.75.0 0.0.0.255
> > access-list 2 permit 10.0.0.0 0.0.0.255
> > 
> > 
> > 	I set up a router at my own site, using an example from another
> > site (Just because of dual transits, ip sla monitoring, tracking, etc)
> > and it used :
> > 
> > ip nat inside source route-map HUGHES interface Ethernet1/0 overload
> > ip nat inside source route-map SEABREEZE interface Ethernet0/0 overload
> > 
> > route-map HUGHES permit 10
> >  match interface Ethernet1/0
> > !
> > route-map SEABREEZE permit 10
> >  match interface Ethernet0/0
> > 
> > 
> > 	Is there one that is generally "more preferred" over the other?
> > Are there advantages of one over the other? 
> > 
> > 	One of the things I can't seem to do on my config is telnet
> > into the "ip nat outside" ports on the router. If I do, I get an entry
> > in the NAT table for :
> > 
> > Pro Inside global      Inside local       Outside local      Outside global
> > tcp 192.168.75.49:3    192.168.75.49:23   208.45.247.233:25922 208.45.247.233:25922
> > 
> > 	so it looks like it's being subject to NAT even though I'm trying to reach
> > the 192.168.75.49 locally (And yea, I can do it, since I'm trying to telnet from
> > a "directly attached" interface on the opposing router configured as :
> > 
> > interface GigabitEthernet0/0
> >  description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
> >  ip address 10.0.0.1 255.255.255.0 secondary
> >  ip address 192.168.75.1 255.255.255.0 secondary
> >  ip address 192.168.50.1 255.255.255.0 secondary
> >  ip address 208.45.247.233 255.255.255.248
> >  no ip redirects
> >  no ip unreachables
> >  no ip proxy-arp
> >  ip nat inside
> >  ip virtual-reassembly
> >  ip route-cache flow
> >  duplex auto
> >  speed auto
> >  no mop enabled
> > 
> > 	(Though, I *WISH* it would try to telnet from the 75.1, which is in the same
> > subnet as my 75.49!)
> > 
> > 			Thanks, Tuc
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
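Added example, not from either poster's configs: the two "ip nat inside source" styles the thread compares, side by side, with the route-map form constrained by an ACL so it is as selective about sources as the "list" form. Interface names and the 192.168.75.0/24 and 10.0.0.0/24 ranges come from the quoted configs; the ACL numbers/names and the 203.0.113.0/29 outside subnet are constructed placeholders.

```cisco
! Added example (not the thread's own config). 203.0.113.0/29, ACL 10 and
! ACL NAT-INSIDE are constructed; interface names follow the quoted 3640.
!
! --- Style 1: "list X": translation decided purely by source address.
! Only explicitly permitted inside sources are ever translated; everything
! else crossing the NAT boundary passes untouched.
access-list 10 permit 192.168.75.0 0.0.0.255
access-list 10 permit 10.0.0.0 0.0.0.255
ip nat inside source list 10 interface Ethernet0/0 overload
!
! --- Style 2: "route-map Y": translation decided by exit interface, which
! is why the multihoming example uses it (one overload per transit).
! A route-map that matches only the interface translates every flow that
! leaves it. Adding an ACL match (all match lines in a clause are ANDed)
! keeps the per-uplink selection but limits it to the intended sources,
! and lets you exempt flows that should never be translated.
ip access-list extended NAT-INSIDE
 remark leave traffic to the directly connected outside subnet untranslated
 deny   ip 192.168.75.0 0.0.0.255 203.0.113.0 0.0.0.7
 deny   ip 10.0.0.0 0.0.0.255 203.0.113.0 0.0.0.7
 permit ip 192.168.75.0 0.0.0.255 any
 permit ip 10.0.0.0 0.0.0.255 any
!
route-map SEABREEZE permit 10
 match ip address NAT-INSIDE
 match interface Ethernet0/0
!
route-map HUGHES permit 10
 match ip address NAT-INSIDE
 match interface Ethernet1/0
!
ip nat inside source route-map SEABREEZE interface Ethernet0/0 overload
ip nat inside source route-map HUGHES interface Ethernet1/0 overload
!
! Check which flows actually get entries after the change:
! show ip nat translations
! show ip nat statistics
```

Use "clear ip nat translation *" after editing the ACL or route-map, since existing entries keep their old decision until they age out.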


