Using Route Maps to Refine Static Translation Rules

Problem

You want to use route maps to give finer control over your static NAT translation rules.

Solution

One of the best uses of this feature appears when you have two Internet Provider connections and you want to use distinct NAT rules for each:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 172.16.1.5 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 172.16.2.5 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#interface FastEthernet0/2
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#ip nat inside source route-map ISP-1 interface FastEthernet0/0 overload
Router(config)#ip nat inside source route-map ISP-2 interface FastEthernet0/1 overload
Router(config)#route-map ISP-1 permit 10
Router(config-route-map)#match interface FastEthernet0/0
Router(config-route-map)#exit
Router(config)#route-map ISP-2 permit 10
Router(config-route-map)#match interface FastEthernet0/1
Router(config-route-map)#exit
Router(config)#end
Router#

Discussion

This example shows a relatively common situation in which a network has two Internet connections for redundancy. Note that we don't show the redundancy mechanism here, but it could be handled by BGP, for example. There are three Fast Ethernet interfaces on this router, one for each of the two Internet Service Providers, and one for the internal network.

To understand the problem that we are looking at here, consider the standard ip nat inside source command that we used in Recipe 21.1:

Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#ip nat inside source list 15 interface FastEthernet0/0 overload

This rule translates the source address of every outbound packet from 192.168.0.0/16 to the address of FastEthernet0/0, regardless of which outside interface the packet actually leaves through. As long as all of the traffic uses that interface there is no problem, but then there's not much point in paying for the second connection. So consider what happens to a packet that is routed out through the second connection while this rule is in effect: it leaves FastEthernet0/1 carrying a source address that belongs to the first provider's network. There are two possible consequences. The second provider might accept the packet and forward it normally, in which case the reply is addressed to the first provider's address block and comes back over the first connection, which is bad because that link may be the one that is down. Or, more likely, the second provider will simply drop the packet at its edge, because a source address from another provider's block looks like a spoofed source, and ingress filtering (BCP 38) is designed to reject exactly that.

Instead, by using route maps in our ip nat command, we can specify two different rules, one for each of the two service providers:

Router(config)#ip nat inside source route-map ISP-1 interface FastEthernet0/0 overload
Router(config)#ip nat inside source route-map ISP-2 interface FastEthernet0/1 overload

The first line specifies that any packets matching the route map ISP-1 should have their source addresses changed to match the address on FastEthernet0/0. The second line specifies that packets matching the second route map should translate to the second interface's address.

The corresponding route maps simply match on the interface that the router has already decided to forward each packet through, so the translation is chosen after the routing decision and always agrees with it:

Router(config)#route-map ISP-1 permit 10
Router(config-route-map)#match interface FastEthernet0/0
Router(config-route-map)#exit
Router(config)#route-map ISP-2 permit 10
Router(config-route-map)#match interface FastEthernet0/1
Router(config-route-map)#exit
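One caveat a practitioner should notice: the route maps above match only on the outgoing interface, so unlike the access-list version from Recipe 21.1 they translate any packet that arrives on the inside interface, whatever its source address. The following configuration, which is an added example and not the book's own, combines both checks by adding `match ip address 15` to each route-map sequence (the two match clauses in one sequence are ANDed, so a packet must come from a permitted inside address and be routed out the named interface). Addressing is the same as in the Solution, and access-list 15 is the one from the Discussion:

```cisco
! Added example: two-ISP overload NAT whose route maps are restricted to
! the internal address range from access-list 15 as well as to the exit interface.
access-list 15 permit 192.168.0.0 0.0.255.255
!
interface FastEthernet0/0
 ip address 172.16.1.5 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 ip address 172.16.2.5 255.255.255.252
 ip nat outside
!
interface FastEthernet0/2
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Both match clauses in a sequence must be true: the source must be
! permitted by list 15 AND the packet must be routed out the named interface.
route-map ISP-1 permit 10
 match ip address 15
 match interface FastEthernet0/0
!
route-map ISP-2 permit 10
 match ip address 15
 match interface FastEthernet0/1
!
ip nat inside source route-map ISP-1 interface FastEthernet0/0 overload
ip nat inside source route-map ISP-2 interface FastEthernet0/1 overload
```

To check that the right rule is being hit, `show route-map ISP-1` and `show route-map ISP-2` report match counts for each sequence, and `show ip nat translations` shows which inside global address (172.16.1.5 or 172.16.2.5) each flow was given. Note that translation entries already in the table survive a routing change: after a failover to the other provider, existing entries keep pointing at the failed link until they time out, and `clear ip nat translation *` flushes them at the cost of dropping the sessions they belong to.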

See Also