Problem
You want to use route maps to give finer control over your static NAT translation rules.
Solution
One of the best uses of this feature appears when you have two Internet Provider connections and you want to use distinct NAT rules for each:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 172.16.1.5 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 172.16.2.5 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#interface FastEthernet0/2
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#ip nat inside source route-map ISP-1 interface FastEthernet0/0 overload
Router(config)#ip nat inside source route-map ISP-2 interface FastEthernet0/1 overload
Router(config)#route-map ISP-1 permit 10
Router(config-route-map)#match interface FastEthernet0/0
Router(config-route-map)#exit
Router(config)#route-map ISP-2 permit 10
Router(config-route-map)#match interface FastEthernet0/1
Router(config-route-map)#exit
Router(config)#end
Router#
Discussion
This example shows a relatively common situation in which a network has two Internet connections for redundancy. Note that we don't show the redundancy mechanism here, but it could be handled by BGP, for example. There are three Fast Ethernet interfaces on this router, one for each of the two Internet Service Providers, and one for the internal network.
To understand the problem that we are looking at here, consider the standard ip nat inside source command that we used in Recipe 21.1:
Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255
Router(config)#ip nat inside source list 15 interface FastEthernet0/0 overload
This rule translates the source address of every outbound packet to the address of one of the two external connections. As long as all of the traffic uses that particular interface there is no problem, but then there is not much point in paying for the second connection. So consider what happens to packets that are transmitted through the second connection while this rule is in effect. There are two possible consequences. The Internet Service Provider might accept a source address that belongs to the wrong network and forward the packet normally; the return path from the destination would then try to use the first Internet connection, which is bad because that connection might be down. Or, more likely, the second Internet provider will simply drop the packet because it appears to have a spoofed source address.
Instead, by using route maps in our ip nat command, we can specify two different rules, one for each of the two service providers:
Router(config)#ip nat inside source route-map ISP-1 interface FastEthernet0/0 overload
Router(config)#ip nat inside source route-map ISP-2 interface FastEthernet0/1 overload
The first line specifies that any packets matching the route map ISP-1 should have their source addresses changed to match the address on FastEthernet0/0. The second line specifies that packets matching the second route map should translate to the second interface's address.
The corresponding route maps simply match on the interface through which the router is about to forward each packet:
Router(config)#route-map ISP-1 permit 10
Router(config-route-map)#match interface FastEthernet0/0
Router(config-route-map)#exit
Router(config)#route-map ISP-2 permit 10
Router(config-route-map)#match interface FastEthernet0/1
Router(config-route-map)#exit
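The pairing that makes this work is that each route map matches the same interface its NAT rule translates to. As an added check (not part of the recipe or of IOS), the following Python script parses a constructed running-config excerpt mirroring the configuration above and flags any route-map NAT rule whose match interface and translation interface disagree, or whose translation interface is not marked ip nat outside; either mistake reproduces the mis-sourced traffic the Discussion describes.

```python
import re

# Constructed running-config excerpt mirroring the recipe's configuration.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip nat outside
interface FastEthernet0/1
 ip nat outside
interface FastEthernet0/2
 ip nat inside
ip nat inside source route-map ISP-1 interface FastEthernet0/0 overload
ip nat inside source route-map ISP-2 interface FastEthernet0/1 overload
route-map ISP-1 permit 10
 match interface FastEthernet0/0
route-map ISP-2 permit 10
 match interface FastEthernet0/1
"""

def parse_config(text):
    """Return (NAT roles per interface, route-map NAT rules, route-map matches)."""
    interfaces, nat_rules, route_maps = {}, [], {}
    current = None  # ("interface", name) or ("route-map", name) being parsed
    for line in text.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = ("interface", m.group(1))
            interfaces.setdefault(m.group(1), set())
        elif m := re.match(r"route-map (\S+) (permit|deny) \d+", line):
            current = ("route-map", m.group(1))
            route_maps.setdefault(m.group(1), set())
        elif m := re.match(r"ip nat inside source route-map (\S+) interface (\S+)", line):
            nat_rules.append((m.group(1), m.group(2)))
        elif current and line.startswith(" "):  # indented sub-command of a block
            kind, name, body = *current, line.strip()
            if kind == "interface" and body in ("ip nat inside", "ip nat outside"):
                interfaces[name].add(body)
            elif kind == "route-map" and (m := re.match(r"match interface (\S+)", body)):
                route_maps[name].add(m.group(1))
    return interfaces, nat_rules, route_maps

def audit_nat_rules(text):
    """Flag rules whose route map does not match the interface they translate to,
    and translation interfaces that are not marked 'ip nat outside'."""
    interfaces, nat_rules, route_maps = parse_config(text)
    findings = []
    for rm, nat_if in nat_rules:
        matched = route_maps.get(rm, set())  # empty if the route map is undefined
        if nat_if not in matched:
            findings.append(f"{rm}: matches {sorted(matched)} but translates to {nat_if}")
        if "ip nat outside" not in interfaces.get(nat_if, set()):
            findings.append(f"{rm}: {nat_if} is not 'ip nat outside'")
    return findings
```

Running audit_nat_rules on the recipe's configuration returns an empty list; swapping one route map's match interface, or dropping ip nat outside from an ISP-facing interface, produces a finding naming the rule.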
See Also
Recipe 21.1