Question:
This is a C2901-VSEC running IOS 12.2. I'm attempting to discern if these two NAT statements conflict.
One appears to be a PAT and the other a one-to-one NAT for the same inside host. If that is true, would this function correctly?
The public .234 is the router interface and the public .235 is part of the outside range, but again the same inside host is used. Since the second statement looks like a one-to-one NAT, is the route-map just adding the NAT exemption onto it?
ip nat inside source static tcp 192.168.1.18 3389 24.x.y.234 3389 extendable
ip nat inside source static 192.168.1.18 24.x.y.235 route-map static-sec extendable
route-map static-sec permit 10
match ip address 100
match interface Ethernet1/0
access-list 100 deny ip host 192.168.1.18 host 172.16.1.4
access-list 100 deny ip host 192.168.1.18 host 172.16.1.3
access-list 100 deny ip host 192.168.1.18 host 172.16.1.2
access-list 100 deny ip host 192.168.1.18 host 172.16.1.1
access-list 100 permit ip host 192.168.1.18 any
Can someone clear me up on this? Thanks.
Answer:
In my personal opinion, these two statements should not conflict.
The first statement establishes a static translation entry in the NAT table with the correspondence
192.168.1.18:3389 <---> 24.x.y.234:3389
Every time a packet appears going to IP:TCP port 24.x.y.234:3389, it will be immediately translated to 192.168.1.18:3389, and vice versa. The IOS should not go through dynamic NAT/PAT entries because the static entry for this traffic will always be present and found in the NAT table, not requiring the IOS to ever generate a dynamic mapping.
The second statement actually establishes a conditional translation entry. A translation will be performed only if the route-map conditions are both met:
the traffic must be permitted by the ACL 100, and
the traffic must be routed out the interface E1/0
You could say it is a kind of NAT Exemption, but for a different global (public) IP address.
If you configure both these statements in a router, the show ip nat translation will show you this:
R1(config)#do show ip nat tran
Pro Inside global Inside local Outside local Outside global
tcp 24.1.2.234:3389 192.168.1.18:3389 --- ---
--- 24.1.2.235 192.168.1.18 --- ---
R1(config)#
Note that both entries are prepared in the NAT table as a sort of template. An actual packet going through this NAT table will either find a complete entry for its source/destination IP/protocol/port, or will hit the template translation entry, and a new specific record will be created for it.
My unwarranted assumption here is that the best match is always used, i.e. if the packet is TCP/192.168.1.18:3389, it will be handled by the first entry and not by the second one. In any case, you can always remove these doubts - and this is what I recommend - by having the NAT configurations explicitly apply to disjoint traffic. In your case, a line should be prepended to ACL 100 saying:
access-list 100 deny tcp host 192.168.1.18 eq 3389 any
This will make the route-map based translation never apply to the static PAT entry. For more info, http://lilirouter.livejournal.com/7641.html
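As an added illustration (not part of the original answer), the following Python model applies Cisco first-match ACL semantics to ACL 100 as posted, and to ACL 100 with the recommended deny line prepended, to show which of the two NAT statements a given packet from 192.168.1.18 could satisfy. It assumes, as a simplification, that the static PAT entry's match condition is simply "TCP sourced from 192.168.1.18 port 3389" and that the route-map entry requires an ACL permit plus egress via Ethernet1/0; the packets and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Ace:
    """One access-list entry; sport is the 'eq <port>' source-port qualifier."""
    action: str
    proto: str              # "ip" matches any protocol, otherwise e.g. "tcp"
    src: str                # CIDR; "host x" -> x/32, "any" -> 0.0.0.0/0
    dst: str
    sport: Optional[int] = None

# Constructed mirror of ACL 100 exactly as it appears in the question.
ACL_ORIGINAL = [
    Ace("deny", "ip", "192.168.1.18/32", "172.16.1.4/32"),
    Ace("deny", "ip", "192.168.1.18/32", "172.16.1.3/32"),
    Ace("deny", "ip", "192.168.1.18/32", "172.16.1.2/32"),
    Ace("deny", "ip", "192.168.1.18/32", "172.16.1.1/32"),
    Ace("permit", "ip", "192.168.1.18/32", "0.0.0.0/0"),
]
# Same ACL with the recommended line prepended:
# access-list 100 deny tcp host 192.168.1.18 eq 3389 any
ACL_FIXED = [Ace("deny", "tcp", "192.168.1.18/32", "0.0.0.0/0", 3389)] + ACL_ORIGINAL

def acl_permits(acl, proto, src, dst, sport):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ip_address(src) not in ip_network(ace.src):
            continue
        if ip_address(dst) not in ip_network(ace.dst):
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        return ace.action == "permit"
    return False

def nat_candidates(acl, proto, src, dst, sport, egress):
    """Return the NAT statements whose match conditions this packet satisfies
    (assumed simplified matching; the real IOS lookup order is not modelled)."""
    hits = []
    if proto == "tcp" and src == "192.168.1.18" and sport == 3389:
        hits.append("static PAT 24.x.y.234:3389")
    if egress == "Ethernet1/0" and acl_permits(acl, proto, src, dst, sport):
        hits.append("route-map static NAT 24.x.y.235")
    return hits
```

With the original ACL an RDP reply from 192.168.1.18:3389 satisfies both statements; with the prepended deny only the static PAT remains, so the two translations apply to disjoint traffic.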