Policy based routing with NAT

By: Sajid Ali Pathan

Static NAT configuration with the route-map option can be used to implement destination-based NAT scenarios, where the same inside local address needs to be translated to more than one inside global address depending on where the traffic is destined.

But how does NAT work with a route-map when we need source-based NAT, where each inside local address must be translated to a different inside global address belonging to a different ISP?
And what if there is also a Remote Server for which the inside addresses must not be NATed at all?

Refer to the diagram below. Two links from two different ISPs terminate on the same router, each serving a different host. There is also a Remote Server that must be reachable without NAT.

Main_RTR
!
!
!
interface FastEthernet0/1
 description *** REMOTE_RTR ***
 ip address 172.16.16.2 255.255.255.252
 speed auto
 duplex full
!
interface FastEthernet1/0
 description *** CLIENT_1 ***
 ip address 172.16.16.5 255.255.255.252
 ip nat inside
 ip policy route-map Policy_NAT
 speed auto
 duplex full
!
interface FastEthernet1/1
 description *** TO ISP_1 ***
 ip address 100.2.2.2 255.255.255.252
 ip nat outside
 speed auto
 duplex full
!
interface FastEthernet2/0
 description *** CLIENT_2 ***
 ip address 172.16.16.9 255.255.255.252
 ip nat inside
 ip policy route-map Policy_NAT
 speed auto
 duplex full
!
interface FastEthernet2/1
 description *** ISP_2 ***
 ip address 150.2.2.2 255.255.255.252
 ip nat outside
 speed auto
 duplex full
!
ip nat inside source static 172.16.16.6 100.2.2.2
ip nat inside source static 172.16.16.10 150.2.2.2
!
access-list 20 permit 172.16.16.6
access-list 30 permit 172.16.16.10
access-list 101 permit ip any 10.1.1.0 0.0.0.255
!
route-map Policy_NAT permit 10
 match ip address 101
 set ip next-hop 172.16.16.1
!
route-map Policy_NAT permit 20
 match ip address 20
 set ip next-hop 100.2.2.1
!
route-map Policy_NAT permit 30
 match ip address 30
 set ip next-hop 150.2.2.1
!
!


A single route-map solves all three problems. Sequence 10 sets the next hop by matching the destination IP address, in this case the Remote Server network, where the inside addresses must not be NATed.
Sequences 20 and 30 implement policy-based routing with NAT: each specific inside local address is translated to its specific inside global address and routed to the next hop of the corresponding ISP.
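
To make the forwarding decision explicit, here is an added Python model of how Main_RTR evaluates the Policy_NAT route-map and then applies the static NAT entries. This is example code written for this page, not the post's own material or any Cisco tool; it assumes the simplified IOS behaviour that a route-map is evaluated in sequence order with the first match winning, and that inside-to-outside static translation only happens when the packet leaves through an `ip nat outside` interface. The packets fed to it (including a hypothetical third host 172.16.16.14) are constructed.

```python
"""Model of Policy_NAT route-map evaluation followed by static NAT on Main_RTR.

Added example for this page; the mapping of next hops to interfaces and the
first-match semantics are assumptions drawn from the router config shown above.
"""
import ipaddress

# Standard access lists 20 and 30 match on the packet source address.
ACL_SOURCE = {20: {"172.16.16.6"}, 30: {"172.16.16.10"}}
# Extended access list 101: permit ip any 10.1.1.0 0.0.0.255 (destination match).
ACL_101_DST = ipaddress.ip_network("10.1.1.0/24")

# route-map Policy_NAT: (sequence, acl, next hop), evaluated top to bottom.
ROUTE_MAP = [
    (10, 101, "172.16.16.1"),
    (20, 20, "100.2.2.1"),
    (30, 30, "150.2.2.1"),
]

# ip nat inside source static <local> <global>
STATIC_NAT = {"172.16.16.6": "100.2.2.2", "172.16.16.10": "150.2.2.2"}

# Next hop -> (egress interface, interface is 'ip nat outside').  Assumed from the config.
NEXT_HOP_IFACE = {
    "172.16.16.1": ("FastEthernet0/1", False),
    "100.2.2.1": ("FastEthernet1/1", True),
    "150.2.2.1": ("FastEthernet2/1", True),
}


def match_acl(acl, src, dst):
    """Return True when the packet is permitted by the given access list."""
    if acl == 101:
        return ipaddress.ip_address(dst) in ACL_101_DST
    return src in ACL_SOURCE[acl]


def policy_route(src, dst):
    """First matching route-map sequence wins; None means the packet falls
    through to normal destination-based routing."""
    for seq, acl, next_hop in ROUTE_MAP:
        if match_acl(acl, src, dst):
            return seq, next_hop
    return None


def forward(src, dst):
    """Combine PBR and NAT: PBR sees the untranslated source, NAT is applied
    only if the chosen egress interface is an 'ip nat outside' interface."""
    decision = policy_route(src, dst)
    if decision is None:
        return {"seq": None, "next_hop": None, "egress": None, "src_after_nat": src}
    seq, next_hop = decision
    iface, nat_outside = NEXT_HOP_IFACE[next_hop]
    translated = STATIC_NAT.get(src, src) if nat_outside else src
    return {"seq": seq, "next_hop": next_hop, "egress": iface, "src_after_nat": translated}


if __name__ == "__main__":
    # Constructed test packets: the two clients from the post plus a hypothetical
    # third inside host that no sequence matches.
    for src, dst in [("172.16.16.6", "10.1.1.12"), ("172.16.16.6", "4.2.2.2"),
                     ("172.16.16.10", "8.8.8.8"), ("172.16.16.10", "10.1.1.12"),
                     ("172.16.16.14", "8.8.8.8")]:
        print(f"{src:>13} -> {dst:<10} {forward(src, dst)}")
```

Running it shows why the Remote Server traffic is never translated: sequence 10 matches on destination before sequences 20 and 30 are consulted, and the egress interface toward Remote_RTR carries no `ip nat` statement, so the source stays 172.16.16.6 (consistent with the TTL=127 replies in the client pings). It also shows that a host not listed in ACL 20 or 30 is not policy-routed at all and relies on the ordinary routing table, which is something to check whenever a new inside host is added.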

Remote_RTR
!
!
!
interface FastEthernet0/0
 description *** SERVER ***
 ip address 10.1.1.1 255.255.255.0
 speed auto
 duplex auto
!
interface FastEthernet0/1
 description *** MAIN_RTR ***
 ip address 172.16.16.1 255.255.255.252
 speed auto
 duplex auto
!
!
ip route 172.16.16.0 255.255.255.0 FastEthernet0/1
!

Remote_RTR does not need much configuration: only the connected interfaces and a static route pointing to the 172.16.16.0/24 network.

Client 1 (172.16.16.6)

C:\>ping 10.1.1.12 (Remote Server IP)

Pinging 10.1.1.12 with 32 bytes of data:
Reply from 10.1.1.12: bytes=32 time<1ms TTL=127
Reply from 10.1.1.12: bytes=32 time<1ms TTL=127
Reply from 10.1.1.12: bytes=32 time<1ms TTL=127
Reply from 10.1.1.12: bytes=32 time<1ms TTL=127

Ping statistics for 10.1.1.12:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>ping 4.2.2.2

Pinging 4.2.2.2 with 32 bytes of data:
Reply from 4.2.2.2: bytes=32 time=139ms TTL=56
Reply from 4.2.2.2: bytes=32 time=157ms TTL=56
Reply from 4.2.2.2: bytes=32 time=148ms TTL=56
Reply from 4.2.2.2: bytes=32 time=158ms TTL=56

Ping statistics for 4.2.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 139ms, Maximum = 158ms, Average = 150ms

C:\>


Client 2 (172.16.16.10)

C:\>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=18ms TTL=58
Reply from 8.8.8.8: bytes=32 time=19ms TTL=58
Reply from 8.8.8.8: bytes=32 time=18ms TTL=58
Reply from 8.8.8.8: bytes=32 time=18ms TTL=58

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 18ms, Maximum = 19ms, Average = 18ms

C:\>ping 10.1.1.12 (Remote Server IP)

Pinging 10.1.1.12 with 32 bytes of data:
Reply from 10.1.1.12: bytes=32 time<1ms TTL=127
Reply from 10.1.1.12: bytes=32 time<1ms TTL=127
Reply from 10.1.1.12: bytes=32 time<1ms TTL=127
Reply from 10.1.1.12: bytes=32 time<1ms TTL=127

Ping statistics for 10.1.1.12:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Here is the output from Main_RTR. The route-map match counters, the NAT translation table and the debug output show that traffic is forwarded according to the configured policy-based routing:

Main_RTR#sh route-map
route-map Policy_NAT, permit, sequence 10
  Match clauses:
    ip address (access-lists): 101
  Set clauses:
    ip next-hop 172.16.16.1
  Policy routing matches: 34 packets, 3390 bytes
route-map Policy_NAT, permit, sequence 20
  Match clauses:
    ip address (access-lists): 20
  Set clauses:
    ip next-hop 100.2.2.1
  Policy routing matches: 51 packets, 5490 bytes
route-map Policy_NAT, permit, sequence 30
  Match clauses:
    ip address (access-lists): 30
  Set clauses:
    ip next-hop 150.2.2.1
  Policy routing matches: 56 packets, 4752 bytes

Main_RTR#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp 100.2.2.2:49157    172.16.16.6:49157  4.2.2.2:33437      4.2.2.2:33437
udp 100.2.2.2:49157    172.16.16.6:49157  100.2.2.1:33437    100.2.2.1:33437
udp 100.2.2.2:49158    172.16.16.6:49158  4.2.2.2:33438      4.2.2.2:33438
udp 100.2.2.2:49158    172.16.16.6:49158  100.2.2.1:33438    100.2.2.1:33438
udp 100.2.2.2:49159    172.16.16.6:49159  4.2.2.2:33439      4.2.2.2:33439
udp 100.2.2.2:49159    172.16.16.6:49159  100.2.2.1:33439    100.2.2.1:33439
--- 100.2.2.2          172.16.16.6        ---                ---
icmp 150.2.2.2:4       172.16.16.10:4     8.8.8.8:4          8.8.8.8:4
udp 150.2.2.2:49170    172.16.16.10:49170 8.8.8.8:33450      8.8.8.8:33450
udp 150.2.2.2:49170    172.16.16.10:49170 150.2.2.1:33450    150.2.2.1:33450
udp 150.2.2.2:49171    172.16.16.10:49171 8.8.8.8:33451      8.8.8.8:33451
udp 150.2.2.2:49171    172.16.16.10:49171 150.2.2.1:33451    150.2.2.1:33451
--- 150.2.2.2          172.16.16.10       ---                ---

Main_RTR# debug ip nat detailed
*Jun  5 13:28:25.951: NAT*: i: udp (172.16.16.10, 49158) -> (8.8.8.8, 33438) [18]
*Jun  5 13:28:25.955: NAT*: s=172.16.16.10->150.2.2.2, d=8.8.8.8 [18]
*Jun  5 13:28:25.979: NAT: o: icmp (150.2.2.1, 33438) -> (150.2.2.2, 49158) [5]    
*Jun  5 13:28:25.983: NAT: s=150.2.2.1, d=150.2.2.2->172.16.16.10 [5]
*Jun  5 13:28:26.011: NAT*: i: udp (172.16.16.10, 49159) -> (8.8.8.8, 33439) [19]
*Jun  5 13:28:26.011: NAT*: s=172.16.16.10->150.2.2.2, d=8.8.8.8 [19]
Main_RTR#
*Jun  5 13:12:20.035: NAT*: i: udp (172.16.16.6, 49173) -> (4.2.2.2, 33439) [17]
*Jun  5 13:12:20.039: NAT*: s=172.16.16.6->100.2.2.2, d=4.2.2.2 [17]
*Jun  5 13:12:20.067: NAT: o: icmp (100.2.2.1, 33439) -> (100.2.2.2, 49173) [7]    
*Jun  5 13:12:20.071: NAT: s=100.2.2.1, d=100.2.2.2->172.16.16.6 [7]
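
The debug output above is also a useful audit record: each `s=<local>-><global>` line states which inside global address a given inside host was actually given, so a mismatch would reveal that a client is leaving through the wrong ISP. Here is an added Python checker (written for this page, not part of the post or of IOS) that parses `debug ip nat detailed` translation lines and compares them with the intended static mappings. The sample lines are taken from the debug output on this page plus one constructed anomalous line (172.16.16.6 translated to 150.2.2.2) to show a finding; the timestamp and sequence number on that line are made up.

```python
"""Audit 'debug ip nat detailed' translation lines against the intended static NAT
mappings.  Added example for this page; the regexes are assumptions about the
'NAT*: s=...' line format seen in the post's own debug output."""
import re

# Intended mappings from the 'ip nat inside source static' lines on Main_RTR.
EXPECTED = {"172.16.16.6": "100.2.2.2", "172.16.16.10": "150.2.2.2"}

# Sample input: lines copied from the post's debug output, plus one constructed
# anomaly (last line) where Client 1 is translated to ISP_2's address.
DEBUG_LINES = """\
*Jun  5 13:28:25.951: NAT*: i: udp (172.16.16.10, 49158) -> (8.8.8.8, 33438) [18]
*Jun  5 13:28:25.955: NAT*: s=172.16.16.10->150.2.2.2, d=8.8.8.8 [18]
*Jun  5 13:28:25.983: NAT: s=150.2.2.1, d=150.2.2.2->172.16.16.10 [5]
*Jun  5 13:12:20.039: NAT*: s=172.16.16.6->100.2.2.2, d=4.2.2.2 [17]
*Jun  5 13:12:20.071: NAT: s=100.2.2.1, d=100.2.2.2->172.16.16.6 [7]
*Jun  5 13:30:01.000: NAT*: s=172.16.16.6->150.2.2.2, d=4.2.2.2 [21]
"""

# Inside-to-outside: source is rewritten local->global.
INSIDE_OUT = re.compile(r"NAT\*?: s=(\S+)->(\S+), d=(\S+) \[")
# Outside-to-inside: destination is rewritten global->local.
OUTSIDE_IN = re.compile(r"NAT\*?: s=(\S+), d=(\S+)->(\S+) \[")


def parse_line(line):
    """Return a dict describing one translation line, or None for other lines
    (for example the 'NAT*: i: udp (...)' packet-arrival lines)."""
    m = INSIDE_OUT.search(line)
    if m:
        return {"dir": "in->out", "local": m.group(1), "global": m.group(2), "peer": m.group(3)}
    m = OUTSIDE_IN.search(line)
    if m:
        return {"dir": "out->in", "local": m.group(3), "global": m.group(2), "peer": m.group(1)}
    return None


def audit(text, expected=EXPECTED):
    """Return (reason, record) pairs for translations that do not match policy:
    an inside host with no static entry, or a host given the wrong global address."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        want = expected.get(rec["local"])
        if want is None:
            findings.append(("unknown-inside-host", rec))
        elif rec["global"] != want:
            findings.append(("wrong-inside-global", rec))
    return findings


if __name__ == "__main__":
    for reason, rec in audit(DEBUG_LINES):
        print(f"{reason}: {rec['local']} translated to {rec['global']} ({rec['dir']}, peer {rec['peer']})")
```

Only the constructed line is reported; the four genuine lines from the post match the intended mappings in both directions. One point worth keeping in mind when reading the translation table above: the `--- 100.2.2.2 172.16.16.6` and `--- 150.2.2.2 172.16.16.10` entries are the static mappings themselves, and a static entry is bidirectional, so unsolicited traffic arriving from the ISP side for 100.2.2.2 or 150.2.2.2 is forwarded to the corresponding client. An inbound access list on the two `ip nat outside` interfaces is the usual way to limit what reaches those hosts.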
