Sunday, January 10, 2010

CCIE-IOS-NAT

1) static NAT
a) allow the same inside address in more than one NAT statement (extendable):

ip nat inside source static 136.1.128.9 136.1.19.250 extendable
ip nat inside source static 136.1.128.9 136.1.99.250 extendable

b) static port translation to an interface address:

ip nat inside source static tcp 136.1.128.9 80 interface GigabitEthernet0/1.123 8080

c) static NAT applied only to traffic matched by a route-map:

access-list 100 permit ip any 136.1.19.0 0.0.0.255
access-list 150 deny ip any 136.1.19.0 0.0.0.255
access-list 150 permit ip any 136.1.0.0 0.0.255.255
access-list 190 permit ip any 150.1.0.0 0.0.255.255
route-map VLAN19_SUBNET permit 10
 match ip address 100
!
route-map ALL_SUBNET permit 10
 match ip address 150
!
route-map LOOPBACK_SUBNET permit 10
 match ip address 190
 
ip nat inside source static 150.1.9.9 136.1.99.100 route-map VLAN19_SUBNET reversible
ip nat inside source static 150.1.9.9 136.1.99.150 route-map ALL_SUBNET reversible
ip nat inside source static 150.1.9.9 136.1.99.190 route-map LOOPBACK_SUBNET reversible

Without the keyword ‘reversible’ it translates all traffic without checking the source.

Syslog logging of translations:

ip nat log translations syslog

2) dynamic NAT

ip nat inside source [list ACL | route-map NAME] pool POOL

When you need to match traffic based on an extended ACL you must use a route-map; list works fine with standard ACLs.
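A complete dynamic NAT configuration, added here as an example and not part of the original post: it ties the pool, an extended ACL matched through a route-map, and the inside/outside interface roles together, with the standard-ACL list form shown alongside. All addresses, interface names and the pool/ACL/route-map names are assumptions chosen to fit the 136.1.x.x addressing used above.

```cisco
! Added example, not from the original post. Addresses, interface names
! and the pool/ACL/route-map names are assumptions.
!
! Pool of outside addresses handed out to inside hosts.
ip nat pool DYN_POOL 136.1.99.200 136.1.99.220 netmask 255.255.255.0
!
! Extended ACL: translate inside hosts only when they talk to 136.1.19.0/24.
! A destination match like this is what calls for the route-map form.
access-list 120 permit ip 136.1.128.0 0.0.0.255 136.1.19.0 0.0.0.255
!
route-map DYN_TO_VLAN19 permit 10
 match ip address 120
!
! Route-map form; 'overload' shares pool addresses (PAT) so the pool does not run dry.
ip nat inside source route-map DYN_TO_VLAN19 pool DYN_POOL overload
!
! Equivalent standard-ACL form (source match only) when no destination check is needed:
! access-list 10 permit 136.1.128.0 0.0.0.255
! ip nat inside source list 10 pool DYN_POOL overload
!
! Nothing is translated until the interface roles are set.
interface GigabitEthernet0/0
 ip address 136.1.128.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 136.1.99.1 255.255.255.0
 ip nat outside
!
! Verification (exec mode):
! show ip nat translations
! show ip nat statistics
```

The quick check that the route-map match is doing its job: after an inside host sends traffic to a destination outside 136.1.19.0/24, show ip nat translations should show no entry for it, while traffic to 136.1.19.0/24 does create one. show ip nat statistics reports hits and misses per mapping and whether the pool is exhausted.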

3) PBR

local policy routing (applies to traffic originated by the router itself):
 
R1:
access-list 100 permit ip any host 150.1.9.9
access-list 150 permit ip any host 150.1.3.3
!
route-map LOCAL_ROUTING permit 10
 match ip address 100
 set ip next-hop 136.1.99.2
!
route-map LOCAL_ROUTING permit 20
 match ip address 150
 set ip next-hop 136.1.128.2
!
ip local policy route-map LOCAL_ROUTING
