13.20 NAT with Route Maps - Why "overload" is used?

Hi Experts,

Any idea why "overload" keyword is used under this config?
IMO, overload is not needed as the NAT is dynamic NAT one to one.

ip access-list standard SOURCE
 permit 150.1.2.2 0.0.0.0

route-map R2>S0/0 permit 10
 match ip address SOURCE
 match interface s0/0

route-map ANY>S0/0 deny 10
 match ip address SOURCE
 match interface s0/0
route-map ANY>S0/0 permit 100
 match interface s0/0

ip nat pool POOL1 155.1.23.200 155.1.23.200 prefix 24

ip nat inside source route-map R2>S0/0 pool POOL1 overload

PS: This config is exactly the same with SG's except the name of route-map and NAT pool have been changed.

Comments

  • Alex,

    For what purposes you created this route-map?

    route-map ANY>S0/0 deny 10
     match ip address SOURCE
     match interface s0/0
    route-map ANY>S0/0 permit 100
     match interface s0/0

    If there is one to one translation, we don't need the overload option; overload allows multiple inside devices to be translated to the same valid IP address.
  • If there is one to one translation, we don't need the overload option; overload allows multiple inside devices to be translated to the same valid IP address.
    I have the same opinion, as I stated in my original post. However, SG uses the overload keyword in a dynamic one to one mapping NAT. I am just checking whether I have been missing something and whether there is another function of the "overload" keyword in this config.

    For what purposes you created this route-map?
    The route-map is used to match traffic other than R2's loopback which will be PATed to interface S0/0 IP.
    *The solution that I provided above is exactly the same with SG's except the name of route-map and NAT pool.
  • Hi Alexander,

    "Overload" keyword is needed, reason following. You need to NAT traffic to different IP addresses based on source-destination traffic pair. If you do not use the "overload" option, a simple NAT entry will be created (contains only inside local and inside global in your case, for the outside local and outside global you'll have dashes). This means that once a NAT entry is created in the NAT table, regardless of the traffic destination, traffic from that source will always match on that NAT entry, and it will not get NAT'ed to another IP, thus your policy will not be satisfied (I hope I made myself clear).

    If you use the "overload" option with ACL or route-map, an extended NAT entry will be created (contains both inside and outside entries in NAT table). Why would you use route-map instead of ACL? Because it gives you more matching options than ACL.

    Good luck with your studies!

  • The overload keyword is only needed when you are doing a many to one mapping. Now the question is a little confusing, but it DOES say that the loopback NETWORK should get NATed as 155.1.23.200, so technically the overload keyword is required, but since we only have a single interface with an address in that network (150.1.2.2) it will work with or without the overload keyword.


    ip access-list standard LOOP
     permit 150.1.2.0 0.0.0.255

    ip nat pool R2-R3 155.1.23.200 155.1.23.200 netmask 255.255.255.0

    route-map R2-R3 permit 10
     match ip address LOOP
     match interface Serial0/1

    ip nat inside source route-map R2-R3 pool R2-R3 overload (works without this, but what if we had other hosts in 150.1.2.0/24 - Yes, I know it's a loopback!)

  • This means that once a NAT entry is created in the NAT table, regardless of the traffic destination, traffic from that source will always match on that NAT entry, and it will not get NAT'ed to another IP, thus your policy will not be satisfied

    Christian, but the NAT IP that will be used by the source address depends on which interface that it uses to exit right?
    For example, config below. SOURCE will be NATed to POOL1 IP if it goes out interface S0/0 and will be NATed to POOL2 IP if it goes out interface S0/1 right?

    route-map R2>S0/0 permit 10
     match ip address SOURCE
     match interface s0/0

    route-map R2>S0/1 permit 10
     match ip address SOURCE
     match interface s0/1

    ip nat inside source route-map R2>S0/0 pool POOL1
    ip nat inside source route-map R2>S0/1 pool POOL2

  • Hi Alexander,

    Please read my post and test. If you do not have the "overload" keyword, a simple NAT entry will be created; you need an extended NAT entry. Look at the route-map as something that gives you more options than using ACL (extended ACL, because standard ACL will result again in simple NAT entry), BUT you still need the overload keyword.

    Good luck with your studies!

  • Hello cristian.matei,

    I don't agree with your overload explanation:

    See here by example: I have three hosts belonging to inside with IP 1.1.1.1/32, 1.1.1.2/32 and 1.1.1.3/32

    This is my configuration without overload

    R1#show running-config | in ip nat
     ip nat inside
     ip nat inside
     ip nat inside
     ip nat outside
    ip nat pool POOL1 12.12.12.1 12.12.12.1 prefix-length 24
    ip nat inside source route-map NAT pool POOL1

    I have inside local, inside global, outside local and outside global entry into NAT table:

    R1#ping 12.12.12.2 so lo2

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 12.12.12.2, timeout is 2 seconds:
    Packet sent with a source address of 1.1.1.3
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 88/101/128 ms
    R1#ping 12.12.12.2 so lo1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 12.12.12.2, timeout is 2 seconds:
    Packet sent with a source address of 1.1.1.2
    .....
    Success rate is 0 percent (0/5)
    R1#show ip nat trans
    Pro Inside global      Inside local       Outside local      Outside global
    icmp 12.12.12.1:19     1.1.1.3:19         12.12.12.2:19      12.12.12.2:19

    Only thing is I couldn't ping from the other inside host because there is no overload option. When I cleared my current NAT table I can ping from another inside host:

    R1#clear ip nat translation *
    R1#ping 12.12.12.2 so lo1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 12.12.12.2, timeout is 2 seconds:
    Packet sent with a source address of 1.1.1.2
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 64/120/180 ms

    Now Let's look with "overload" option:

    R1(config)#no ip nat inside source route-map NAT pool POOL1

    Dynamic mapping in use, do you want to delete all entries? [no]: yes
    R1(config)#ip nat inside source route-map NAT pool POOL1 overload

    !

    R1#ping 12.12.12.2 so lo0

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 12.12.12.2, timeout is 2 seconds:
    Packet sent with a source address of 1.1.1.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 48/89/176 ms
    R1#ping 12.12.12.2 so lo2

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 12.12.12.2, timeout is 2 seconds:
    Packet sent with a source address of 1.1.1.3
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 68/94/128 ms
    R1#show ip nat tra
    R1#show ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    icmp 12.12.12.1:23     1.1.1.1:23         12.12.12.2:23      12.12.12.2:23
    icmp 12.12.12.1:22     1.1.1.2:22         12.12.12.2:22      12.12.12.2:22
    icmp 12.12.12.1:24     1.1.1.3:24         12.12.12.2:24      12.12.12.2:24

    So I believe there is no difference in NAT table with or without overload option, only thing is when we need to translate more hosts on a single IP, we need overload option!

    Guys correct me if I am wrong.
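A small Python model of the pool behaviour the test in nnn's post shows, added here as an illustration (it is not code from the thread or from IOS, and it only models what the two runs above demonstrate): without overload the single pool address is bound to the first inside host, so a second host gets no entry until the table is cleared; with overload the hosts share the address and the global socket is kept unique. The NatPool/Entry names and the port-collision handling are assumptions of this model.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# One row of "show ip nat translations"; the test shows extended entries in both runs.
Entry = namedtuple("Entry", "proto inside_global inside_local outside_local outside_global")


@dataclass
class NatPool:
    """Model of 'ip nat inside source route-map ... pool' with or without 'overload'."""
    addresses: list
    overload: bool = False
    table: list = field(default_factory=list)

    def _global_for(self, inside_ip):
        # Keep an existing host -> global binding; otherwise pick a pool address.
        # Without overload an address serves one inside host (dynamic one-to-one);
        # with overload (PAT) every address can be shared by many hosts.
        bindings = {(e.inside_global.split(":")[0], e.inside_local.split(":")[0]) for e in self.table}
        for addr, host in bindings:
            if host == inside_ip:
                return addr
        busy = {addr for addr, _ in bindings}
        for addr in self.addresses:
            if self.overload or addr not in busy:
                return addr
        return None  # pool exhausted: no translation until the table is cleared

    def translate(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Return the inside-global socket used, or None if the packet gets no entry."""
        local, remote = f"{src_ip}:{src_port}", f"{dst_ip}:{dst_port}"
        for e in self.table:  # an existing extended entry matches first
            if e.inside_local == local and e.outside_global == remote:
                return e.inside_global
        glob = self._global_for(src_ip)
        if glob is None:
            return None
        port = src_port
        if self.overload:  # PAT: the global socket must stay unique across hosts
            used = {e.inside_global for e in self.table if e.inside_local != local}
            while f"{glob}:{port}" in used:
                port += 1
        self.table.append(Entry(proto, f"{glob}:{port}", local, remote, remote))
        return f"{glob}:{port}"


def replay_thread_test():
    """Replay the post's runs: ((lo2, lo1, lo1 after clear), results with overload)."""
    nat = NatPool(["12.12.12.1"])
    first = nat.translate("icmp", "1.1.1.3", 19, "12.12.12.2", 19)
    second = nat.translate("icmp", "1.1.1.2", 19, "12.12.12.2", 19)  # pool exhausted
    nat.table.clear()  # clear ip nat translation *
    third = nat.translate("icmp", "1.1.1.2", 19, "12.12.12.2", 19)
    pat = NatPool(["12.12.12.1"], overload=True)
    shared = [pat.translate("icmp", ip, p, "12.12.12.2", p)
              for ip, p in (("1.1.1.1", 23), ("1.1.1.2", 22), ("1.1.1.3", 24))]
    return (first, second, third), shared
```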

  • So I believe there is no difference in NAT table with or without overload option, only thing is when we need to translate more hosts on a single IP, we need overload option!

    This is the concept that I have in mind. That's why I put up this question in this forum.
    And Christian said that we still need the overload keyword for this task.
    But from your test, I agree with you that there is no difference between using or not using the overload keyword for one-to-one dynamic NATing.

    What do you say Christian?

  • Hi all,

    By the task requirements, you can use the NAT configuration without the "overload" keyword when using a pool (because you have indeed one-to-one mapping), however you need to add "overload" when you use the IP address of the interface and this is a general rule (it makes sense because without overload, it means once you NAT traffic, the router will not be able to process traffic destined to itself because of the dynamic one-to-one mapping).

    What I was trying to point out and what in my opinion this task was scoped for (except the solely use of route-maps with NAT) but failed because of task requirements (it should have used same source but different destination) is the ability to configure policy NAT. For fast reference check out these 2 documents:

    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

    http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html

    Good luck with your studies!

  • By the task requirements, you can use the NAT configuration without the "overload" keyword when using a pool (because you have indeed one-to-one mapping), however you need to add "overload" when you use the IP address of the interface and this is a general rule (it makes sense because without overload, it means once you NAT traffic, the router will not be able to process traffic destined to itself because of the dynamic one-to-one mapping).

    Agree on this. Thank you for your reply.

  • Hello Cristian,

    My intention was to clarify this statement of yours only; the rest is okay.

    If you do not use the "overload" option, a simple NAT entry will be created (contains only inside local and inside global in your case, for the outside local and outside global you'll have dashes). This means that once a NAT entry is created in the NAT table, regardless of the traffic destination, traffic from that source will always match on that NAT entry, and it will not get NAT'ed to another IP, thus your policy will not be satisfied (I hope I made myself clear).

    HAPPY STUDY

    [:D]

  • Hi nnn,

       I keep my statement, but you can notice it with using same source but different destination.

    Good luck with your studies!

  • ip access-list standard SOURCE
     permit 150.1.2.2 0.0.0.0

    route-map R2>S0/0 permit 10
     match ip address SOURCE
     match interface s0/0

    route-map ANY>S0/0 deny 10
     match ip address SOURCE
     match interface s0/0
    route-map ANY>S0/0 permit 100
     match interface s0/0

    Why do we need to match this interface here? It works without this match.

    ip nat inside source route-map R2>S0/0 pool POOL1 overload

    Certainly this overload is not necessary here.

  • Why do we need to match this interface here? It works without this match.

    This makes the NATing happen only if the traffic is from the source that we want and exits the interface that we set. Hence, it's conditional NAT.

  • route-map NAT_OUT_PPP_NOT_FROM_LOOPBACK deny 10
     match ip address FROM_LOOPBACK
     match interface serial0/1

    Do we really need to match on interface here? Shouldn't it be enough to know that the source is the loopback?

    Also, why don't we need to define the inside interface? Is this because we are using a route-map?

  • Hi Daniel

    You are right, there is no need to match this interface in this particular task; I think this is being added for preciseness. The same question was raised by me in this post previously.

    Without defining INSIDE interfaces, NAT will only work with traffic originated from the router R2 because of route-map matching; however, if we try to originate traffic from hosts behind R2, NAT will not work, so it's always better to define inside or outside interfaces.

  • Thanks,

    Probably better to just always add inside and outside. Makes the concepts a bit more clear.

  • guys,

    While not directly related to the workbook exercise, I stumbled upon this config while reading up different material in relation to NAT with route maps and overload. Does this make sense (notice both NAT statements have the same source and destination interface)?


    interface FastEthernet0/0
     description Local LAN
     ip address 192.168.0.1 255.255.255.0
     ip nat inside
    !
    interface FastEthernet0/1
     description to ISP A
     ip address 195.168.1.2 255.255.255.252
     ip nat outside
    !
    interface FastEthernet0/2
     description to ISP B
     ip address 195.168.2.2 255.255.255.252
     ip nat outside
    !
    ip nat inside source route-map ISP_A interface FastEthernet0/1 overload
    ip nat inside source route-map ISP_B interface FastEthernet0/2 overload

    !
    route-map ISP_A permit 10
     match interface FastEthernet0/1
    !
    route-map ISP_B permit 10
     match interface FastEthernet0/2
  • Separate question but I'm going to go ahead and use this pre-made thread. That way everyone in this thread will get my question[:P]

    Question1 : I don't see IP NAT inside defined anywhere in this task.

    So my thoughts are :

    Since all the testing done is from interfaces that are local to the router it is not required?

    For extendable entries where an Inside local can be translated to more than 1 inside global, "inside" really depends on the direction of the flow of traffic ...?  (therefore its not defined)

    Question2: Are the Deny Route-maps really needed? 

    Any clarification as always is much appreciated.

    <edit> just a note : I always configure NAT pools as per following;

    ip nat pool FRAME_RELAY_LOOPBACK_POOL prefix-length 24
     address 150.1.2.200 150.1.2.200

    This way it always stays fresh in my head that there is an option here for configuring discontiguous pools.

    <this makes me feel like i contributed some since recently i've just been asking and not answering much>

    Tox!

  • Question1 : I dont see IP NAT inside defined anywhere in this task.

    It is because we are using NAT with route-map, there is a matching interface statement in the route-map. Hence, IP NAT inside is not required.  

    Question2: Are the Deny Route-maps really needed? 

    The deny route-map is required so that the route-map won't match traffic from loopback interface.

    Taken from my note:

    Config R2 with route-map based NAT to support multiple outside interfaces

    - Traffic from 150.1.2.2 going out S0/0 should be translated to 155.1.23.200
    - All other traffic going out S0/0 should be translated to the interface IP address

    int s0/0
     ip nat outside *no need to define "ip nat inside"

    ip nat pool 155_200 155.1.23.200 155.1.23.200 prefix 24

    ip access-list standard SOURCE
     permit 150.1.2.2 0.0.0.0

    route-map LO0>S0/0 permit 10
     match ip address SOURCE
     match interface s0/0

    route-map ANY>S0/0 deny 10
     match ip address SOURCE
     match interface s0/0
    route-map ANY>S0/0 permit 100
     match interface s0/0

    ip nat inside source route-map LO0>S0/0 pool 155_200 overload
    ip nat inside source route-map ANY>S0/0 int s0/0 overload

  • Thanks Alex : I see what you mean. Once you answered I tried other logic to get rid of the deny statement but each time I kept coming up with a "flaw" in my logic.

    Thank you for the clarification :)

    Tox!
