Routing and Switching
Sunday, 3 January 2016
Friday, 1 January 2016
HOW TO SECURE YOUR CISCO ROUTER USING CISCO AUTOSECURE FEATURE
In today’s complex network environments securing your network routers can be a daunting task, especially when there are so many CLI commands and parameters with different security implications for your Cisco router device.
Thankfully, since Cisco IOS 12.3, Cisco has provided an easy way for administrators to lock down a router without entering a long list of commands and parameters. The feature removes much of the complexity from the task and performs the lock-down according to Cisco's recommended security practices.
The Cisco AutoSecure feature is available to all IOS version 12.3 and above and supported on all hardware platforms, including all newer Cisco 870, 880, 1800, 1900, 2800, 2900, 3800 and 3900 series routers.
To maximize flexibility the Cisco AutoSecure command supports two different modes depending on your needs and flexibility required:
AutoSecure Interactive Mode: This mode prompts the user with options to enable/disable services and other security features supported by the IOS version the router is running.
AutoSecure Non-Interactive Mode: Automatically executes the Cisco AutoSecure command using the recommended Cisco default settings (Cisco’s best security practices).
The Cisco AutoSecure Interactive mode provides greater control over security-related features than the non-interactive mode. However, when an administrator needs to quickly secure a router without much human intervention, the non-interactive mode is appropriate.
We’ll examine the practical difference between the two modes shortly. For now, let’s look at the functions Cisco AutoSecure performs:
1. Disables the following Global Services:
- Finger
- PAD
- Small Servers
- Bootp
- HTTP service
- Identification Service
- CDP
- NTP
- Source Routing
2. Enables the following Global Services:
- Password-encryption service
- Tuning of scheduler interval/allocation
- TCP synwait-time
- TCP keepalives-in and TCP keepalives-out
- SPD configuration
- No ip unreachables for null 0
3. Disables the following services per interface:
- ICMP redirects
- Proxy-ARP
- Directed broadcast
- MOP service
- ICMP unreachables
- ICMP mask reply messages
4. Provides logging for security:
- Enables sequence numbers & timestamp
- Provides a console log
- Sets log buffered size
- Provides an interactive dialogue to configure the logging server ip address.
5. Secures access to the router:
- Checks for a login banner and offers to add one, then configures:
- Login and password
- Transport input & output
- Exec-timeout
- Local AAA
- SSH timeout and SSH authentication retries set to the minimum
- Only SSH and SCP enabled for access and file transfer to/from the router
- SNMP disabled if it is not being used
6. Secures the Forwarding Plane:
- Enables Cisco Express Forwarding (CEF) or distributed CEF on the router, when available
- Anti-spoofing
- Blocks all IANA reserved IP address blocks
- Blocks private address blocks if customer desires
- Installs a default route to NULL 0, if a default route is not being used
- Configures TCP intercept for connection-timeout, if TCP intercept feature is available and the user is interested
- Starts interactive configuration for CBAC on interfaces facing the Internet, when using a Cisco IOS Firewall image
- Enables NetFlow on software forwarding platforms
It is clear that the Cisco AutoSecure does a lot more than execute a couple of commands.
CONFIGURING CISCO AUTOSECURE INTERACTIVE MODE
This is the recommended mode for securing a Cisco router. In Interactive Mode the router asks a number of questions about the current topology: whether it is connected to the Internet, how many interfaces face the Internet and which ones, and so on. Answering these accurately matters, because AutoSecure uses the answers to decide which interfaces receive the forwarding-plane protections (unicast RPF, the CBAC firewall) and which services to disable, following Cisco’s recommended practices.
Below is the command required to initiate the AutoSecure Interactive mode feature. You can abort the session anytime by pressing Ctrl-C, or press ? to get help:
R1# auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]: 1
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.0.0.100 YES NVRAM up up
FastEthernet0/1 192.168.151.10 YES NVRAM up up
NVI0 10.0.0.100 YES unset up up
Enter the interface name that is facing the internet: FastEthernet0/1
Securing Management plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Configure NTP Authentication? [yes]: no
Enter the new enable password: *****
% Invalid Password length - must contain 6 to 25 characters. Password configuration failed
Enter the new enable password: **********
Confirm the enable password: **********
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 15
Maximum Login failures with the device: 3
Maximum time period for crossing the failed login attempts: 20
Configure SSH server? [yes]: no
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces
Securing Forwarding plane services...
Enabling unicast rpf on all interfaces connected to internet
Configure CBAC Firewall feature? [yes/no]: yes
This is the configuration generated:
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
security passwords min-length 6
security authentication failure rate 10 log
enable password 7 11584B5643475D
aaa new-model
aaa authentication login local_auth local
line con 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth
exec-timeout 10 0
transport output telnet
line vty 0 15
login authentication local_auth
transport input telnet
line tty 1
login authentication local_auth
exec-timeout 15 0
login block-for 15 attempts 3 within 20
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface FastEthernet0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
access-list 101 permit udp any any eq bootpc
interface FastEthernet0/1
ip verify unicast source reachable-via rx allow-default 101
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
interface FastEthernet0/1
ip inspect autosec_inspect out
ip access-group autosec_firewall_acl in
!
end
Apply this configuration to running-config? [yes]: yes
Applying the config generated to running-config
Notice that the router rejected the initial enable password because it was shorter than the six-character minimum enforced by security passwords min-length 6. Two other points in the generated configuration deserve attention. Because the SSH prompt was answered no, the VTY lines were left with transport input telnet, so management sessions would cross the network in cleartext; answer yes to that prompt (or configure SSH afterwards and set transport input ssh). And the enable password is stored as a type 7 string: service password-encryption only obfuscates it with a fixed, publicly known key, so anyone who can read the configuration can recover it. Set an enable secret, which is stored as a one-way hash, once AutoSecure has finished.
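As an added example (not part of the original page and not Cisco tooling), here is a small Python audit that reads a saved running-config and checks it against the AutoSecure checklist given earlier: the global services that should be disabled, the per-interface ICMP and proxy-ARP settings, telnet left enabled on the VTY lines, and a type 7 enable password, which it reverses to show why that string is not a secret. The sample configuration is constructed from the generated output shown above (trimmed, with one interface deliberately missing a line); the check lists, function names and finding messages are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Cisco "type 7" is XOR obfuscation with this fixed, public key; it is not a hash.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Reverse a 'password 7' string: two decimal digits of key offset, then hex bytes."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)])
                   for i, b in enumerate(data))


# Global lines AutoSecure is expected to leave behind (from the checklist above).
REQUIRED_GLOBAL = [
    "no service pad", "no service udp-small-servers", "no service tcp-small-servers",
    "no cdp run", "no ip bootp server", "no ip http server", "no ip finger",
    "no ip source-route", "no ip identd",
    "service tcp-keepalives-in", "service tcp-keepalives-out",
    "service timestamps log datetime msec localtime show-timezone",
    "login block-for 15 attempts 3 within 20",
]
# Per-interface lines AutoSecure applies to every interface.
REQUIRED_PER_INTERFACE = [
    "no ip redirects", "no ip proxy-arp", "no ip unreachables",
    "no ip directed-broadcast", "no ip mask-reply",
]


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into top-level lines and 'interface ...'/'line ...' blocks.
    Sub-mode lines are indented by one space, as in 'show running-config' output."""
    top: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        top.append(line)
        if line.startswith(("interface ", "line ")):
            current = line
            blocks.setdefault(current, [])
        else:
            current = None
    return top, blocks


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the checklist is satisfied."""
    top, blocks = parse_config(text)
    findings: List[str] = []
    for required in REQUIRED_GLOBAL:
        if required not in top:
            findings.append(f"global: missing '{required}'")
    for name, lines in blocks.items():
        if name.startswith("interface "):
            for required in REQUIRED_PER_INTERFACE:
                if required not in lines:
                    findings.append(f"{name}: missing '{required}'")
        elif name.startswith("line vty"):
            for line in lines:
                if line.startswith("transport input") and "telnet" in line:
                    findings.append(f"{name}: '{line}' allows cleartext management; "
                                    "use 'transport input ssh'")
    for line in top:
        match = re.match(r"enable password 7 (\S+)$", line)
        if match:
            findings.append("global: 'enable password 7' is reversible (decodes to "
                            f"'{decode_type7(match.group(1))}'); set 'enable secret' instead")
        elif line.startswith("enable password "):
            findings.append("global: cleartext 'enable password'; set 'enable secret' instead")
    return findings


# Constructed sample modelled on the generated configuration above: SSH was declined,
# and FastEthernet0/0 is missing one of the per-interface lines on purpose.
SAMPLE_CONFIG = """\
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip identd
security passwords min-length 6
enable password 7 11584B5643475D
aaa new-model
aaa authentication login local_auth local
login block-for 15 attempts 3 within 20
service timestamps log datetime msec localtime show-timezone
!
interface FastEthernet0/0
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
!
interface FastEthernet0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
!
line vty 0 15
 login authentication local_auth
 transport input telnet
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a saved show running-config and the audit reports the three problems in the sample: the missing no ip proxy-arp on FastEthernet0/0, telnet on the VTY lines, and the type 7 enable password, which decodes to the six-character value the transcript above accepted. The decoder is the whole argument for enable secret: the type 7 key is in every decoder on the Internet, so a leaked configuration backup leaks the password.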
If at any point you would like to check the configuration changes made by the Cisco AutoSecure feature before saving them, you can use the show auto secure config command:
R1# show auto secure config
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
security passwords min-length 6
security authentication failure rate 10 log
enable password 7 11584B5643475D
aaa new-model
aaa authentication login local_auth local
line con 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth
exec-timeout 10 0
transport output telnet
line vty 0 15
login authentication local_auth
transport input telnet
line tty 1
login authentication local_auth
exec-timeout 15 0
login block-for 15 attempts 3 within 20
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
!
interface FastEthernet0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
!
access-list 101 permit udp any any eq bootpc
interface FastEthernet0/1
ip verify unicast source reachable-via rx allow-default 101
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
interface FastEthernet0/1
ip inspect autosec_inspect out
ip access-group autosec_firewall_acl in
R1#
CONFIGURING CISCO AUTOSECURE NON-INTERACTIVE MODE
The Non-interactive mode of Cisco’s AutoSecure is more of an ‘express’ setup feature, bypassing any user input and quickly securing the router using Cisco’s best security practices. Think of it as a quick-and-dirty lockdown mode!
Running the Non-Interactive AutoSecure mode is done by entering the auto secure no-interact command as shown below. The router will display some information and continue configuring itself:
R1# auto secure no-interact
Below is the expected output once the auto secure non-interactive command is executed:
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
Securing Management plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces
Securing Forwarding plane services...
This is the configuration generated:
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
security passwords min-length 6
security authentication failure rate 10 log
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface FastEthernet0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
!
end
Applying the config generated to running-config
R1#
EXPLORING OTHER CISCO AUTOSECURE OPTIONS
For those who like to explore all available options of the Cisco AutoSecure command, use the auto secure command, followed by a question mark ? as shown below:
R1# auto secure ?
firewall AutoSecure Firewall
forwarding Secure Forwarding Plane
full Interactive full session of AutoSecure
login AutoSecure Login
management Secure Management Plane
no-interact Non-interactive session of AutoSecure
ntp AutoSecure NTP
ssh AutoSecure SSH
tcp-intercept AutoSecure TCP Intercept
Trying out different parameters and options will help gain a greater understanding of how AutoSecure works and the options it provides to help best secure your network.
Using the Cisco AutoSecure feature to secure your router(s) is a very simple task and one that should not be neglected, even by experienced network engineers. With the use of such features, one can create a configuration template with all necessary basic security measures taken into account.
Cisco provides a number of features that can help make an engineer’s every-day life more secure and hassle-free. It’s to our advantage to make the best of everything offered!
Friday, 18 December 2015
How to configure a GRE tunnel
Introduction:
Tunneling provides a mechanism to transport packets of one protocol within another protocol. The protocol that is carried is called the passenger protocol, and the protocol used to carry it is called the transport protocol. Generic Routing Encapsulation (GRE) is one of the available tunneling mechanisms; it uses IP as the transport protocol and can carry many different passenger protocols. A tunnel behaves as a virtual point-to-point link whose two endpoints are identified by the tunnel source and tunnel destination addresses configured at each end.
The diagram below shows the encapsulation of a GRE packet as it traverses the router and enters the tunnel interface:

Configuring GRE Tunnel:
Configuring a GRE tunnel involves creating a tunnel interface, which is a logical interface. Then you must configure the tunnel endpoints for the tunnel interface.
To configure the tunnel source and destination, issue the tunnel source {ip-address | interface-type} and tunnel destination {host-name | ip-address} commands under the interface configuration mode for the tunnel.
The example below shows how to create a simple GRE tunnel between two endpoints and the steps needed to create and verify it. R1's and R2's internal subnets (192.168.1.0/24 and 192.168.2.0/24) communicate with each other through a GRE tunnel over the Internet. R1's public address is 1.1.1.1 and R2's is 2.2.2.2; both tunnel interfaces are part of the 172.16.1.0/24 network.

The first step is to create the tunnel interface on R1 and R2:
R1:
R1(config)# interface Tunnel1
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# ip mtu 1400
R1(config-if)# ip tcp adjust-mss 1360
R1(config-if)# tunnel source 1.1.1.1
R1(config-if)# tunnel destination 2.2.2.2
R2:
R2(config)# interface Tunnel1
R2(config-if)# ip address 172.16.1.2 255.255.255.0
R2(config-if)# ip mtu 1400
R2(config-if)# ip tcp adjust-mss 1360
R2(config-if)# tunnel source 2.2.2.2
R2(config-if)# tunnel destination 1.1.1.1
Since GRE is an encapsulating protocol, we lower the IP maximum transmission unit (MTU) of the tunnel to 1400 bytes and clamp the TCP maximum segment size (MSS) to 1360 bytes. Most transport links have a 1500-byte MTU, and GRE adds 24 bytes of overhead (a 20-byte outer IP header plus a 4-byte GRE header), so the largest passenger packet that fits in one frame without fragmentation is 1476 bytes. An IP MTU of 1400 is common practice: it leaves some margin and keeps unnecessary fragmentation to a minimum. The MSS value follows from it: 1400 minus the 20-byte IP header and the 20-byte TCP header leaves 1360 bytes of TCP payload.
After the tunnel is configured, the two endpoints can reach each other; verify this with an ICMP echo from one end:
R1# ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Workstations on either network still cannot reach the other side until a route is configured on each router. Here we configure a static route on both routers, pointing the remote subnet at the far end of the tunnel:
R1(config)# ip route 192.168.2.0 255.255.255.0 172.16.1.2
R2(config)# ip route 192.168.1.0 255.255.255.0 172.16.1.1
Now both networks (192.168.1.0/24 and 192.168.2.0/24) can communicate freely with each other over the GRE tunnel. Keep in mind that GRE provides encapsulation only: the passenger packets are neither encrypted nor authenticated, so traffic crossing the Internet in a plain GRE tunnel can be read or altered in transit.
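The encapsulation the diagram above describes, and the MTU/MSS arithmetic behind the ip mtu 1400 and ip tcp adjust-mss 1360 lines, as an added Python example that is not part of the original post. It builds the outer IPv4 header and the basic 4-byte GRE header around a constructed ICMP passenger packet using R1's tunnel source and destination, strips them again with the checks a receiver should make, and computes the sizes; the function names and the sample packet are this example's own.

```python
import struct
import ipaddress

GRE_IP_PROTOCOL = 47      # "protocol" value in the outer IPv4 header for GRE
GRE_PTYPE_IPV4 = 0x0800   # GRE protocol-type field for an IPv4 passenger packet
IPV4_HDR_LEN = 20
GRE_HDR_LEN = 4           # basic GRE header: 2 bytes flags/version + 2 bytes protocol type
TCP_HDR_LEN = 20


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap an IPv4 passenger packet: outer IPv4 (protocol 47) + GRE + passenger."""
    gre = struct.pack("!HH", 0, GRE_PTYPE_IPV4)   # C/K/S bits clear, version 0
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_IP_PROTOCOL, GRE_HDR_LEN + len(passenger))
    return outer + gre + passenger


def gre_decapsulate(transport: bytes) -> bytes:
    """Strip the outer IPv4 and GRE headers; reject anything that is not plain IPv4-in-GRE."""
    ihl = (transport[0] & 0x0F) * 4
    if transport[0] >> 4 != 4 or transport[9] != GRE_IP_PROTOCOL:
        raise ValueError("not an IPv4/GRE transport packet")
    if ipv4_checksum(transport[:ihl]) != 0:      # a header with its checksum sums to zero
        raise ValueError("bad outer IPv4 checksum")
    flags, ptype = struct.unpack("!HH", transport[ihl:ihl + GRE_HDR_LEN])
    if flags & 0x0007:                            # low 3 bits are the GRE version (must be 0)
        raise ValueError("unsupported GRE version")
    if ptype != GRE_PTYPE_IPV4:
        raise ValueError("unexpected passenger protocol 0x%04x" % ptype)
    total_len = struct.unpack("!H", transport[2:4])[0]
    return transport[ihl + GRE_HDR_LEN:total_len]


def gre_overhead() -> int:
    """Bytes added to every passenger packet by outer IPv4 + basic GRE."""
    return IPV4_HDR_LEN + GRE_HDR_LEN             # 24


def max_passenger_size(transport_mtu: int = 1500) -> int:
    """Largest passenger packet that fits one transport frame without fragmentation."""
    return transport_mtu - gre_overhead()         # 1476 on a 1500-byte link


def tcp_mss_for_tunnel(tunnel_ip_mtu: int) -> int:
    """MSS to clamp with 'ip tcp adjust-mss' so TCP segments fit inside the tunnel's ip mtu."""
    return tunnel_ip_mtu - IPV4_HDR_LEN - TCP_HDR_LEN   # 1360 for ip mtu 1400


# Constructed sample: an ICMP echo request from 192.168.1.10 to 192.168.2.10 is the passenger;
# R1 wraps it with its own tunnel source 1.1.1.1 and destination 2.2.2.2.
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"GRE-test"
PASSENGER = ipv4_header("192.168.1.10", "192.168.2.10", 1, len(ICMP_ECHO)) + ICMP_ECHO
TRANSPORT = gre_encapsulate(PASSENGER, "1.1.1.1", "2.2.2.2")

if __name__ == "__main__":
    print("passenger %d bytes, on the wire %d bytes" % (len(PASSENGER), len(TRANSPORT)))
    print("max passenger on 1500 MTU:", max_passenger_size(), "MSS for ip mtu 1400:", tcp_mss_for_tunnel(1400))
```

The 24 extra bytes on the wire are exactly the outer IP header plus GRE header, which is why a 1476-byte passenger is the largest that avoids fragmentation on a 1500-byte link and why the tunnel is given an ip mtu of 1400 with some margin to spare. Note also that the passenger packet comes back out of gre_decapsulate byte for byte unchanged: GRE adds framing, not protection.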
What happens when a router receives a packet?

Upon receiving a packet, a router follows three generic steps before it sends the packet on its way:
-> Routing
-> Forwarding (Switching)
-> Encapsulation
Let’s discuss each one of them in detail
Routing process: The routing process is the router's control plane. The router builds a routing table listing which route should be used to forward a packet and through which physical interface. It learns routes either from static configuration or from a dynamic routing protocol: an IGP such as OSPF, EIGRP, RIP or IS-IS, or an exterior routing protocol such as BGP.
When the router receives a packet it first removes the Layer 2 header (in Ethernet, the source and destination MAC addresses). It then examines the Layer 3 information in the packet: the source and destination IP addresses.
To move the packet between interfaces, the router takes the destination address and finds the longest-prefix match in the IP routing table to determine the outgoing interface. In IPv4 the entry with the longest subnet mask that still matches the destination is the best route for forwarding the packet.
Example: assume three static routes with different subnet masks have been configured:
ip route 1.1.1.0 255.255.255.0 fa0/2
ip route 1.1.0.0 255.255.0.0 fa0/1
ip route 1.0.0.0 255.0.0.0 fa0/0
When the router does a route lookup for destination 1.1.1.1 (show ip route 1.1.1.1), all three entries match, but it chooses the longest-prefix-length entry, 1.1.1.0/24, because that route shares the most leading bits with the destination address, and it forwards the packet out fa0/2.
Destination prefix | Binary |
---|---|
1.1.1.1 | 00000001 00000001 00000001 00000001 |
1st entry 1.1.1.0/24 | 00000001 00000001 00000001 00000000 |
2nd entry 1.1.0.0/16 | 00000001 00000001 00000000 00000000 |
3rd entry 1.0.0.0/8 | 00000001 00000000 00000000 00000000 |
For any other destination, such as 1.1.2.0, the longest match is 1.1.0.0/16, and for 1.2.0.0 it is 1.0.0.0/8.
The longest match possible in IPv4 routing is /32 (255.255.255.255) and the shortest is the default route, 0.0.0.0/0.
-> If there are multiple routes to the same prefix with the same subnet mask learned via the same protocol, the router chooses the one with the lowest metric.
For example, EIGRP uses a composite metric and OSPF uses cost for the comparison.
-> If there are multiple routes to the same prefix with the same subnet mask learned via different protocols, the router chooses the one with the lowest administrative distance (AD).
-> The last and important point is the recursive lookup: whenever a route lookup has to be performed more than once for a single destination, it is termed a recursive lookup. The router repeats the lookup until the result points at a physical or logical interface.
Example:
Suppose the network 1.1.1.1 is reachable through interface fa0/0 with next-hop IP address 2.2.2.2. The static route can be written in two ways: pointing at the next-hop IP address 2.2.2.2, or pointing at the exit interface fa0/0, as shown below.
ip route 1.1.1.1 255.255.255.255 2.2.2.2
ip route 1.1.1.1 255.255.255.255 FastEthernet0/0
Both statements look similar but mean different things. When the route points at an exit interface, no further lookup is needed: the router treats the destination as directly connected to that interface. When the route points at a next-hop IP address, the router must perform another lookup to find how to reach that next hop; this second lookup is the recursive lookup.
For more information on how a static route behaves when its gateway is a next-hop IP address versus a next-hop interface, please refer to this document.
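The longest-prefix match, the AD and metric tie-breaks, and the recursive lookup described above, as an added Python example that is not from the original post. The routing table is constructed: it holds the page's three static routes plus a default route via next hop 2.2.2.2, a connected route that resolves that next hop, and two prefixes learned from more than one source so the tie-breaks are exercised; the interface names, the OSPF/EIGRP metrics and the function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    source: str                      # "connected", "static", "eigrp", "ospf", ...
    ad: int                          # administrative distance of that source
    metric: int                      # metric within that source
    next_hop: Optional[str] = None   # next-hop IP: needs a further (recursive) lookup
    interface: Optional[str] = None  # exit interface: the lookup ends here


def route(prefix: str, source: str, ad: int, metric: int = 0,
          next_hop: Optional[str] = None, interface: Optional[str] = None) -> Route:
    return Route(ipaddress.IPv4Network(prefix), source, ad, metric, next_hop, interface)


def best_route(table: List[Route], addr: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest prefix wins; ties are broken by lowest AD, then lowest metric."""
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.ad, r.metric))


def resolve(table: List[Route], destination: str, max_depth: int = 8) -> Tuple[str, List[str]]:
    """Return the exit interface and the prefixes consulted on the way (recursive lookup)."""
    addr = ipaddress.IPv4Address(destination)
    consulted: List[str] = []
    for _ in range(max_depth):
        r = best_route(table, addr)
        if r is None:
            raise LookupError(f"no route to {addr}")
        consulted.append(str(r.prefix))
        if r.interface:
            return r.interface, consulted
        addr = ipaddress.IPv4Address(r.next_hop)   # recurse on the next hop
    raise LookupError("recursive lookup did not terminate")


# Constructed table: the page's three static routes, a default route via a next hop,
# the connected route that resolves that next hop, and two multi-source prefixes.
TABLE = [
    route("1.1.1.0/24", "static", 1, interface="fa0/2"),
    route("1.1.0.0/16", "static", 1, interface="fa0/1"),
    route("1.0.0.0/8", "static", 1, interface="fa0/0"),
    route("0.0.0.0/0", "static", 1, next_hop="2.2.2.2"),
    route("2.2.2.0/24", "connected", 0, interface="fa0/3"),
    route("10.0.0.0/8", "ospf", 110, 20, interface="fa0/1"),    # same prefix, two protocols
    route("10.0.0.0/8", "eigrp", 90, 3072, interface="fa0/0"),  # lower AD wins
    route("3.3.3.0/24", "ospf", 110, 20, interface="fa0/1"),    # same prefix, same protocol
    route("3.3.3.0/24", "ospf", 110, 10, interface="fa0/0"),    # lower metric wins
]

if __name__ == "__main__":
    for dst in ("1.1.1.1", "1.1.2.5", "1.2.0.1", "8.8.8.8", "10.5.5.5", "3.3.3.3"):
        print(dst, "->", resolve(TABLE, dst))
```

Running it shows the three behaviours in turn: 1.1.1.1 picks the /24 over the /16 and /8 and exits fa0/2; 10.5.5.5 follows the EIGRP route because AD 90 beats 110 even though its metric is larger; and 8.8.8.8 matches only the default route, whose next hop 2.2.2.2 forces a second lookup that ends at the connected /24 on fa0/3.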
Forwarding process: This is also known as the switching process. Once the router has found the outgoing interface, the packet is moved between interfaces by the switching process, which is done by process switching, fast switching or CEF switching. Forwarding can use adjacency tables that reside on the route processor or on interface cards that support switching.
-> Process switching requires the device CPU to be involved in every forwarding decision.
-> Fast switching still uses the CPU for the first packet of a flow and to populate the router's cache. Once the initial packet has been forwarded, the information about how to reach the destination is stored in the fast-switching cache; when another packet to the same destination arrives, the next-hop information is reused from the cache and the route processor does not have to look it up again. If the information is not cached, the CPU has to process the packet in full.
-> When CEF is enabled, the router builds the CEF FIB and adjacency tables on the route processor, and the route processor performs the express forwarding.
Depending on the switching method in use, this is also the stage at which the device performs any per-packet or per-destination load balancing across links.
Encapsulation process: The L3 header remains unchanged from end to end, except in cases such as NAT or VPN, while the Layer 2 header changes hop by hop depending on the transmission media. To transmit the L3 packet on the wire the router must build the L2 information for the packet, and what that looks like depends on the type of media used for transmission.
To explain encapsulation process in bit detail, I have created a small topology shown as below in diagram.

As discussed above, depending on the transmission media (Ethernet in this example), the MAC addresses in the Layer 2 header change on a hop-by-hop basis.
To generate some traffic, let's ping R2's interface address from R3. As soon as R1 receives the packet from R3, it removes the L2 information sent by R3 and reads the L3 information: source 20.1.1.2 and destination 10.1.1.1. It then looks in its routing table to find the outgoing interface, fa0/0 in this example. Once the outgoing interface is known, R1 attaches a new L2 header before putting the packet on the wire: its own fa0/0 MAC address as the source and R2's MAC address as the destination.
Address resolution protocol (ARP) table on R1:

To get closer packet level overview, I have also attached some packet capture taken on R1's interfaces.
Packet capture on R1’s Fa0/1:

Packet capture on R1’s Fa0/0:

Well!!!! That ends my first blog, and I think I managed to outline how routers handle a packet.
Thank you for reading, and I hope it was informative.
How to configure static NAT with route-maps
Introduction:

Static NAT configuration with the route-map option can be used to implement destination-based NAT scenarios where the same inside local address needs to be translated to more than one inside global address, depending on where the traffic is destined. This type of configuration will create an extended translation entry in the NAT table and will be useful when a network is multi-homed to different provider networks or partner networks, and the same inside local address has to be translated to different inside global addresses.
This method is also useful when using NAT and IP Security (IPsec) together on a router to reach a public network like the Internet, as well as other Virtual Private Network (VPN) sites through the same NAT outside interface. The route-map option can be used to translate only traffic going to the public network. It does not translate traffic destined for other VPN sites reached through the public network. Though there are other ways of achieving the same thing, this option allows the user to implement such a scenario without degrading router performance.
Configuration overview:
To configure static NAT with route maps, use the following steps:
1) The first step in any NAT configuration is to define the inside and outside interfaces.
This can be done by issuing the ip nat inside command and the ip nat outside command under the specific interface configuration mode.
2) Use the following command to define an extended access list and the parameters of the access list:
access-list <acl-number> {deny|permit} <protocol> <source> <source-wildcard> <destination> <destination-wildcard>
The access list should specify which traffic arriving at the inside interface and destined to the outside interface is eligible to create a translation entry.
3) Configure a route map and define its parameters.
4) Use the command below to enable static NAT with route maps on the inside interface:
ip nat inside source {list {acl-number|acl-name} pool pool-name [overload] | static local-ip global-ip route-map map-name}
Configuration example:
A router R1 connects to the Internet through interface Serial0/0 and to a partner network, which uses the 192.168.1.0/24 address space, through interface Serial0/1. The LAN interface of the router is connected to the corporate inside network, which belongs to the 10.0.0.0/8 network. The requirement is that an inside host 10.1.1.10, which could be a mail server, is translated to address 200.1.1.10 when communicating with the Internet. The same host should be translated to the 172.16.1.10 address when communicating with the partner network.
Topology Diagram:

Router R1 static NAT with route map configuration:
STEP: 1
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!--- This connects to the corporate network, designated as the NAT inside interface.
interface Serial0/0
 ip address 200.1.1.1 255.255.255.0
 ip nat outside
!--- This connects to the Internet, designated as a NAT outside interface.
interface Serial0/1
 ip address 172.16.1.1 255.255.255.0
 ip nat outside
!--- This connects to the partner network, designated as a NAT outside interface.
STEP: 2
access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
!--- This Access Control List (ACL) permits traffic from all hosts in the corporate network destined for the partner network.
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
!--- This ACL permits traffic from all hosts in the corporate network going to any destination on the Internet.
STEP: 3
route-map topartners permit 10
 match ip address 100
 set ip next-hop 172.16.1.2
!--- This route-map matches all traffic permitted by ACL 100 and going out of interface Serial0/1. In other words, all traffic from the corporate network to the partner network is matched.
route-map tointernet permit 10
 match ip address 101
 set ip next-hop 200.1.1.2
!--- This route-map matches all traffic permitted by ACL 101 and going out of interface Serial0/0. In other words, all traffic from the corporate network to the Internet is matched.
STEP: 4
ip nat inside source static 10.1.1.10 172.16.1.10 route-map topartners
!--- The above line configures a static NAT mapping for the inside host 10.1.1.10 to the global address 172.16.1.10, used for traffic matched by the route-map topartners.
ip nat inside source static 10.1.1.10 200.1.1.10 route-map tointernet
!--- The above line configures a static NAT mapping for the inside host 10.1.1.10 to the global address 200.1.1.10, used for traffic matched by the route-map tointernet.
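To make the selection logic of steps 2 to 4 concrete, here is an added Python simulation (not Cisco IOS code and not part of the original post) of how R1 picks a translation for 10.1.1.10. ACL entries are evaluated with Cisco wildcard masks (a 0 bit in the mask must match, a 1 bit is don't-care), each route-map references its ACL, and the static entries are tried in the order they were configured, which is an assumption of the model rather than documented IOS behaviour. 203.0.113.5 is a constructed Internet destination. The `matching_translations` helper is the check a practitioner wants before deploying this: because ACL 101 as written permits `any` destination, it also matches partner-bound traffic, so both statics match those flows and the outcome depends on evaluation order.

```python
"""Destination-based static NAT selection with route-maps (simulation of the
page's scenario; constructed example, not the router's own code)."""
import ipaddress


def ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: bits set in the wildcard are don't-care."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def acl_permits(acl, src, dst):
    """Ordered ACL evaluation: first matching entry wins, implicit deny at the end."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action == "permit"
    return False


ANY = ("0.0.0.0", "255.255.255.255")  # the IOS keyword "any"

# access-list 100 / 101 from STEP 2, as (action, src, src-wildcard, dst, dst-wildcard)
ACLS = {
    100: [("permit", "10.0.0.0", "0.255.255.255", "192.168.1.0", "0.0.0.255")],
    101: [("permit", "10.0.0.0", "0.255.255.255", *ANY)],
}

# route-map name -> ACL it matches on (STEP 3); set clauses are not modelled
ROUTE_MAPS = {"topartners": 100, "tointernet": 101}

# ip nat inside source static <local> <global> route-map <name> (STEP 4), in config order
STATIC_NAT = [
    ("10.1.1.10", "172.16.1.10", "topartners"),
    ("10.1.1.10", "200.1.1.10", "tointernet"),
]


def translate_source(src, dst):
    """Inside-global address R1 would use for an inside->outside flow.

    Assumption of the model: entries are tried in configured order and the
    first one whose route-map ACL permits the flow wins. Untranslated flows
    keep their inside-local source."""
    for local, global_addr, rmap in STATIC_NAT:
        if src == local and acl_permits(ACLS[ROUTE_MAPS[rmap]], src, dst):
            return global_addr
    return src


def matching_translations(src, dst):
    """Lint helper: every global address whose route-map would accept this flow.

    More than one result means the policy is ambiguous for that destination."""
    return [global_addr for local, global_addr, rmap in STATIC_NAT
            if src == local and acl_permits(ACLS[ROUTE_MAPS[rmap]], src, dst)]


if __name__ == "__main__":
    for dst in ("192.168.1.20", "203.0.113.5"):
        print(dst, translate_source("10.1.1.10", dst), matching_translations("10.1.1.10", dst))
```

Only the inside-to-outside direction is modelled; on the real router the same static entries also translate the return traffic arriving for the two global addresses. If `matching_translations` reports two candidates for partner-bound traffic, the ACL referenced by the Internet route-map is the place to tighten the policy so that each destination matches exactly one translation.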
Verification command:
