mohammedmahmoud Tue, 06/05/2007 - 06:16

Hi,


Kindly use:

router#show ip nat translations | include x

Where x is the part of the line (ex: IP address) you want to filter with.



HTH, please do rate all helpful replies,

Mohammed Mahmoud.

brianjp2472 Tue, 06/05/2007 - 06:29

Thanks so much. Another question:


I have found the IP address and I see a connection established to an external server; the problem is I have denied the IP address in the ACL from any outside connections.


here is my acl:

access-list 101 deny ip host 10.10.10.109 any


but the nat translation shows an ipsec vpn nat-T connection on port 4500.


how do I block this?


mohammedmahmoud Tue, 06/05/2007 - 06:41

Hi,


You are always welcomed :)


This issue is due to the NAT order of operations: the output access list is checked after the NAT is done. To solve this issue, put an input access list on the LAN interface to deny the traffic when it enters, before it is NATed.


http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml



HTH, please do rate all helpful replies,

Mohammed Mahmoud.
