need help with NAT statement

Answered Question
Jun 23rd, 2008

On an external interface:

interface FastEthernet3/0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address ***.***.***.243 255.255.255.248
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex full
 speed 100
 ids-service-module monitoring
 no mop enabled
 crypto map cm-cryptomap


We have a NAT statement:

ip nat inside source route-map Staging interface FastEthernet3/0 overload

With a route-map:

route-map Staging permit 10
 match ip address 120


And an IP access list 120 of:

access-list 120 remark SDM_ACL Category=18
access-list 120 deny ip 10.10.71.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 120 deny ip 10.10.112.0 0.0.15.255 10.10.20.0 0.0.0.255
access-list 120 deny ip 10.10.72.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 120 deny ip 10.10.72.0 0.0.0.255 10.10.14.0 0.0.0.255
access-list 120 deny ip 10.10.72.0 0.0.0.255 10.10.15.0 0.0.0.255
access-list 120 deny ip 10.10.14.0 0.0.0.255 10.10.72.0 0.0.0.255
access-list 120 deny ip 10.10.15.0 0.0.0.255 10.10.72.0 0.0.0.255
access-list 120 deny ip 10.10.72.0 0.0.0.255 10.10.8.0 0.0.3.255
access-list 120 deny ip 10.10.8.0 0.0.3.255 10.10.20.0 0.0.0.255
access-list 120 deny ip 10.10.14.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 120 deny ip 10.10.15.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 120 deny tcp 10.10.72.0 0.0.0.255 any eq smtp log
access-list 120 permit ip 10.10.72.0 0.0.0.255 any


For some reason I cannot access 10.10.72.0 from 10.98.0.0 (via VPN to that interface), as I think it's NATting the IP I am trying to access (10.10.72.1).

How do I stop the NATting of 10.98.0.0 when trying to access 10.10.72.0?

Richard Burts Mon, 06/23/2008 - 07:30

Nelson


You have not given us enough information to really understand your problem or to suggest a solution. Where is 10.98.0.0? Where is 10.10.72.0? Does that traffic really go through interface FA3/0? If so, is the traffic direction inbound on the interface or outbound on the interface? Perhaps if you supply that information we might be able to suggest a solution.


HTH


Rick

pipsadmin Mon, 06/23/2008 - 07:57

I'm in one location, where 10.98.0.0 is; I access this router via VPN on the router, and 10.10.72.0 resides on that router (10.10.72.1).

See the diagram attached.



Correct Answer
tekha Mon, 06/23/2008 - 12:31

So 10.98.0.0 is known through the outside interface and 10.10.72.1 is known on the inside interface?

If so I'll take a wild guess and tell you that you need a "access-list 120 deny ip 10.10.72.0 0.0.0.255 10.98.0.0 0.0.0.255"

just above the last line in the present ACL 120.

Did it work?

Correct Answer
Richard Burts Mon, 06/23/2008 - 12:32

Nelson


The additional information is helpful. While there are still some details that are not clear, I do have a suggestion. Add this to your access list:

access-list 120 deny ip 10.10.72.0 0.0.0.255 10.98.0.0 0.0.255.255

and make sure that it gets added before the permit statement in the access list.


HTH


Rick
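To make the first-match behaviour behind both replies concrete, here is a small Python model added to this page (it is not code from the thread, from Cisco, or from any IOS tool). It parses ACL 120 exactly as posted, evaluates a packet against it with IOS wildcard-mask semantics and the implicit deny at the end, and then applies the route-map rule that `ip nat inside source route-map Staging ...` translates a packet only when ACL 120 permits it. The flows it checks (10.10.72.1 to 10.98.0.5 and to 10.98.1.5, plus a few unrelated ones) are constructed, and the helper names (`evaluate`, `nat_translates`, `insert_before_permit`) are my own. Beyond the thread's single case, it shows why the new deny has to sit above the permit (appended after it, it is never reached), and that the 0.0.0.255 mask in one reply covers only 10.98.0.0/24 while 0.0.255.255 covers all of 10.98.0.0/16, so the right mask depends on the real size of the 10.98.0.0 network, which the question does not state.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Added example, not code from the thread. Models an IOS numbered ACL (first match wins,
# implicit deny at the end) with wildcard masks, then applies the route-map semantics of
# "ip nat inside source route-map Staging ...": a packet is translated only if ACL 120 permits it.

NAMED_PORTS: Dict[str, int] = {"smtp": 25, "www": 80, "domain": 53}  # subset of IOS port keywords

# ACL 120 exactly as posted in the question (embedded here as sample input).
ACL_120: List[str] = """\
access-list 120 remark SDM_ACL Category=18
access-list 120 deny ip 10.10.71.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 120 deny ip 10.10.112.0 0.0.15.255 10.10.20.0 0.0.0.255
access-list 120 deny ip 10.10.72.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 120 deny ip 10.10.72.0 0.0.0.255 10.10.14.0 0.0.0.255
access-list 120 deny ip 10.10.72.0 0.0.0.255 10.10.15.0 0.0.0.255
access-list 120 deny ip 10.10.14.0 0.0.0.255 10.10.72.0 0.0.0.255
access-list 120 deny ip 10.10.15.0 0.0.0.255 10.10.72.0 0.0.0.255
access-list 120 deny ip 10.10.72.0 0.0.0.255 10.10.8.0 0.0.3.255
access-list 120 deny ip 10.10.8.0 0.0.3.255 10.10.20.0 0.0.0.255
access-list 120 deny ip 10.10.14.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 120 deny ip 10.10.15.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 120 deny tcp 10.10.72.0 0.0.0.255 any eq smtp log
access-list 120 permit ip 10.10.72.0 0.0.0.255 any
""".splitlines()

# The two lines proposed in the replies; they differ only in the destination wildcard mask.
RICK_ACE = "access-list 120 deny ip 10.10.72.0 0.0.0.255 10.98.0.0 0.0.255.255"  # 10.98.0.0/16
TEKHA_ACE = "access-list 120 deny ip 10.10.72.0 0.0.0.255 10.98.0.0 0.0.0.255"   # 10.98.0.0/24


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: 0 bits must match the base address, 1 bits are ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def _parse_addr(tokens: List[str]) -> Tuple[Tuple[str, str], List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line: str) -> Optional[dict]:
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT] [log]'; remarks yield None."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
        return None
    action, proto, rest = t[2], t[3], t[4:]
    src, rest = _parse_addr(rest)
    dst, rest = _parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:  # destination-port qualifier (only the tcp line carries one here)
        dport = int(rest[1]) if rest[1].isdigit() else NAMED_PORTS[rest[1]]
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl: List[str], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny': the first matching ACE decides; unmatched traffic is denied."""
    for line in acl:
        ace = parse_ace(line)
        if ace is None:
            continue
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"

def nat_translates(acl: List[str], src: str, dst: str, proto: str = "ip",
                   dport: Optional[int] = None) -> bool:
    """route-map Staging permit 10 / match ip address 120: NAT happens only on an ACL permit."""
    return evaluate(acl, proto, src, dst, dport) == "permit"

def insert_before_permit(acl: List[str], ace: str) -> List[str]:
    """Place a new ACE directly above the first permit, as both replies advise."""
    idx = next(i for i, line in enumerate(acl) if " permit " in line)
    return acl[:idx] + [ace] + acl[idx:]


if __name__ == "__main__":
    flow = ("10.10.72.1", "10.98.0.5")  # constructed: reply traffic toward the VPN-side host
    print("as posted, translated:", nat_translates(ACL_120, *flow))                                  # True
    print("deny above permit:   ", nat_translates(insert_before_permit(ACL_120, RICK_ACE), *flow))  # False
    print("deny appended at end:", nat_translates(ACL_120 + [RICK_ACE], *flow))                     # True
    narrow = insert_before_permit(ACL_120, TEKHA_ACE)
    print("/24 mask, 10.98.1.5: ", nat_translates(narrow, "10.10.72.1", "10.98.1.5"))               # True
```

Running it prints the four cases in the order above: the ACL as posted permits (and so translates) traffic from 10.10.72.1 toward 10.98.0.5, the deny placed above the permit exempts it from NAT, the same deny appended after the permit changes nothing because the permit already matched, and with the 0.0.0.255 mask a host in 10.98.1.0/24 is still translated. On the router the corresponding check is `show ip nat translations` after the change; if 10.10.72.x entries for the VPN-side addresses still appear, the deny is not being hit before the permit.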

Richard Burts Tue, 06/24/2008 - 05:54

Nelson


I am glad that we were able to help you find a solution for your problem. Thank you for using the rating system to indicate that your problem was solved (and thanks for the rating). It makes the forum more useful when people can read about a problem and can know that they will see a solution that solved the problem.


The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.


HTH


Rick
