need help with NAT statement

pipsadmin
Level 1

On an external interface:

interface FastEthernet3/0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address ***.***.***.243 255.255.255.248
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex full
 speed 100
 ids-service-module monitoring
 no mop enabled
 crypto map cm-cryptomap

We have a NAT statement:

ip nat inside source route-map Staging interface FastEthernet3/0 overload

With a route-map:

route-map Staging permit 10
 match ip address 120

And an IP access list 120 of:

access-list 120 remark SDM_ACL Category=18
access-list 120 deny ip 10.10.71.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 120 deny ip 10.10.112.0 0.0.15.255 10.10.20.0 0.0.0.255
access-list 120 deny ip 10.10.72.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 120 deny ip 10.10.72.0 0.0.0.255 10.10.14.0 0.0.0.255
access-list 120 deny ip 10.10.72.0 0.0.0.255 10.10.15.0 0.0.0.255
access-list 120 deny ip 10.10.14.0 0.0.0.255 10.10.72.0 0.0.0.255
access-list 120 deny ip 10.10.15.0 0.0.0.255 10.10.72.0 0.0.0.255
access-list 120 deny ip 10.10.72.0 0.0.0.255 10.10.8.0 0.0.3.255
access-list 120 deny ip 10.10.8.0 0.0.3.255 10.10.20.0 0.0.0.255
access-list 120 deny ip 10.10.14.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 120 deny ip 10.10.15.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 120 deny tcp 10.10.72.0 0.0.0.255 any eq smtp log
access-list 120 permit ip 10.10.72.0 0.0.0.255 any

For some reason I cannot access 10.10.72.0 from 10.98.0.0 (via VPN to that interface), as I think it's NATting the IP I am trying to access (10.10.72.1).

How do I stop the NATting of 10.98.0.0 when trying to access 10.10.72.0?

6 Replies

Richard Burts
Hall of Fame

Nelson

You have not given us enough information to really understand your problem or to suggest a solution. Where is 10.98.0.0? Where is 10.10.72.0? Does that traffic really go through interface FA3/0? If so is the traffic direction inbound on the interface or outbound on the interface? Perhaps if you supply that information we might be able to suggest a solution.

HTH

Rick

I'm in one location, where 10.98.0.0 is. I access this router via VPN on the router, and 10.10.72.0 resides on that router (10.10.72.1).

See the diagram attached.

So 10.98.0.0 is known through the outside interface and 10.10.72.1 is known on the inside interface?

If so I'll take a wild guess and tell you that you need a "access-list 120 deny ip 10.10.72.0 0.0.0.255 10.98.0.0 0.0.0.255"

just above the last line in the present ACL 120.

Did it work?

Nelson

The additional information is helpful. While there are still some details that are not clear, I do have a suggestion. Add this to your access list:

access-list 120 deny ip 10.10.72.0 0.0.0.255 10.98.0.0 0.0.255.255

and make sure that it gets added before the permit statement in the access list.

HTH

Rick
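Why the fix works, and what the two suggested lines have in common: the route-map NAT applies to packets leaving the inside for the outside, so it is the reply from 10.10.72.1 back to the VPN client that matters. In the posted ACL that reply only hits the final permit, gets its source translated to the FastEthernet3/0 address (NAT runs before the crypto map on the inside-to-outside path), and no longer matches the VPN's crypto ACL. A deny for 10.10.72.0/24 to the remote network placed above the permit exempts it. Note that the two proposed lines differ in their wildcard: 0.0.0.255 covers only 10.98.0.0/24, while 0.0.255.255 covers all of 10.98.0.0/16. Note also that typing a new numbered access-list line appends it after the permit, where first-match evaluation never reaches it; either remove and re-add the permit, or use ip access-list extended 120 with a sequence number, and clear stale entries with clear ip nat translation * afterwards. The following is an added example, not code from the thread: a small first-match evaluator for IOS extended ACL syntax, fed the ACL posted above, that shows the three outcomes. The packet direction (reply sourced from 10.10.72.1) and the sample client addresses in 10.98.0.0/16 are assumptions drawn from the thread, not facts it states.

```python
"""First-match evaluation of the Cisco extended ACL that drives the NAT
route-map in the thread above.  Added example; it is a simulator of IOS
ACL matching, not IOS itself.  Only contiguous wildcard masks, "any" and
"host" are handled, which is all the posted ACL uses."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53}  # subset of IOS port keywords


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # set only when "eq <port>" is present
    log: bool


def _net(tokens, i):
    """Consume one IOS address spec starting at tokens[i]; return (network, next_i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host" or tokens[i + 1] == "0.0.0.0":
        addr = tokens[i + 1] if tokens[i] == "host" else tokens[i]
        return ipaddress.ip_network(addr + "/32"), i + 2
    # "addr wildcard": a contiguous wildcard is exactly an ipaddress hostmask.
    # Non-contiguous wildcards (e.g. 0.0.255.0) are legal IOS but raise here.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(lines):
    """Parse 'access-list N permit|deny proto SRC DST [eq port] [log]' lines."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
            continue
        action, proto = t[2], t[3]
        src, i = _net(t, 4)
        dst, i = _net(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            i += 2
        entries.append(AclEntry(action, proto, src, dst, dport, "log" in t[i:]))
    return entries


def nat_decision(entries, src, dst, proto="ip", dport=None):
    """'translate' if the ACL permits the flow (NAT applies), else 'exempt'.
    IOS evaluates top-down and stops at the first match; a flow that matches
    nothing hits the implicit deny, which for a NAT route-map means no NAT."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if s in e.src and d in e.dst and (e.dport is None or e.dport == dport):
            return "translate" if e.action == "permit" else "exempt"
    return "exempt"


# The ACL exactly as posted in the question.
ORIGINAL_ACL = [
    "access-list 120 remark SDM_ACL Category=18",
    "access-list 120 deny ip 10.10.71.0 0.0.0.255 10.10.20.0 0.0.0.255",
    "access-list 120 deny ip 10.10.112.0 0.0.15.255 10.10.20.0 0.0.0.255",
    "access-list 120 deny ip 10.10.72.0 0.0.0.255 10.10.20.0 0.0.0.255",
    "access-list 120 deny ip 10.10.72.0 0.0.0.255 10.10.14.0 0.0.0.255",
    "access-list 120 deny ip 10.10.72.0 0.0.0.255 10.10.15.0 0.0.0.255",
    "access-list 120 deny ip 10.10.14.0 0.0.0.255 10.10.72.0 0.0.0.255",
    "access-list 120 deny ip 10.10.15.0 0.0.0.255 10.10.72.0 0.0.0.255",
    "access-list 120 deny ip 10.10.72.0 0.0.0.255 10.10.8.0 0.0.3.255",
    "access-list 120 deny ip 10.10.8.0 0.0.3.255 10.10.20.0 0.0.0.255",
    "access-list 120 deny ip 10.10.14.0 0.0.0.255 10.10.20.0 0.0.0.255",
    "access-list 120 deny ip 10.10.15.0 0.0.0.255 10.10.20.0 0.0.0.255",
    "access-list 120 deny tcp 10.10.72.0 0.0.0.255 any eq smtp log",
    "access-list 120 permit ip 10.10.72.0 0.0.0.255 any",
]
PERMIT = ORIGINAL_ACL[-1]
DENY_24 = "access-list 120 deny ip 10.10.72.0 0.0.0.255 10.98.0.0 0.0.0.255"    # first reply
DENY_16 = "access-list 120 deny ip 10.10.72.0 0.0.0.255 10.98.0.0 0.0.255.255"  # Rick's reply


def with_exemption(deny_line, before_permit=True):
    """Return the ACL with the VPN exemption inserted before (or appended after) the permit."""
    body = [l for l in ORIGINAL_ACL if l != PERMIT]
    return body + ([deny_line, PERMIT] if before_permit else [PERMIT, deny_line])


if __name__ == "__main__":
    cases = {
        "original": ORIGINAL_ACL,
        "deny /24 before permit": with_exemption(DENY_24),
        "deny /16 before permit": with_exemption(DENY_16),
        "deny /16 appended after permit": with_exemption(DENY_16, before_permit=False),
    }
    # Reply packets from the inside host to two assumed VPN clients in 10.98.0.0/16.
    for name, acl in cases.items():
        e = parse_acl(acl)
        print(f"{name:32} -> 10.98.0.10: {nat_decision(e, '10.10.72.1', '10.98.0.10'):9} "
              f"-> 10.98.1.10: {nat_decision(e, '10.10.72.1', '10.98.1.10')}")
```

Running it shows the original ACL translating both replies, the 0.0.0.255 line exempting only 10.98.0.10, the 0.0.255.255 line exempting both, and the appended-after-permit variant changing nothing. Substitute your own remote VPN subnet for the 10.98.0.0 entries when checking a different router.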

Thanks guys,

that did it...

Nelson

I am glad that we were able to help you find a solution for your problem. Thank you for using the rating system to indicate that your problem was solved (and thanks for the rating). It makes the forum more useful when people can read about a problem and can know that they will see a solution that solved the problem.

The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick