Summarization for statics?

John Blakley
VIP Alumni

All,

If I have some networks:

10.125.0.0

10.126.0.0

10.127.0.0

10.128.0.0

10.129.0.0

10.130.0.0

Would it be "safe" to create statics like

static (inside,dmz1) 10.124.0.0 10.124.0.0 netmask 255.252.0.0

static (inside,dmz1) 10.128.0.0 10.128.0.0 netmask 255.252.0.0

Would this create too much processing on the ASA, or is this preferred over a line for each subnet?

Thanks,

John

HTH, John *** Please rate all useful posts ***

Jon Marshall
Hall of Fame

John

You should be fine either way, to be honest. In fact, I have seen setups where they just use 10.0.0.0/8 even though they only have a subset of this on their network, because they control access by ACLs on the inside and outside interfaces.

Not recommending that though :-)

Jon

Jon,

We're doing our second phase test tomorrow. I have a lot of departments involved, but I made changes since the first phase. I had the original 10.0.0.0/8 static, but we were having flaky issues, so I created statics for the particular subnet that we were on. That seemed to work fine, but I decided that even better, I would just change to nat exemption. I've got the statics configured as a backup in case the nat exemptions don't seem to work.

My nat exemption looks like:

access-list NONAT permit ip 10.125.0.0 255.255.255.0 10.45.0.0 255.255.0.0

access-list NONAT permit ip 10.128.0.0 255.255.255.0 10.45.0.0 255.255.0.0

nat (inside) 0 access-list NONAT

My inside networks are 10.125 and 10.128, but I have several others, and the dmz interfaces are 10.45.x.x.

I don't think I'll have problems with the above, but just in case I have a static list set aside.

Does it look okay to you?

John

HTH, John *** Please rate all useful posts ***

John

Should the NAT exemption ACL not be using a 255.252.0.0 subnet mask as in your statics, or are the actual networks 10.125.0/24 & 10.128.0/24?

Jon

I'm not summarizing in the acl like I was in the static. It's currently each subnet with /16 masks to cover all of the 10.125.x.x subnets instead of trying to cover 10.125, .126, .127, etc.

Overall, does the nat exemption look like it would work? I could summarize it looks like the nat exemption config looks like it would work. :-)

Thanks!

John

HTH, John *** Please rate all useful posts ***

John

This is one of the most confusing conversations I've had with you :-)

You have in your acl

access-list NONAT permit ip 10.125.0.0 255.255.255.0 10.45.0.0 255.255.0.0

but you say you are using /16 to cover all 10.125.x.x subnets.

What am I missing?

Jon

LOL! Ooops..... it was a typo:

access-list NONAT line 1 extended permit ip Subnet_10.125.0.0 255.255.0.0 10.45.0.0 255.255.0.0 (hitcnt=0) 0xdc7faead

access-list NONAT line 2 extended permit ip Subnet_10.128.0.0 255.255.0.0 10.45.0.0 255.255.0.0 (hitcnt=0) 0xb08b2a3b

name 10.125.0.0 Subnet_10.125.0.0

name 10.126.0.0 Subnet_10.126.0.0

name 10.127.0.0 Subnet_10.127.0.0

name 10.128.0.0 Subnet_10.128.0.0

LOL! Sorry :)

HTH, John *** Please rate all useful posts ***
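The two summary statics from the opening post and the corrected /16 NAT-exemption ACL above can both be checked mechanically before the change window. The block below is an added example, not code from this thread or from Cisco, written in Python with the standard ipaddress module. It parses the static lines and reports which of the listed inside networks each /14 summary covers and what extra address space the summary pulls in, and it then tests sample flows against the NONAT ACL to show which of the inside networks the two-line exemption actually matches. The static lines, the ACL, the name table and the inside-network list are constructed from the thread; handling only the "netmask" form of static and only "permit ip" ACEs is an assumption of the example.

```python
import ipaddress

# Constructed from the thread: the two summary statics from the first post,
# the corrected (/16) NAT-exemption ACL, the ASA 'name' entries it uses,
# and the six inside networks John listed.
STATICS = [
    "static (inside,dmz1) 10.124.0.0 10.124.0.0 netmask 255.252.0.0",
    "static (inside,dmz1) 10.128.0.0 10.128.0.0 netmask 255.252.0.0",
]
NAMES = {
    "Subnet_10.125.0.0": "10.125.0.0",
    "Subnet_10.128.0.0": "10.128.0.0",
}
NONAT = [
    "access-list NONAT extended permit ip Subnet_10.125.0.0 255.255.0.0 10.45.0.0 255.255.0.0",
    "access-list NONAT extended permit ip Subnet_10.128.0.0 255.255.0.0 10.45.0.0 255.255.0.0",
]
INSIDE = [ipaddress.ip_network(f"10.{o}.0.0/16") for o in (125, 126, 127, 128, 129, 130)]


def _net(addr, mask):
    """Resolve an ASA 'name' if present and build a network from address + dotted mask."""
    return ipaddress.ip_network(f"{NAMES.get(addr, addr)}/{mask}", strict=False)


def parse_static(line):
    """Return (real_network, mapped_network) from an 8.2-style static line.
    Assumption: only the 'static (in,out) MAPPED REAL netmask M' form is handled."""
    t = line.split()
    mask = t[t.index("netmask") + 1]
    return _net(t[3], mask), _net(t[2], mask)


def summary_missing(statics, wanted):
    """Wanted networks that no summary static covers."""
    summaries = [parse_static(s)[0] for s in statics]
    return [w for w in wanted if not any(w.subnet_of(s) for s in summaries)]


def summary_extras(statics, wanted):
    """Address space the summaries cover that is NOT in `wanted` (over-inclusion)."""
    extras = []
    for line in statics:
        leftover = [parse_static(line)[0]]
        for w in wanted:
            nxt = []
            for piece in leftover:
                if w.subnet_of(piece):
                    nxt.extend(piece.address_exclude(w))  # carve the wanted block out
                elif piece.subnet_of(w):
                    continue  # piece lies entirely inside a wanted network: drop it
                else:
                    nxt.append(piece)
            leftover = nxt
        extras.extend(leftover)
    return sorted(extras)


def parse_ace(line):
    """Return (src_net, dst_net) from a 'permit ip SRC SMASK DST DMASK' ACE.
    Assumption: 'host', 'any' and non-ip protocols are not handled here."""
    t = line.split()
    i = t.index("permit")
    if t[i + 1] != "ip":
        raise ValueError("only 'permit ip' ACEs are handled in this example")
    return _net(t[i + 2], t[i + 3]), _net(t[i + 4], t[i + 5])


def nat_exempt(acl, src, dst):
    """True if the src->dst flow hits an ACE of the NAT-exemption ACL."""
    src, dst = ipaddress.ip_address(str(src)), ipaddress.ip_address(str(dst))
    return any(src in s and dst in d for s, d in map(parse_ace, acl))


def exempted_inside(acl, inside, dmz_probe="10.45.0.1"):
    """Inside networks whose traffic toward the DMZ range is matched by the exemption ACL."""
    return [n for n in inside if nat_exempt(acl, n.network_address, dmz_probe)]


if __name__ == "__main__":
    print("not covered by any static:", summary_missing(STATICS, INSIDE))
    print("extra space the summaries include:", summary_extras(STATICS, INSIDE))
    print("inside networks exempted toward 10.45/16:", exempted_inside(NONAT, INSIDE))
    print("10.126.1.1 -> 10.45.2.2 exempt?", nat_exempt(NONAT, "10.126.1.1", "10.45.2.2"))
```

Run stand-alone, the script reports that both /14 statics together cover all six listed networks but also pull in 10.124.0.0/16 and 10.131.0.0/16, which are not on John's list and are worth confirming as unused before relying on the summaries. For the exemption it shows that only 10.125.0.0/16 and 10.128.0.0/16 match the two-line NONAT ACL, so flows from 10.126, 10.127, 10.129 and 10.130 toward the DMZ would not be exempted by it and would fall through to whatever other NAT rules exist, which is the point Jon's question about the masks was getting at.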

No problem, thought it was me.

Yes, your NAT exemption ACLs look fine.

Good luck with the change.

Jon

Good :) Thanks! I'll let you know on Monday. If everything goes well Saturday, we're going to leave it in permanently.

On a side note, the expect script worked great for clearing out the sessions. I do "clear local-host" and it clears the sessions out like expected, so that definitely worked for what I needed. (I hope you remember that conversation.) :)

Thanks Jon!

John

HTH, John *** Please rate all useful posts ***

"On a side note, the expect script worked great for clearing out the sessions. I do "clear local-host" and it clears the sessions out like expected, so that definitely worked for what I needed. (I hope you remember that conversation.) :)"

Glad to hear it. I do remember, as I have had to do that sort of thing so many times before in different jobs.

John

Last post missed off a load of stuff I had typed.

What I was going to say was that now you know how to automate things with Expect, it's addictive. Soon you'll be thinking of all sorts of things you can write a script for.

Word of warning though. When I was a Unix admin, one of my colleagues told a story about an admin he used to know who got so into Expect he virtually automated his entire job, to the point where he barely had to turn up to work. So the company decided they didn't need him anymore.

So best not to automate too much :-)

Jon

LOL! Good tip :)

HTH, John *** Please rate all useful posts ***