route-map command

Answered Question
Oct 4th, 2005

hi,

I'm trying to configure a router-to-router IPsec tunnel, but I don't understand what the following command means:

"route-map nonat permit 10"


Can somebody explain it to me clearly?


Regards

Correct Answer by jackko about 11 years 10 months ago

A VPN router very commonly also acts as the Internet router. With an Internet router, you would normally NAT the LAN to a public IP for accessing the Internet.


e.g.

interface Ethernet0
 ip address
 ip nat inside

interface Dialer0
 ip address
 ip nat outside


When configuring a LAN-to-LAN VPN, since the VPN is a secure connection between two private networks, the router shouldn't NAT/PAT any traffic destined to the remote peer's private network. To configure this, you need the commands below.


access-list 101 deny ip
access-list 101 permit ip any
ip nat inside source route-map nonat interface Dialer0 overload
route-map nonat permit 10
 match ip address 101


With the sample above:

"access-list 101 deny ip " means the router will not NAT/PAT any traffic destined to the remote net.

"access-list 101 permit ip any" means the router will NAT/PAT all other traffic, e.g. Internet traffic.

"ip nat inside source route-map nonat interface Dialer0 overload" maps the route-map nonat to the interface Dialer0 for PAT.

"route-map nonat permit 10
 match ip address 101" maps ACL 101 to the route-map nonat, which in turn maps to the Dialer0 interface for PAT.
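A complete version of the configuration jackko describes, added here as an illustration; it is not taken from the thread. The LAN prefixes (192.0.2.0/24 local, 198.51.100.0/24 remote), the peer address 203.0.113.2, the pre-shared key placeholder and the crypto settings are all made up for the example. Two points matter in practice: on the inside-to-outside path IOS applies NAT before the crypto check, so without the deny line the VPN traffic would be PAT'd to the Dialer0 address and never match the crypto ACL; and the deny line must be exactly as wide as the crypto ACL, because anything exempted from NAT but not matched by the crypto ACL leaves Dialer0 unencrypted with its private source address.

```cisco
! Added example, not from the original post. All addresses are constructed.
!   local LAN  192.0.2.0/24      (inside, Ethernet0)
!   remote LAN 198.51.100.0/24   (behind the VPN peer 203.0.113.2)
!
! 1. NAT-exemption ACL. "deny" here means "do not translate", not "drop":
!    traffic to the remote LAN is excluded from PAT, everything else is PAT'd.
access-list 101 deny   ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
access-list 101 permit ip 192.0.2.0 0.0.0.255 any
!
! 2. Crypto ACL ("interesting" traffic). It mirrors the deny line of ACL 101;
!    if the two drift apart, traffic is either PAT'd (and never encrypted)
!    or sent out in the clear with an RFC 1918 source address.
access-list 110 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
!
! 3. Route-map with a single permit clause. A packet matches the route-map
!    only when ACL 101 returns permit; a deny in the ACL means "no match",
!    and packets that match no clause fall through untranslated.
route-map nonat permit 10
 match ip address 101
!
! 4. Bind the route-map to the outside interface for PAT (overload).
ip nat inside source route-map nonat interface Dialer0 overload
!
! 5. Minimal IKE/IPsec configuration (constructed values; replace the key).
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK-PLACEHOLDER address 203.0.113.2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 110
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ! other dialer/PPP settings omitted; address is assigned by the ISP
 ip address negotiated
 ip nat outside
 crypto map VPN
```

To check that the exemption works, send traffic from the local LAN to the remote LAN and look at "show access-lists 101" (the deny line's match counter should increase), "show ip nat translations" (no entry should have a 198.51.100.x destination) and "show crypto ipsec sa" (the pkts encaps counter should increase). A growing translation count for the remote prefix means the deny line and the actual traffic do not line up.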

Correct Answer by froggy3132000 about 11 years 10 months ago

It is there so that, if you are performing split tunneling, it says: do not NAT out to the Internet the traffic in the access list that you define. You would need to follow this command with a "match ip address ".


