Question on TAC Authored NAT/IPSec Configuration

Please refer to:

http://www.cisco.com/en/US/tech/tk648/tk367/technologies_configuration_example09186a0080094634.shtml

Document ID: 14144

I am probably missing something here. This is about access-list 122 which is identified in the ip nat inside source list statement on router Daphne.

ip nat inside source list 122 interface Ethernet0/1 overload

access-list 122 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 122 deny ip host 10.1.1.3 any

access-list 122 permit ip 10.1.1.0 0.0.0.255 any

This is my confusion: The route-map "nonat" identifies traffic that has a source host address of 10.1.1.3 and sets the next hop to 1.1.1.2.

Policy routing is executed on an interface before NAT is (going inside-to-outside). Therefore, traffic from the host 10.1.1.3 going to 172.16.1.x does not even get the chance to be a part of the NAT process because it is being policy routed to a non-natted interface. So why then have the first two deny statements in access-list 122?

Please let me know if I have missed something...

Thank you!

Scott

1 REPLY

Re: Question on TAC Authored NAT/IPSec Configuration

access-list 122 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

! -- used to prevent the traffic from 10.1.1.x to 172.16.1.x from doing PAT; this traffic is not included in the route map nonat

access-list 122 deny ip host 10.1.1.3 any

! -- used to prevent the traffic from host 10.1.1.3 from doing PAT, but it can still use the static NAT.
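To make the reply's reading of access-list 122 concrete, here is an added example (not from the thread or the referenced Cisco document) that evaluates the three entries with IOS first-match and wildcard-mask semantics and reports which translation an inside-to-outside flow would get. It assumes, as the reply implies, that host 10.1.1.3 has a static NAT entry; the policy-routing step the question describes is left out of the model.

```python
import ipaddress

# Constructed model of access-list 122 from the thread:
# (action, source, source-wildcard, destination, destination-wildcard)
ACL_122 = [
    ("deny",   "10.1.1.0", "0.0.0.255", "172.16.1.0", "0.0.0.255"),
    ("deny",   "10.1.1.3", "0.0.0.0",   "0.0.0.0",    "255.255.255.255"),  # "host 10.1.1.3 any"
    ("permit", "10.1.1.0", "0.0.0.255", "0.0.0.0",    "255.255.255.255"),  # "... any"
]

# Assumption (implied by the reply, not quoted in the thread): 10.1.1.3 has a static NAT entry.
STATIC_NAT_HOSTS = frozenset({"10.1.1.3"})


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit in the wildcard means 'don't care' for that bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


def nat_decision(src: str, dst: str) -> str:
    """Translation chosen for an inside-to-outside flow.

    A 'permit' in the NAT ACL selects the overload (PAT) rule; a 'deny' only
    keeps the flow out of PAT, so a host with a static NAT entry is still
    translated statically, which is the point the reply makes about 10.1.1.3.
    """
    if acl_action(ACL_122, src, dst) == "permit":
        return "PAT"
    if src in STATIC_NAT_HOSTS:
        return "static NAT"
    return "no NAT"


if __name__ == "__main__":
    for src, dst in [("10.1.1.5", "172.16.1.9"), ("10.1.1.3", "198.51.100.7"),
                     ("10.1.1.5", "198.51.100.7"), ("10.2.2.2", "198.51.100.7")]:
        print(f"{src} -> {dst}: acl={acl_action(ACL_122, src, dst)}, nat={nat_decision(src, dst)}")
```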
