Question on TAC Authored NAT/IPSec Configuration

s-chapin
Level 1

Please refer to:

http://www.cisco.com/en/US/tech/tk648/tk367/technologies_configuration_example09186a0080094634.shtml

Document ID: 14144

I am probably missing something here. This is about access-list 122 which is identified in the ip nat inside source list statement on router Daphne.

ip nat inside source list 122 interface Ethernet0/1 overload

access-list 122 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 122 deny ip host 10.1.1.3 any

access-list 122 permit ip 10.1.1.0 0.0.0.255 any

This is my confusion: The route-map "nonat" identifies traffic that has a source host address of 10.1.1.3 and sets the next hop to 1.1.1.2.

Policy routing is executed on an interface before NAT is (going inside-to-outside). Therefore, traffic from the host 10.1.1.3 going to 172.16.1.x does not even get the chance to be a part of the NAT process, because it is being policy routed to a non-NATted interface. So why then have the first two deny statements in access-list 122?

Please let me know if I have missed something...

Thank you!

Scott

1 Reply

jeffrey.zhou
Level 1

access-list 122 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

! -- used to prevent the traffic from 10.1.1.x to 172.16.1.x from doing PAT; this traffic is not included in the route-map nonat

access-list 122 deny ip host 10.1.1.3 any

! -- used to prevent the traffic from host 10.1.1.3 from doing PAT, while it can still do the static NAT.
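To make the first-match, wildcard-mask semantics of access-list 122 concrete, here is an added example (not part of this thread or of the Cisco document) that transcribes the three ACEs and evaluates sample flows against them; the reply above treats a "deny" result as "excluded from the PAT pool" rather than as dropped traffic. The outside destination addresses used in the flows are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, source and destination with Cisco wildcard masks."""
    action: str   # "permit" or "deny"
    src: str
    src_wc: str   # wildcard mask: a 1 bit means "ignore this bit"
    dst: str
    dst_wc: str


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard-mask comparison: only bits that are 0 in the wildcard must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def evaluate(acl, src: str, dst: str) -> str:
    """First matching ACE wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


# access-list 122 from the thread. "host X" is X with wildcard 0.0.0.0;
# "any" is 0.0.0.0 with wildcard 255.255.255.255.
ACL_122 = [
    Ace("deny",   "10.1.1.0", "0.0.0.255", "172.16.1.0", "0.0.0.255"),
    Ace("deny",   "10.1.1.3", "0.0.0.0",   "0.0.0.0",    "255.255.255.255"),
    Ace("permit", "10.1.1.0", "0.0.0.255", "0.0.0.0",    "255.255.255.255"),
]


def pat_eligible(src: str, dst: str) -> bool:
    """In 'ip nat inside source list 122 ... overload', only a permit selects a flow for PAT."""
    return evaluate(ACL_122, src, dst) == "permit"


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.9 stands in for an arbitrary Internet host.
    for s, d in [("10.1.1.7", "172.16.1.20"), ("10.1.1.3", "203.0.113.9"),
                 ("10.1.1.7", "203.0.113.9"), ("192.168.5.5", "203.0.113.9")]:
        print(f"{s} -> {d}: {evaluate(ACL_122, s, d)} (PAT={pat_eligible(s, d)})")
```

The first two flows hit the deny entries the original poster asked about, so they bypass PAT even though a permit follows them in the list.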