Re: NAT on a stick - possible?

From: Lee Waskevich (ciscokid@xxxxxxxxxx)
Date: Thu Jun 14 2001 - 23:08:15 GMT-3

I have a similar scenario which I use to selectively NAT traffic based on
parameters in an extended access-list; I use it to bypass the regular NAT
function and apply crypto parameters for traffic going out the same
interface, but I don't see why points 4 and 5 of your explanation wouldn't
work. Once a packet has passed an inside to outside interface and matched
the NAT rules there is no reason for the packet to be translated again. See
the config below; public IPs have been left out. Hope this gives a start. You
should not even need a route-map forcing the packet back out the original interface.
Just a static route for your destination, which is pointing out that
interface. Once the packet enters and is forced through the loopback and natted,
it will follow normal process switching.

interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Serial0
 ip address x.x.x.x 255.255.255.252
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 crypto map vpn
!
interface Serial1
 no ip address
 shutdown
!
interface FastEthernet0
 ip address 10.193.0.62 255.255.255.240
 ip nat inside
 ip route-cache policy
 ip policy route-map nonat
 speed auto
 full-duplex
!
ip nat pool fairhill x.x.x.x x.x.x.x netmask 255.255.255.240
ip nat inside source list 103 pool fairhill overload
ip nat inside source static 10.193.0.49 x.x.x.x
ip nat inside source static 10.193.0.50 x.x.x.x
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.193.0.48 0.0.0.15 10.0.0.0 0.255.255.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 deny ip 10.193.0.48 0.0.0.15 10.0.0.0 0.255.255.255
access-list 103 permit ip 10.193.0.48 0.0.0.15 any
access-list 104 permit ip 10.193.0.48 0.0.0.15 10.0.0.0 0.255.255.255
access-list 104 deny ip 10.193.0.48 0.0.0.15 any
route-map nonat permit 10
 match ip address 104
 set interface Loopback0

Since this is half of the config how about just buying the first round if I pass
in RTP on 07/09??? :)

Lee
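The config above relies on lists 103 and 104 being exact complements: whatever route-map nonat diverts to Loopback0 is exactly what list 103 excludes from the overload pool. The following Python model is an added illustration, not part of Lee's post and not IOS code; it implements Cisco wildcard-mask matching and first-match ACL evaluation (with the implicit deny), parses the four extended entries from the posted config, and reports for a packet arriving on FastEthernet0 whether it is policy-routed and whether it is eligible for translation. The `forward` helper, the sample addresses and the `host` keyword support are assumptions added for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed model of the access-list / route-map / NAT decisions in the
# config posted above. It is not IOS and not the poster's code.


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    src: Tuple[str, str]            # (address, wildcard)
    dst: Tuple[str, str]


ANY = ("0.0.0.0", "255.255.255.255")   # 'any' = every bit is don't-care


def _take_addr(toks: List[str]):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if toks[0] == "any":
        return ANY, toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    return (toks[0], toks[1]), toks[2:]


def parse_acl(lines: List[str]) -> Dict[str, List[Ace]]:
    """Parse 'access-list N permit|deny ip SRC WC DST WC' lines, keeping
    order, because IOS evaluates entries top-down and stops at the first hit."""
    acls: Dict[str, List[Ace]] = {}
    for line in lines:
        toks = line.split()
        if len(toks) < 5 or toks[0] != "access-list" or toks[3] != "ip":
            continue                # only extended 'ip' entries are modelled
        num, action, rest = toks[1], toks[2], toks[4:]
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        acls.setdefault(num, []).append(Ace(action, src, dst))
    return acls


def acl_action(aces: List[Ace], src: str, dst: str) -> str:
    """First matching entry decides; every IOS ACL ends in an implicit deny."""
    for ace in aces:
        if wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst):
            return ace.action
    return "deny"


# The four extended entries copied from the posted config.
CONFIG_ACLS = parse_acl([
    "access-list 103 deny ip 10.193.0.48 0.0.0.15 10.0.0.0 0.255.255.255",
    "access-list 103 permit ip 10.193.0.48 0.0.0.15 any",
    "access-list 104 permit ip 10.193.0.48 0.0.0.15 10.0.0.0 0.255.255.255",
    "access-list 104 deny ip 10.193.0.48 0.0.0.15 any",
])


def forward(src: str, dst: str, acls: Dict[str, List[Ace]] = CONFIG_ACLS) -> dict:
    """For a packet entering FastEthernet0 ('ip nat inside'): does route-map
    nonat (list 104) divert it to Loopback0, and does list 103 make it
    eligible for overload translation on the way out Serial0?"""
    policy_routed = acl_action(acls["104"], src, dst) == "permit"
    translated = acl_action(acls["103"], src, dst) == "permit"
    return {
        "set_interface": "Loopback0" if policy_routed else None,
        "egress": "Serial0",        # ip route 0.0.0.0 0.0.0.0 Serial0
        "translated": translated,
    }


if __name__ == "__main__":
    # Constructed sample flows: one to the 10/8 side (crypto, no NAT),
    # one to a public address (NAT), one from a host outside the /28.
    for flow in [("10.193.0.50", "10.5.5.5"),
                 ("10.193.0.50", "198.51.100.7"),
                 ("192.168.1.10", "198.51.100.7")]:
        print(flow, forward(*flow))
```

Run it and the 10/8-bound flow comes back with `set_interface` Loopback0 and `translated` False, while the public-bound flow is left on normal routing and translated; a source outside 10.193.0.48/28 is neither. Two things worth checking on a real box that the model does not capture: the two `ip nat inside source static` lines carry no route-map, so in IOS they translate their hosts for every destination, including the 10/8 traffic that list 103 deliberately leaves alone; and whenever 103 and 104 are edited separately they can drift out of step, so any change to one should be mirrored in the other.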

At 09:18 PM 6/14/2001 -0400, you wrote:
>Darren,
> I seem to remember someone in the TAC had once come up with a really
>kludgy way to do this (i.e. you should think of a better design to meet
>your needs) but it went something like this:
>
>- policy routing in conjunction with the use of loopbacks
>- ip nat inside on the incoming interface
>- policy route the traffic to a loopback
>- ip nat outside on a loopback
>- policy route the traffic back out the incoming interface. You may need
>to use a second loopback to do this, I can't recall the exact method or
>order of events (I had asked for the config but never received it, it
>might not have worked).
>
>Again, I would never suggest anyone ever do this but it is an interesting
>exercise in "creative" ways you can do things with Cisco routers. Anyone
>up to the challenge in figuring it out? I'll buy lunch as the prize for
>the first person that gives me a working solution. Of course, you have to
>be coming to RTP for the lab in order to collect... ;-)
>
>Brian
>
>
>
>On Fri, 15 Jun 2001, Darren Hosking wrote:
>
> > Is it possible to do "NAT on a stick"? In certain circumstances I want to
> > have packets enter a router on the inside interface then have NAT applied
> > and send them back out on the same interface?
> >
> > Any suggestions?
> >
> > Thanks, Darren
> > **Please read:http://www.groupstudy.com/list/posting.html
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:24 GMT-3