RE: IPSec & NAT

From: RSiddappa@xxxxxxxxxx
Date: Sat Feb 02 2002 - 22:54:36 GMT-3


John,

access-list 175 deny ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 175 permit ip 172.16.1.0 0.0.0.255 any

This one is denying any traffic from 172.16.1.0 0.0.0.255 to 10.1.1.0 0.0.0.255
from getting NATed.

What is this command doing?

access-list 175 permit ip 172.16.1.0 0.0.0.255 any

I am getting confused.

Rajeev.

-----Original Message-----
From: John Kaberna [mailto:jkaberna@netcginc.com]
Sent: Saturday, February 02, 2002 7:41 PM
To: Siddappa, Rajeev; signal@shreve.net; cchurch@MAGNACOM.com
Cc: ccielab@groupstudy.com
Subject: Re: IPSec & NAT

ACL 110 is used by the route-map nonat. The route-map nonat is then being
used by the NAT configuration so it knows what to NAT or not to NAT.
Basically what happens is the router sends traffic out and it wants to NAT
that traffic even if it's supposed to be encrypted with IPSec. So to fix
that problem you prevent those packets from being NAT'd. You do that by
using a route-map and having an access-list of the traffic to prevent NAT.
It's due to the order of operations on a router. Since NAT comes before
IPSec processing on a router you have to do it this way. If IPSec came
first you wouldn't have this problem.

Does that make sense? It's a little bit difficult to explain.

John Kaberna
CCIE #7146
www.netcginc.com
(415) 750-3800

Instructor for CCIE R/S and Security 5-day class www.ccbootcamp.com

----- Original Message -----
From: <RSiddappa@NECBNS.com>
To: <signal@shreve.net>; <cchurch@MAGNACOM.com>
Cc: <ccielab@groupstudy.com>
Sent: Saturday, February 02, 2002 5:28 PM
Subject: IPSec & NAT

> hi Guys,
>
> Can someone explain to me what's happening with the following 110 access-list?
>
> http://www.cisco.com/warp/customer/707/overload_private.shtml
>
>
>
> Rajeev.
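The order-of-operations point John makes above, worked through as an added example (not code from the thread or from Cisco): a small model of an IOS router that evaluates the "nonat" ACL first and the crypto ACL second, using the two ACL 175 lines Rajeev quoted. The crypto ACL (172.16.1.0/24 to 10.1.1.0/24), the overload address 192.0.2.1, and the sample packets are all constructed for the example. A `deny` in the NAT ACL means "do not translate", a `permit` means "translate", and the implicit `deny any any` at the end means anything not listed is left alone. Dropping the `deny` line shows the failure John describes: VPN-bound traffic gets translated and then no longer matches the crypto ACL, so it leaves unencrypted.

```python
"""Model of the IOS inside-to-outside order: NAT first, then the crypto map.
Added example; the router, ACL 120, and 192.0.2.1 are constructed, not from the thread."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    src: str        # network address, e.g. "172.16.1.0"
    src_wild: str   # Cisco wildcard mask, e.g. "0.0.0.255"
    dst: str
    dst_wild: str


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list N permit|deny ip SRC WILD DST WILD'.
    'any' expands to 0.0.0.0 255.255.255.255 and 'host X' to X 0.0.0.0."""
    toks = line.split()
    if toks[0] != "access-list" or toks[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line}")
    action, rest, specs, i = toks[2], toks[4:], [], 0
    while i < len(rest):
        if rest[i] == "any":
            specs.append(("0.0.0.0", "255.255.255.255")); i += 1
        elif rest[i] == "host":
            specs.append((rest[i + 1], "0.0.0.0")); i += 2
        else:
            specs.append((rest[i], rest[i + 1])); i += 2
    (src, sw), (dst, dw) = specs
    return AclEntry(action, src, sw, dst, dw)


def acl_lookup(acl, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny any any'."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return e.action
    return "deny"


OVERLOAD_ADDR = "192.0.2.1"  # constructed outside address used by 'ip nat ... overload'

# ACL 175 exactly as quoted in the thread: exempt VPN traffic, translate the rest.
NONAT_ACL = [parse_acl_line(l) for l in (
    "access-list 175 deny ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "access-list 175 permit ip 172.16.1.0 0.0.0.255 any",
)]
# The same list without the deny line (the misconfiguration John describes).
BROKEN_NAT_ACL = [parse_acl_line("access-list 175 permit ip 172.16.1.0 0.0.0.255 any")]
# Constructed crypto ACL: traffic that the crypto map should encrypt.
CRYPTO_ACL = [parse_acl_line("access-list 120 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255")]


def forward(src: str, dst: str, nat_acl) -> tuple[str, bool]:
    """Return (source address on the wire, encrypted?) for an inside->outside packet.
    NAT runs first: a 'permit' in the route-map's ACL translates the source.
    The crypto map then sees the possibly translated packet."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = OVERLOAD_ADDR
    encrypted = acl_lookup(CRYPTO_ACL, src, dst) == "permit"
    return src, encrypted


if __name__ == "__main__":
    for acl_name, acl in (("with deny line", NONAT_ACL), ("without deny line", BROKEN_NAT_ACL)):
        for dst in ("10.1.1.7", "198.51.100.9"):
            print(acl_name, "172.16.1.5 ->", dst, "=>", forward("172.16.1.5", dst, acl))
```

With the deny line present, a packet from 172.16.1.5 to 10.1.1.7 keeps its source and is encrypted, while a packet to any other destination is translated to 192.0.2.1 and sent in the clear as expected. Without the deny line, the VPN-bound packet is translated first, no longer matches ACL 120, and leaves unencrypted; a source outside 172.16.1.0/24 hits the implicit deny and is neither translated nor encrypted.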



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 13:46:14 GMT-3