RE: Malik book pg. 393, Example 13-30

From: Michael Snyder (msnyder@revolutioncomputer.com)
Date: Tue Feb 10 2004 - 22:12:24 GMT-3


Can you post an example, or is this the basic router on a stick?

-----Original Message-----
From: Rodgers Moore [mailto:rodgers@the-moores.org]
Sent: Tuesday, February 10, 2004 5:22 PM
To: Marshall Stacks; security@groupstudy.com
Subject: Re: Malik book pg. 393, Example 13-30

Marshall,

I don't have this book, however you should find the next hop as belonging
to a loop-back interface network. And, the IP is not applied to the
loopback interface either, but rather "past" it.

Now, why does this work? NAT only works when a packet enters and exits a
router via two interfaces that have NAT configured and each are of
differing sides (inside & outside) of the NAT configuration. Now, suppose
that a packet enters a NAT inside interface and exits a loop-back (the
loop-back is not configured for NAT). What happens? Nothing: NAT does not
occur because the packet exited the router on a non-NAT interface. Then
the same packet enters a loop-back and exits a NAT outside interface.
Again, NAT does not occur for the same reason.

In summary, policy routing on both the NAT inside and NAT outside
interfaces via a loop-back guarantees NAT will not happen.

As to the two access lists: what happens when you have 10 VPNs? You'll
have 11 ACLs, one for each crypto and one for the no-NAT. If you know
that you'll never need a second VPN, then sure, one ACL is perfectly
acceptable.

Rodgers Moore

----- Original Message -----
From: "Marshall Stacks" <catheadcatheadcathead@hotmail.com>
To: <security@groupstudy.com>
Sent: Tuesday, February 10, 2004 10:25 AM
Subject: Malik book pg. 393, Example 13-30

> Hi,
>
> Regarding Example 13-30 on page 393 of Malik's "Network Security
> Principles and Practices" book:
>
> Not quite understanding the route map that is created in order to
> bypass NAT:
>
> route-map nonat permit 10
> match ip address 120
> set ip next-hop 10.2.2.1
>
> Does this next-hop IP address make sense? Where does he get this
> address?
>
> Seems to me you would want to have the next hop be the other side of
> the IPsec tunnel? IOW, a 10.1.2.0 address.
>
> Also, I assume that it might be for clarity, but why not use _either_
> access list 100 or 120 in both the route map and crypto map? Instead
> of having two separate access lists with exactly the same info?
>
> Thanks
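The configuration below is an added illustration of the loopback NAT-bypass pattern the thread is discussing; it is not the book's Example 13-30 and not text from any of the posters. Only the route map itself (next hop 10.2.2.1, ACL 120) and the remote network 10.1.2.0 come from the thread; the interface names, the 10.1.1.0/24 inside LAN, the 10.2.2.2 loopback address, the public addresses, the peer, the transform set and the pre-shared key are assumptions chosen to make the example self-consistent. Note that the loopback carries no "ip nat" statement and that 10.2.2.1 is a neighbour address inside the loopback's subnet, not the loopback's own address, which is what Rodgers means by the next hop being "past" the loopback.

```cisco
! Added example (not from the book or the thread). Assumed values are
! marked; 10.2.2.1, ACL 120 and the 10.1.2.0 remote network are from the
! thread.
!
! Inside LAN (assumed 10.1.1.0/24): NAT inside, policy routing applied here
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip policy route-map nonat
!
! Internet-facing interface (assumed address): NAT outside, crypto map applied
interface Ethernet1
 ip address 192.0.2.2 255.255.255.0
 ip nat outside
 crypto map vpn
!
! Loopback with NO ip nat inside/outside statement (assumed 10.2.2.2/24).
! The route map's next hop 10.2.2.1 is in this subnet but is not the
! loopback's own address, so the packet is forwarded "out" Loopback0 and
! comes back in through a non-NAT interface before normal routing sends
! it out Ethernet1. Neither hop pairs an inside with an outside interface,
! so no translation takes place.
interface Loopback0
 ip address 10.2.2.2 255.255.255.0
!
! ACL 120: traffic that must reach the remote site untranslated
! (used by the route map; a second VPN would add a second line here)
access-list 120 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
!
! ACL 100: the same selection, kept separate for the crypto map
! (a second VPN would get its own ACL 101 and its own crypto map entry)
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
!
! ACL 1: inside hosts eligible for overloaded NAT to the Internet
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 interface Ethernet1 overload
!
! The route map quoted in the thread
route-map nonat permit 10
 match ip address 120
 set ip next-hop 10.2.2.1
!
! Minimal IPsec pieces (assumed peer, transform set and placeholder key)
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key PLACEHOLDER-KEY address 198.51.100.1
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-AES-SHA
 match address 100
```

To check that the bypass is doing its job, "show ip nat translations" should contain no entries for 10.1.1.x to 10.1.2.x flows while "show crypto ipsec sa" shows the encaps counters for that pair increasing; if translations for the VPN traffic do appear, the usual cause is the policy map not being applied on the NAT inside interface or the next hop being set to the loopback's own address instead of a neighbour address in its subnet.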



This archive was generated by hypermail 2.1.4 : Fri Mar 05 2004 - 07:13:48 GMT-3