Re: BGP with NAT

From: Pierre-Alex (paguanel@hotmail.com)
Date: Fri Sep 15 2006 - 02:05:40 ART


"Any" does work. What does not work is "any any" in the last line of the
access-list.

Cannot explain why though ...

Here it is labbed:

access-list 104 deny tcp host 192.168.14.1 eq bgp host 192.168.14.2
access-list 104 deny tcp host 192.168.14.2 eq bgp host 192.168.14.1
access-list 104 permit ip 192.168.15.0 0.0.0.255 any

(192.168.14.1 and 192.168.14.2 are the ebgp hosts, 192.168.15.0/24 is a
subnet in the inside network)

Doing a ping from the inside subnet:

r4#sh ip nat tr
Pro Inside global Inside local Outside local Outside global
icmp 192.168.14.1:174 192.168.15.1:174 150.1.2.2:174 150.1.2.2:174
icmp 192.168.14.1:175 192.168.15.1:175 150.1.2.2:175 150.1.2.2:175
icmp 192.168.14.1:176 192.168.15.1:176 150.1.2.2:176 150.1.2.2:176
icmp 192.168.14.1:177 192.168.15.1:177 150.1.2.2:177 150.1.2.2:177
icmp 192.168.14.1:178 192.168.15.1:178 150.1.2.2:178 150.1.2.2:178

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.14.2 4 200 30 31 6 0 0 00:09:05 1 ---------------> UP for 9 minutes

NB: if you use "any any" in the last line of the access-list you get

r4#sh ip nat tr
Pro Inside global Inside local Outside local Outside global
tcp 192.168.14.1:1030 192.168.14.1:45549 192.168.14.2:179 192.168.14.2:179

and then

r4#
*Mar 1 02:52:43.512: BGP: 192.168.14.2 open active, local address 192.168.14.1
*Mar 1 02:52:43.520: BGP: 192.168.14.2 open failed: Connection refused by remote host
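
As an added illustration (not code from the thread, nor Cisco IOS code), the following Python models how the NAT access-list above is evaluated: first match wins, and no match is an implicit deny, so only a flow whose first matching entry is a permit gets translated. It supports only the syntax the list uses (host/any/wildcard addresses, an optional "eq" port, "bgp" = 179); the two sample flows are reconstructed from the "sh ip nat tr" output above, and the router's own eBGP session uses an ephemeral source port, which is why the "any any" variant catches it while the subnet-only variant does not.

```python
# Added illustration (not from the thread): a minimal model of how IOS evaluates
# the NAT access-list above, so you can see which flows it would translate.
import ipaddress

def _addr(tokens):  # consume 'any', 'host A' or 'A WILDCARD' -> (network, wildcard)
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _port(tokens):  # consume optional 'eq <port>'; None means any port, 'bgp' is 179
    if tokens[:1] != ["eq"]:
        return None
    p = tokens.pop(1); tokens.pop(0)
    return 179 if p == "bgp" else int(p)

def parse_acl(lines):
    """Return ACEs as (action, proto, src, sport, dst, dport) in list order."""
    aces = []
    for t in (line.split() for line in lines):  # access-list <n> <action> <proto> ...
        action, proto, rest = t[2], t[3], t[4:]
        src, sport = _addr(rest), _port(rest)
        dst, dport = _addr(rest), _port(rest)
        aces.append((action, proto, src, sport, dst, dport))
    return aces

def _in(addr, spec):  # IOS wildcard match: 0 bits must be equal, 1 bits are ignored
    net, wild = spec
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)

def nat_translates(acl_lines, proto, src, sport, dst, dport):
    """True if the first matching ACE permits, i.e. NAT translates the flow; else False."""
    for action, aproto, asrc, asport, adst, adport in parse_acl(acl_lines):
        if aproto not in ("ip", proto) or not (_in(src, asrc) and _in(dst, adst)):
            continue
        if asport not in (None, sport) or adport not in (None, dport):
            continue
        return action == "permit"
    return False  # no match: implicit deny, packet is left untranslated

# The working list from the mail; flows reconstructed from its 'sh ip nat tr' output
ACL_SUBNET = [
    "access-list 104 deny tcp host 192.168.14.1 eq bgp host 192.168.14.2",
    "access-list 104 deny tcp host 192.168.14.2 eq bgp host 192.168.14.1",
    "access-list 104 permit ip 192.168.15.0 0.0.0.255 any",
]
ACL_ANY = ACL_SUBNET[:2] + ["access-list 104 permit ip any any"]
BGP_FLOW = ("tcp", "192.168.14.1", 45549, "192.168.14.2", 179)  # router's own eBGP session
PING_FLOW = ("icmp", "192.168.15.1", 174, "150.1.2.2", 174)     # inside-host ping, ICMP id 174
```

Running `nat_translates(ACL_ANY, *BGP_FLOW)` returns True (the session is translated and the peer refuses the connection, as in the debug above), while `nat_translates(ACL_SUBNET, *BGP_FLOW)` returns False because the deny entries only cover source port 179 and the subnet permit never matches the router's own address.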

----- Original Message -----
From: "shha" <shha77@gmail.com>
To: "xprtofnet" <xprtofnet@yahoo.com>
Cc: "Brian Dennis" <bdennis@internetworkexpert.com>; "ccielab"
<ccielab@groupstudy.com>
Sent: Friday, September 15, 2006 1:17 AM
Subject: Re: BGP with NAT

> or add
> ip nat inside source static tcp x.x.x.x 179 x.x.x.x 179
>
>
>
> On 9/14/06, shha <shha77@gmail.com> wrote:
>>
>> change access-list point to inside network, don't use any to solve the
>> problem
>>
>>
>> On 9/14/06, xprtofnet <xprtofnet@yahoo.com> wrote:
>> >
>> > this is also working..
>> >
>> > !
>> > ip nat pool a 220.0.0.1 220.0.0.1 netmask 255.255.255.0
>> > ip nat inside source list 1 pool a
>> > !
>> > access-list 1 permit any
>> >
>> >
>> >
>> > --- Brian Dennis < bdennis@internetworkexpert.com>
>> > wrote:
>> >
>> > > What does your ACL look like?
>> > >
>> > > Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
>> > > bdennis@internetworkexpert.com
>> > >
>> > > Internetwork Expert, Inc.
>> > > http://www.InternetworkExpert.com
>> > > Toll Free: 877-224-8987
>> > > Direct: 775-745-6404 (Outside the US and Canada)
>> > >
>> > >
>> > > -----Original Message-----
>> > > From: nobody@groupstudy.com
>> > > [mailto:nobody@groupstudy.com] On Behalf Of
>> > > xprtofnet
>> > > Sent: Thursday, September 14, 2006 1:50 PM
>> > > To: xprtofnet; ccielab
>> > > Subject: Re: BGP with NAT
>> > >
>> > > got it---overload was doing port translation.
>> > >
>> > > following works---any other inputs are welcome
>> > >
>> > > on R1
>> > >
>> > > ip nat pool a 220.0.0.1 220.0.0.1 netmask 255.255.255.0 type rotary
>> > > ip nat inside source list 1 pool a
>> > >
>> > > --- xprtofnet <xprtofnet@yahoo.com> wrote:
>> > >
>> > > > Folks,
>> > > >
>> > > > here is the scenario..
>> > > >
>> > > > Back-Bone_OUTSIDE_e0/2_R1-e0/0--INSIDE network
>> > > >
>> > > > R1 and BackBone has eBGP connection
>> > > >
>> > > > Inside Networks are NOT advertised to BackBone
>> > > >
>> > > > But communication needs to happen with Backbone and INSIDE network
>> > > >
>> > > > when i do this on R1 the eBGP session drops
>> > > >
>> > > > R1
>> > > > ip nat inside source list 1 interface e0/2 overload
>> > > >
>> > > > e0/2
>> > > > ip nat outside
>> > > >
>> > > > e0/1
>> > > > ip nat inside
>> > > >
>> > > > Any tips on how to keep BGP UP and have NAT working?
>> > > >
>> > > > Thank you,
>> > _______________________________________________________________________
>> > > > Subscription information may be found at:
>> > > > http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART