Re: nat-reversible

From: Alexei Monastyrnyi (alexeim@orcsoftware.com)
Date: Sun Oct 08 2006 - 10:14:53 ART


"Basically, NAT with route-map is more secure than normal NAT with ACL
without overload."

Could you please be more specific here? Just a sample configuration...

Cheers,
A.

Chee Chew Leong wrote:
> I think your understanding is only partially correct. After many tests, and
> disregarding the indirect (not straight-to-the-point) explanation in the Cisco
> configuration guide, now I understand why we need the reversible keyword when
> we are using NAT with a route-map.
>
> Basically, NAT with route-map is more secure than normal NAT with ACL
> without overload.
>
>
> -----nobody@groupstudy.com wrote: -----
>
>
> To: Chee Chew Leong/ASIA/CSC@CSC
> From: Alexei Monastyrnyi <alexeim@orcsoftware.com>
> Sent by: nobody@groupstudy.com
> Date: 10/07/2006 04:49PM
> cc: ccielab@groupstudy.com
> Subject: Re: nat-reversible
>
> Heya.
>
> "reversible - (Optional) Enables outside-to-inside initiated sessions to
> use routemaps for destination-based NAT"
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hiad_r/adr_i2h.htm#wp1178184
>
>
> In other words, if you have destination-based NAT with a usual NAT pool,
> you will never get traffic inside for this translation until there is
> a traffic flow from inside to outside (for a given source-destination
> pair). This is because NAT entries for pools are created dynamically, so
> no traffic flow, no entry, basically.
>
> If I understand things right, with the "reversible" keyword the entry is
> created as soon as the router detects an opposite traffic flow.
>
> If you limit the number of hosts to 1 in both the pool and the catching ACL,
> you may think of it as a "destination-based" static NAT. :-)
>
> HTH
> A.
>
> Chee Chew Leong wrote:
>
>> Anyone kind enough to guide me on what NAT with the reversible keyword is for?
>>
>> If we take a look at the configuration guide, what is the example
>> trying to tell us, and what is its functionality?
>>
>> ip nat pool POOL-A 30.1.10.1 30.1.10.126 netmask 255.255.255.128
>> ip nat pool POOL-B 30.1.20.1 30.1.20.126 netmask 255.255.255.128
>> ip nat inside source route-map MAP-A pool POOL-A reversible
>> ip nat inside source route-map MAP-B pool POOL-B reversible
>> !
>> ip access-list extended ACL-A
>> permit ip any 30.1.10.128 0.0.0.127
>> ip access-list extended ACL-B
>> permit ip any 30.1.20.128 0.0.0.127
>> !
>> route-map MAP-A permit 10
>> match ip address ACL-A
>> !
>> route-map MAP-B permit 10
>> match ip address ACL-B
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>
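An added example (not part of the thread, nor Cisco's code): a small Python audit that parses the configuration quoted above and reports, per `ip nat inside source route-map` statement, which destination ranges the route-map catches and whether `reversible` lets outside-initiated sessions create translations. It uses a constructed copy of the config in which MAP-B has no `reversible` keyword so the two cases can be compared; ACL entries whose source is not `any`, and non-contiguous wildcards, are not handled.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed input: the thread's config, with "reversible" left off MAP-B to show both cases.
CONFIG = """
ip nat pool POOL-A 30.1.10.1 30.1.10.126 netmask 255.255.255.128
ip nat pool POOL-B 30.1.20.1 30.1.20.126 netmask 255.255.255.128
ip nat inside source route-map MAP-A pool POOL-A reversible
ip nat inside source route-map MAP-B pool POOL-B
ip access-list extended ACL-A
 permit ip any 30.1.10.128 0.0.0.127
ip access-list extended ACL-B
 permit ip any 30.1.20.128 0.0.0.127
route-map MAP-A permit 10
 match ip address ACL-A
route-map MAP-B permit 10
 match ip address ACL-B
"""

def wildcard_to_network(addr, wildcard):
    """IOS address/wildcard pair -> ip_network (contiguous wildcards only)."""
    bits = int(ip_address(wildcard)).bit_length()
    return ip_network(f"{addr}/{32 - bits}", strict=False)

def parse(config):
    """Collect pools, NAT statements, ACL destination ranges and route-map matches."""
    pools, nats, acls, maps = {}, [], {}, {}
    acl = rmap = None  # the ACL or route-map whose body we are currently in
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip nat pool (\S+) (\S+) (\S+)", line):
            pools[m[1]] = (m[2], m[3])
        elif m := re.match(r"ip nat inside source route-map (\S+) pool (\S+)( reversible)?", line):
            nats.append((m[1], m[2], m[3] is not None))
        elif m := re.match(r"ip access-list extended (\S+)", line):
            acl, rmap = m[1], None
        elif m := re.match(r"route-map (\S+) permit", line):
            rmap, acl = m[1], None
        elif acl and (m := re.match(r"permit ip any (\S+) (\S+)", line)):
            acls.setdefault(acl, []).append(wildcard_to_network(m[1], m[2]))
        elif rmap and (m := re.match(r"match ip address (\S+)", line)):
            maps[rmap] = m[1]
    return pools, nats, acls, maps

def audit(config):
    """One record per NAT statement; 'reversible' means outside-initiated sessions may create a translation."""
    pools, nats, acls, maps = parse(config)
    return [{"route_map": rm, "pool": "%s-%s" % pools[pool], "reversible": rev,
             "destinations": [str(n) for n in acls.get(maps.get(rm), [])]}
            for rm, pool, rev in nats]
```

Running `audit(CONFIG)` lists MAP-A as reversible for 30.1.10.128/25 and MAP-B as not reversible for 30.1.20.128/25, which is the inventory a reviewer wants before deciding which inside-global ranges may be reached by outside-initiated sessions.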



This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:04 ART