From: Huan Pham (Huan.Pham@peopletelecom.com.au)
Date: Mon Aug 04 2008 - 23:31:59 ART
Hi GS,
I've just read this statement from the NAT configuration guide, saying that
NAT does not support an ACL with permit ip any any. I understand that an ACL
permitting everything is not recommended, as we might get NAT traffic translated in
an undesired way (e.g. BGP, OSPF might get translated, breaking the neighbor
relationship).
But I do not see a reason as to why the ACL permit ip any any is not
supported. In fact, I set up a simple case, and my NAT is just working
fine.
Any idea?
Quoted from NAT Configuration Guide:
http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_addr_consv_ps6350_TSD_Products_Configuration_Guide_Chapter.html
Restrictions for Configuring NAT for IP Address Conservation
"If you specify an access list to use with a NAT command, NAT does not
support the commonly used permit ip any any command in the access list."
My simple topology showing NAT using this ACL is SUPPORTED.
R1 ---- R2 ---- R3
Inside | Outside
R2#sh run | in interface|address|nat|access
interface Serial1/0.1 point-to-point
ip address 12.0.0.2 255.255.255.0
ip nat inside
frame-relay interface-dlci 201
interface Serial1/1
ip address 23.0.0.2 255.255.255.0
ip nat outside
ip nat inside source list 100 interface Serial1/1 overload
access-list 100 permit ip any any
R1 has default route pointing to R2
R3 does not need a route back to the subnet between R1 & R2, as it is
sitting behind a NATting device, R2.
R1#ping 23.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/49/140 ms
R2#sh ip nat translations
Pro   Inside global   Inside local   Outside local   Outside global
icmp  23.0.0.2:1      12.0.0.1:1     23.0.0.3:1      23.0.0.3:1
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:29 ART
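The post above argues that a NAT ACL of permit ip any any selects more traffic for translation than intended, and that a narrower ACL is preferable. As an added example (not part of the original message, and not Cisco or GroupStudy code), the Python below models IOS-style ACL matching (first match wins, wildcard masks, implicit deny) and runs two candidate NAT ACLs over a constructed set of flows from the topology in the post: the R1->R3 ping, a hypothetical R1->R3 BGP session on TCP/179, and a host on an assumed second inside subnet (10.1.1.0/24). The ACL numbers, the flows, and the subnet 10.1.1.0/24 are assumptions for illustration; the code models only which packets the ACL would select, not the inside/outside direction logic of NAT itself.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclEntry:
    """One IOS-style access-list line (only the fields this example needs)."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol; else "tcp", "udp", "icmp"
    src: str               # "any", "host A.B.C.D", or "A.B.C.D W.X.Y.Z" (wildcard)
    dst: str
    dport: Optional[int] = None   # "eq <port>" on the destination, tcp/udp only


def _parse_addr(spec: str):
    """Return (address_int, wildcard_int) for an IOS address specification."""
    spec = spec.strip()
    if spec == "any":
        return 0, 0xFFFFFFFF
    if spec.startswith("host "):
        return int(ipaddress.IPv4Address(spec[5:])), 0
    addr, wild = spec.split()
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))


def _addr_match(spec: str, ip: str) -> bool:
    """IOS wildcard semantics: bits set in the wildcard are 'don't care'."""
    net, wild = _parse_addr(spec)
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)


def acl_permits(acl, pkt) -> bool:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt["proto"]:
            continue
        if not _addr_match(e.src, pkt["src"]) or not _addr_match(e.dst, pkt["dst"]):
            continue
        if e.dport is not None and pkt.get("dport") != e.dport:
            continue
        return e.action == "permit"
    return False  # implicit deny


def flows_translated(acl, flows):
    """Names of the flows the NAT ACL would select for translation."""
    return [name for name, pkt in flows if acl_permits(acl, pkt)]


# The ACL from the post: access-list 100 permit ip any any
ACL_100 = [AclEntry("permit", "ip", "any", "any")]

# Assumed narrower alternative: exclude the (hypothetical) R1-R3 BGP session
# and only translate the inside subnet between R1 and R2.
#   access-list 101 deny   tcp host 12.0.0.1 host 23.0.0.3 eq 179
#   access-list 101 permit ip 12.0.0.0 0.0.0.255 any
ACL_101 = [
    AclEntry("deny", "tcp", "host 12.0.0.1", "host 23.0.0.3", 179),
    AclEntry("permit", "ip", "12.0.0.0 0.0.0.255", "any"),
]

# Constructed sample flows (not captured traffic).
FLOWS = [
    ("ping", {"proto": "icmp", "src": "12.0.0.1", "dst": "23.0.0.3"}),
    ("bgp", {"proto": "tcp", "src": "12.0.0.1", "dst": "23.0.0.3", "dport": 179}),
    ("other-inside", {"proto": "tcp", "src": "10.1.1.5", "dst": "23.0.0.3", "dport": 443}),
]


if __name__ == "__main__":
    print("ACL 100 translates:", flows_translated(ACL_100, FLOWS))
    print("ACL 101 translates:", flows_translated(ACL_101, FLOWS))
```

With ACL 100 every flow is selected, including the BGP session; with ACL 101 only the ping from 12.0.0.1 is translated, the BGP session is excluded by the explicit deny, and the 10.1.1.0/24 host falls through to the implicit deny.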