NAT with router on a stick

From: Usama Pervaiz (chaudri@gmail.com)
Date: Wed Mar 18 2009 - 00:35:50 ART


I had a question about NAT being applied to a router on a stick. I
have 2 interfaces (fa0/0 and fa0/1): fa0/0 is the outside interface
and fa0/1 is the inside interface, which is divided up into
subinterfaces (fa0/1.50, fa0/1.60 and fa0/1.70). Config following:

int fa0/0
 ip address 20.20.20.1 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.50
 encapsulation dot1Q 50
 ip address 10.10.50.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.60
 encapsulation dot1Q 60
 ip address 10.10.60.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.70
 encapsulation dot1Q 70
 ip address 10.10.70.1 255.255.255.0
 ip nat inside
!
ip nat inside source route-map TST interface fa0/0 overload
!
route-map TST permit 10
 match interface fa0/1
 match ip address NAT
!
ip access-list ext NAT
 deny ip 10.10.50.0 0.0.0.255 10.10.0.0 0.0.255.255
 deny ip 10.10.60.0 0.0.0.255 10.10.0.0 0.0.255.255
 deny ip 10.10.70.0 0.0.0.255 10.10.0.0 0.0.255.255
 permit ip any any

For inter-VLAN routing to work properly, do I really need the deny
statements in my access-list to deny the address from being NATted? To
my understanding, NAT is the first thing that happens when a packet
hits the interface. Is that true? Also, how would an access-list on the
subinterfaces in the inbound direction work then?

Any and all help is appreciated!

Usama.




This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:05 ART