Re: NAT with router on a stick

From: Sadiq Yakasai (sadiqtanko@gmail.com)
Date: Wed Mar 18 2009 - 08:55:39 ART


Hi Usama,

You forgot to provide us with the complete network (i.e., where the inter-VLAN
routing takes place). As for the order of operation of a packet on an
interface, it depends on whether it's inbound or outbound, more here though:
http://6200networks.com/2008/09/30/ios-order-of-operation/

As for your question below, it really depends on what you have upstream and
where the packets are destined for. Sorry, not very explanatory but this is
probably due to lack of information on what it is you are trying to do.

HTH a little,
Sadiq

On Wed, Mar 18, 2009 at 3:35 AM, Usama Pervaiz <chaudri@gmail.com> wrote:

> I had a question about NAT being applied to a router on a stick. If I
> have 2 interfaces (fa0/0 and fa0/1). fa0/0 is the outside interface
> and fa0/1 is the inside interface which is divided up into
> subinterfaces (fa0/1.50, fa0/1.60 and fa0/1.70). Config following:
>
>
> int fa0/0
> ip address 20.20.20.1 255.255.255.0
> ip nat outside
> !
> interface FastEthernet0/1
> no ip address
> duplex auto
> speed auto
> !
> interface FastEthernet0/1.50
> encapsulation dot1Q 50
> ip address 10.10.50.1 255.255.255.0
> ip nat inside
> !
> interface FastEthernet0/1.60
> encapsulation dot1Q 60
> ip address 10.10.60.1 255.255.255.0
> ip nat inside
> !
> interface FastEthernet0/1.70
> encapsulation dot1Q 70
> ip address 10.10.70.1 255.255.255.0
> ip nat inside
> !
> ip nat inside source route-map TST interface fa0/0 overload
> !
> route-map TST permit 10
> match interface fa0/1
> match ip address NAT
> !
> ip access-list ext NAT
> deny ip 10.10.50.0 0.0.0.255 10.10.0.0 0.0.255.255
> deny ip 10.10.60.0 0.0.0.255 10.10.0.0 0.0.255.255
> deny ip 10.10.70.0 0.0.0.255 10.10.0.0 0.0.255.255
> permit ip any any
>
> For inter-VLAN routing to work properly do I really need the deny
> statements in my access-list to deny the address from being natted? To
> my understanding NAT is the first thing that happens when a packet
> hits the interface. Is that true? Also how would an access-list on the
> subinterfaces in the inbound direction work then?
>
> Any and all help is appreciated!
>
> Usama.
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
CCIE #19963
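
An added example, not part of either post: a small Python model of how the `NAT` access-list in the quoted config classifies flows, using IOS wildcard-mask and first-match semantics. It models only the ACL; the route-map's `match interface` clause and the router's NAT order of operation are not modelled, and the sample hosts and the 198.51.100.10 destination are constructed.

```python
import ipaddress

# The NAT access-list from the quoted config: (action, src, src wildcard, dst, dst wildcard).
NAT_ACL = [
    ("deny",   "10.10.50.0", "0.0.0.255", "10.10.0.0", "0.0.255.255"),
    ("deny",   "10.10.60.0", "0.0.0.255", "10.10.0.0", "0.0.255.255"),
    ("deny",   "10.10.70.0", "0.0.0.255", "10.10.0.0", "0.0.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),  # any any
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_verdict(src, dst, acl=NAT_ACL):
    """First matching entry wins; no match falls to the implicit deny."""
    for line, (action, s, sw, d, dw) in enumerate(acl, 1):
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action, line
    return "deny", None

def nat_eligible(src, dst, acl=NAT_ACL):
    """In a NAT route-map, an ACL permit selects the flow; an ACL deny exempts it."""
    return acl_verdict(src, dst, acl)[0] == "permit"

# Constructed sample flows (hosts are illustrative, not from the post).
FLOWS = [
    ("10.10.50.10", "10.10.60.20"),    # VLAN 50 -> VLAN 60
    ("10.10.70.5",  "10.10.50.9"),     # VLAN 70 -> VLAN 50
    ("10.10.50.10", "10.10.99.1"),     # VLAN 50 -> another 10.10.0.0/16 subnet
    ("10.10.60.7",  "198.51.100.10"),  # VLAN 60 -> outside destination
]

if __name__ == "__main__":
    for src, dst in FLOWS:
        action, line = acl_verdict(src, dst)
        print(f"{src:>12} -> {dst:<14} {action:<6} (entry {line})")
```

The deny entries exempt anything destined to 10.10.0.0/16, not only the three configured VLAN subnets, and with those entries removed the same inter-VLAN flows match `permit ip any any`.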


This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:05 ART