Re: NAT with router on a stick

From: Edouard Zorrilla (ezorrilla@tsf.com.pe)
Date: Wed Mar 18 2009 - 09:05:16 ART

• Next message: Vijay Karanth: "Formula for BC and BE"
• Previous message: Thomas Perrier: "Re: OT: CCSP and CCVP Resources"
• Maybe in reply to: Usama Pervaiz: "NAT with router on a stick"
• Next in thread: Usama Pervaiz: "Re: NAT with router on a stick"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

1.-
Inside:

> route-map TST permit 10
> match interface fa0/1
> match ip address NAT

You do not need match interface0/1 since the packet is already there

2.-
From inside to outside, routing happens first:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

So you do not need to deny in the access-list.

Regards

----- Original Message -----
From: "Usama Pervaiz" <chaudri@gmail.com>
To: "Cisco certification" <ccielab@groupstudy.com>
Sent: Tuesday, March 17, 2009 10:35 PM
Subject: NAT with router on a stick

>I had a question about NAT being applied to a router on a stick. If i
> have 2 interfaces (fa0/0 and fa0/1). fa0/0 is the outside interface
> and fa0/1 is the inside interface which is divided up into
> subinterfaces (fa0/1.50, fa0/1.60 and fa0/1.70). Config following:
>
>
> int fa0/0
> ip address 20.20.20.1 255.255.255.0
> ip nat outside
> !
> interface FastEthernet0/1
> no ip address
> duplex auto
> speed auto
> !
> interface FastEthernet0/1.50
> encapsulation dot1Q 50
> ip address 10.10.50.1 255.255.255.0
> ip nat inside
> !
> interface FastEthernet0/1.60
> encapsulation dot1Q 60
> ip address 10.10.60.1 255.255.255.0
> ip nat inside
> !
> interface FastEthernet0/1.70
> encapsulation dot1Q 70
> ip address 10.10.70.1 255.255.255.0
> ip nat inside
> !
> ip nat inside source route-map TST interface fa0/0 overload
> !
> route-map TST permit 10
> match interface fa0/1
> match ip address NAT
> !
> ip access-list ext NAT
> deny ip 10.10.50.0 0.0.0.255 10.10.0.0 0.0.255.255
> deny ip 10.10.60.0 0.0.0.255 10.10.0.0 0.0.255.255
> deny ip 10.10.70.0 0.0.0.255 10.10.0.0 0.0.255.255
> permit ip any any
>
> For inter-Vlan routing to work properly do I really need the deny
> statements in my access-list to deny the address from being natted? To
> my understanding NAT is the first thing that happens when a packet
> hits the interface. Is that true? Also how would an access-list on the
> subinterfaces in the inbound direction work then?
>
> Any and all help is appreciated!
>
> Usama.
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net

• Next message: Vijay Karanth: "Formula for BC and BE"
• Previous message: Thomas Perrier: "Re: OT: CCSP and CCVP Resources"
• Maybe in reply to: Usama Pervaiz: "NAT with router on a stick"
• Next in thread: Usama Pervaiz: "Re: NAT with router on a stick"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:05 ART