From: Usama Pervaiz (chaudri@gmail.com)
Date: Wed Mar 18 2009 - 09:23:55 ART
Hey guys,
Sorry for the lack of info and thanks for the links! That basically
answered my questions.
Usama
On Wed, Mar 18, 2009 at 8:05 AM, Edouard Zorrilla <ezorrilla@tsf.com.pe> wrote:
> 1.-
> Inside:
>
>> route-map TST permit 10
>> match interface fa0/1
>> match ip address NAT
>
> You do not need match interface0/1 since the packet is already there
>
> 2.-
> From inside to outside, routing happens first:
>
> http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
>
> So you do not need to deny in the access-list.
>
> Regards
>
> ----- Original Message ----- From: "Usama Pervaiz" <chaudri@gmail.com>
> To: "Cisco certification" <ccielab@groupstudy.com>
> Sent: Tuesday, March 17, 2009 10:35 PM
> Subject: NAT with router on a stick
>
>
>> I had a question about NAT being applied to a router on a stick. If I
>> have 2 interfaces (fa0/0 and fa0/1). fa0/0 is the outside interface
>> and fa0/1 is the inside interface which is divided up into
>> subinterfaces (fa0/1.50, fa0/1.60 and fa0/1.70). Config following:
>>
>>
>> int fa0/0
>> ip address 20.20.20.1 255.255.255.0
>> ip nat outside
>> !
>> interface FastEthernet0/1
>> no ip address
>> duplex auto
>> speed auto
>> !
>> interface FastEthernet0/1.50
>> encapsulation dot1Q 50
>> ip address 10.10.50.1 255.255.255.0
>> ip nat inside
>> !
>> interface FastEthernet0/1.60
>> encapsulation dot1Q 60
>> ip address 10.10.60.1 255.255.255.0
>> ip nat inside
>> !
>> interface FastEthernet0/1.70
>> encapsulation dot1Q 70
>> ip address 10.10.70.1 255.255.255.0
>> ip nat inside
>> !
>> ip nat inside source route-map TST interface fa0/0 overload
>> !
>> route-map TST permit 10
>> match interface fa0/1
>> match ip address NAT
>> !
>> ip access-list ext NAT
>> deny ip 10.10.50.0 0.0.0.255 10.10.0.0 0.0.255.255
>> deny ip 10.10.60.0 0.0.0.255 10.10.0.0 0.0.255.255
>> deny ip 10.10.70.0 0.0.0.255 10.10.0.0 0.0.255.255
>> permit ip any any
>>
>> For inter-Vlan routing to work properly do I really need the deny
>> statements in my access-list to deny the address from being natted? To
>> my understanding NAT is the first thing that happens when a packet
>> hits the interface. Is that true? Also how would an access-list on the
>> subinterfaces in the inbound direction work then?
>>
>> Any and all help is appreciated!
>>
>> Usama.
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
--
-----------------------------------------------------
You're the only one who can hold your head up high,
Shake your fist at the gates saying, "I have come home now!"
Fetch me the spirit, the son and the father,
Tell them their pillar of faith has ascended.
"It's time now! My time now! Give me my Give me my own wings!"...
-------------------------------------------------------
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:05 ART
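
Added example, not part of the original thread: a small Python model of the inside-to-outside order of operations referred to in the reply (routing first, then NAT), built from the interfaces and ACL in the posted config. The default route out fa0/0 and the sample addresses are assumptions, and the route-map's `match interface` clause is not modelled.

```python
from ipaddress import ip_address, ip_network

# Interfaces, subnets and ACL entries are taken from the config posted in the thread.
NAT_ROLE = {"fa0/0": "outside", "fa0/1.50": "inside",
            "fa0/1.60": "inside", "fa0/1.70": "inside"}
CONNECTED = {"fa0/0": ip_network("20.20.20.0/24"),
             "fa0/1.50": ip_network("10.10.50.0/24"),
             "fa0/1.60": ip_network("10.10.60.0/24"),
             "fa0/1.70": ip_network("10.10.70.0/24")}
DENY_SRC = [CONNECTED[i] for i in ("fa0/1.50", "fa0/1.60", "fa0/1.70")]
DENY_DST = ip_network("10.10.0.0/16")   # 10.10.0.0 0.0.255.255

def acl_nat(src, dst, with_denies):
    """ACL 'NAT': optional deny lines, then 'permit ip any any'."""
    if with_denies and dst in DENY_DST and any(src in n for n in DENY_SRC):
        return False
    return True

def route(dst):
    """Connected routes, else an assumed default route out fa0/0."""
    for ifname, net in CONNECTED.items():
        if dst in net:
            return ifname
    return "fa0/0"

def forward(ingress, src, dst, with_denies):
    """Return (egress interface, source address after NAT)."""
    src, dst = ip_address(src), ip_address(dst)
    egress = route(dst)                       # step 1: routing decision
    crosses = NAT_ROLE[ingress] == "inside" and NAT_ROLE[egress] == "outside"
    if crosses and acl_nat(src, dst, with_denies):   # step 2: NAT, inside -> outside only
        return egress, "20.20.20.1"           # overload onto fa0/0's address
    return egress, str(src)

# Constructed sample flows: inter-VLAN, Internet-bound, and a 10.10.x.x
# destination that is not a connected subnet (so it follows the default route).
FLOWS = [("fa0/1.50", "10.10.50.10", "10.10.60.20"),
         ("fa0/1.70", "10.10.70.10", "198.51.100.7"),
         ("fa0/1.60", "10.10.60.10", "10.10.99.5")]

def compare():
    """Per flow: (result with deny lines, result with only 'permit ip any any')."""
    return [(forward(*f, True), forward(*f, False)) for f in FLOWS]

if __name__ == "__main__":
    for flow, (with_d, without_d) in zip(FLOWS, compare()):
        print(flow, "with denies:", with_d, "without:", without_d)
```

In this model the deny lines change the outcome only for the third flow, a 10.10.0.0/16 destination that leaves through the outside interface; inter-VLAN traffic is untranslated either way because it never crosses from inside to outside.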