From: Mukom TAMON (mukom.tamon@gmail.com)
Date: Wed Mar 18 2009 - 09:26:24 ART
The 10.10.0.0/24 network your access list is denying ... is it out the
outside interfaces? Also I don't think NAT kicks in until it leaves an
inside to outside interface.
M.A. TAMON
B.Eng, CCNP, CCNA
On Wed, Mar 18, 2009 at 12:55 PM, Sadiq Yakasai <sadiqtanko@gmail.com> wrote:
> Hi Usama,
>
> You forgot to provide us with the complete network (i.e., where the inter-VLAN
> routing takes place). As for the order of operation of a packet on an
> interface, it depends on whether it's inbound or outbound, more here though:
> http://6200networks.com/2008/09/30/ios-order-of-operation/
>
> As for your question below, it really depends on what you have upstream and
> where the packets are destined for. Sorry, not very explanatory but this is
> probably due to lack of information on what it is you are trying to do.
>
> HTH a little,
> Sadiq
>
> On Wed, Mar 18, 2009 at 3:35 AM, Usama Pervaiz <chaudri@gmail.com> wrote:
>
> > I had a question about NAT being applied to a router on a stick. If I
> > have 2 interfaces (fa0/0 and fa0/1). fa0/0 is the outside interface
> > and fa0/1 is the inside interface which is divided up into
> > subinterfaces (fa0/1.50, fa0/1.60 and fa0/1.70). Config following:
> >
> >
> > int fa0/0
> > ip address 20.20.20.1 255.255.255.0
> > ip nat outside
> > !
> > interface FastEthernet0/1
> > no ip address
> > duplex auto
> > speed auto
> > !
> > interface FastEthernet0/1.50
> > encapsulation dot1Q 50
> > ip address 10.10.50.1 255.255.255.0
> > ip nat inside
> > !
> > interface FastEthernet0/1.60
> > encapsulation dot1Q 60
> > ip address 10.10.60.1 255.255.255.0
> > ip nat inside
> > !
> > interface FastEthernet0/1.70
> > encapsulation dot1Q 70
> > ip address 10.10.70.1 255.255.255.0
> > ip nat inside
> > !
> > ip nat inside source route-map TST interface fa0/0 overload
> > !
> > route-map TST permit 10
> > match interface fa0/1
> > match ip address NAT
> > !
> > ip access-list ext NAT
> > deny ip 10.10.50.0 0.0.0.255 10.10.0.0 0.0.255.255
> > deny ip 10.10.60.0 0.0.0.255 10.10.0.0 0.0.255.255
> > deny ip 10.10.70.0 0.0.0.255 10.10.0.0 0.0.255.255
> > permit ip any any
> >
> > For inter-Vlan routing to work properly do I really need the deny
> > statements in my access-list to deny the address from being natted? To
> > my understanding NAT is the first thing that happens when a packet
> > hits the interface. Is that true? Also how would an access-list on the
> > subinterfaces in the inbound direction work then?
> >
> > Any and all help is appreciated!
> >
> > Usama.
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> CCIE #19963
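Added example (not part of any poster's message or of the original thread): a small Python model of the posted `NAT` access list, showing which flows from the inside subinterfaces would be selected for translation. It assumes that translation only applies to traffic leaving through the outside interface fa0/0, as the reply above suggests, and that any destination not on a connected inside subnet is routed out fa0/0; the route-map's `match interface` clause is not modelled, and the sample flows are constructed.

```python
import ipaddress

# ACL "NAT" from the post: (action, source, source wildcard, dest, dest wildcard)
ACL_NAT = [
    ("deny", "10.10.50.0", "0.0.0.255", "10.10.0.0", "0.0.255.255"),
    ("deny", "10.10.60.0", "0.0.0.255", "10.10.0.0", "0.0.255.255"),
    ("deny", "10.10.70.0", "0.0.0.255", "10.10.0.0", "0.0.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]
# Connected inside subnets from the posted subinterfaces.
INSIDE = {"fa0/1.50": "10.10.50.0/24", "fa0/1.60": "10.10.60.0/24",
          "fa0/1.70": "10.10.70.0/24"}

def wildcard_match(addr, base, wildcard):
    """Bits set in the wildcard are 'don't care'; all other bits must equal base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_action(src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, s, sw, d, dw in ACL_NAT:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"

def egress(dst):
    """Assumption: anything not on a connected inside subnet is routed out fa0/0."""
    for ifname, net in INSIDE.items():
        if ipaddress.ip_address(dst) in ipaddress.ip_network(net):
            return ifname, "inside"
    return "fa0/0", "outside"

def evaluate(src, dst):
    """Return (egress interface, ACL verdict, translated?) for an inside host's packet."""
    ifname, role = egress(dst)
    verdict = acl_action(src, dst)
    return ifname, verdict, role == "outside" and verdict == "permit"

if __name__ == "__main__":
    # Constructed sample flows, not taken from the thread.
    for src, dst in [("10.10.50.5", "10.10.60.7"), ("10.10.50.5", "20.20.20.9"),
                     ("10.10.70.2", "10.10.99.1")]:
        print(src, "->", dst, evaluate(src, dst))
```

The third flow shows a side effect of the `0.0.255.255` destination wildcard: it covers all of 10.10.0.0/16, so a 10.10.x.x destination that is not one of the three VLANs would leave fa0/0 with its private source address untranslated.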
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:05 ART