Re: Excluding a subnet from natting - route-map vs access-list

From: Radioactive Frog <pbhatkoti_at_gmail.com>
Date: Tue, 17 May 2011 10:43:14 +1000

Hi Dan - thanks.
The example in the link is for non-overload. My example is NAT with
overload.

A specific example that I am after is exactly the same as mentioned in the
link below:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009448f.shtml

*ip nat inside source route-map nonat interface FastEthernet0/0 overload*

So you're saying if I replace route-map with just an ACL in the above
example it won't work?

Thanks

On Mon, May 16, 2011 at 2:59 PM, Dan Shechter <danshtr_at_gmail.com> wrote:

> There are some features that require the use of a route-map.
>
> For example:
>
>
> http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
>
>
> You might be able to configure it with ACL, but it wouldn't work.
>
>
> HTH,
> Dan #13685 (RS/Sec/SP)
> The CCIE troubleshooting blog: http://dans-net.com
>
>
>
> On Sun, May 15, 2011 at 4:51 AM, Radioactive Frog <pbhatkoti_at_gmail.com> wrote:
>
>> Folks,
>> In the below scenario, where I am excluding 192.168.1.0/24 from NAT - in what
>> scenario would I use a route-map?
>> Noticed, I am not tweaking any metric or anything.
>>
>> Task# exclude 192.168.1.0/24 from NAT
>>
>> My understanding is both solutions will work, but the easier one is solution #2
>> without route-map. Saves time in typing :)
>>
>> What are your thoughts?
>>
>> --------------- Solution#1----------------
>> ip access-list extended NAT
>>  deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
>>  permit ip any any
>>
>> route-map POLICY-NAT 10
>>  match ip address NAT
>>
>> ip nat inside source route-map POLICY-NAT interface s0/0 overload
>>
>> interface f1/0
>>  ip nat inside
>>
>> interface s0/0
>>  ip nat outside
>>
>> ----------Solution#2---------------
>> ip access-list extended NAT
>>  deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
>>  permit ip any any
>>
>> ip nat inside source list NAT interface s0/0 overload
>>
>> interface f1/0
>>  ip nat inside
>>
>> interface s0/0
>>  ip nat outside
>>
>>
>> Blogs and organic groups at http://www.ccie.net

Received on Tue May 17 2011 - 10:43:14 ART
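
An added example, not part of the original thread: a small Python model of how the extended ACL `NAT` posted in the question selects traffic for translation, whether it is referenced directly or through a route-map `match ip address` clause. It assumes the usual IOS semantics (first match wins, a `deny` match leaves the flow untranslated, unmatched traffic hits the implicit deny); the function names and sample flows are constructed for illustration.

```python
import ipaddress

# The extended ACL "NAT" from the thread as
# (action, source, source wildcard, destination, destination wildcard).
# "any" is written as 0.0.0.0 with wildcard 255.255.255.255.
ACL_NAT = [
    ("deny",   "192.168.1.0", "0.0.0.255",       "192.168.2.0", "0.0.0.255"),
    ("permit", "0.0.0.0",     "255.255.255.255", "0.0.0.0",     "255.255.255.255"),
]

def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit where the wildcard bit is 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match exactly
    return (a & care) == (b & care)

def acl_action(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, s, s_wild, d, d_wild in acl:
        if wildcard_match(src, s, s_wild) and wildcard_match(dst, d, d_wild):
            return action
    return "deny"

def is_translated(acl, src, dst):
    """Assumption of this model: only flows the ACL permits are NAT candidates."""
    return acl_action(acl, src, dst) == "permit"

# Constructed sample flows (source, destination); not taken from the thread.
FLOWS = [
    ("192.168.1.10", "192.168.2.20"),   # exempted subnet to the remote subnet
    ("192.168.1.10", "203.0.113.5"),    # same host to any other destination
    ("192.168.3.7",  "192.168.2.20"),   # a different inside subnet
]

if __name__ == "__main__":
    for src, dst in FLOWS:
        verdict = "translated" if is_translated(ACL_NAT, src, dst) else "not translated"
        print(f"{src} -> {dst}: {verdict}")
```

The `deny` entry exempts 192.168.1.0/24 only when the destination is 192.168.2.0/24; the same hosts are still translated toward every other destination.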

This archive was generated by hypermail 2.2.0 : Wed Jun 01 2011 - 09:01:11 ART