RE: [nsp] ip nat inside -> inside static

• Next message: isamar@isamarmaia.org: "RE: [nsp] How to block Nimda in PIX or router"
• Previous message: kevin graham: "RE: [nsp] How to block Nimda in PIX or router"
• In reply to: Joe Hsieh: "RE: [nsp] ip nat inside -> inside static"
• Next in thread: Gert Doering: "Re: [nsp] ip nat inside -> inside static"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

> Maybe you know this already.
>
> There is a trick to fix this problem. If you use static map PAT instead of
> port translation...
>
> change your access-list to 101(extend)
>
> ip nat inside source static 192.168.0.10 1.1.1.3
> access-list 101 deny ip 192.168.0.0 0.0.0.255 host 1.1.1.3
> access-list 101 permit ip 192.168.0.0 0.0.0.255 any
>
> add a static route if the router does not have a default route:
>
> ip route 1.1.1.3 255.255.255.255 (next-hop-address of "ip nat outside"
> interface)
>
> yes, set the next-hop to upstream

Dunno if I just got lucky w/ 12.2(6), but adding the /32 to nexthop did
the trick quite nicely w/o modifying acl's (...and that's with a tcp-only
translation).

Thanks for the tip.
..kg..

• Next message: isamar@isamarmaia.org: "RE: [nsp] How to block Nimda in PIX or router"
• Previous message: kevin graham: "RE: [nsp] How to block Nimda in PIX or router"
• In reply to: Joe Hsieh: "RE: [nsp] ip nat inside -> inside static"
• Next in thread: Gert Doering: "Re: [nsp] ip nat inside -> inside static"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:29 EDT