[c-nsp] Pros/cons of ip nat "list" vs "route-map"

Stephen Wilcox steve.wilcox at packetrade.com
Mon Jul 30 15:00:33 EDT 2007


Hi Tuc,
can you provide a basic diagram? I'm confused reading the below. Also, what outside NAT translations do you have that you are referring to?

Steve

On Mon, Jul 30, 2007 at 02:36:23PM -0400, Tuc at T-B-O-H.NET wrote:
> Hi,
> 
> 	Recently I've gotten more into doing NAT at sites. I've noticed
> that it seems that when customers use the GUI, it does something like :
> 
> ip nat inside source list 2 interface Serial0/1/0 overload
> access-list 2 remark SDM_ACL Category=18
> access-list 2 permit 192.168.25.0 0.0.0.255
> access-list 2 permit 192.168.50.0 0.0.0.255
> access-list 2 permit 192.168.75.0 0.0.0.255
> access-list 2 permit 10.0.0.0 0.0.0.255
> 
> 
> 	I set up a router at my own site, using an example from another
> site (Just because of dual transits, ip sla monitoring, tracking, etc)
> and it used :
> 
> ip nat inside source route-map HUGHES interface Ethernet1/0 overload
> ip nat inside source route-map SEABREEZE interface Ethernet0/0 overload
> 
> route-map HUGHES permit 10
>  match interface Ethernet1/0
> !
> route-map SEABREEZE permit 10
>  match interface Ethernet0/0
> 
> 
> 	Is there one that is generally "more preferred" over the other?
> Are there advantages of one over the other? 
> 
> 	One of the things I can't seem to do on my config is telnet
> into the "ip nat outside" ports on the router. If I do, I get an entry
> in the NAT table for :
> 
> Pro Inside global      Inside local       Outside local      Outside global
> tcp 192.168.75.49:3    192.168.75.49:23   208.45.247.233:25922 208.45.247.233:25922
> 
> 	so it looks like it's being subject to NAT even though I'm trying to reach
> the 192.168.75.49 locally (And yea, I can do it, since I'm trying to telnet from
> a "directly attached" interface on the opposing router configured as :
> 
> interface GigabitEthernet0/0
>  description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
>  ip address 10.0.0.1 255.255.255.0 secondary
>  ip address 192.168.75.1 255.255.255.0 secondary
>  ip address 192.168.50.1 255.255.255.0 secondary
>  ip address 208.45.247.233 255.255.255.248
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip nat inside
>  ip virtual-reassembly
>  ip route-cache flow
>  duplex auto
>  speed auto
>  no mop enabled
> 
> 	(Though, I *WISH* it would try to telnet from the 75.1, which is in the same
> subnet as my 75.49!)
> 
> 			Thanks, Tuc

