[c-nsp] NAT Question

Tom Storey tom at snnap.net
Fri Jun 29 10:56:45 EDT 2007


IIRC NAT occurs after routing, therefore if traffic is simply routed between
inside interfaces, it should never be NATed.

You could, however, always do something like this in the ACL which decides
what traffic is NATed:

ip nat inside source list 100 interface WAN overload
!
! ACL 100 selects which inside flows are translated: "deny" means "do not NAT",
! it does not drop the traffic. Entries are evaluated first-match, top down.
access-list 100 deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.0.0 0.0.255.255 any

where 192.168.0.0/16 encapsulates your private networks, and 10.0.0.0/24 is
your DMZ - for example.

Tom
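To make the ACL semantics above concrete, the following is an added example (not from the post, and not Cisco code) that models how IOS evaluates a numbered access list used as a NAT source list: Cisco wildcard-mask matching (0 bits must match, 1 bits are don't-care), first-match top-down evaluation, and the implicit deny at the end. It parses the three lines of ACL 100 exactly as written in the post; the sample source and destination addresses in the usage block are constructed.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# ACL 100 exactly as written in the post above.
ACL_TEXT = """
access-list 100 deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
"""


class AclEntry(NamedTuple):
    number: str
    action: str            # "permit" or "deny"
    protocol: str          # only "ip" entries are modelled here
    src: Tuple[str, str]   # (address, wildcard)
    dst: Tuple[str, str]   # (address, wildcard)


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is don't-care."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # invert wildcard -> subnet mask
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def _parse_address(tokens: List[str]) -> Tuple[Tuple[str, str], List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' lines; blank and '!' lines are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        number, action, protocol = tokens[1], tokens[2], tokens[3]
        if protocol != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line}")
        src, rest = _parse_address(tokens[4:])
        dst, _ = _parse_address(rest)
        entries.append(AclEntry(number, action, protocol, src, dst))
    return entries


def match(acl: List[AclEntry], src: str, dst: str) -> Optional[AclEntry]:
    """First-match evaluation; None means the implicit deny at the end of the list applied."""
    for entry in acl:
        if wildcard_match(src, *entry.src) and wildcard_match(dst, *entry.dst):
            return entry
    return None


def will_be_translated(acl: List[AclEntry], src: str, dst: str) -> bool:
    """In a NAT source list a 'permit' selects the flow for translation;
    a 'deny' or no match at all leaves the packet untranslated (it is still routed)."""
    entry = match(acl, src, dst)
    return entry is not None and entry.action == "permit"


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # Constructed sample flows: inside->DMZ, inside->inside, inside->Internet, non-inside source.
    for s, d in [("192.168.1.10", "10.0.0.5"), ("192.168.1.10", "192.168.7.20"),
                 ("192.168.1.10", "203.0.113.7"), ("172.16.0.5", "203.0.113.7")]:
        hit = match(acl, s, d)
        verdict = "NATed" if will_be_translated(acl, s, d) else "not NATed"
        print(f"{s} -> {d}: {verdict} ({'implicit deny' if hit is None else hit.action})")
```

Running the block shows the point of the two deny lines: a flow from a private network to the DMZ or to another private network matches a deny and is routed untranslated, while a flow to an address outside 192.168.0.0/16 and 10.0.0.0/24 reaches the final permit and is translated to the WAN address. A source outside 192.168.0.0/16 hits the implicit deny and is likewise left alone, which is why the permit is scoped to the private range rather than "any".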

----- Original Message -----
From: "Gert Doering" <gert at greenie.muc.de>
To: "Sridhar Ayengar" <ploopster at gmail.com>
Cc: "Cisco NSPs" <cisco-nsp at puck.nether.net>
Sent: Friday, June 29, 2007 6:52 PM
Subject: Re: [c-nsp] NAT Question


> Hi,
>
> On Fri, Jun 29, 2007 at 05:06:42AM -0400, Sridhar Ayengar wrote:
> > What I can't figure out is how to configure the network for the servers.
>
> Make them "neither inside nor outside" - then packets will never be NATted
> coming from this interface, or going towards it.
>
> This is the cool thing about the classic IOS NAT - you can do things like
this.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!                //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             gert at greenie.muc.de
> fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
