[c-nsp] Don't NAT a Subset of Traffic

Ziv Leyes zivl at gilat.net
Sun Aug 22 05:55:26 EDT 2010


Where do you want to pass the traffic without NAT? to your own public network? What else do you have connected there? Some server?
I can suggest you either create a NAT pool of a single public IP from your range, and let it access the other public IPs in the same range.
OTOH, if all your devices are on the same network, why don't you just access them via the local IPs instead of the public ones?



-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sridhar Ayengar
Sent: Sunday, August 22, 2010 12:29 PM
To: Cisco NSPs
Subject: [c-nsp] Don't NAT a Subset of Traffic


I have a Verizon FiOS connection with 5 IP addresses attached to my 7505.

So because it's excluded from the access-list, traffic from my private 
network 172.16.16.0 to my public IP addresses is not NATed.  I still 
can't figure out how to pass this traffic without NATing it.  If I 
remove the deny line from the access-list, the traffic is correctly 
passed NATed.  Anyone have any ideas for me?

Thanks.

Peace...  Sridhar

A snippet of my configuration (with irrelevant bits removed) follows:

bridge irb
!
!
interface FastEthernet2/0/0
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip virtual-reassembly
  no ip mroute-cache
  half-duplex
  no cdp enable
  no mop enabled
  bridge-group 1
!
interface FastEthernet2/1/0
  ip address 172.16.16.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  full-duplex
  no cdp enable
  no mop enabled
!
interface FastEthernet3/0/0
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip virtual-reassembly
  no ip mroute-cache
  half-duplex
  no cdp enable
  no mop enabled
  bridge-group 1
!
interface BVI1
  ip address 173.50.165.26 255.255.255.0
  ip nat outside
  ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 173.50.165.1
!
ip nat translation max-entries 300
ip nat inside source list 101 interface BVI1 overload
!
access-list 101 deny   ip 172.16.16.0 0.0.0.255 173.50.165.24 0.0.0.7
access-list 101 permit ip 172.16.16.0 0.0.0.255 any
access-list 101 deny   ip any any

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

 
 
************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************
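To see exactly which flows the NAT access-list in Sridhar's configuration exempts from translation, here is a small evaluator for the `access-list 101` lines quoted above. It is an added example, not code from the original post: it parses the three lines with Cisco wildcard-mask semantics (a 1 bit means "don't care") and reports, for a constructed set of source/destination pairs, whether `ip nat inside source list 101` would translate the flow. It shows only the ACL decision, not why the untranslated traffic fails to pass.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copy of the NAT access-list from the original post.
ACL_101 = """
access-list 101 deny   ip 172.16.16.0 0.0.0.255 173.50.165.24 0.0.0.7
access-list 101 permit ip 172.16.16.0 0.0.0.255 any
access-list 101 deny   ip any any
"""

@dataclass
class Rule:
    action: str          # "permit" or "deny"
    src: tuple           # (network as int, wildcard as int)
    dst: tuple

def parse_addr(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD); return ((addr, wild), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, wild), tokens[2:]

def parse_acl(text):
    """Parse 'access-list <n> <deny|permit> ip <src> <dst>' lines into Rule objects."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        src, rest = parse_addr(parts[4:])
        dst, rest = parse_addr(rest)
        rules.append(Rule(parts[2], src, dst))
    return rules

def matches(spec, addr):
    """Cisco wildcard match: compare only the bits where the wildcard has a 0."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)

def nat_applies(rules, src_ip, dst_ip):
    """True if the first matching entry is 'permit' (flow gets translated); implicit deny otherwise."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for r in rules:
        if matches(r.src, s) and matches(r.dst, d):
            return r.action == "permit"
    return False

if __name__ == "__main__":
    rules = parse_acl(ACL_101)
    for src, dst in [("172.16.16.10", "8.8.8.8"), ("172.16.16.10", "173.50.165.26"),
                     ("172.16.16.10", "173.50.165.32"), ("10.0.0.1", "8.8.8.8")]:
        print(f"{src} -> {dst}: {'NAT' if nat_applies(rules, src, dst) else 'no NAT'}")
```

The deny line's wildcard 0.0.0.7 covers 173.50.165.24 through .31, so flows to the BVI1 address .26 and the other four public addresses are excluded, while .32 and beyond are still translated.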