[c-nsp] Bridging + Routing + NAT

Christopher Gatlin gatlin007 at gmail.com
Sun Aug 29 18:54:23 EDT 2010


Change ACL 101 to reflect the following and I think you'd be good to go.

access-list 101 deny ip 172.22.22.0 0.0.0.255 173.50.165.0 0.0.0.255
access-list 101 deny ip 173.50.165.0 0.0.0.255 172.22.22.0 0.0.0.255
access-list 101 permit ip any any


Chris


On Sun, Aug 29, 2010 at 7:44 AM, Sridhar Ayengar <ploopster at gmail.com> wrote:

>
> The machines on the bridged interfaces can talk to the outside world, the
> machines on the private network can talk to the outside world with NAT, but
> the machines on the bridged network can't talk to the machines on the
> private network.  What am I doing wrong with the following configuration?
>
> Peace...  Sridhar
>
> bridge irb
> !
> !
> interface FastEthernet2/0/0
>  no ip address
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip virtual-reassembly
>  no ip mroute-cache
>  half-duplex
>  no cdp enable
>  no mop enabled
>  bridge-group 1
> !
> interface FastEthernet2/1/0
>  ip address 172.22.22.1 255.255.255.0
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip nat inside
>  ip virtual-reassembly
>  ip policy route-map bypass-out
>  full-duplex
>  no cdp enable
>  no mop enabled
> !
> interface FastEthernet3/0/0
>  no ip address
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip virtual-reassembly
>  no ip mroute-cache
>  half-duplex
>  no cdp enable
>  no mop enabled
>  bridge-group 1
> !
> interface BVI1
>  ip address 173.50.165.26 255.255.255.0
>  ip nat outside
>  ip virtual-reassembly
>  ip policy route-map bypass-in
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 173.50.165.1
> !
> ip nat translation max-entries 300
> ip nat inside source route-map nat-traversal interface BVI1 overload
> !
> access-list 101 deny   ip 172.22.22.0 0.0.0.255 173.50.165.24 0.0.0.7
> access-list 101 deny   ip 173.50.165.24 0.0.0.7 172.22.22.0 0.0.0.255
> access-list 101 permit ip 172.22.22.0 0.0.0.255 any
> access-list 101 deny   ip any any
> access-list 102 permit ip 173.50.165.24 0.0.0.7 172.22.22.0 0.0.0.255
> access-list 102 deny   ip any any
> access-list 103 permit ip 172.22.22.0 0.0.0.255 173.50.165.24 0.0.0.7
> access-list 103 deny   ip any any
> !
> route-map bypass-in permit 10
>  match ip address 102
>  set interface FastEthernet2/1/0
> !
> route-map nat-traversal permit 10
>  match ip address 101
> !
> route-map bypass-out permit 10
>  match ip address 103
>  set interface BVI1
> !
> !
> !
> !
> control-plane
> !
> bridge 1 protocol ieee
> bridge 1 route ip
> no bridge 1 bridge appletalk
> no bridge 1 bridge clns
> no bridge 1 bridge decnet
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
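
The following is an added example, not part of either post: it evaluates both versions of ACL 101 from this thread with IOS first-match and wildcard-mask semantics, to show which flows route-map nat-traversal would select for translation. The host addresses passed to the functions are constructed samples, and the parser assumes only the `permit|deny ip SRC DST` form used on this page.

```python
import ipaddress

# ACL 101 as posted in the original question and as proposed in the reply.
ORIGINAL_101 = """\
access-list 101 deny   ip 172.22.22.0 0.0.0.255 173.50.165.24 0.0.0.7
access-list 101 deny   ip 173.50.165.24 0.0.0.7 172.22.22.0 0.0.0.255
access-list 101 permit ip 172.22.22.0 0.0.0.255 any
access-list 101 deny   ip any any
"""
PROPOSED_101 = """\
access-list 101 deny ip 172.22.22.0 0.0.0.255 173.50.165.0 0.0.0.255
access-list 101 deny ip 173.50.165.0 0.0.0.255 172.22.22.0 0.0.0.255
access-list 101 permit ip any any
"""

def _take_addr(tokens):
    """Consume 'any' or 'address wildcard' and return (address, wildcard) as ints."""
    if tokens[0] == "any":
        del tokens[0]
        return 0, 0xFFFFFFFF
    addr, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    del tokens[:2]
    return addr, wild

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered rules."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        action, rest = tokens[2], tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        rules.append((action, src, dst))
    return rules

def _hit(ip, entry):
    addr, wild = entry
    # Wildcard bits set to 1 are "don't care"; every other bit must be equal.
    return (int(ipaddress.IPv4Address(ip)) ^ addr) & ~wild & 0xFFFFFFFF == 0

def acl_action(rules, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, s, d in rules:
        if _hit(src, s) and _hit(dst, d):
            return action
    return "deny"

def is_translated(acl_text, src, dst):
    """True if 'match ip address 101' in route-map nat-traversal selects the flow."""
    return acl_action(parse_acl(acl_text), src, dst) == "permit"
```

For a private host talking to a bridged-subnet address outside 173.50.165.24-31, `is_translated` returns True with the original list and False with the proposed one; traffic to an off-subnet destination is translated under both.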

