[c-nsp] Multiple NAT & Rerouting Web Traffic
Ray Davis
ray-lists at carpe.net
Tue Sep 7 12:57:13 EDT 2010
Thanks for the help!
I tried my previous test config again except with this difference...
ip access-list extended NAT_Exempt
deny tcp any any eq www
deny tcp any any eq 443
deny ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
permit ip 192.168.8.0 0.0.0.255 any
If I do a "sh ip nat translations" it looks like HTTP traffic is being NATed correctly:
HTTP Traffic (123.123.123.123 is the VDSL ip address):
tcp 123.123.123.123:14757 192.168.8.1:14757 212.96.133.192:80 212.96.133.192:80
Non-HTTP Traffic (12.34.12.34 is the SDSL ip address (default)):
tcp 12.34.12.34:50004 192.168.8.115:50004 93.133.195.154:5938 93.133.195.154:5938
But it doesn't seem to go out the correct interface. At least there is never an HTTP connection made. :/
Cheers,
Ray
On 6. Sep 2010, at 22:35 Uhr, Jan Gregor wrote:
> Hi,
>
>> access-list 110 remark ***** ACL route-map RerouteWebTraffic *****
>> access-list 110 permit tcp any any eq www
>> access-list 110 permit tcp any any eq 443
>>
>> route-map sdsl permit 10
>> match ip address NAT_Exempt
>>
>> ip access-list extended NAT_Exempt
>> deny ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
>> deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
>> permit ip 192.168.8.0 0.0.0.255 any
>
> I guess this is the problem. Try denying things allowed in acl 110 away
> from acl NAT_Exempt and see if that helps (be sure that these new denies
> are before permit in that acl).
>
> Best regards,
>
> Jan
>
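The ACL overlap Jan points at can be checked offline. The following is an added example, not code from the thread or from Cisco: it evaluates the two ACLs quoted above (the original NAT_Exempt and the revised one with the www/443 denies) against the two flows from Ray's NAT table, using IOS first-match semantics with the implicit trailing deny. It parses only the subset of extended-ACL syntax that appears on this page (permit/deny, ip/tcp, any/host/wildcard addresses, optional "eq <port>"); the ACL names and flow tuples are assumptions built from the post.

```python
import ipaddress

# ACL text copied from the thread; NAT_EXEMPT_NEW is Ray's revised list with the denies first.
ACL_110 = """access-list 110 remark ***** ACL route-map RerouteWebTraffic *****
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443"""
NAT_EXEMPT_OLD = """deny ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
permit ip 192.168.8.0 0.0.0.255 any"""
NAT_EXEMPT_NEW = "deny tcp any any eq www\ndeny tcp any any eq 443\n" + NAT_EXEMPT_OLD

def _addr(toks, i):
    """Consume one address spec (any | host A | A WILDCARD); return (network, next index)."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1]), i + 2
    # ipaddress accepts "A/0.0.0.255" as hostmask (IOS wildcard) notation
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}"), i + 2

def parse_acl(text):
    """Parse numbered or named IOS extended-ACL lines into (permit, proto, src, dst, dport)."""
    entries = []
    for line in text.splitlines():
        toks = line.split()
        if toks[:1] == ["access-list"]:
            toks = toks[2:]                       # numbered form: drop "access-list 110"
        if not toks or toks[0] not in ("permit", "deny"):
            continue                              # remark or blank line
        src, i = _addr(toks, 2)
        dst, i = _addr(toks, i)
        port = None
        if i + 1 < len(toks) and toks[i] == "eq":
            port = {"www": 80}.get(toks[i + 1]) or int(toks[i + 1])
        entries.append((toks[0] == "permit", toks[1], src, dst, port))
    return entries

def acl_permits(entries, proto, src, dst, dport):
    """IOS first-match evaluation; an ACL with no matching entry denies implicitly."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for permit, p, snet, dnet, port in entries:
        if p in ("ip", proto) and s in snet and d in dnet and port in (None, dport):
            return permit
    return False

def classify(flow, acls):
    """Names of the ACLs that permit a flow; two names means two policies compete for it."""
    return sorted(name for name, text in acls.items() if acl_permits(parse_acl(text), *flow))

HTTP = ("tcp", "192.168.8.1", "212.96.133.192", 80)        # flows taken from the NAT table
OTHER = ("tcp", "192.168.8.115", "93.133.195.154", 5938)
```

With the original NAT_Exempt the HTTP flow is permitted by both ACL 110 and NAT_Exempt; with the www/443 denies in front only ACL 110 claims it, while the port-5938 flow still falls to NAT_Exempt.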