[c-nsp] Multiple NAT & Rerouting Web Traffic
Roger Wiklund
roger.wiklund at gmail.com
Tue Sep 7 16:18:29 EDT 2010
Check this link out,
http://forums.whirlpool.net.au/archive/1498451
On Tue, Sep 7, 2010 at 6:57 PM, Ray Davis <ray-lists at carpe.net> wrote:
> Thanks for the help!
>
> I tried my previous test config again except with this difference...
>
> ip access-list extended NAT_Exempt
> deny tcp any any eq www
> deny tcp any any eq 443
> deny ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
> deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
> permit ip 192.168.8.0 0.0.0.255 any
>
> If I do a "sh ip nat translations" it looks like http traffic is being NATed correctly:
>
> HTTP Traffic (123.123.123.123 is the VDSL ip address):
> tcp 123.123.123.123:14757 192.168.8.1:14757 212.96.133.192:80 212.96.133.192:80
>
> Non-HTTP Traffic (12.34.12.34 is the SDSL ip address (default)):
> tcp 12.34.12.34:50004 192.168.8.115:50004 93.133.195.154:5938 93.133.195.154:5938
>
> But doesn't seem to go out the correct interface. At least there is never an http connection made. :/
>
> Cheers,
> Ray
>
> On 6 Sep 2010, at 22:35, Jan Gregor wrote:
>
>> Hi,
>>
>>> access-list 110 remark ***** ACL route-map RerouteWebTraffic *****
>>> access-list 110 permit tcp any any eq www
>>> access-list 110 permit tcp any any eq 443
>>>
>>> route-map sdsl permit 10
>>> match ip address NAT_Exempt
>>>
>>> ip access-list extended NAT_Exempt
>>> deny ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
>>> deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
>>> permit ip 192.168.8.0 0.0.0.255 any
>>
>> I guess this is the problem. Try denying things allowed in acl 110 away
>> from acl NAT_Exempt and see if that helps (be sure that these new denies
>> are before permit in that acl).
>>
>> Best regards,
>>
>> Jan
>>
>
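Jan's advice depends on first-match ACL evaluation: an entry only takes effect if no earlier entry already matched the packet. As an added example (not part of any message in the thread), the Python below evaluates the NAT_Exempt entries quoted above against the two flows from Ray's translation output; the parser is an assumption-level model that handles only the entry forms appearing in this thread.

```python
import ipaddress

PORTS = {"www": 80}  # the only IOS port keyword used in the thread

# Ray's revised NAT_Exempt, copied from the thread.
REVISED = """\
deny tcp any any eq www
deny tcp any any eq 443
deny ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
permit ip 192.168.8.0 0.0.0.255 any"""
ORIGINAL = "\n".join(REVISED.splitlines()[2:])      # before the www/443 denies
MISORDERED = "\n".join(REVISED.splitlines()[::-1])  # constructed: permit first

def _addr(tok):
    """Consume 'any' or 'network wildcard' from the front of the token list."""
    if tok[0] == "any":
        return None, tok[1:]
    net = int(ipaddress.ip_address(tok[0]))
    wild = int(ipaddress.ip_address(tok[1]))
    return (net, wild), tok[2:]

def parse(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        action, proto, tok = tok[0], tok[1], tok[2:]
        src, tok = _addr(tok)
        dst, tok = _addr(tok)
        port = None
        if tok[:1] == ["eq"]:
            port = PORTS.get(tok[1]) or int(tok[1])
        rules.append((action, proto, src, dst, port))
    return rules

def _hit(spec, ip):
    if spec is None:  # 'any'
        return True
    net, wild = spec  # wildcard bits set to 1 are ignored in the comparison
    return (int(ipaddress.ip_address(ip)) | wild) == (net | wild)

def evaluate(rules, proto, src, dst, dport=None):
    """Return the action of the first matching entry, else the implicit deny."""
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto not in ("ip", proto):
            continue
        if rport is not None and rport != dport:
            continue
        if _hit(rsrc, src) and _hit(rdst, dst):
            return action
    return "deny"
```

With `REVISED`, the HTTP flow from 192.168.8.1 is denied by the first entry and so no longer matches `route-map sdsl`, while the port 5938 flow still reaches the final permit; with `MISORDERED`, the leading permit matches first and the web denies never take effect.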