[c-nsp] Multiple NAT & Rerouting Web Traffic
Ray Davis
ray-lists at carpe.net
Thu Sep 9 10:43:06 EDT 2010
Hi Jan,
Not. I already tried "set interface Dialer3" instead of the next-hop. :/
Thanks,
Ray
On 8. Sep 2010, at 14:47, Jan Gregor wrote:
> Hi,
>
> glad that the first part worked. I would suggest changing the PBR route-map to
> "set interface Dialer3". Maybe that helps, maybe not :).
>
> Best regards,
>
> Jan
>
> On 09/07/2010 06:57 PM, Ray Davis wrote:
>> Thanks for the help!
>>
>> I tried my previous test config again except with this difference...
>>
>> ip access-list extended NAT_Exempt
>>  deny tcp any any eq www
>>  deny tcp any any eq 443
>>  deny ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
>>  deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
>>  permit ip 192.168.8.0 0.0.0.255 any
>>
>> If I do a "sh ip nat translations" it looks like http traffic is being NATed correctly:
>>
>> HTTP Traffic (123.123.123.123 is the VDSL ip address):
>> tcp 123.123.123.123:14757 192.168.8.1:14757 212.96.133.192:80 212.96.133.192:80
>>
>> Non-HTTP Traffic (12.34.12.34 is the SDSL ip address (default)):
>> tcp 12.34.12.34:50004 192.168.8.115:50004 93.133.195.154:5938 93.133.195.154:5938
>>
>> But doesn't seem to go out the correct interface. At least there is never an http connection made. :/
>>
>> Cheers,
>> Ray
>>
>> On 6. Sep 2010, at 22:35, Jan Gregor wrote:
>>
>>> Hi,
>>>
>>>> access-list 110 remark ***** ACL route-map RerouteWebTraffic *****
>>>> access-list 110 permit tcp any any eq www
>>>> access-list 110 permit tcp any any eq 443
>>>>
>>>> route-map sdsl permit 10
>>>>  match ip address NAT_Exempt
>>>>
>>>> ip access-list extended NAT_Exempt
>>>>  deny ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
>>>>  deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
>>>>  permit ip 192.168.8.0 0.0.0.255 any
>>>
>>> I guess this is the problem. Try denying things allowed in acl 110 away
>>> from acl NAT_Exempt and see if that helps (be sure that these new denies
>>> are before permit in that acl).
>>>
>>> Best regards,
>>>
>>> Jan
>>>
>>
>
>
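
Added example, not part of the thread: a small first-match evaluator for the extended-ACL entries quoted above, showing why the www/443 denies only take effect in NAT_Exempt when they sit before the final permit. The Python helper names and the MISORDERED list are assumptions made for illustration; the two sample flows come from the "sh ip nat translations" output quoted in the thread.

```python
import ipaddress

def _addr(tok, i):
    # "any" is a wildcard of all ones; otherwise "<base> <wildcard-mask>"
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    to_int = lambda s: int(ipaddress.IPv4Address(s))
    return (to_int(tok[i]), to_int(tok[i + 1])), i + 2

def parse_ace(line):
    # Handles only the entry forms that appear in the thread.
    tok = line.split()
    src, i = _addr(tok, 2)
    dst, i = _addr(tok, i)
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = 80 if tok[i + 1] == "www" else int(tok[i + 1])
    return tok[0], tok[1], src, dst, port

def _ip_match(ip, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF          # wildcard bits set to 1 are ignored
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)

def evaluate(acl, proto, src, dst, dport):
    # The first matching entry decides; nothing after it is consulted.
    for line in acl:
        action, p, s, d, port = parse_ace(line)
        if p not in ("ip", proto):
            continue
        if not (_ip_match(src, s) and _ip_match(dst, d)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"                          # implicit deny at the end of an ACL

NEW_DENIES = ["deny tcp any any eq www", "deny tcp any any eq 443"]
ORIGINAL = [
    "deny ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255",
    "deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255",
    "permit ip 192.168.8.0 0.0.0.255 any",
]
REVISED = NEW_DENIES + ORIGINAL            # ordering from the 7 Sep message
MISORDERED = ORIGINAL + NEW_DENIES         # constructed: denies after the permit

HTTP_FLOW = ("tcp", "192.168.8.1", "212.96.133.192", 80)
OTHER_FLOW = ("tcp", "192.168.8.115", "93.133.195.154", 5938)
```

A "permit" result means the flow matches route-map sdsl; with MISORDERED the HTTP flow still hits the broad permit first, which is the ordering Jan warns about.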