[c-nsp] Multiple NAT & Rerouting Web Traffic

Ray Davis ray-lists at carpe.net
Thu Sep 9 11:26:40 EDT 2010


That example is matching on IP address (rather than protocol), but I see some differences in what I've been doing.  Will try it as soon as I get a chance.

Thanks,
Ray

On 7 Sep 2010, at 22:18, Roger Wiklund wrote:

> Check this link out,
> 
> http://forums.whirlpool.net.au/archive/1498451
> 
> On Tue, Sep 7, 2010 at 6:57 PM, Ray Davis <ray-lists at carpe.net> wrote:
>> Thanks for the help!
>> 
>> I tried my previous test config again except with this difference...
>> 
>>    ip access-list extended NAT_Exempt
>>    deny tcp any any eq www
>>    deny tcp any any eq 443
>>    deny   ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
>>    deny   ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
>>    permit ip 192.168.8.0 0.0.0.255 any
>> 
>> If I do a "sh ip nat translations" it looks like http traffic is being NATed correctly:
>> 
>> HTTP Traffic (123.123.123.123 is the VDSL ip address):
>>  tcp 123.123.123.123:14757   192.168.8.1:14757     212.96.133.192:80     212.96.133.192:80
>> 
>> Non-HTTP Traffic (12.34.12.34 is the SDSL ip address (default)):
>>  tcp 12.34.12.34:50004     192.168.8.115:50004   93.133.195.154:5938   93.133.195.154:5938
>> 
>> But it doesn't seem to go out the correct interface.  At least there is never an http connection made.  :/
>> 
>> Cheers,
>> Ray
>> 
>> On 6 Sep 2010, at 22:35, Jan Gregor wrote:
>> 
>>> Hi,
>>> 
>>>> access-list 110 remark ***** ACL route-map RerouteWebTraffic *****
>>>> access-list 110 permit tcp any any eq www
>>>> access-list 110 permit tcp any any eq 443
>>>> 
>>>> route-map sdsl permit 10
>>>> match ip address NAT_Exempt
>>>> 
>>>> ip access-list extended NAT_Exempt
>>>> deny   ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
>>>> deny   ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
>>>> permit ip 192.168.8.0 0.0.0.255 any
>>> 
>>> I guess this is the problem. Try denying things allowed in acl 110 away
>>> from acl NAT_Exempt and see if that helps (be sure that these new denies
>>> are before permit in that acl).
>>> 
>>> Best regards,
>>> 
>>> Jan
>>> 
>> 
>> 
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>> 
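Jan's point is that the two ACLs overlapped: an HTTP flow from 192.168.8.0/24 was permitted by both ACL 110 and the original NAT_Exempt, so whichever route-map or NAT rule consulted NAT_Exempt first also claimed the web traffic. The script below is an added example (it is not part of the thread and says nothing about the rest of Ray's configuration, which is not shown). It models IOS extended-ACL first-match evaluation for the ACE syntax quoted above, then replays ACL 110 and NAT_Exempt, before and after the added denies, against the two flows visible in Ray's "sh ip nat translations" output plus one constructed LAN-to-LAN flow, and reports which flows both ACLs permit. The 192.168.8.20 -> 192.168.6.10 flow is constructed for the example; the semantics assumed are the standard IOS ones: ACEs are evaluated top-down, the first match decides, there is an implicit deny at the end, and for an ACL referenced by a route-map "match ip address" or a NAT "ip nat inside source list" a deny means "not selected by this rule", not "dropped".

```python
"""First-match evaluation of Cisco IOS extended ACLs (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    permit: bool
    proto: str             # "ip" matches any protocol
    src: tuple             # (address, wildcard) or ("any", None)
    dst: tuple
    dport: Optional[int]   # None when the ACE has no 'eq' clause


PORT_NAMES = {"www": 80, "https": 443}  # names IOS accepts after 'eq'


def _parse_addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return ("any", None), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_ace(line):
    tok = line.split()
    if tok[0] == "remark":
        return None
    src, i = _parse_addr(tok, 2)
    dst, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(tok[0] == "permit", tok[1], src, dst, dport)


def parse_acl(lines):
    return [ace for ace in (parse_ace(l) for l in lines) if ace is not None]


def _addr_match(spec, addr):
    net, wildcard = spec
    if net == "any":
        return True
    # IOS wildcard mask: set bits are "don't care", so compare only the clear bits.
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(net)) & care)


def ace_matches(ace, flow):
    return ((ace.proto == "ip" or ace.proto == flow.proto)
            and _addr_match(ace.src, flow.src)
            and _addr_match(ace.dst, flow.dst)
            and (ace.dport is None or ace.dport == flow.dport))


def permits(acl, flow):
    """First matching ACE decides; no match at all is the implicit deny."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.permit
    return False


def permitted_by_both(acl_a, acl_b, flows):
    """Flows that both ACLs permit, i.e. where two route-map/NAT rules would compete."""
    return [f for f in flows if permits(acl_a, f) and permits(acl_b, f)]


# ACLs exactly as quoted in the thread.
ACL_110 = parse_acl(["permit tcp any any eq www", "permit tcp any any eq 443"])
NAT_EXEMPT_OLD_LINES = [
    "deny ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255",
    "deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255",
    "permit ip 192.168.8.0 0.0.0.255 any",
]
NAT_EXEMPT_OLD = parse_acl(NAT_EXEMPT_OLD_LINES)
NAT_EXEMPT_NEW = parse_acl(["deny tcp any any eq www", "deny tcp any any eq 443"] + NAT_EXEMPT_OLD_LINES)

HTTP_FLOW = Flow("tcp", "192.168.8.1", "212.96.133.192", 80)       # from Ray's NAT table
OTHER_FLOW = Flow("tcp", "192.168.8.115", "93.133.195.154", 5938)  # from Ray's NAT table
LAN_FLOW = Flow("tcp", "192.168.8.20", "192.168.6.10", 80)         # constructed LAN-to-LAN flow
FLOWS = [HTTP_FLOW, OTHER_FLOW, LAN_FLOW]

if __name__ == "__main__":
    for name, acl in (("old NAT_Exempt", NAT_EXEMPT_OLD), ("new NAT_Exempt", NAT_EXEMPT_NEW)):
        print(f"{name}: also permitted by ACL 110 -> {permitted_by_both(ACL_110, acl, FLOWS)}")
```

With the original NAT_Exempt the HTTP flow is permitted by both ACLs; with the two denies added in front it is permitted only by ACL 110, while the port 5938 flow still matches NAT_Exempt and the LAN-to-LAN flow matches neither NAT rule. The same check is worth running whenever several route-map sequences or NAT rules each match on their own ACL, since IOS gives no warning when their permit sets overlap.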



