[f-nsp] NAT / routing /IP fwd issue

elliot moore elliot at devnull.org.uk
Tue Dec 7 08:21:35 EST 2004


Thank you very much
That did the trick!


ip nat pool MYPOOL abc.efg.hij.10 abc.efg.hij.10 netmask 255.255.255.224
ip nat inside source list 100 pool MYPOOL overload

access-list 100 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip 10.0.0.0 0.0.0.255 any


ells..
/me pats his Foundry!




On 6 Dec 2004, at 21:24, Gerlof.Dijk wrote:

>
> You have to define an extended ACL
>
> ip nat inside source list 100 pool Nat-Pool overload
> ip nat pool Nat-Pool a.b.c.x a.b.c.x netmask 255.255.255.224
>
> access-list 100 deny 192.168.0.0/24 10.0.0.0/24
> access-list 100 deny 10.0.0.0/24 192.168.0.0/24
> access-list 100 permit 192.168.0.0/24 any
> access-list 100 deny 10.0.0.0/24 any
>
> BTW: you'd better use a NAT pool instead of a static NAT address, because
> static NAT is bidirectional.
>
>
>
> -----Original message-----
> From: foundry-nsp-bounces at puck.nether.net
> [mailto:foundry-nsp-bounces at puck.nether.net] On behalf of elliot moore
> Sent: Monday 6 December 2004 18:37
> To: foundry-nsp at puck.nether.net
> Subject: [f-nsp] NAT / routing /IP fwd issue
>
> Hello!
> I have an 8-port ServerIron XL (forwarding traffic to/from multiple
> sub-nets in separate broadcast domains).
>
> (For this email, I substitute my real ip range with aa.bb.cc.0/27)
>
> Setup
> ====
> vlan1 - public IPs   aa.bb.cc.0/27   - ve1
> vlan2 - private IPs  10.0.0.0/24     - ve2
> vlan3 - private IPs  192.168.0.0/24  - ve3
> The ServerIron is the default gateway for hosts on both private networks.
>
> It load-balances traffic from 10.0.0.0/24 to 192.168.0.0/24, and
> aa.bb.cc.0/27 -> 10.0.0.0/24, and aa.bb.cc.0/27 -> 192.168.0.0/24.
>
>
> Problem
> =======
> I NAT a host, 192.168.0.15, to a public IP so it can have Internet access.
>
> My problem is that the ServerIron also NATs 192.168.0.15 when it connects
> to the 10.0.0.0 network, resulting in a source address of aa.bb.cc.10.
> The same happens if I give a public NAT mapping to a host in the 10.0.0.0
> network: if it then connects to a host in the 192.168.0.0 network it is
> also NATted with a public address.
>
> Is there a way I can configure the ServerIron to only NAT for access to
> 0.0.0.0 (Internet access) and not to 10.0.0.0/192.168.0.0?
>
>
> Thanks in advance!
> ells..
>
>
>
>
> Helpful config extracts?
> =================
>
> SW: Version 07.3.03T12
>
> #sh ip route
>      Destination      NetMask            Gateway        Port   Cost  Type
> 1    10.0.0.0         255.255.255.0      0.0.0.0        Ve 2   1     D
> 2    aa.bb.cc.0       255.255.255.224    0.0.0.0        Ve 1   1     D
> 3    192.168.0.0      255.255.255.0      0.0.0.0        Ve 3   1     D
> 4    0.0.0.0          0.0.0.0            aa.bb.cc.1     Ve 1   1     S
>
> ip forward
> ip address 192.168.0.254 255.255.255.0
> ip nat inside
> ip nat inside source static 192.168.0.15 aa.bb.cc.10
>
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp
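The ACL in the working config at the top of this message is the whole fix: `ip nat inside source list 100 pool MYPOOL overload` translates only the flows that access-list 100 permits, so denying the two private-to-private pairs before the `permit ... any` line keeps them untranslated. The following is an added example, not code from this post or from Foundry, that implements wildcard-mask, first-match ACL evaluation with the implicit trailing deny in Python, parses the four posted `access-list 100` lines, and reports which source address a destination would see. The pool address 203.0.113.10 stands in for the redacted aa.bb.cc.10, and the destination 198.51.100.7 is a constructed Internet host; both are assumptions, not from the thread.

```python
"""Simulate which flows the posted NAT ACL selects for translation.

Added example, not from the list post. Models Cisco/Foundry-style
extended ACL semantics: wildcard masks (a 1 bit means "don't care"),
first matching entry wins, and an implicit deny at the end.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str     # "permit" or "deny"
    src: str        # source network address
    src_wild: str   # source wildcard mask
    dst: str        # destination network address
    dst_wild: str   # destination wildcard mask


def _ip(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def _take_addr(fields):
    """Consume one address spec: 'any', 'host A', or 'NET WILDCARD'."""
    if fields[0] == "any":
        return "0.0.0.0", "255.255.255.255", fields[1:]
    if fields[0] == "host":
        return fields[1], "0.0.0.0", fields[2:]
    return fields[0], fields[1], fields[2:]


def parse_ace(line: str):
    """Parse 'access-list N {permit|deny} ip SRC SWILD DST DWILD'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line!r}")
    acl_num, action = tok[1], tok[2]
    src, swild, rest = _take_addr(tok[4:])
    dst, dwild, _ = _take_addr(rest)
    return acl_num, Ace(action, src, swild, dst, dwild)


def matches(addr: str, net: str, wild: str) -> bool:
    # Compare only the bits where the wildcard mask is 0.
    keep = ~_ip(wild) & 0xFFFFFFFF
    return (_ip(addr) & keep) == (_ip(net) & keep)


def acl_permits(acl, src: str, dst: str) -> bool:
    """First-match evaluation; no match at all is the implicit deny."""
    for ace in acl:
        if matches(src, ace.src, ace.src_wild) and matches(dst, ace.dst, ace.dst_wild):
            return ace.action == "permit"
    return False


# The four lines from the working config, verbatim.
ACL_100_TEXT = """
access-list 100 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip 10.0.0.0 0.0.0.255 any
"""
ACL_100 = [parse_ace(l)[1] for l in ACL_100_TEXT.splitlines() if l.strip()]

# Placeholder for the redacted aa.bb.cc.10 pool address (assumption).
POOL_ADDR = "203.0.113.10"


def nat_source(src: str, dst: str, acl=ACL_100, pool: str = POOL_ADDR) -> str:
    """Source address dst sees after 'ip nat inside source list 100 pool ... overload'."""
    return pool if acl_permits(acl, src, dst) else src


if __name__ == "__main__":
    # Constructed sample flows; 198.51.100.7 plays the Internet host.
    for s, d in [("192.168.0.15", "10.0.0.5"), ("192.168.0.15", "198.51.100.7"),
                 ("10.0.0.5", "192.168.0.15"), ("10.0.0.5", "198.51.100.7"),
                 ("172.16.0.1", "198.51.100.7")]:
        print(f"{s:>14} -> {d:<14} seen as {nat_source(s, d)}")
```

Note what the last ACL line buys: with `deny ip 10.0.0.0 0.0.0.255 any` (and the implicit deny behind it) hosts on 10.0.0.0/24 never use the pool at all, and 192.168.0.0/24 is translated only towards destinations outside 10.0.0.0/24. The ACL only decides which inside-to-outside flows get translated; it does not change the point Gerlof makes about `ip nat inside source static`, which is bidirectional and therefore also forwards inbound connections to the public address, which is why the pool was used instead.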