[rbak-nsp] NAT Exclude ACL
Michał Przywuski
mprzywuski at jmdi.pl
Thu Aug 10 08:36:57 EDT 2017
Hi, I am looking for a method to exclude some class from NAT (for example
10.0.0.0/8).
I have this configuration, but the Redback drops packets belonging to 10.0.0.0/8.
Where did I make a mistake?
[CLIPS]Dareek(config-policy-nat)#show configuration
Building configuration...
Current configuration:
!
context CLIPS
!
no ip domain-lookup
!
nat logging-profile nat-logging-profile
export-version v9
maximum ip-packet-size 1400
source 10.3.37.179 port 37777
!
!
ip nat pool nat-pool-1 napt paired-mode logging
paired-mode subscriber over-subscription 64 port-limit 2000
logging-profile nat-logging-profile
address 185.102.191.242/32 port-block 0 to 15
!
ip nat pool natpool napt multibind
!
nat policy nat-policy enhanced
connections tcp maximum 1000
connections udp maximum 1000
! Default class
pool nat-pool-1 CLIPS
endpoint-independent filtering tcp
endpoint-independent filtering udp
inbound-refresh udp
icmp-notification
! Named classes
access-group NAT-ACL
class CLASS-IGN
ignore
inbound-refresh udp
icmp-notification
!
nat policy natpolicy
! Default class
pool natpool clips
inbound-refresh udp
icmp-notification
!
interface Biuro
!
interface Radius loopback
ip address 185.102.191.243/32
!
interface TEST
ip address 80.238.114.186/30
!
interface To-Cisco-Pol
ip address 10.29.0.1/30
!
interface ZEW multibind
ip address 185.102.191.245/30
dhcp server interface
!
interface clips multibind
ip address 10.10.10.1/24
dhcp server interface
!
interface clips-nat multibind
ip address 172.25.36.1/24
dhcp server interface
logging console
logging syslog 10.1.10.15 facility local7
!
policy access-list NAT-ACL
seq 10 permit ip any 10.0.0.0 0.255.255.255 class CLASS-IGN
!
aaa authentication administrator local
aaa authentication administrator maximum sessions 1
aaa authentication subscriber radius
!
radius server 10.3.14.24 encrypted-key 29301649C0017C21
!
subscriber default
dhcp max-addrs 5
!
ip route 0.0.0.0/0 context BGP
ip route 10.0.0.0/8 10.29.0.2
!
dhcp server policy
subnet 10.10.10.0/24
range 10.10.10.100 10.10.10.200
option router 10.10.10.1
option domain-name-server 8.8.8.8
subnet 172.25.36.0/24
range 172.25.36.100 172.25.36.200
option router 172.25.36.1
option domain-name-server 8.8.8.8
subnet 185.102.191.244/30
range 185.102.191.245 185.102.191.246
option router 185.102.191.245
option domain-name-server 8.8.8.8
!
!
!
end
--
Michał Przywuski
Network administrator.