[rbak-nsp] NAT Exclude ACL

Rafal golem at mtm-info.pl
Thu Aug 10 16:27:28 EDT 2017


Hello Michał,

I have it working like this:
 nat policy ip_example_nat_policy
! Default class
  ignore
  inbound-refresh udp
  icmp-notification
! Named classes
  access-group NATACL
   class NAT
    pool ip_example_nat testcontext
    timeout tcp 6000
    endpoint-independent filtering udp
    inbound-refresh udp
    icmp-notification
   class NATLESS
    ignore
    inbound-refresh udp
    icmp-notification


 policy access-list NATACL
  seq 15 permit ip 192.168.0.0 0.0.255.255 host 10.0.0.1 class NATLESS
  seq 18 permit ip 192.168.0.0 0.0.255.255 host 11.0.0.1 class NATLESS
  seq 20 permit ip 192.168.0.0 0.0.255.255 class NAT


Rafał



Thursday, August 10, 2017, 2:36:57 PM, you wrote:

> Hi, I am looking for a method to exclude some class from NAT (for example
> 10.0.0.0/8).

> I have this configuration, but the Redback drops packets belonging to 10.0.0.0/8.

> Where did I make a mistake?


> CLIPS]Dareek(config-policy-nat)#show configuration
> Building configuration...

> Current configuration:
> !
> context CLIPS
> !
>   no ip domain-lookup
> !
>   nat logging-profile nat-logging-profile
>    export-version v9
>    maximum ip-packet-size 1400
>    source 10.3.37.179 port 37777
> !
> !
>   ip nat pool nat-pool-1 napt paired-mode logging
>    paired-mode subscriber over-subscription 64 port-limit 2000
>    logging-profile nat-logging-profile
>    address 185.102.191.242/32 port-block 0 to 15
> !
>   ip nat pool natpool napt multibind
> !
>   nat policy nat-policy enhanced
>    connections tcp maximum 1000
>    connections udp maximum 1000
> ! Default class
>    pool nat-pool-1 CLIPS
>    endpoint-independent filtering tcp
>    endpoint-independent filtering udp
>    inbound-refresh udp
>    icmp-notification
> ! Named classes
>    access-group NAT-ACL
>     class CLASS-IGN
>      ignore
>      inbound-refresh udp
>      icmp-notification
> !
>   nat policy natpolicy
> ! Default class
>    pool natpool clips
>    inbound-refresh udp
>    icmp-notification
> !
>   interface Biuro
> !
>   interface Radius loopback
>    ip address 185.102.191.243/32
> !
>   interface TEST
>    ip address 80.238.114.186/30
> !
>   interface To-Cisco-Pol
>    ip address 10.29.0.1/30
> !
>   interface ZEW multibind
>    ip address 185.102.191.245/30
>    dhcp server interface
> !
>   interface clips multibind
>    ip address 10.10.10.1/24
>    dhcp server interface
> !
>   interface clips-nat multibind
>    ip address 172.25.36.1/24
>    dhcp server interface
>   logging console
>   logging syslog 10.1.10.15 facility local7
> !
>   policy access-list NAT-ACL
>    seq 10 permit ip any 10.0.0.0 0.255.255.255 class CLASS-IGN
> !
>   aaa authentication administrator local
>   aaa authentication administrator maximum sessions 1
>   aaa authentication subscriber radius
> !
>   radius server 10.3.14.24 encrypted-key 29301649C0017C21
> !
>   subscriber default
>     dhcp max-addrs 5
> !
>   ip route 0.0.0.0/0 context BGP
>   ip route 10.0.0.0/8 10.29.0.2
> !
>   dhcp server policy
>     subnet 10.10.10.0/24
>       range 10.10.10.100 10.10.10.200
>       option router 10.10.10.1
>       option domain-name-server 8.8.8.8
>     subnet 172.25.36.0/24
>       range 172.25.36.100 172.25.36.200
>       option router 172.25.36.1
>       option domain-name-server 8.8.8.8
>     subnet 185.102.191.244/30
>       range 185.102.191.245 185.102.191.246
>       option router 185.102.191.245
>       option domain-name-server 8.8.8.8
> !
> !
> !
> end




-- 
Best regards,
Ozga Rafal                          mailto:golem at mtm-info.pl
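To make the difference between the two policies visible, here is an added model of class-based NAT policy classification; it is constructed for this thread and is not Redback/SmartEdge code. It assumes (as a model, not verified platform behaviour) that the policy access-list is evaluated in ascending seq order with wildcard masks, that the first match selects the named class, and that a flow matching no entry falls through to the policy's default class. The two ACLs and the class actions are the ones posted above; the flows fed through them are constructed sample addresses. It shows which action each flow would get under that model and does not explain the drop reported in the question.

```python
"""Model of a class-based NAT policy ACL (constructed example, not Redback's own code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")  # all-ones wildcard: every address matches


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard-mask compare: bits set in the wildcard are don't-care bits."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (n & care)


@dataclass(frozen=True)
class AclEntry:
    seq: int
    src: tuple   # (network, wildcard)
    dst: tuple   # (network, wildcard)
    cls: str     # named class the entry maps traffic to


def _take_addr_spec(tokens: list) -> tuple:
    """Consume 'any', 'host A.B.C.D' or 'NET WILDCARD' from the front of the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (tok, tokens.pop(0))


def parse_acl(text: str) -> list:
    """Parse 'seq N permit ip SRC [DST] class NAME' lines; a missing DST means any."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "seq":
            continue  # skip the 'policy access-list' header and blank lines
        seq = int(tokens[1])
        assert tokens[2:4] == ["permit", "ip"], line
        rest = tokens[4:]
        src = _take_addr_spec(rest)
        dst = ANY if rest[0] == "class" else _take_addr_spec(rest)
        assert rest[0] == "class", line
        entries.append(AclEntry(seq, src, dst, rest[1]))
    return sorted(entries, key=lambda e: e.seq)  # evaluation order assumed: ascending seq


def classify(acl: list, src: str, dst: str) -> Optional[str]:
    """First matching entry wins; None means no named class matched."""
    for e in acl:
        if wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst):
            return e.cls
    return None


def resolve(policy: dict, acl: list, src: str, dst: str) -> str:
    """Action for a flow: the matched class's action, else the default class's (assumed fall-through)."""
    cls = classify(acl, src, dst)
    if cls is not None and cls in policy["classes"]:
        return policy["classes"][cls]
    return policy["default"]


# Working policy from the reply: default class ignores, named classes NAT or ignore.
WORKING_ACL = parse_acl("""
 policy access-list NATACL
  seq 15 permit ip 192.168.0.0 0.0.255.255 host 10.0.0.1 class NATLESS
  seq 18 permit ip 192.168.0.0 0.0.255.255 host 11.0.0.1 class NATLESS
  seq 20 permit ip 192.168.0.0 0.0.255.255 class NAT
""")
WORKING_POLICY = {"default": "ignore",
                  "classes": {"NAT": "pool ip_example_nat", "NATLESS": "ignore"}}

# Policy from the quoted question: default class NATs, the only named class ignores.
QUESTION_ACL = parse_acl("""
 policy access-list NAT-ACL
  seq 10 permit ip any 10.0.0.0 0.255.255.255 class CLASS-IGN
""")
QUESTION_POLICY = {"default": "pool nat-pool-1", "classes": {"CLASS-IGN": "ignore"}}

if __name__ == "__main__":
    # Constructed sample flows: a subscriber address talking to an internal and an external host.
    for src, dst in [("192.168.1.5", "10.0.0.1"), ("192.168.1.5", "8.8.8.8"), ("172.16.0.1", "8.8.8.8")]:
        print("working ", src, "->", dst, ":", resolve(WORKING_POLICY, WORKING_ACL, src, dst))
    for src, dst in [("10.10.10.50", "10.3.14.24"), ("10.10.10.50", "8.8.8.8")]:
        print("question", src, "->", dst, ":", resolve(QUESTION_POLICY, QUESTION_ACL, src, dst))
```

Running it prints, for each flow, the class action the model selects, so you can see at a glance which flows land in the default class under each policy and compare that with what the box actually does.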


