Question : route-map nonat permit ???
I have a routing problem, but before I post the problem itself I've got a series of questions about the configuration.
In the following configuration, what do the last two lines of this four-line set do:
access-list 129 deny ip 10.98.0.0 0.0.255.255 10.217.0.0 0.0.255.255
access-list 129 permit ip 10.98.0.0 0.0.255.255 any
route-map nonat permit 10
match ip address 129
Full configuration:
Building configuration...
Current configuration : n bytes
!
version n.n
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname larson
!
boot system flash *******
enable password **********
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 12
hash md5
authentication pre-share
crypto isakmp key letmein! address 205.209.38.253
!
!
crypto ipsec transform-set larson esp-des esp-md5-hmac
!
crypto map nolan 12 ipsec-isakmp
set peer 205.209.38.253
set transform-set larson
match address 119
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.98.0.254 255.255.0.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation isl 100
ip address 210.200.56.23 255.255.255.240
no ip redirects
!
interface Serial0/0
no ip address
encapsulation frame-relay
no ip route-cache
no ip mroute-cache
no fair-queue
frame-relay lmi-type ansi
crypto map nolan
!
interface Serial0/0.1 point-to-point
ip address 210.110.128.242 255.255.255.252
ip nat outside
no ip route-cache
no ip mroute-cache
frame-relay interface-dlci 13 IETF
crypto map nolan
!
ip nat inside source list 100 interface FastEthernet0/0.1 overload
ip nat inside source static tcp 10.98.0.2 2457 210.200.56.22 2457 extendable
ip nat inside source static tcp 10.98.0.1 2457 210.200.56.21 2457 extendable
ip nat inside source static tcp 10.98.0.254 23 210.200.56.19 23 extendable
ip nat outside source static 10.217.250.79 10.0.0.0
ip classless
ip route 0.0.0.0 0.0.0.0 210.110.128.241
ip http server
ip pim bidir-enable
!
access-list 100 deny ip 10.98.0.0 0.0.255.255 10.217.0.0 0.0.255.255
access-list 100 permit ip 10.98.0.0 0.0.255.255 any
access-list 119 permit ip 10.98.0.0 0.0.255.255 10.217.0.0 0.0.255.255
access-list 119 deny ip 10.98.0.0 0.0.255.255 any
access-list 129 deny ip 10.98.0.0 0.0.255.255 10.217.0.0 0.0.255.255
access-list 129 permit ip 10.98.0.0 0.0.255.255 any
route-map nonat permit 10
match ip address 129
!
!
snmp-server community *****
snmp-server community *****
snmp-server enable traps tty
!
dial-peer cor custom
!
!
!
!
banner motd ^C
!
line con 0
line aux 0
line vty 0 4
password **********
login
!
end
Answer : route-map nonat permit ???
Since you have a LAN-to-LAN VPN configured, you don't want that traffic to be NATted, so you create an access-list that denies the traffic from your local LAN to the remote LAN and permits all others. This access-list is applied to a route-map "nonat" (No NAT), which says that if the traffic matches access-list #129, then those packets are not NATted.
These 4 lines (should) go with this one:
>ip nat inside source list 100 interface FastEthernet0/0.1 overload
Which I would expect to read:
ip nat inside source route-map nonat interface FastEthernet0/0.1 overload
Obviously, since the route-map is not applied, those 4 lines are not doing anything at this time.
Instead, you are accomplishing the same thing with access-list 100, which IS applied to the NAT process.
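As an added illustration, not part of the original question or answer, the Python below models the first-match evaluation of access-lists 100 and 119 from the posted config and shows why the deny line in the NAT list matters: on the IOS inside-to-outside path NAT is evaluated before the crypto map, so a flow that gets translated no longer matches the crypto ACL. The overload address 210.200.56.23 is taken from FastEthernet0/0.1 in the config; the NAT-before-crypto ordering is Cisco's documented behaviour rather than something stated on this page, and the sample flows are constructed.

```python
import ipaddress

# Access lists copied from the posted config. Entries are
# (action, src, src-wildcard, dst, dst-wildcard); "any" is 0.0.0.0 255.255.255.255.
ANY = ("0.0.0.0", "255.255.255.255")
ACL_100 = [  # the list actually applied by "ip nat inside source list 100 ..."
    ("deny",   "10.98.0.0", "0.0.255.255", "10.217.0.0", "0.0.255.255"),
    ("permit", "10.98.0.0", "0.0.255.255", *ANY),
]
ACL_119 = [  # crypto map "nolan" match address 119: what enters the tunnel
    ("permit", "10.98.0.0", "0.0.255.255", "10.217.0.0", "0.0.255.255"),
    ("deny",   "10.98.0.0", "0.0.255.255", *ANY),
]
OVERLOAD_ADDR = "210.200.56.23"  # FastEthernet0/0.1, named in the NAT statement


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_action(acl, src: str, dst: str) -> str:
    """Evaluate an extended ACL top-down: first match wins, no match is an implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def classify_outbound(src: str, dst: str, nat_acl=ACL_100) -> dict:
    """Inside-to-outside on IOS: NAT runs first, then the crypto map sees the
    translated source. nat_acl can be swapped to test a different NAT list."""
    natted = acl_action(nat_acl, src, dst) == "permit"
    src_on_wire = OVERLOAD_ADDR if natted else src
    encrypted = acl_action(ACL_119, src_on_wire, dst) == "permit"
    return {"natted": natted, "encrypted": encrypted, "src_on_wire": src_on_wire}


if __name__ == "__main__":
    # Constructed flows: LAN-to-remote-LAN versus LAN-to-Internet.
    print(classify_outbound("10.98.1.10", "10.217.5.5"))   # exempt from NAT, encrypted
    print(classify_outbound("10.98.1.10", "8.8.8.8"))      # NATted, not encrypted
    # Same VPN flow if the deny line were missing from the NAT list:
    print(classify_outbound("10.98.1.10", "10.217.5.5", nat_acl=ACL_100[1:]))
```

Dropping the deny entry (the last call) makes the VPN flow get translated to 210.200.56.23 first, after which access-list 119 no longer matches it and it never enters the tunnel.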