Question : route-map nonat permit ???
I have a routing problem, but before I post the problem itself I've got a series of questions about the configuration.
In the following configuration, what do the last two lines of this four-line set do:
access-list 129 deny ip 10.98.0.0 0.0.255.255 10.217.0.0 0.0.255.255
access-list 129 permit ip 10.98.0.0 0.0.255.255 any
route-map nonat permit 10
match ip address 129
Full configuration:
Building configuration...
Current configuration : n bytes
!
version n.n
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname larson
!
boot system flash *******
enable password **********
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 12
hash md5
authentication pre-share
crypto isakmp key letmein! address 205.209.38.253
!
!
crypto ipsec transform-set larson esp-des esp-md5-hmac
!
crypto map nolan 12 ipsec-isakmp
set peer 205.209.38.253
set transform-set larson
match address 119
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.98.0.254 255.255.0.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation isl 100
ip address 210.200.56.23 255.255.255.240
no ip redirects
!
interface Serial0/0
no ip address
encapsulation frame-relay
no ip route-cache
no ip mroute-cache
no fair-queue
frame-relay lmi-type ansi
crypto map nolan
!
interface Serial0/0.1 point-to-point
ip address 210.110.128.242 255.255.255.252
ip nat outside
no ip route-cache
no ip mroute-cache
frame-relay interface-dlci 13 IETF
crypto map nolan
!
ip nat inside source list 100 interface FastEthernet0/0.1 overload
ip nat inside source static tcp 10.98.0.2 2457 210.200.56.22 2457 extendable
ip nat inside source static tcp 10.98.0.1 2457 210.200.56.21 2457 extendable
ip nat inside source static tcp 10.98.0.254 23 210.200.56.19 23 extendable
ip nat outside source static 10.217.250.79 10.0.0.0
ip classless
ip route 0.0.0.0 0.0.0.0 210.110.128.241
ip http server
ip pim bidir-enable
!
access-list 100 deny ip 10.98.0.0 0.0.255.255 10.217.0.0 0.0.255.255
access-list 100 permit ip 10.98.0.0 0.0.255.255 any
access-list 119 permit ip 10.98.0.0 0.0.255.255 10.217.0.0 0.0.255.255
access-list 119 deny ip 10.98.0.0 0.0.255.255 any
access-list 129 deny ip 10.98.0.0 0.0.255.255 10.217.0.0 0.0.255.255
access-list 129 permit ip 10.98.0.0 0.0.255.255 any
route-map nonat permit 10
match ip address 129
!
!
snmp-server community *****
snmp-server community *****
snmp-server enable traps tty
!
dial-peer cor custom
!
!
!
!
banner motd ^C
!
line con 0
line aux 0
line vty 0 4
password **********
login
!
end
Answer : route-map nonat permit ???
Since you have a LAN-to-LAN VPN configured, you don't want the traffic to be NATed, so you create an access-list that denies the traffic from your local LAN to the remote LAN and permits all others. This access-list is applied to a route-map "nonat" (No NAT), which says that if the traffic matches access-list #129, then those packets are not NATed.
These 4 lines (should) go with this one:
>ip nat inside source list 100 interface FastEthernet0/0.1 overload
Which I would expect to read:
ip nat inside source route-map nonat interface FastEthernet0/0.1 overload
Obviously, since the route-map is not applied, those 4 lines are not doing anything at this time.
Instead, you are accomplishing the same thing with access-list 100, which IS applied to the NAT process.
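The NAT-bypass logic the answer describes, as an added example that is not part of the original thread and is not Cisco code: a small Python model of IOS wildcard-mask ACL matching, evaluated the way route-map nonat and crypto map nolan would consume it. The ACL lines are copied from the configuration above; the packet flows are constructed samples, and the model covers only the `ip` protocol entries this configuration uses (no ports, no other protocols), with first-match semantics and the implicit deny at the end.

```python
import ipaddress
from dataclasses import dataclass

# ACL lines copied from the configuration in the question above.
ACL_TEXT = """
access-list 100 deny ip 10.98.0.0 0.0.255.255 10.217.0.0 0.0.255.255
access-list 100 permit ip 10.98.0.0 0.0.255.255 any
access-list 119 permit ip 10.98.0.0 0.0.255.255 10.217.0.0 0.0.255.255
access-list 119 deny ip 10.98.0.0 0.0.255.255 any
access-list 129 deny ip 10.98.0.0 0.0.255.255 10.217.0.0 0.0.255.255
access-list 129 permit ip 10.98.0.0 0.0.255.255 any
"""


@dataclass
class Entry:
    action: str   # "permit" or "deny"
    src: int      # source network as a 32-bit int
    src_wc: int   # source wildcard mask (1 bits = don't care)
    dst: int
    dst_wc: int


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Consume one address spec ("any", "host A", or "A WILDCARD").

    Returns (address, wildcard, index of the next unread token).
    """
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acls(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [Entry, ...]}."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        # This config only uses protocol "ip" without ports; other forms are skipped.
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, src_wc, i = _parse_addr(t, 4)
        dst, dst_wc, _ = _parse_addr(t, i)
        acls.setdefault(t[1], []).append(Entry(t[2], src, src_wc, dst, dst_wc))
    return acls


def _wc_match(addr, base, wildcard):
    # A wildcard mask is the inverse of a netmask: 0 bits must match, 1 bits are ignored.
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate(acl, src, dst):
    """IOS semantics: the first matching entry wins; an implicit deny follows the last."""
    s, d = _ip(src), _ip(dst)
    for e in acl:
        if _wc_match(s, e.src, e.src_wc) and _wc_match(d, e.dst, e.dst_wc):
            return e.action
    return "deny"


def nat_decision(acls, src, dst):
    """Model the router's handling of one flow leaving the inside LAN.

    'nat'   follows route-map nonat, which matches ACL 129: a 'permit' result
            means the packet is translated, a 'deny' means NAT is bypassed.
    'ipsec' follows crypto map nolan, which encrypts what ACL 119 permits.
    """
    return {
        "nat": evaluate(acls["129"], src, dst) == "permit",
        "ipsec": evaluate(acls["119"], src, dst) == "permit",
    }


def decisions_agree(acl_a, acl_b, flows):
    """True when two ACLs give the same verdict for every (src, dst) in flows."""
    return all(evaluate(acl_a, s, d) == evaluate(acl_b, s, d) for s, d in flows)


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    ("10.98.1.5", "10.217.3.4"),      # inside LAN -> remote VPN LAN
    ("10.98.1.5", "198.51.100.7"),    # inside LAN -> Internet
    ("192.168.1.1", "198.51.100.7"),  # not from the inside LAN at all
]

if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    for s, d in SAMPLE_FLOWS:
        print(f"{s:>12} -> {d:<14} {nat_decision(acls, s, d)}")
    # ACL 100 (the one actually applied) and ACL 129 are entry-for-entry identical.
    print("100 and 129 agree:", decisions_agree(acls["100"], acls["129"], SAMPLE_FLOWS))
```

Running it shows the two halves of the answer: a flow from 10.98.x.x to 10.217.x.x is denied by ACL 129 (NAT bypassed) and permitted by ACL 119 (encrypted), while a flow to any other destination is translated and sent in the clear; and ACL 100, the list that `ip nat inside source list 100` really references, returns the same verdict as ACL 129 for every sample flow. The order of the two entries is the security-relevant detail worth checking whenever such a pair is edited: if the `permit ... any` line came first, VPN-bound traffic would be translated before the crypto map saw it and would no longer match ACL 119.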