NAT list with DENY


I found a configuration like this on a router and it works, but I do not understand it. There is a NAT list with a deny statement at the beginning. When I look at the NAT translation, all NATs are using the source ip-address of the interface, but this ip-address is denied in the list. So how does this work? I usually would configure the access-list 30 with permit and deny any.

!
interface FastEthernet0.99
 description myIF
 encapsulation dot1Q 99
 ip address
 ip nat outside
 ip virtual-reassembly
!
ip nat inside source list 30 interface FastEthernet0.99 overload
!

access-list 30 deny
access-list 30 permit any

Any ideas?

Thank you.


christian maier

It means 'don't NAT this address'. NAT anything matched by a permit in access-list 30. However, given that the address resides on the interface with 'ip nat outside' on it, I really don't see the point??



"christian maier" wrote in message news:46bcb65d$0$2243$


It works as it should. Any source IP addresses (but coming from a "NAT inside" interface) are natted (using the IP address configured on fa0.99). Personally I think the first "deny" is superfluous but since I'm very tired right now I could be utterly wrong.

Regards, Gabriele

Gabriele Beltrame
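An added example, not part of the original thread: a simplified Python model of how the list in "ip nat inside source list 30 ... overload" is checked against a packet's original source address, first match wins. The deny address is not shown in the post, so 192.0.2.1 is a constructed placeholder for the Fa0.99 address; the second list, the sample sources and all function names are assumptions, and port overloading is not modelled.

```python
import ipaddress

IF_ADDR = "192.0.2.1"  # constructed placeholder for the Fa0.99 address

# access-list 30 as posted: deny the interface address, then permit any.
ACL_30 = [("deny", IF_ADDR, "0.0.0.0"),
          ("permit", "0.0.0.0", "255.255.255.255")]

# Constructed contrast: permit one inside subnet, rely on the implicit deny.
ACL_NARROW = [("permit", "10.0.0.0", "0.0.0.255")]


def acl_action(acl, src):
    """Return the action of the first matching entry (standard ACL logic)."""
    s = int(ipaddress.IPv4Address(src))
    for action, addr, wildcard in acl:
        a = int(ipaddress.IPv4Address(addr))
        # Wildcard bits set to 1 are "don't care"; compare only the rest.
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (s & care) == (a & care):
            return action
    return "deny"  # implicit deny at the end of every list


def nat_inside_source(acl, src, overload_addr=IF_ADDR):
    """Return (source_after_nat, translated) for a packet from an inside interface.

    The list is matched against the source before translation:
    permit means rewrite to the overload address, deny means leave untouched.
    """
    if acl_action(acl, src) == "permit":
        return overload_addr, True
    return src, False


def compare(sources):
    """Show per source how each list decides."""
    return {s: (nat_inside_source(ACL_30, s), nat_inside_source(ACL_NARROW, s))
            for s in sources}


if __name__ == "__main__":
    # Constructed sample sources: an inside host, an unexpected inside
    # source, and the interface address itself.
    for src, (posted, narrow) in compare(["10.0.0.5", "172.16.4.20", IF_ADDR]).items():
        print(f"{src:<12} list 30 -> {posted}   narrow list -> {narrow}")
```

The deny entry only exempts packets whose source already is the interface address; every other inside source matches "permit any" and is translated, including sources a subnet-specific permit would leave untranslated.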