NAT list with DENY

Hi!

I found a configuration like this on a router and it works, but I do not understand it. There is a NAT list with a deny statement at the beginning. When I look at the NAT translation, all NATs are using the source ip-address 192.168.2.111 of the interface, but this ip-address is denied in the list. So how does this work? I usually would configure the access-list 30 with permit 192.168.2.111 and deny any.

!
interface FastEthernet0.99
 description myIF
 encapsulation dot1Q 99
 ip address 192.168.2.111 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
ip nat inside source list 30 interface FastEthernet0.99 overload
!

access-list 30 deny 192.168.2.111
access-list 30 permit any

Any ideas?

Thank you.

Christian


It means 'don't NAT this address'. NAT anything matched by a permit in access-list 30. However given that the address resides on the interface with 'ip nat outside' on it I really don't see the point??

Chris.


"christian maier" wrote in message news:46bcb65d$0$2243$ snipped-for-privacy@newsreader01.highway.telekom.at...

Hi,

It works as it should. Any source IP addresses (but 192.168.2.111) coming from a "NAT inside" interface are natted (using the IP address configured on fa0.99). Personally I think the first "deny" is superfluous but since I'm very tired right now I could be utterly wrong.

Regards, Gabriele
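
Added example, not part of any post in this thread: a small Python model of how the posted access-list 30 is evaluated for `ip nat inside source list 30`, showing that the list is matched against the packet's source address before translation, so the deny line never competes with the translated address shown in the NAT table. The inside host addresses are constructed (the thread does not show the inside network), and the model covers only the list match, not port overload.

```python
import ipaddress

# ACL lines as posted in the thread (standard access-list 30).
ACL_30 = """\
access-list 30 deny 192.168.2.111
access-list 30 permit any
"""
OUTSIDE_IF_ADDR = "192.168.2.111"   # address of FastEthernet0.99 in the post

def parse_standard_acl(text):
    """Return [(action, address_int, wildcard_int)] for standard ACL lines."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        action, rest = tok[2], tok[3:]
        if rest[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        else:
            if rest[0] == "host":
                rest = rest[1:]
            addr = int(ipaddress.IPv4Address(rest[0]))
            # A bare address with no wildcard matches exactly one host.
            wild = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
        entries.append((action, addr, wild))
    return entries

def acl_permits(entries, src):
    """First match wins; an unmatched address hits the implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    for action, addr, wild in entries:
        if (s | wild) == (addr | wild):
            return action == "permit"
    return False

def translate(entries, inside_src):
    """Source address seen on the outside for a packet from inside_src.
    The list is checked against the pre-translation source only."""
    return OUTSIDE_IF_ADDR if acl_permits(entries, inside_src) else inside_src

if __name__ == "__main__":
    acl = parse_standard_acl(ACL_30)
    # Constructed inside hosts; the thread does not show the inside network.
    for src in ("10.1.1.10", "172.16.5.20", "192.168.2.111"):
        print(f"{src:15} -> {translate(acl, src)}")
```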

