Route-map vs. access-list.

Hi all,

Until now I have always used a route-map on the NAT rule to avoid translating traffic directed to the other LAN through a VPN tunnel. But the route-map section has only a match rule to an ACL.

I've been applying that method as an external consultant told us, but now I would like to ask you whether the same result would be obtained by simply using an ACL instead of a route-map.

So below follows the real configuration:

ip nat inside source route-map vpn_2hq interface Dialer0 overload
....
route-map vpn_2hq permit 10
 match ip address 131
....
access-list 131 deny ip 10.134.3.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 131 permit ip 10.134.3.0 0.0.0.255 any

but should the next one be correct as well?

ip nat inside source list 131 vpn_2hq interface Dialer0 overload
....
access-list 131 deny ip 10.134.3.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 131 permit ip 10.134.3.0 0.0.0.255 any

Alex.

AM

As long as there is no action taken on the match, then an ACL should work fine.

I would use:

ip nat inside source list 131 interface Dialer0 overload

mjkiefer

Maybe he can't use

ip nat inside source list 131 interface Dialer0 overload

because above match ip address 131 on his route-map has a line similar to this:

route-map vpn_2hq permit 10
 match ip address 131
 match interface Dialer1

in order to NAT only traffic from Dialer 1 and then default-route everything to some other dialer or ATM interface without NAT:

ip route 0.0.0.0 0.0.0.0 Dialer2

paranic
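
Added example, not part of the thread and not router code: a small Python model of how ACL 131 decides which flows are translated, comparing the plain `list 131` form with the route-map form, with and without the extra `match interface` clause paranic describes. The sample flows are constructed, the function names are hypothetical, and treating `match interface` as a test on the interface the packet is routed out of is an assumption.

```python
import ipaddress

# ACL 131 from the thread: (action, source, src wildcard, destination, dst wildcard)
ACL_131 = [
    ("deny",   "10.134.3.0", "0.0.0.255", "192.168.31.0", "0.0.0.255"),
    ("permit", "10.134.3.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),  # "any"
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False

def nat_with_list(src, dst):
    """Models: ip nat inside source list 131 interface Dialer0 overload"""
    return acl_permits(ACL_131, src, dst)

def nat_with_route_map(src, dst, egress, match_interface=None):
    """Models route-map vpn_2hq permit 10: every match clause must hold.
    match_interface is the optional extra clause (hypothetical parameter)."""
    if not acl_permits(ACL_131, src, dst):
        return False
    return match_interface is None or egress == match_interface

# Constructed sample flows: (source, destination, egress interface)
FLOWS = [
    ("10.134.3.25", "192.168.31.10", "Dialer1"),  # to the remote LAN over the VPN
    ("10.134.3.25", "203.0.113.80", "Dialer1"),   # Internet-bound
    ("10.134.3.25", "203.0.113.80", "Dialer2"),   # Internet-bound via the other link
    ("10.134.4.7", "203.0.113.80", "Dialer1"),    # source not covered by ACL 131
]

if __name__ == "__main__":
    for src, dst, egress in FLOWS:
        print(src, "->", dst, "via", egress,
              "| list:", nat_with_list(src, dst),
              "| route-map:", nat_with_route_map(src, dst, egress),
              "| route-map + match interface Dialer1:",
              nat_with_route_map(src, dst, egress, "Dialer1"))
```

With only `match ip address 131` in the route-map, both forms give the same translate or exempt decision for every flow; the results differ only once a second match clause is present.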
