
Only Nat specific traffic


CPaul123 (IS-IT--Management), Apr 18, 2002
I am currently NATing all outbound traffic behind my Multilink123 interface. However, when I try to access an internal device the addresses are still being NATed. How can I create an ACL so that my internal traffic is not NATed?

Here is a copy of my config:
ip nat inside source list 98 interface Multilink123 overload
ip nat inside source static udp 192.168.1.10 161 interface Multilink123 10161

access-list 98 permit 192.168.1.0 0.0.0.255
access-list 98 permit 10.41.4.0 0.0.0.255
access-list 98 remark NAT ACL for IP Phones

Any help would be greatly appreciated.
 
First, ditch the acl and recreate an extended acl. Then permit the NAT addresses and simply deny the no-nat addresses...

NAT=192.168.1.0/25
NO-NAT=192.168.1.128/25

access-list 101 deny ip any 192.168.1.128 0.0.0.128
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

ip nat inside source list 101 int multilink123 over

OR

you can make a route map...

route-map nonat permit 1
match address 101

and the NAT statement...

ip nat inside source route-map nonat int multilink123 over

Either way it works. I use the route map myself to deny nat to vpn addresses and permit the rest of the subnet since in my setup, the vpn pool exists in the LAN subnet. Easier this way in a router.

Burt
 
Sorry---the first statement needs to be

access-list 101 deny ip any 192.168.1.128 0.0.0.127

the wildcard mask was wrong...

Burt
 
CRAP! So is the second one!

0.0.0.127 instead of 0.0.0.255, but since the deny comes first, the second will only permit .1-.126 anyway...

Burt
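As an added example (not code from the thread or from Burt), the following Python models IOS-style first-match evaluation of the extended ACL above and shows why the wildcard 0.0.0.128 was wrong and 0.0.0.127 is right for the 192.168.1.128/25 no-NAT range; the ACL entries and the sample source/destination addresses are assumptions constructed from the posts.

```python
import ipaddress

def wildcard_matches(addr, network, wildcard):
    """IOS-style compare: bits set in the wildcard mask are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def wildcard_for_prefix(prefix):
    """Wildcard mask for a CIDR prefix, e.g. 192.168.1.128/25 -> 0.0.0.127."""
    return str(ipaddress.IPv4Network(prefix).hostmask)

def acl_action(acl, src, dst):
    """First-match evaluation; an IOS ACL ends with an implicit deny."""
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_matches(src, snet, swc) and wildcard_matches(dst, dnet, dwc):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")

# Burt's corrected ACL 101 (assumed layout): deny (= do not NAT) anything
# destined for the upper /25, then permit (= NAT) the rest of 192.168.1.0/24.
ACL_101 = [
    ("deny", *ANY, "192.168.1.128", "0.0.0.127"),
    ("permit", "192.168.1.0", "0.0.0.255", *ANY),
]

# Same ACL with the first-post typo 0.0.0.128 in the deny line.
ACL_101_TYPO = [
    ("deny", *ANY, "192.168.1.128", "0.0.0.128"),
    ("permit", "192.168.1.0", "0.0.0.255", *ANY),
]

def hosts_matched(network, wildcard, base="192.168.1."):
    """Constructed check: which last-octet values of 192.168.1.x match."""
    return [i for i in range(256) if wildcard_matches(base + str(i), network, wildcard)]

if __name__ == "__main__":
    print(wildcard_for_prefix("192.168.1.128/25"))               # 0.0.0.127
    print(len(hosts_matched("192.168.1.128", "0.0.0.127")))      # 128
    print(hosts_matched("192.168.1.128", "0.0.0.128"))           # [0, 128]
    print(acl_action(ACL_101, "192.168.1.10", "192.168.1.200"))  # deny -> not NATed
    print(acl_action(ACL_101, "192.168.1.10", "198.51.100.7"))   # permit -> NATed
```

Note that ACL 101 as posted covers only 192.168.1.0/24, so a source in the original list 98's 10.41.4.0/24 range falls through to the implicit deny and is not NATed unless a permit for it is added.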
 
These NATs are for our VOIP phones. 10.41.4.5 is one of the phones. This phone needs to be NATed in order for it to work; however, in order to connect to our NTP server it needs to keep its original address.
 
CPaul, what model is your router?? What modules are installed in it?? Can you post your entire scrubbed config?? Are you using hosted VoIP services??

Burt, you kind of remind me of Tommy Boy lol...don't ask me why, but you do...of course it's a compliment

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
We are using a 2851 and using a VzB VOIP solution. In our other 8 centers we have a firewall performing the NAT but this was the first center to go live so we did the NAT on the router.
 