07-04-2021 10:24 PM
interface FastEthernet0/0
ip address 10.1.10.1 255.255.0.0
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.3.3.1 255.255.0.0
ip nat inside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip nat pool internet 10.1.50.50 10.1.50.50 netmask 255.255.0.0
ip nat inside source list 2 pool internet overload
ip classless
!
ip flow-export version 9
!
!
access-list2 deny 10.3.3.10 0.0.0.0
access-list 2 permit 10.3.3.0 0.0.255.255
07-05-2021 12:43 AM
Hello
Are you saying host 10.3.3.10 is still being NAT'ed? Also, I don't see the WAN interface having 10.1.50.x assigned to it, so does it reside with your router and is it routable?
sh ip nat translations *
sh ip int brief
sh ip route
07-05-2021 04:22 AM
Sorry, ip nat would be 10.1.10.1, which is the WAN interface.
Want to exclude one address.
First question is: will this work?
07-05-2021 06:06 AM
You are looking to not NAT IP 10.3.3.10 - it should be as below.
access-list 2 deny 10.3.3.10
07-05-2021 09:09 AM
The original poster asks if this should work. I believe that if correctly configured that it should work and the single host should not be translated but other hosts in that subnet should be translated.
@paul driver asks about the address used for the nat pool. Since FA0/0 is configured as 10.1.10.1/16 then the nat pool of 10.1.50.50 is in the subnet of the outside interface. So yes it is routable.
@balaji.bandi suggests an alternative syntax for the deny statement. I would think that either syntax should work. The mask of 0.0.0.0 is specifying a host address and is equivalent to the statement with no mask specified. Note that the access list needs the second statement which permits the subnet.
I notice one detail in the partial config in the original post:
access-list2 deny 10.3.3.10 0.0.0.0
is missing a space between list and 2. If this is something that was used for cut and paste to create the running config then the access list in running config would not have the deny and would have only the permit. Perhaps the output of show access-list would clarify what is in running config.
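The effect of the missing space can be checked offline with a small model of standard ACL evaluation. This is an added example, not part of the thread or of any Cisco tool: the function names are hypothetical, the two ACL lines are copied from the original post as constructed input, and it assumes a line that does not start with `access-list 2` never reaches the running config. It also handles the `host` and `any` source forms, which go beyond what the thread uses.

```python
import ipaddress

# Constructed input: the two ACL lines as posted (typo included) and corrected.
POSTED = ("access-list2 deny 10.3.3.10 0.0.0.0\n"
          "access-list 2 permit 10.3.3.0 0.0.255.255\n")
FIXED = POSTED.replace("access-list2", "access-list 2")


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_acl(text, number=2):
    """Return (entries, rejected); entries are (action, address, wildcard)."""
    entries, rejected = [], []
    for line in text.splitlines():
        tok = line.split()
        if (len(tok) < 4 or tok[0] != "access-list" or tok[1] != str(number)
                or tok[2] not in ("permit", "deny")):
            rejected.append(line)  # e.g. 'access-list2 ...' is not a command
            continue
        action, src = tok[2], tok[3:]
        try:
            if src[0] == "any":
                addr, wild = 0, 0xFFFFFFFF
            elif src[0] == "host":
                addr, wild = to_int(src[1]), 0
            else:
                # No wildcard given means a single host (wildcard 0.0.0.0).
                addr = to_int(src[0])
                wild = to_int(src[1]) if len(src) > 1 else 0
        except (IndexError, ValueError):
            rejected.append(line)
            continue
        entries.append((action, addr, wild))
    return entries, rejected


def is_translated(text, source_ip, number=2):
    """True if the ACL permits source_ip, i.e. the NAT rule applies to it."""
    entries, _ = parse_standard_acl(text, number)
    src = to_int(source_ip)
    for action, addr, wild in entries:
        care = ~wild & 0xFFFFFFFF          # bits that must match
        if (src & care) == (addr & care):  # first match wins
            return action == "permit"
    return False                           # implicit deny at the end
```

With `FIXED`, `is_translated(FIXED, "10.3.3.10")` is false while other 10.3.x.x hosts are translated; with `POSTED`, the deny line lands in the rejected list and 10.3.3.10 is translated like every other host.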
07-05-2021 12:37 PM
Hello
Yes, the deny ACE in the access-list should work,
now that you've confirmed the WAN address is viable as a /16 subnet.