Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
212
Views
0
Helpful
1
Replies

what will happen if traffic comes at NAT out interface and matches access list statement?

saiyed0186
Level 1
Level 1

‎03-02-2011 10:09 PM - edited ‎03-04-2019 11:37 AM

Hi All,

I have configured a device having config given below :

ip nat pool OUTBOUND 100.170.250.10 100.170.250.10 prefix-length 24
ip nat inside source list 100 pool OUTBOUND overload

access-list 100 deny   ip any 10.238.0.104 0.0.0.7
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
access-list 100 permit ip 170.16.0.0 0.15.255.255 any

interface Loopback10
description Management IP Interface
ip address 170.20.255.202 255.255.255.255
no ip redirects
no ip unreachables
ip flow ingress

interface GigabitEthernet0/0
description Customer Facing Interface
ip address 10.238.0.108 255.255.255.248
no ip redirects
no ip unreachables
ip flow ingress
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex full
speed 100
media-type rj45
!
interface Serial1/0
description Private Line PPP - Ckt ID:
mtu 1500
bandwidth 20000
ip address 170.20.0.213 255.255.255.252
no ip unreachables
ip flow ingress
ip nat inside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
serial restart-delay 0

router bgp 59001
no synchronization
bgp router-id 170.20.255.202
bgp log-neighbor-changes
network 10.238.0.104 mask 255.255.255.248
network 170.20.0.212 mask 255.255.255.252
network 170.20.255.202 mask 255.255.255.255
timers bgp 15 45
neighbor 10.238.0.105 remote-as 59002
neighbor 10.238.0.105 update-source Loopback10
neighbor 10.238.0.105 send-community
neighbor 10.238.0.105 advertisement-interval 0
neighbor 10.238.0.105 soft-reconfiguration inbound

So my question is when neighbor router 10.238.0.105 try to make neighborship with this router it will send hello packet containing

SA as 10.238.0.105 and

DA as 10.238.0.108, so whether this router will perform NAT before sending hello packet response to its neighbor router or not ?

Labels:
0 Helpful
1 Reply 1

milan.kulik
Level 10
Level 10

‎03-03-2011 12:13 AM

Hi,

IMHO, no, it will not.

The router would perform NATing only on packets received on the inside interface sent out through the outside interface (plus matching source list 100 in your case).

This condition is not fulfilled, so no NAT would be done for hello packet response to its neighbor.

HTH,

Milan

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card