06-23-2008 07:15 AM - edited 03-05-2019 11:46 PM
On an external interface:
interface FastEthernet3/0
description $FW_OUTSIDE$$ETH-WAN$
ip address ***.***.***.243 255.255.255.248
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex full
speed 100
ids-service-module monitoring
no mop enabled
crypto map cm-cryptomap
We have a NAT statement:
ip nat inside source route-map Staging interface FastEthernet3/0 overload
With a route-map:
route-map Staging permit 10
match ip address 120
And an IP access list 120 of:
access-list 120 remark SDM_ACL Category=18
access-list 120 deny ip 10.10.71.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 120 deny ip 10.10.112.0 0.0.15.255 10.10.20.0 0.0.0.255
access-list 120 deny ip 10.10.72.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 120 deny ip 10.10.72.0 0.0.0.255 10.10.14.0 0.0.0.255
access-list 120 deny ip 10.10.72.0 0.0.0.255 10.10.15.0 0.0.0.255
access-list 120 deny ip 10.10.14.0 0.0.0.255 10.10.72.0 0.0.0.255
access-list 120 deny ip 10.10.15.0 0.0.0.255 10.10.72.0 0.0.0.255
access-list 120 deny ip 10.10.72.0 0.0.0.255 10.10.8.0 0.0.3.255
access-list 120 deny ip 10.10.8.0 0.0.3.255 10.10.20.0 0.0.0.255
access-list 120 deny ip 10.10.14.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 120 deny ip 10.10.15.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 120 deny tcp 10.10.72.0 0.0.0.255 any eq smtp log
access-list 120 permit ip 10.10.72.0 0.0.0.255 any
For some reason I cannot access 10.10.72.0 from 10.98.0.0 (via VPN to that interface) as I think it's natting the IP I am trying to access (10.10.72.1).
How do I stop the natting of 10.98.0.0 when trying to access 10.10.72.0?
06-23-2008 12:31 PM
So 10.98.0.0 is known through the outside interface and 10.10.72.1 is known on the inside interface?
If so I'll take a wild guess and tell you that you need a "access-list 120 deny ip 10.10.72.0 0.0.0.255 10.98.0.0 0.0.0.255"
just above the last line in the present ACL 120.
Did it work?
06-23-2008 12:32 PM
Nelson
The additional information is helpful. While there are still some details that are not clear, I do have a suggestion. Add this to your access list:
access-list 120 deny ip 10.10.72.0 0.0.0.255 10.98.0.0 0.0.255.255
and make sure that it gets added before the permit statement in the access list.
HTH
Rick
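To check the ordering point in Rick's reply (the new deny has to sit above the permit, and a plain "access-list 120 ..." line typed later is appended at the end of a numbered ACL, below the permit), here is an added Python model of first-match evaluation of the NAT route-map ACL. It is not code from the thread or from Cisco; the ACL text inside it is a constructed, trimmed copy of ACL 120, and in a NAT route-map ACL "permit" means translate while "deny" (or no match) means leave untranslated.

```python
import ipaddress

# Constructed, trimmed copy of ACL 120 from the post (NAT route-map ACL).
ACL_BEFORE = """\
access-list 120 remark SDM_ACL Category=18
access-list 120 deny ip 10.10.72.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 120 deny tcp 10.10.72.0 0.0.0.255 any eq smtp log
access-list 120 permit ip 10.10.72.0 0.0.0.255 any
"""
FIX = "access-list 120 deny ip 10.10.72.0 0.0.0.255 10.98.0.0 0.0.255.255\n"
# The fix placed above the permit, as the reply asks (constructed).
ACL_AFTER = ACL_BEFORE.replace("access-list 120 permit", FIX + "access-list 120 permit")
# The same line simply typed at the CLI: IOS appends it after the permit (constructed).
ACL_APPENDED = ACL_BEFORE + FIX

def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A.B.C.D', or 'A.B.C.D wildcard').
    Returns (network_int, wildcard_int) plus the unconsumed tokens."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    net, wc = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (net, wc), tokens[2:]

def _in_range(addr, spec):
    # Wildcard semantics: bits set in the wildcard are "don't care".
    net, wc = spec
    return (int(ipaddress.IPv4Address(addr)) | wc) == (net | wc)

def parse_acl(text):
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
            continue
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        dport = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None  # port name kept literal
        entries.append((action, proto, src, dst, dport))
    return entries

def nat_decision(acl_text, src, dst, proto="ip", dport=None):
    """First matching entry wins: permit => translate, deny => exempt.
    No match falls through to the implicit deny, i.e. also untranslated."""
    for action, p, s, d, port in parse_acl(acl_text):
        if p != "ip" and p != proto:
            continue
        if port is not None and port != dport:
            continue
        if _in_range(src, s) and _in_range(dst, d):
            return "translate" if action == "permit" else "exempt"
    return "exempt"
```

Running `nat_decision` for 10.10.72.1 to 10.98.5.5 shows "translate" for both the original ACL and the appended version, and "exempt" only when the deny precedes the permit, which is why a numbered ACL usually has to be re-entered (or edited with sequence numbers) to get the line into the right place.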
06-23-2008 07:30 AM
Nelson
You have not given us enough information to really understand your problem or to suggest a solution. Where is 10.98.0.0? Where is 10.10.72.0? Does that traffic really go through interface FA3/0? If so is the traffic direction inbound on the interface or outbound on the interface? Perhaps if you supply that information we might be able to suggest a solution.
HTH
Rick
06-23-2008 07:57 AM
06-24-2008 03:08 AM
thanks guys,
that did it...
06-24-2008 05:54 AM
Nelson
I am glad that we were able to help you find a solution for your problem. Thank you for using the rating system to indicate that your problem was solved (and thanks for the rating). It makes the forum more useful when people can read about a problem and can know that they will see a solution that solved the problem.
The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.
HTH
Rick