Solved

route-map nonat permit 10 ?

Posted on 2003-12-01
4
2,986 Views
Last Modified: 2007-12-19
What is this command doing?

route-map nonat permit 10
0
Comment
Question by:gateguard
  • 2
  • 2
4 Comments
 
LVL 57

Expert Comment

by:Pete Long
Comment Utility
Hi gateguard,
See Irmoores comments here http://oldlook.experts-exchange.com/Hardware/Routers/Q_20705266.html

PeteL
0
 
LVL 57

Expert Comment

by:Pete Long
Comment Utility
gateguard,
! *  Use a route map to define which traffic from the private

! *  network should be included in the NAT process:

 

route-map nonat permit 10

 match ip address 150

http://www.siliconvalleyccie.com/cisco-hn/vpn-cisco.htm
PL
0
 
LVL 7

Accepted Solution

by:
Robing66066 earned 300 total points
Comment Utility
That looks like a line in a VPN router config.  If so, there should be a corresponding line that says something like '
ip nat inside source route-map nonat interface Ethernet0 overload '

Basically, it differentiates VPN 'interesting traffic' from traffic bound for the Internet. As Pete shows, it should be followed by a match ip address line that you can line up with an access list line (such as 'access-list 150 permit ip 10.10.130.0 0.0.0.255 10.10.0.0 0.0.255.255').  Whatever is in the access list is enacted on the traffic heading to the Internet.

So, if you had this in your config:

ip nat inside source route-map nonat interface Ethernet0 overload
route-map nonat permit 10
   match ip address 150

access-list 150 deny   ip 10.10.130.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 150 permit ip 10.10.130.0 0.0.0.255 any

All traffic from 10.10.130.0 destined for 10.10.0.0 would be denied access to the Internet.
All traffic from 10.10.130.0 destined for anywhere else would be allowed out to the Internet.  (And NATted.)

I *believe* that the 10 reference speaks to the number you used for your crypto isakmp policy, but I'm not sure.
 

0
 
LVL 7

Expert Comment

by:Robing66066
Comment Utility
That looks like a line in a VPN router config.  If so, there should be a corresponding line that says something like '
ip nat inside source route-map nonat interface Ethernet0 overload '

Basically, it differentiates VPN 'interesting traffic' from traffic bound for the Internet. As Pete shows, it should be followed by a match ip address line that you can line up with an access list line (such as 'access-list 150 permit ip 10.10.130.0 0.0.0.255 10.10.0.0 0.0.255.255').  Whatever is in the access list is enacted on the traffic heading to the Internet.

So, if you had this in your config:

ip nat inside source route-map nonat interface Ethernet0 overload
route-map nonat permit 10
   match ip address 150

access-list 150 deny   ip 10.10.130.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 150 permit ip 10.10.130.0 0.0.0.255 any

All traffic from 10.10.130.0 destined for 10.10.0.0 would be denied access to the Internet.
All traffic from 10.10.130.0 destined for anywhere else would be allowed out to the Internet.  (And NATted.)

I *believe* that the 10 reference speaks to the number you used for your crypto isakmp policy, but I'm not sure.
 

0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

What is IRC? IRC (Internet Relay Chat) is a form of communication between multiple users. It is available freely to anyone with inernet access. IRC is a great way to communicate with others e.g. There is an IRC channel for Ubuntu Linux, which is fo…
Some time ago I was asked to set up a web portal PC to put at our entrance. When customers arrive, they could see a webpage 'promoting' our company. So I tried to set up a windows 7 PC as a kiosk PC.......... I will spare you all the annoyances I…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now