Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

route-map nonat permit 10 ?

Posted on 2003-12-01
4
Medium Priority
?
3,160 Views
Last Modified: 2007-12-19
What is this command doing?

route-map nonat permit 10
0
Comment
Question by:gateguard
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 9850672
Hi gateguard,
See Irmoores comments here http://oldlook.experts-exchange.com/Hardware/Routers/Q_20705266.html

PeteL
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 9850687
gateguard,
! *  Use a route map to define which traffic from the private

! *  network should be included in the NAT process:

 

route-map nonat permit 10

 match ip address 150

http://www.siliconvalleyccie.com/cisco-hn/vpn-cisco.htm
PL
0
 
LVL 7

Accepted Solution

by:
Robing66066 earned 1200 total points
ID: 9852664
That looks like a line in a VPN router config.  If so, there should be a corresponding line that says something like '
ip nat inside source route-map nonat interface Ethernet0 overload '

Basically, it differentiates VPN 'interesting traffic' from traffic bound for the Internet. As Pete shows, it should be followed by a match ip address line that you can line up with an access list line (such as 'access-list 150 permit ip 10.10.130.0 0.0.0.255 10.10.0.0 0.0.255.255').  Whatever is in the access list is enacted on the traffic heading to the Internet.

So, if you had this in your config:

ip nat inside source route-map nonat interface Ethernet0 overload
route-map nonat permit 10
   match ip address 150

access-list 150 deny   ip 10.10.130.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 150 permit ip 10.10.130.0 0.0.0.255 any

All traffic from 10.10.130.0 destined for 10.10.0.0 would be denied access to the Internet.
All traffic from 10.10.130.0 destined for anywhere else would be allowed out to the Internet.  (And NATted.)

I *believe* that the 10 reference speaks to the number you used for your crypto isakmp policy, but I'm not sure.
 

0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9852667
That looks like a line in a VPN router config.  If so, there should be a corresponding line that says something like '
ip nat inside source route-map nonat interface Ethernet0 overload '

Basically, it differentiates VPN 'interesting traffic' from traffic bound for the Internet. As Pete shows, it should be followed by a match ip address line that you can line up with an access list line (such as 'access-list 150 permit ip 10.10.130.0 0.0.0.255 10.10.0.0 0.0.255.255').  Whatever is in the access list is enacted on the traffic heading to the Internet.

So, if you had this in your config:

ip nat inside source route-map nonat interface Ethernet0 overload
route-map nonat permit 10
   match ip address 150

access-list 150 deny   ip 10.10.130.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 150 permit ip 10.10.130.0 0.0.0.255 any

All traffic from 10.10.130.0 destined for 10.10.0.0 would be denied access to the Internet.
All traffic from 10.10.130.0 destined for anywhere else would be allowed out to the Internet.  (And NATted.)

I *believe* that the 10 reference speaks to the number you used for your crypto isakmp policy, but I'm not sure.
 

0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Originally, this post was published on Monitis Blog, you can check it here . It goes without saying that technology has transformed society and the very nature of how we live, work, and communicate in ways that would’ve been incomprehensible 5 ye…
Make the most of your online learning experience.
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question