Solved

route-map nonat permit 10 ?

Posted on 2003-12-01
4
3,034 Views
Last Modified: 2007-12-19
What is this command doing?

route-map nonat permit 10
0
Comment
Question by:gateguard
  • 2
  • 2
4 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 9850672
Hi gateguard,
See Irmoores comments here http://oldlook.experts-exchange.com/Hardware/Routers/Q_20705266.html

PeteL
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 9850687
gateguard,
! *  Use a route map to define which traffic from the private

! *  network should be included in the NAT process:

 

route-map nonat permit 10

 match ip address 150

http://www.siliconvalleyccie.com/cisco-hn/vpn-cisco.htm
PL
0
 
LVL 7

Accepted Solution

by:
Robing66066 earned 300 total points
ID: 9852664
That looks like a line in a VPN router config.  If so, there should be a corresponding line that says something like '
ip nat inside source route-map nonat interface Ethernet0 overload '

Basically, it differentiates VPN 'interesting traffic' from traffic bound for the Internet. As Pete shows, it should be followed by a match ip address line that you can line up with an access list line (such as 'access-list 150 permit ip 10.10.130.0 0.0.0.255 10.10.0.0 0.0.255.255').  Whatever is in the access list is enacted on the traffic heading to the Internet.

So, if you had this in your config:

ip nat inside source route-map nonat interface Ethernet0 overload
route-map nonat permit 10
   match ip address 150

access-list 150 deny   ip 10.10.130.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 150 permit ip 10.10.130.0 0.0.0.255 any

All traffic from 10.10.130.0 destined for 10.10.0.0 would be denied access to the Internet.
All traffic from 10.10.130.0 destined for anywhere else would be allowed out to the Internet.  (And NATted.)

I *believe* that the 10 reference speaks to the number you used for your crypto isakmp policy, but I'm not sure.
 

0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9852667
That looks like a line in a VPN router config.  If so, there should be a corresponding line that says something like '
ip nat inside source route-map nonat interface Ethernet0 overload '

Basically, it differentiates VPN 'interesting traffic' from traffic bound for the Internet. As Pete shows, it should be followed by a match ip address line that you can line up with an access list line (such as 'access-list 150 permit ip 10.10.130.0 0.0.0.255 10.10.0.0 0.0.255.255').  Whatever is in the access list is enacted on the traffic heading to the Internet.

So, if you had this in your config:

ip nat inside source route-map nonat interface Ethernet0 overload
route-map nonat permit 10
   match ip address 150

access-list 150 deny   ip 10.10.130.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 150 permit ip 10.10.130.0 0.0.0.255 any

All traffic from 10.10.130.0 destined for 10.10.0.0 would be denied access to the Internet.
All traffic from 10.10.130.0 destined for anywhere else would be allowed out to the Internet.  (And NATted.)

I *believe* that the 10 reference speaks to the number you used for your crypto isakmp policy, but I'm not sure.
 

0

Featured Post

Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ssh setup on Cisco swith 11 65
Map local drive to folder for all rdp users 7 40
How to Create Separate Guest WiFi VLAN on Netgear R8000 19 51
QoS for Voip 7 36
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

805 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question