Exclude subnet from NAT

benhanson asked
Last Modified: 2013-12-14
I am trying to figure out how to exclude traffic from NAT and PPP encapsulation.  I have a DSL modem that is in bridge mode, so normally I don't need any connectivity to it.  A Cisco router is acting as a PPPoE client and routing for the LAN.  Even though the DSL modem is in bridge mode, it still has an IP address.  Once I addressed the WAN interface (which is hooked up to the DSL modem), I could telnet to the DSL modem from the router.  However, I cannot telnet to it from the LAN side.  Is there a way to have traffic with a destination subnet of the WAN interface not go over the PPP link?

ip source-route
ip cef
interface FastEthernet4
 description $ETH-WAN$
 ip address
 ip flow ingress
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
interface Vlan1
 ip address
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
interface Dialer1
 description PPPOE
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 no cdp enable
 ppp authentication pap callin
 ppp chap hostname xxxxxx
 ppp chap password 7 xxxxxx
 ppp pap sent-username xxxxxx password 7 xxxxxx
ip forward-protocol nd
ip route Dialer1
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-export source Vlan1
ip flow-export version 9
ip nat inside source list 1 interface Dialer1 overload
ip access-list extended WAN_Outbound
 remark SDM_ACL Category=1
 permit ip any any
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit
access-list 23 permit
access-list 23 permit
dialer-list 1 protocol ip permit
no cdp run



Still no go.  Regular traffic is still flowing with the changes, but still can't get to the 192.168.1.x subnet from the LAN side.  Are the 2 route-map entries supposed to be identical?
Jody Lemoine, Network Architect

Whoops.  Second one should match FastEthernet4.  Good catch.


That did the trick.  Thanks for the help!
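
Added example, not part of the original thread: the accepted answer is not visible on this page, so this is a reconstruction from the replies above (two route-map entries, the second matching FastEthernet4) of how per-interface NAT is commonly set up on IOS. The route-map names are hypothetical, and ACL 1 is the asker's existing NAT ACL, whose permit entry is elided on the page.

```cisco
! Added example; route-map names NAT-DIALER1 and NAT-FA4 are hypothetical.
! The modem subnet is directly connected on FastEthernet4, so the router
! already forwards that traffic out FastEthernet4 instead of Dialer1.
! What is missing is NAT on that path, so the modem sees a source address
! it can reply to.
interface FastEthernet4
 ip nat outside
!
! Replace the single ACL-based rule with one rule per egress interface.
no ip nat inside source list 1 interface Dialer1 overload
!
! Internet-bound LAN traffic: leaves via Dialer1, translated to its address.
route-map NAT-DIALER1 permit 10
 match ip address 1
 match interface Dialer1
!
! Modem-bound LAN traffic: leaves via FastEthernet4, translated to its address.
route-map NAT-FA4 permit 10
 match ip address 1
 match interface FastEthernet4
!
ip nat inside source route-map NAT-DIALER1 interface Dialer1 overload
ip nat inside source route-map NAT-FA4 interface FastEthernet4 overload
```

After a LAN host connects to the modem, `show ip nat translations` should list an entry translated to the FastEthernet4 address. Because this makes the modem's management interface reachable from every host ACL 1 permits, the second route-map can reference a narrower ACL that permits only the administrative hosts.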
