4 Replies Latest reply on Nov 23, 2015 11:17 AM by petersjncv

    Trying to stop nat on a particular subnet Netvanta 3430

    eriks New Member

      So here's the setup. I have a 3430 with an internet connection and a LAN connection. The LAN connection gets NATed out to the public NAT.

      Now I have added a point-to-point connection to another local network, but the subnet that is behind the access policy cannot get to the subnet on the other LAN; it looks as if all of that traffic is getting NATed.

      So my question is: how do I get that traffic to go over to the other LAN without it getting NATed?

      My local subnet is 172.16.100.0/25

      The remote subnet I'm trying to access is 10.10.10.0/24

      The Ethernet point-to-point subnet is 172.100.100.0/30

      My config:

      Summary: I can't get to the 10.10.10.0 subnet from the 172.16.100.0 subnet when the access policy "inside" is applied.


      !
      ip firewall
      no ip firewall alg ftp
      no ip firewall alg msn
      no ip firewall alg mszone
      no ip firewall alg pptp
      no ip firewall alg h323
      no ip firewall alg sip
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      no ethernet cfm
      !
      interface eth 0/1 <<<<<<<<<------INTERNET
        ip address dhcp
        ip access-policy outside
        no shutdown
      !
      !
      interface eth 0/2
        encapsulation 802.1q
        no shutdown
      !
      interface eth 0/2.1<<<<<<<<<<<<<------My Local LAN
        vlan-id 1
        ip address  172.16.100.1  255.255.255.128
        ip access-policy inside
        no shutdown
      interface eth 0/2.10<<<<<----------Point to point connection to 10.10.10.0/24 LAN
        vlan-id 10
        ip address  172.100.100.2  255.255.255.252
        no shutdown
      !
      !
      !
      interface t1 1/1
        shutdown
      !
      !
      !
      !
      !
      !
      ip access-list standard elb
        permit 207.69.0.0 0.0.255.255
      !
      ip access-list standard MATCH_ALL
        permit any
      !
      ip access-list standard remoteaccess
        permit 172.16.100.0 0.0.0.127
        permit 207.69.0.0 0.0.255.255
        deny   any
      !
      !
      ip access-list extended icmp
        permit icmp any  any  echo
      !
      ip access-list extended NAT
        permit ip 172.16.100.0 0.0.0.127  any
      !
      ip access-list extended portforward
        permit tcp any  any eq 32400
      !
      !
      !
      !
      ip policy-class inside
        allow list MATCH_ALL self
        nat source list NAT interface eth 0/1 overload
      !
      ip policy-class outside
        allow list elb
        nat destination list portforward address 172.16.100.5
      !
      !
      !
      ip route 10.10.10.0 255.255.255.0 172.100.100.1
      !

        • Re: Trying to stop nat on a particular subnet Netvanta 3430
          petersjncv Visitor

          When you have firewall enabled, you must use policies on all interfaces.  Also, your NAT list is NATing everything without matching traffic to the new PTP and other remote networks.

          You'll want to make an ACL matching the source network traffic to the destination network.

            ip access-list extended NET1toNET2
             permit ip 172.16.100.0 0.0.0.255 10.10.10.0 0.0.0.255

          Then you will want to put this in the access policy for ethernet 0/2.1

            ip policy-class inside
             allow list MATCH_ALL self
             allow list NET1toNET2
             nat source list NAT interface eth 0/1 overload

          This will match the traffic destined for that network before hitting your NAT statement.

          However, everything done in one direction must also be done in the other.  Ethernet 0/2.10 needs an access policy.  Luckily, you can cheat a little.

            ip policy-class PTP
             allow list MATCH_ALL self
             allow reverse list NET1toNET2

          (Using reverse will flip the matching criteria to a SOURCE of 10.10.10.0/24 to destination 172.16.100.0/24.)

          Then put the policy on the interface.

            interface eth 0/2.10
             ip access-policy PTP

          • Re: Trying to stop nat on a particular subnet Netvanta 3430
            eriks New Member

            I'm clearly an idiot... For one, I used the wrong point-to-point subnet (172.100.x.x, yeah, that's public); that's been updated. And two, I added the new LAN interface to the "inside" policy class as a stateless rule:

            ip policy-class inside
              allow list MATCH_ALL self
              allow list lan2 stateless   <<<<<<------
              nat source list NAT interface eth 0/1 overload

            ip access-list extended lan2
              permit ip 172.16.100.0 0.0.0.127  10.10.10.0 0.0.0.255

            That fixed it.
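
The reason both fixes work is the first-match evaluation order of a policy class: an `allow` entry that matches the inter-LAN traffic has to sit above the `nat source` entry, or the NAT entry claims it first, and the `reverse` keyword on the far-side policy swaps source and destination so one ACL serves both directions. The following Python script is an added example (not ADTRAN code and not anything either poster wrote) that simulates just that ordering rule for the policy classes in the first reply and in the final fix. It assumes the router's own addresses are the two from the posted config, uses the `lan2` ACL (with the /25 wildcard) in place of `NET1toNET2` for the PTP policy so it matches the poster's actual subnet, treats `stateless` as an ordinary allow, ignores stateful session tracking, and applies the AOS default of discarding unmatched traffic.

```python
"""First-match simulation of the NetVanta policy-class entries discussed in this
thread. Added example; not ADTRAN code. It models only the ordering rule (entries
are tried top to bottom, first match wins, unmatched traffic is discarded) plus
the 'reverse' and 'self' keywords; session state and 'stateless' are not modelled.
"""
import ipaddress

# Addresses the 3430 owns in the posted config (assumption: nothing else is 'self').
ROUTER_ADDRS = {ipaddress.ip_address(a) for a in ("172.16.100.1", "172.100.100.2")}


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an 'address wildcard' pair into an IPv4Network. Wildcard bits set to 1
    are don't-care bits, so the subnet mask is the wildcard's complement."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


# Extended ACLs as (src, src_wildcard, dst, dst_wildcard). MATCH_ALL and NAT come
# from the original post; lan2 is the ACL from the final fix.
ACLS = {
    "MATCH_ALL": [("0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")],
    "NAT": [("172.16.100.0", "0.0.0.127", "0.0.0.0", "255.255.255.255")],
    "lan2": [("172.16.100.0", "0.0.0.127", "10.10.10.0", "0.0.0.255")],
}


def acl_matches(acl, src, dst, reverse=False):
    """True if any permit entry matches. 'reverse' swaps source and destination,
    which is what 'allow reverse list' does on the far-side interface."""
    if reverse:
        src, dst = dst, src
    for s_addr, s_wc, d_addr, d_wc in acl:
        if src in wildcard_to_network(s_addr, s_wc) and dst in wildcard_to_network(d_addr, d_wc):
            return True
    return False


# Policy classes as ordered (action, acl_name, options) entries.
INSIDE_ORIGINAL = [                       # as in the original post
    ("allow", "MATCH_ALL", {"self": True}),
    ("nat", "NAT", {}),
]
INSIDE_FIXED = [                          # the working version from the last reply
    ("allow", "MATCH_ALL", {"self": True}),
    ("allow", "lan2", {}),                # 'stateless' keyword not modelled
    ("nat", "NAT", {}),
]
PTP = [                                   # far-side policy for eth 0/2.10 (first reply)
    ("allow", "MATCH_ALL", {"self": True}),
    ("allow", "lan2", {"reverse": True}),
]


def evaluate(policy, src: str, dst: str) -> str:
    """Return 'allow', 'nat' or 'discard' for the first entry that matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, acl_name, opts in policy:
        # 'self' entries only apply to traffic addressed to the router itself.
        if opts.get("self") and d not in ROUTER_ADDRS:
            continue
        if acl_matches(ACLS[acl_name], s, d, reverse=opts.get("reverse", False)):
            return action
    return "discard"


if __name__ == "__main__":
    # Constructed sample hosts: one on each LAN plus an arbitrary public address.
    for name, policy in (("inside (original)", INSIDE_ORIGINAL), ("inside (fixed)", INSIDE_FIXED)):
        print(name, "172.16.100.10 -> 10.10.10.5:", evaluate(policy, "172.16.100.10", "10.10.10.5"))
        print(name, "172.16.100.10 -> 198.51.100.7:", evaluate(policy, "172.16.100.10", "198.51.100.7"))
    print("PTP 10.10.10.5 -> 172.16.100.10:", evaluate(PTP, "10.10.10.5", "172.16.100.10"))
    print("PTP 10.10.10.5 -> 198.51.100.7:", evaluate(PTP, "10.10.10.5", "198.51.100.7"))
```

Running it shows the original `inside` class returning `nat` for LAN-to-LAN traffic and the fixed class returning `allow`, while internet-bound traffic is still NATed in both; the PTP class admits only the reverse of the inter-LAN flow and discards anything else, which is the property that keeps the far-side interface from becoming an open path once the firewall requires a policy there.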