eriks (New Contributor)

Trying to stop nat on a particular subnet Netvanta 3430

So here's the setup. I have a 3430 with an internet connection and a LAN connection. The LAN connection gets NATted out to the public NAT.

Now I have added a point-to-point connection to another local network, but the subnet that is behind the access policy cannot get to the subnet on the other LAN; it looks as if all of that traffic is getting NATted.

So my question is, how do I get that traffic to go over to the other LAN without it getting NATted?

My local subnet is 172.16.100.0/25

The remote subnet I'm trying to access is 10.10.10.0/24

The Ethernet point-to-point subnet is 172.100.100.0/30

Summary: I can't get to the 10.10.10.0 subnet from the 172.16.100.0 subnet when the access policy "inside" is applied.

My config:

!
ip firewall
no ip firewall alg ftp
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg pptp
no ip firewall alg h323
no ip firewall alg sip
!
no ethernet cfm
!
! <-- INTERNET
interface eth 0/1
  ip address dhcp
  ip access-policy outside
  no shutdown
!
interface eth 0/2
  encapsulation 802.1q
  no shutdown
!
! <-- My local LAN
interface eth 0/2.1
  vlan-id 1
  ip address  172.16.100.1  255.255.255.128
  ip access-policy inside
  no shutdown
!
! <-- Point-to-point connection to the 10.10.10.0/24 LAN
interface eth 0/2.10
  vlan-id 10
  ip address  172.100.100.2  255.255.255.252
  no shutdown
!
interface t1 1/1
  shutdown
!
ip access-list standard elb
  permit 207.69.0.0 0.0.255.255
!
ip access-list standard MATCH_ALL
  permit any
!
ip access-list standard remoteaccess
  permit 172.16.100.0 0.0.0.127
  permit 207.69.0.0 0.0.255.255
  deny   any
!
ip access-list extended icmp
  permit icmp any  any  echo
!
ip access-list extended NAT
  permit ip 172.16.100.0 0.0.0.127  any
!
ip access-list extended portforward
  permit tcp any  any eq 32400
!
ip policy-class inside
  allow list MATCH_ALL self
  nat source list NAT interface eth 0/1 overload
!
ip policy-class outside
  allow list elb
  nat destination list portforward address 172.16.100.5
!
ip route 10.10.10.0 255.255.255.0 172.100.100.1
!

Accepted Solution

petersjncv (Contributor)

Re: Trying to stop nat on a particular subnet Netvanta 3430
When you have the firewall enabled, you must use policies on all interfaces. Also, your NAT list is NATting everything without matching traffic to the new PTP and other remote networks.

You'll want to make an ACL matching the source network traffic to the destination network.

  ! extended, because the entry matches on both a source and a destination
  ! (your LAN is a /25, so 0.0.0.127 is the tighter wildcard for the source)
  ip access-list extended NET1toNET2
    permit ip 172.16.100.0 0.0.0.255 10.10.10.0 0.0.0.255

Then you will want to put this in the access policy for Ethernet 0/2.1:

  ip policy-class inside
    allow list MATCH_ALL self
    allow list NET1toNET2
    nat source list NAT interface eth 0/1 overload

This will match the traffic destined for that network before hitting your NAT statement.

However, everything done in one direction must also be done in the other. Ethernet 0/2.10 needs an access policy. Luckily, you can cheat a little.

  ip policy-class PTP
    allow list MATCH_ALL self
    allow reverse list NET1toNET2

(Using reverse flips the matching criteria to a source of 10.10.10.0/24 and a destination of 172.16.100.0/24.)

Then put the policy on the interface.

  interface eth 0/2.10
    ip access-policy PTP

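The first-match logic the accepted answer relies on, as an added example that is not part of the original thread or of ADTRAN's software: a small Python model of AOS-style wildcard ACLs and policy-class entries. The model assumes what the answer describes, namely that the first policy entry whose ACL matches wins, that a `self` entry only matches packets addressed to one of the router's own interfaces, and that `allow reverse` swaps source and destination before the ACL is consulted; none of that is taken from ADTRAN documentation. It evaluates sample packets against the original `inside` policy, the corrected one, and the new `PTP` policy, and also flags the non-RFC 1918 point-to-point subnet the asker corrects later in the thread. The names `evaluate`, `walkthrough`, `ROUTER_SELF` and `non_rfc1918` are the example's own.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the thread's configuration (example code, not AOS itself).
# Assumptions: the first policy-class entry whose ACL matches wins; 'self' entries
# only match packets addressed to one of the router's own interfaces; 'reverse'
# swaps source and destination before the ACL is consulted.
ROUTER_SELF = {"172.16.100.1", "172.100.100.2"}   # interface addresses from the posted config
ANY = ("0.0.0.0", "255.255.255.255")               # 'any' expressed as network + wildcard


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    src: str
    src_wc: str      # inverted (wildcard) mask, Cisco/AOS style
    dst: str
    dst_wc: str


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Bits set in the wildcard are 'don't care'; the remaining bits must equal the network."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(entries, src: str, dst: str, reverse: bool = False) -> bool:
    """First matching entry decides; an ACL with no match denies (implicit deny)."""
    if reverse:                      # 'allow reverse list': test the packet as if it flowed the other way
        src, dst = dst, src
    for e in entries:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action == "permit"
    return False


def evaluate(policy, acls, src: str, dst: str) -> str:
    """Return 'allow', 'nat' or 'drop' for a packet entering an interface that carries this policy."""
    for kind, acl_name, opts in policy:
        if opts.get("self") and dst not in ROUTER_SELF:
            continue                 # 'self' entries only cover traffic to the router itself
        if acl_permits(acls[acl_name], src, dst, reverse=opts.get("reverse", False)):
            return kind
    return "drop"                    # nothing matched: the firewall discards the packet


def non_rfc1918(networks):
    """Internal networks that are actually public space (172.16/12 ends at 172.31.255.255)."""
    return [n for n in networks if not ipaddress.ip_network(n, strict=False).is_private]


# ACLs transcribed from the thread (NET1toNET2 uses the asker's /25 source wildcard).
ACLS = {
    "MATCH_ALL":  [AclEntry("permit", *ANY, *ANY)],
    "NAT":        [AclEntry("permit", "172.16.100.0", "0.0.0.127", *ANY)],
    "NET1toNET2": [AclEntry("permit", "172.16.100.0", "0.0.0.127", "10.10.10.0", "0.0.0.255")],
}
# Policy-class entries as (kind, acl, options), in configured order.
INSIDE_BEFORE = [("allow", "MATCH_ALL", {"self": True}),
                 ("nat",   "NAT",       {})]
INSIDE_AFTER  = [("allow", "MATCH_ALL",  {"self": True}),
                 ("allow", "NET1toNET2", {}),            # must sit above the nat entry
                 ("nat",   "NAT",        {})]
PTP           = [("allow", "MATCH_ALL",  {"self": True}),
                 ("allow", "NET1toNET2", {"reverse": True})]


def walkthrough():
    """Sample packets (constructed): LAN host -> remote LAN, LAN host -> internet, remote LAN -> LAN."""
    return {
        "lan->remote, before fix":  evaluate(INSIDE_BEFORE, ACLS, "172.16.100.20", "10.10.10.5"),
        "lan->remote, after fix":   evaluate(INSIDE_AFTER,  ACLS, "172.16.100.20", "10.10.10.5"),
        "lan->internet, after fix": evaluate(INSIDE_AFTER,  ACLS, "172.16.100.20", "203.0.113.9"),
        "remote->lan on PTP":       evaluate(PTP, ACLS, "10.10.10.5", "172.16.100.20"),
        "remote->internet on PTP":  evaluate(PTP, ACLS, "10.10.10.5", "203.0.113.9"),
    }


if __name__ == "__main__":
    for case, verdict in walkthrough().items():
        print(f"{case:28s} {verdict}")
    print("not RFC 1918:", non_rfc1918(["172.16.100.0/25", "10.10.10.0/24", "172.100.100.0/30"]))
```

Running it shows the before/after difference in one place: with the original `inside` policy the LAN-to-remote packet falls through to the `nat` entry, with the `allow list NET1toNET2` entry above it the same packet is allowed un-NATted while internet-bound traffic still hits NAT, and the `PTP` policy admits the return direction only because `reverse` swaps the addresses before matching. Remote traffic aimed anywhere other than the LAN is dropped on the PTP interface, which is the implicit deny the answer is relying on when it says every interface needs a policy.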
eriks (New Contributor)

Re: Trying to stop nat on a particular subnet Netvanta 3430

I'm clearly an idiot. For one, I used the wrong point-to-point subnet (172.100.x.x, yeah, that's public); that's been updated. And two, I added the new LAN interface to the "inside" policy class as a stateless rule:

  ip access-list extended lan2
    permit ip 172.16.100.0 0.0.0.127  10.10.10.0 0.0.0.255

  ip policy-class inside
    allow list MATCH_ALL self
    ! <-- new entry for the second LAN
    allow list lan2 stateless
    nat source list NAT interface eth 0/1 overload

That fixed it.

eriks (New Contributor)

Re: Trying to stop nat on a particular subnet Netvanta 3430

Your method took into account the traffic coming back from the other LAN, compared to my partial result. Thank you very much, sir, that did the trick!!

petersjncv (Contributor)

Re: Trying to stop nat on a particular subnet Netvanta 3430

Yeah, using a stateless list is best between local networks.