Re: IPSec & NAT

From: John Kaberna (jkaberna@xxxxxxxxxxxx)
Date: Sat Feb 02 2002 - 22:41:02 GMT-3


ACL 110 is used by the route-map nonat. The route-map nonat is then being
used by the NAT configuration so it knows what to NAT or not to NAT.
Basically what happens is the router sends traffic out and it wants to NAT
that traffic even if it's supposed to be encrypted with IPSec. So to fix
that problem you prevent those packets from being NAT'd. You do that by
using a route-map and having an access-list of the traffic to prevent NAT.
It's due to the order of operations on a router. Since NAT comes before
IPSec processing on a router you have to do it this way. If IPSec came
first you wouldn't have this problem.

Does that make sense? It's a little bit difficult to explain.

John Kaberna
CCIE #7146
www.netcginc.com
(415) 750-3800

Instructor for CCIE R/S and Security 5-day class www.ccbootcamp.com

----- Original Message -----
From: <RSiddappa@NECBNS.com>
To: <signal@shreve.net>; <cchurch@MAGNACOM.com>
Cc: <ccielab@groupstudy.com>
Sent: Saturday, February 02, 2002 5:28 PM
Subject: IPSec & NAT

> hi Guys,
>
> Can someone explain to me what's happening with the following 110 access-list.
>
> http://www.cisco.com/warp/customer/707/overload_private.shtml
>
>
>
> Rajeev.
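The nonat route-map pattern John describes, written out as an added example (not the config from the Cisco page Rajeev linked, nor either poster's own config). The addresses, interface names, ACL 120, the VPNSET/VPNMAP names and the peer are assumed; ACL 110 and the route-map name nonat are the ones from the thread.

```cisco
! Assumed/constructed: inside LAN 10.1.1.0/24, remote VPN LAN 10.2.2.0/24,
! outside interface Serial0, peer 192.0.2.1 (documentation address).
!
! Crypto ACL: the traffic the IPSec tunnel must carry, matched against the
! packet's ORIGINAL (pre-NAT) private addresses.
access-list 120 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! ACL 110 feeds the nonat route-map. The deny line is the same flow as the
! crypto ACL permit and must mirror it exactly: any VPN-bound packet the
! deny misses is translated, then no longer matches ACL 120, and leaves in
! the clear instead of encrypted.
access-list 110 deny   ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 110 permit ip 10.1.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 110
!
! NAT runs before IPSec for inside-to-outside traffic, so only what the
! route-map permits is translated; VPN-bound packets are left untouched.
ip nat inside source route-map nonat interface Serial0 overload
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key EXAMPLE-KEY-PLACEHOLDER address 192.0.2.1
!
crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set VPNSET
 match address 120
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 ip nat outside
 crypto map VPNMAP
```

To confirm the split is working, VPN-bound flows should be absent from `show ip nat translations` and their packet counters should increment under `show crypto ipsec sa`.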



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 13:46:14 GMT-3