Send redback-nsp mailing list submissions to
        redback-nsp@puck.nether.net

To subscribe or unsubscribe via the World Wide Web, visit
        https://puck.nether.net/mailman/listinfo/redback-nsp
or, via email, send a message with subject or body 'help' to
        redback-nsp-requ...@puck.nether.net

You can reach the person managing the list at
        redback-nsp-ow...@puck.nether.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of redback-nsp digest..."


Today's Topics:

   1. Re: NAT Exclude ACL (Rafal)


----------------------------------------------------------------------

Message: 1
Date: Thu, 10 Aug 2017 22:27:28 +0200
From: Rafal <go...@mtm-info.pl>
To: Michał Przywuski <mprzywu...@jmdi.pl>, redback-nsp@puck.nether.net
Subject: Re: [rbak-nsp] NAT Exclude ACL
Message-ID: <82505616.20170810222...@mtm-info.pl>
Content-Type: text/plain; charset=utf-8

Hello Michał,

I have it working like this:
 nat policy ip_example_nat_policy
! Default class
  ignore
  inbound-refresh udp
  icmp-notification
! Named classes
  access-group NATACL
   class NAT
    pool ip_example_nat testcontext
    timeout tcp 6000
    endpoint-independent filtering udp
    inbound-refresh udp
    icmp-notification
   class NATLESS
    ignore
    inbound-refresh udp
    icmp-notification


 policy access-list NATACL
  seq 15 permit ip 192.168.0.0 0.0.255.255 host 10.0.0.1 class NATLESS
  seq 18 permit ip 192.168.0.0 0.0.255.255 host 11.0.0.1 class NATLESS
  seq 20 permit ip 192.168.0.0 0.0.255.255 class NAT


Rafał



Thursday, August 10, 2017, 2:36:57 PM, you wrote:

> Hi, I am looking for a method to exclude some class from NAT (for example
> 10.0.0.0/8).

> I have this configuration, but Redback drops packets belonging to 10.0.0.0/8.

> Where did I make a mistake?


> CLIPS]Dareek(config-policy-nat)#show configuration
> Building configuration...

> Current configuration:
> !
> context CLIPS
> !
>   no ip domain-lookup
> !
>   nat logging-profile nat-logging-profile
>    export-version v9
>    maximum ip-packet-size 1400
>    source 10.3.37.179 port 37777
> !
> !
>   ip nat pool nat-pool-1 napt paired-mode logging
>    paired-mode subscriber over-subscription 64 port-limit 2000
>    logging-profile nat-logging-profile
>    address 185.102.191.242/32 port-block 0 to 15
> !
>   ip nat pool natpool napt multibind
> !
>   nat policy nat-policy enhanced
>    connections tcp maximum 1000
>    connections udp maximum 1000
> ! Default class
>    pool nat-pool-1 CLIPS
>    endpoint-independent filtering tcp
>    endpoint-independent filtering udp
>    inbound-refresh udp
>    icmp-notification
> ! Named classes
>    access-group NAT-ACL
>     class CLASS-IGN
>      ignore
>      inbound-refresh udp
>      icmp-notification
> !
>   nat policy natpolicy
> ! Default class
>    pool natpool clips
>    inbound-refresh udp
>    icmp-notification
> !
>   interface Biuro
> !
>   interface Radius loopback
>    ip address 185.102.191.243/32
> !
>   interface TEST
>    ip address 80.238.114.186/30
> !
>   interface To-Cisco-Pol
>    ip address 10.29.0.1/30
> !
>   interface ZEW multibind
>    ip address 185.102.191.245/30
>    dhcp server interface
> !
>   interface clips multibind
>    ip address 10.10.10.1/24
>    dhcp server interface
> !
>   interface clips-nat multibind
>    ip address 172.25.36.1/24
>    dhcp server interface
>   logging console
>   logging syslog 10.1.10.15 facility local7
> !
>   policy access-list NAT-ACL
>    seq 10 permit ip any 10.0.0.0 0.255.255.255 class CLASS-IGN
> !
>   aaa authentication administrator local
>   aaa authentication administrator maximum sessions 1
>   aaa authentication subscriber radius
> !
>   radius server 10.3.14.24 encrypted-key 29301649C0017C21
> !
>   subscriber default
>     dhcp max-addrs 5
> !
>   ip route 0.0.0.0/0 context BGP
>   ip route 10.0.0.0/8 10.29.0.2
> !
>   dhcp server policy
>     subnet 10.10.10.0/24
>       range 10.10.10.100 10.10.10.200
>       option router 10.10.10.1
>       option domain-name-server 8.8.8.8
>     subnet 172.25.36.0/24
>       range 172.25.36.100 172.25.36.200
>       option router 172.25.36.1
>       option domain-name-server 8.8.8.8
>     subnet 185.102.191.244/30
>       range 185.102.191.245 185.102.191.246
>       option router 185.102.191.245
>       option domain-name-server 8.8.8.8
> !
> !
> !
> end




-- 
Best regards,
Ozga Rafal                          mailto:go...@mtm-info.pl
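
The two policy access-lists in this thread can be checked offline before a NAT exclusion is deployed. The following is an added example, not code from either poster or from the vendor: it parses the `seq N permit ip ... class NAME` lines shown above and reports which class a packet would land in. It assumes that the lowest matching sequence number wins and that unmatched traffic falls to the policy's default class; `parse_acl`, `classify` and the sample packets are constructed for illustration.

```python
import ipaddress

# ACL lines copied from the two messages in this thread.
REPLY_ACL = """
seq 15 permit ip 192.168.0.0 0.0.255.255 host 10.0.0.1 class NATLESS
seq 18 permit ip 192.168.0.0 0.0.255.255 host 11.0.0.1 class NATLESS
seq 20 permit ip 192.168.0.0 0.0.255.255 class NAT
"""
QUESTION_ACL = "seq 10 permit ip any 10.0.0.0 0.255.255.255 class CLASS-IGN"

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tok):
    """Pop one address spec; return (base, care_mask) as integers."""
    head = tok.pop(0)
    if head == "any":
        return 0, 0
    if head == "host":
        return _ip(tok.pop(0)), 0xFFFFFFFF
    wildcard = _ip(tok.pop(0))          # wildcard bit set = "don't care"
    return _ip(head), ~wildcard & 0xFFFFFFFF

def parse_acl(text):
    """Parse 'seq N permit ip SRC [DST] class NAME' lines, ordered by seq."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "seq" or tok[2:4] != ["permit", "ip"]:
            continue                     # not a rule line this model handles
        seq, tok = int(tok[1]), tok[4:]
        src = _take_addr(tok)
        dst = (0, 0) if tok[0] == "class" else _take_addr(tok)
        if len(tok) != 2 or tok[0] != "class":
            raise ValueError(f"unsupported rule: {line!r}")
        rules.append((seq, src, dst, tok[1]))
    return sorted(rules)

def classify(rules, src, dst, default="default"):
    """Assumed semantics: lowest matching seq wins, no match -> default class."""
    s, d = _ip(src), _ip(dst)
    for _seq, (sb, sm), (db, dm), cls in rules:
        if (s & sm) == (sb & sm) and (d & dm) == (db & dm):
            return cls
    return default

if __name__ == "__main__":
    # Constructed sample packets (source, destination).
    for pkt in [("192.168.5.20", "10.0.0.1"), ("192.168.5.20", "8.8.8.8")]:
        print(pkt, classify(parse_acl(REPLY_ACL), *pkt))
```
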




End of redback-nsp Digest, Vol 109, Issue 4
*******************************************
