Thanks for the help! I tried my previous test config again except with this difference...

ip access-list extended NAT_Exempt
 deny tcp any any eq www
 deny tcp any any eq 443
 deny ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
 deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
 permit ip 192.168.8.0 0.0.0.255 any

If I do a "sh ip nat translations" it looks like http traffic is being NATed correctly:

HTTP Traffic (123.123.123.123 is the VDSL ip address):
tcp 123.123.123.123:14757 192.168.8.1:14757 212.96.133.192:80 212.96.133.192:80

Non-HTTP Traffic (12.34.12.34 is the SDSL ip address (default)):
tcp 12.34.12.34:50004 192.168.8.115:50004 93.133.195.154:5938 93.133.195.154:5938

But doesn't seem to go out the correct interface. At least there is never an http connection made. :/

Cheers,
Ray

On 6. Sep 2010, at 22:35, Jan Gregor wrote:

> Hi,
>
>> access-list 110 remark ***** ACL route-map RerouteWebTraffic *****
>> access-list 110 permit tcp any any eq www
>> access-list 110 permit tcp any any eq 443
>>
>> route-map sdsl permit 10
>>  match ip address NAT_Exempt
>>
>> ip access-list extended NAT_Exempt
>>  deny ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
>>  deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
>>  permit ip 192.168.8.0 0.0.0.255 any
>
> I guess this is the problem. Try denying things allowed in acl 110 away
> from acl NAT_Exempt and see if that helps (be sure that these new denies
> are before permit in that acl).
>
> Best regards,
>
> Jan
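
Added example, not part of the original thread: a simplified Python model of top-down, first-match ACL evaluation, run against the modified NAT_Exempt list and the two flows from the translation output above. The evaluator, the tuple layout and the MISORDERED list are constructed for illustration; it models ACL matching only, not IOS route-map or NAT behaviour.

```python
import ipaddress

def ip_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

ANY = ("0.0.0.0", "255.255.255.255")   # "any" written as base + wildcard
LAN8 = ("192.168.8.0", "0.0.0.255")

# (action, protocol, source, destination, destination port or None)
# "eq www" is TCP port 80.
NAT_EXEMPT = [
    ("deny", "tcp", ANY, ANY, 80),
    ("deny", "tcp", ANY, ANY, 443),
    ("deny", "ip", LAN8, ("192.168.6.0", "0.0.0.255"), None),
    ("deny", "ip", LAN8, ("192.168.7.0", "0.0.0.255"), None),
    ("permit", "ip", LAN8, ANY, None),
]

# Constructed variant: same entries, permit moved to the top, so the
# web denies are never reached.
MISORDERED = [NAT_EXEMPT[4]] + NAT_EXEMPT[:4]

def evaluate(acl, proto, src, dst, dport):
    """Return the action of the first matching entry, else implicit deny."""
    for action, p, s, d, port in acl:
        if p != "ip" and p != proto:
            continue                      # protocol does not match this entry
        if port is not None and port != dport:
            continue                      # "eq <port>" does not match
        if ip_match(src, *s) and ip_match(dst, *d):
            return action
    return "deny"                         # implicit deny at the end of every ACL

# Flows taken from the "sh ip nat translations" output in the message.
WEB = ("tcp", "192.168.8.1", "212.96.133.192", 80)
OTHER = ("tcp", "192.168.8.115", "93.133.195.154", 5938)

if __name__ == "__main__":
    for name, acl in (("NAT_Exempt", NAT_EXEMPT), ("misordered", MISORDERED)):
        print(name, "web:", evaluate(acl, *WEB), "other:", evaluate(acl, *OTHER))
```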