John,
I have never had great faith in that page.  Taken literally, since
outside to inside packets are NAT'd before routing, it means that if you
have more than one outside interface, then a packet bound from one to
another will get translated twice.  If there was not an existing
suitable mapping then that would then imply that the inbound packet
would be dropped.  Now I haven't tried this, so I don't know whether it
happens or not, but if it were the case, I'm sure somebody would have
complained by now.  If it doesn't happen then the page does not
correctly describe the operation.
The flip side of that situation is that with a twice-NAT configuration a
packet bound inside-outside is routed before the router knows the actual
(translated) destination address.  How can that be?
I haven't done that much with NAT since 11.2, but I have seen twice-NAT
configurations where a ping has gone through and been replied to OK but
when a debug was running, five translations occurred instead of four; I
can't remember what the extra one was.  I have also seen a case where an
inbound access list was inspected both before and after translation.
Now I understand that the NAT code has been rewritten since then but my
early experience with Cisco NAT has left me somewhat sceptical.
Marc


John Neiberger wrote:
> 
> Someone just posted something on the CCIE list and while researching the
> answer I found this page:
> 
> http://www.cisco.com/warp/public/556/5.html
> 
> After looking at that page, it appears to me that it's safe to say the
> if you're in an environment that uses both NAT and Policy-Based Routing,
> the IP addresses you use in the policy maps are _always_ local
> addresses, either inside local or outside local.  Is that correct?  It
> seems that it would never be the case where you'd use an outside local
> or outside global address within a route map.
> 
> Is that a true statement?
> 
> Thanks,
> John
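An added example (not from this thread and not Cisco code) that models the order of operations John's question turns on: for inside-to-outside traffic the router evaluates policy routing before NAT, and for outside-to-inside traffic it translates first and policy-routes afterwards, so a route-map only ever sees inside local or outside local addresses. The router model, the route-maps and the addresses (documentation ranges) are all constructed for the illustration; the two translation pairs mimic one `ip nat inside source static` and one `ip nat outside source static` entry.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class NatPbrRouter:
    """Toy model of the documented IOS NAT order of operations (assumption:
    only static translations, only the PBR and NAT steps are modelled)."""

    def __init__(self, inside_source, outside_source):
        # ip nat inside source static <inside local> <inside global>
        self.in_l2g = dict(inside_source)
        self.in_g2l = {g: l for l, g in inside_source.items()}
        # ip nat outside source static <outside global> <outside local>
        self.out_g2l = dict(outside_source)
        self.out_l2g = {l: g for g, l in outside_source.items()}
        self.seen_by_pbr = []  # packets exactly as the route-map saw them

    @staticmethod
    def _match(route_map, pkt):
        # route_map entries: (prefix, next_hop); match on source or destination
        for prefix, next_hop in route_map:
            net = ipaddress.ip_network(prefix)
            if any(ipaddress.ip_address(a) in net for a in (pkt.src, pkt.dst)):
                return next_hop
        return None

    def _policy_route(self, pkt, route_map):
        self.seen_by_pbr.append(pkt)
        return self._match(route_map, pkt)

    def inside_to_outside(self, pkt, route_map):
        # Inside -> outside: PBR/routing first (untranslated, local addresses),
        # then inside local -> inside global and outside local -> outside global.
        next_hop = self._policy_route(pkt, route_map)
        on_wire = Packet(self.in_l2g.get(pkt.src, pkt.src),
                         self.out_l2g.get(pkt.dst, pkt.dst))
        return next_hop, on_wire

    def outside_to_inside(self, pkt, route_map):
        # Outside -> inside: translate first (global -> local), then PBR/routing
        # runs on the translated packet, so it sees local addresses again.
        translated = Packet(self.out_g2l.get(pkt.src, pkt.src),
                            self.in_g2l.get(pkt.dst, pkt.dst))
        next_hop = self._policy_route(translated, route_map)
        return next_hop, translated


# Constructed topology: 10.1.1.5 is inside local, 203.0.113.5 its inside global;
# 198.51.100.9 is an outside host seen from inside as outside local 172.16.9.9.
INSIDE_SOURCE = {"10.1.1.5": "203.0.113.5"}
OUTSIDE_SOURCE = {"198.51.100.9": "172.16.9.9"}

# A route-map written against the local address, and one (wrongly) written
# against the inside global address.
ROUTE_MAP_LOCAL = [("10.1.1.0/24", "192.0.2.1")]
ROUTE_MAP_GLOBAL = [("203.0.113.0/24", "192.0.2.1")]


def run(route_map):
    """Push one packet each way and report what PBR matched and what it saw."""
    r = NatPbrRouter(INSIDE_SOURCE, OUTSIDE_SOURCE)
    out_hop, on_wire = r.inside_to_outside(Packet("10.1.1.5", "172.16.9.9"), route_map)
    in_hop, delivered = r.outside_to_inside(Packet("198.51.100.9", "203.0.113.5"), route_map)
    return {
        "inside_to_outside": {"next_hop": out_hop, "on_wire": on_wire},
        "outside_to_inside": {"next_hop": in_hop, "delivered": delivered},
        "seen_by_pbr": list(r.seen_by_pbr),
    }


if __name__ == "__main__":
    for name, rm in (("local", ROUTE_MAP_LOCAL), ("global", ROUTE_MAP_GLOBAL)):
        res = run(rm)
        print(name, "route-map matched:",
              res["inside_to_outside"]["next_hop"], res["outside_to_inside"]["next_hop"])
        print("  PBR saw:", res["seen_by_pbr"])
```

In this model the route-map keyed on 10.1.1.0/24 matches in both directions, and in both directions the addresses PBR sees are 10.1.1.5 and 172.16.9.9 (inside local and outside local); the route-map keyed on the inside global 203.0.113.0/24 never matches. That is the behaviour the Cisco order-of-operations page implies; whether a real box does exactly this on a given IOS release is the question Marc raises above, and only a debug on the router answers it.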




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38918&t=38021