
Fastethernet Interface - Which process handles packets first? 2


Jimtron26 (Programmer), Nov 8, 2004
Hi all,

Quick question...

I have the following configured on a FastEthernet Interface:

interface FastEthernet0/0
description LAN Port
ip address 192.168.42.1 255.255.255.0
no ip unreachables
ip nat inside
ip inspect standard in
ip route-cache flow
ip policy route-map NO_NAT
speed auto
full-duplex

If a packet from the 192.168.42.0 network is received for a non-local subnet, e.g. destination 192.168.50.114, which process handles the packet first? The NAT process (ip nat inside) or the Route-Map (ip policy route-map NO_NAT)?

Thanks in advance

Jim Westhead CCNA
 
Thanks for your response Dan, most appreciated...

The programming on my router does not make sense if this is the case....

The Route Map and ACLs are as follows:

route-map NO_NAT permit 20
match ip address 141 142
set ip next-hop 192.168.51.2

access-list 141 remark NONAT_MAP_ACL
access-list 141 permit ip 192.168.42.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 141 permit ip 192.168.51.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 141 permit ip 192.168.60.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 141 permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 141 permit ip 192.168.201.0 0.0.0.255 192.168.201.0 0.0.0.255

access-list 142 remark NONAT_MAP_ACL
access-list 142 permit ip 192.168.42.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 142 permit ip 192.168.51.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 142 permit ip 192.168.60.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 142 permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 142 permit ip 192.168.201.0 0.0.0.255 192.168.50.0 0.0.0.255

The set ip next-hop statement then sends matching traffic to a Loopback interface (the traffic is split for VPN so that anything destined for a remote IP VPN subnet 192.168.50.0/24 is not NATed)

I thought there was an implicit deny all at the end of every Route Map the same as an ACL... if this is the case, there are no matching statements for Internet traffic in the ACLs and surely Internet bound traffic should be dropped instead of being passed to the NAT process?

We can connect to the Internet without any problems at all!

Perhaps you can clarify for me?

Thanks in advance

Jim CCNA
 
I think there is an implicit accept at the end of every route map, and traffic would then be passed to the global routing table, so if you have a default route it would route out that interface and be subject to any NATing that may be on that interface.

If you want Internet traffic to be dropped, then create another entry in your route-map to look something like this:

route-map NO_NAT permit 30
match ip address 143 <--- some other access-list
set interface null0 <-- black hole

Your other access-list could be a permit any any if you have all your traffic properly filtered in the previous route-map statement. It would act like a catchall and simply dump it.
 
Actually, there is an implicit deny at the end of every match statement.

Nevertheless, I believe what you have said is correct advice; if it doesn't match the traffic, it is forwarded normally. If it is denied, it is forwarded normally. It is only if a match is made that the route map will affect the destination.
 
Thanks Dan,

That explanation seems to make sense. The CCNP curriculum and Cisco's website advise there is an implicit Deny All at the end of the Route Map; however, if this was the case then none of our traffic would reach the Internet which, as mentioned, works fine!

Thank you both for your time and replies

Kind regards,

Jim
 
You are thinking of access lists. This is a route map. There is an implicit deny at the end of route maps because if there was an implicit allow, we would select all traffic. That's not a good thing. Imagine you are using a route map to redistribute. You would define the routes to match, but then the match all would mark ALL traffic. That would be bad.

The match in a route map does not define what is dropped or forwarded, it defines what traffic the route map should look at and do something with. Traffic that is denied in the route map is NOT dropped as in an access list. Traffic that is denied is simply not handled by the route map - it is in no way modified. In this case, it is routed normally.
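Dan's distinction above, as an added Python model that is not from this thread or from Cisco: the thread's access-lists 141/142 and route-map NO_NAT evaluated with access-list semantics (first match wins, implicit deny) against route-map semantics (a deny clause or no match at all hands the packet to normal routing rather than dropping it). It assumes Cisco's inside-to-outside order of operations, where policy routing runs before NAT, and the host addresses used are constructed.

```python
import ipaddress

def wc(net, wildcard):
    """Convert an IOS 'network wildcard' pair to an ip_network (wildcard bits inverted to a mask)."""
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)

LAN = "0.0.0.255"
SITES = ("192.168.42.0", "192.168.51.0", "192.168.60.0", "192.168.50.0", "192.168.201.0")
# Access-lists 141 and 142 as posted (remark lines omitted); each entry is (action, src, dst).
ACLS = {
    141: [("permit", wc(n, LAN), wc(n, LAN)) for n in SITES],
    142: [("permit", wc(n, LAN), wc("192.168.50.0", LAN)) for n in SITES],
}
# route-map NO_NAT: (sequence, action, ACLs OR'd in the match clause, set clause)
NO_NAT = [(20, "permit", [141, 142], {"next_hop": "192.168.51.2"})]

def acl_permits(acl, src, dst):
    """Access-list semantics: the first matching entry decides; implicit deny when nothing matches."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False

def policy_route(route_map, src, dst):
    """Route-map (PBR) semantics: the first clause whose match succeeds decides.
    A 'permit' clause applies its set actions. A 'deny' clause, or no match at all,
    does NOT drop the packet; it is handed to normal destination-based routing."""
    for _seq, action, acl_ids, set_clause in route_map:
        if any(acl_permits(ACLS[i], src, dst) for i in acl_ids):
            return set_clause if action == "permit" else None
    return None

def forward(src_ip, dst_ip):
    """Decision for a packet entering Fa0/0: PBR runs before inside-to-outside NAT,
    so only traffic that falls through to normal routing is translated."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    decision = policy_route(NO_NAT, src, dst)
    if decision:
        return {"path": "pbr", "next_hop": decision["next_hop"], "nat": False}
    return {"path": "normal-route", "next_hop": None, "nat": True}

if __name__ == "__main__":
    # 203.0.113.5 is a documentation address standing in for an Internet host (constructed).
    for s, d in (("192.168.42.10", "192.168.50.114"), ("192.168.42.10", "203.0.113.5")):
        print(s, "->", d, forward(s, d))
```

Traffic for the VPN subnet is steered to 192.168.51.2 untranslated, while Internet-bound traffic matches nothing in the route map and is routed and NATed normally, which is exactly why Jim's Internet access still works.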
 
Thanks Dan!!

Extremely well explained

Thank you
 
Yep, nice one Dan..
That's what I was thinking above, but worded it wrong and didn't explain it :)

It is important to understand the difference between the route map deny and the access-list deny for sure, as they are very different.
 
Why are you thanking me? Plshlpme was the one who gave the correct solution. Nevertheless, I do appreciate the star and the compliment of plshlpme who is very well known on this forum. Though, his handle is most peculiar as I've never actually seen him ask a question - always he is giving answers. ;-)
 
Well ok, thank you both!

Star each eh?

Kind regards

Jim
 