x*********n Posts: 28013 | 1
ip access-list extended NO_NAT
deny ip 10.80.96.0 0.0.0.255 10.11.12.0 0.0.0.255
deny ip 10.80.96.0 0.0.0.255 172.31.46.0 0.0.0.255
permit ip 10.80.96.0 0.0.0.255 any
So this means these IPs are not NATed, and everything else is NATed?
This is used on a site-to-site VPN: because both sides are private IPs, NAT has to be disabled for it to work properly?

s*****g Posts: 1055 | 2
This access-list is typically referenced by your IOS router's policy NAT/PAT configuration: when a packet comes to the NAT inside interface, if it is destined to an internal address, then don't apply the NAT/PAT rule and route it to the VPN; for other traffic, NAT/PAT it and send it to the Internet. If the site does not need Internet access or Internet access is via a central off site, then you don't need any NAT or no-NAT configuration.
In order to be politically correct, there are situations where you will NAT/PAT traffic even if it is internal traffic protected by IPsec VPN; one scenario is that you only allow connections initiated from one IPsec end point.
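Added example, not part of either post: a small Python model of how the NO_NAT list is evaluated when it is used as the source list of a NAT/PAT rule (first match wins, deny means leave untranslated, permit means translate). The three ACL entries are copied from the thread; the function names and the test addresses are constructed for illustration, and the NAT statement that references the list is assumed since it is not shown on the page.

```python
import ipaddress

# ACL entries copied from the first post; everything else is illustrative.
NO_NAT = """\
deny ip 10.80.96.0 0.0.0.255 10.11.12.0 0.0.0.255
deny ip 10.80.96.0 0.0.0.255 172.31.46.0 0.0.0.255
permit ip 10.80.96.0 0.0.0.255 any
"""

def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' lines into (action, src_spec, dst_spec) tuples."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        action, proto = tokens.pop(0), tokens.pop(0)
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        entries.append((action, _take_addr(tokens), _take_addr(tokens)))
    return entries

def _matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # a wildcard bit of 1 means "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def nat_decision(entries, src, dst):
    """Return 'translate' or 'no-nat' for a packet, using first-match semantics."""
    for action, s, d in entries:
        if _matches(src, s) and _matches(dst, d):
            return "translate" if action == "permit" else "no-nat"
    return "no-nat"  # implicit deny at the end of every ACL

ACL = parse_acl(NO_NAT)

if __name__ == "__main__":
    # Constructed sample flows: two VPN destinations, one Internet, one foreign source.
    for src, dst in [("10.80.96.5", "10.11.12.9"), ("10.80.96.5", "172.31.46.200"),
                     ("10.80.96.5", "203.0.113.10"), ("10.80.97.5", "203.0.113.10")]:
        print(f"{src} -> {dst}: {nat_decision(ACL, src, dst)}")
```

Note the last sample flow: a source outside 10.80.96.0/24 hits the implicit deny, so it is not translated either, which matters if other inside subnets are expected to reach the Internet through the same rule.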