Task 13.21 - Don't you need a second static route??

If the SG is correct about the inside being routed first before being translated and therefore the static route is needed, what about outside coming in? Don't you need a static route for that as well? Or is the order of operations translate then route for incoming traffic?

Comments

  • Never mind, I found the answer:

    NAT Overview

    In the table below, when NAT performs the global to local, or local to global, translation is different in each flow.


    Inside-to-Outside

    • If IPSec then check input access list
    • decryption - for CET (Cisco Encryption Technology) or IPSec
    • check input access list
    • check input rate limits
    • input accounting
    • policy routing
    • routing
    • redirect to web cache
    • NAT inside to outside (local to global translation)
    • crypto (check map and mark for encryption)
    • check output access list
    • inspect (Context-based Access Control (CBAC))
    • TCP intercept
    • encryption
    • Queueing

    Outside-to-Inside

    • If IPSec then check input access list
    • decryption - for CET or IPSec
    • check input access list
    • check input rate limits
    • input accounting
    • NAT outside to inside (global to local translation)
    • policy routing
    • routing
    • redirect to web cache
    • crypto (check map and mark for encryption)
    • check output access list
    • inspect CBAC
    • TCP intercept
    • encryption
    • Queueing

    See reference:

    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
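
Added example, not part of the original thread or of Cisco's document: a small Python model of the two orderings listed above, showing why only the inside-to-outside direction needs a route for the outside local address. The two /24 links, the interface names, and modelling the route as an egress interface are assumptions; the NAT pair is the one from the `ip nat outside source static 155.1.58.8 155.1.45.8` line quoted in this thread.

```python
import ipaddress

# Constructed topology (assumption): inside link 155.1.45.0/24, outside link 155.1.58.0/24.
CONNECTED = {"155.1.45.0/24": "inside", "155.1.58.0/24": "outside"}
# From the thread: ip nat outside source static 155.1.58.8 155.1.45.8
OUTSIDE_GLOBAL, OUTSIDE_LOCAL = "155.1.58.8", "155.1.45.8"


def lookup(routes, dst):
    """Longest-prefix match; returns the egress interface name or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), ifc) for p, ifc in routes.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def inside_to_outside(routes, src, dst):
    """Routing runs first, on the untranslated (outside local) destination."""
    egress = lookup(routes, dst)
    if egress != "outside":
        return egress, src, dst      # packet never crosses to outside: no NAT
    if dst == OUTSIDE_LOCAL:
        dst = OUTSIDE_GLOBAL         # local-to-global translation, after routing
    return egress, src, dst


def outside_to_inside(routes, src, dst):
    """NAT runs first, so routing sees the already translated packet."""
    if src == OUTSIDE_GLOBAL:
        src = OUTSIDE_LOCAL          # global-to-local translation, before routing
    return lookup(routes, dst), src, dst


def with_host_route(routes):
    """Models the static route (or add-route): a /32 for the outside local address."""
    return {**routes, OUTSIDE_LOCAL + "/32": "outside"}


if __name__ == "__main__":
    # Without the host route, 155.1.45.8 matches the connected inside /24.
    print(inside_to_outside(CONNECTED, "155.1.45.4", "155.1.45.8"))
    # With it, the packet is routed to the outside interface and then translated.
    print(inside_to_outside(with_host_route(CONNECTED), "155.1.45.4", "155.1.45.8"))
    # Return direction: translated before routing, connected routes are enough.
    print(outside_to_inside(CONNECTED, "155.1.58.8", "155.1.45.4"))
```
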

  •  Nice findings for other candidates' reference!

    Thanks!

  • I can ping 155.1.58.4 from SW2, but can't telnet.

    I can't ping nor telnet from R4 to 155.1.45.8

  • Ah, I had interface vlan58 on SW2 as 155.1.58.1 via DHCP... that's why. Hooray for NAT! (Can we -please- move to IPv6 already?!)

  • Great link! A must-have in your Study, Bookmarks tab.

    Another overlooked option is the add-route keyword. It essentially does the same thing as adding a static route.

    ip nat outside source static 155.1.58.8 155.1.45.8 add-route

  • ip nat outside source static 155.1.45.4 155.1.58.4 add-route



    Tox!