Teneo !!!

Aaron’s blog on Networking, and Enterprise Technology

Cisco IOS – Order of Operations

So, for the first time, I had to NAT an IPsec tunnel for a vendor because of overlapping networks.  I know the fundamentals, but had never actually done it.

First, define the VPN traffic…. check

Next, define the NAT traffic…. check

Map the traffic to the crypto map…. check

Create the access-list to filter the VPN traffic….. no check…. ummm…. okay, so here is where I needed some help.  Does the ACL get hit first, and THEN NAT?  If so, I’ll need to use the NAT address in the ACL.  But what if NAT gets hit first?  Then I’ll have to use my private address in the ACL.

What to do?  Well, visit the IRC channel #cisco, that’s what.  They sent me to an incredible post which details the order of operations for both ingress and egress traffic in Cisco IOS.  The short version, for the question above: an inbound interface ACL is evaluated before outside-to-inside NAT, and the crypto map is evaluated after inside-to-outside NAT, so both the interface ACL and the crypto ACL have to match the translated (NAT) addresses, not the private ones.

Very handy!  ….. <Aaron is printing>….
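To make the four steps above concrete, here is an added example configuration (constructed for this page, not the original post’s config). All names, addresses and interface numbers are assumptions: the inside LAN 192.168.1.0/24 overlaps with another customer of the vendor, so it is presented to the vendor as 10.99.1.0/24; the vendor network is 172.16.50.0/24; the router’s outside address is 203.0.113.2 with upstream gateway 203.0.113.1 and the vendor peer is 203.0.113.10. It assumes an IOS 15.x release with SHA-256 and DH group 14 support. The comments mark where the order of operations decides which address an ACL has to match.

```cisco
! Constructed example, not the original post's configuration. Assumed addresses:
!   Inside LAN (overlaps with another vendor customer): 192.168.1.0/24
!   Subnet presented to the vendor after NAT:            10.99.1.0/24
!   Vendor network reached over the tunnel:              172.16.50.0/24
!   Our outside address / upstream / vendor peer:        203.0.113.2 / .1 / .10
!
! Routing runs before NAT and before the crypto check, so the vendor prefix
! must be routable out of the interface that carries the crypto map.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! 1. Define the VPN traffic for NAT: only packets bound for the vendor are
!    translated 1:1 into 10.99.1.0/24 (match-host keeps the host octet).
ip access-list extended VPN-NAT-ACL
 permit ip 192.168.1.0 0.0.0.255 172.16.50.0 0.0.0.255
route-map VPN-NAT permit 10
 match ip address VPN-NAT-ACL
ip nat pool VPN-POOL 10.99.1.1 10.99.1.254 netmask 255.255.255.0 type match-host
ip nat inside source route-map VPN-NAT pool VPN-POOL
!
! 2. Everything else is PAT'd to the outside interface; the explicit deny keeps
!    vendor-bound traffic out of this rule so it cannot claim the flow first.
ip access-list extended INTERNET-NAT-ACL
 deny   ip 192.168.1.0 0.0.0.255 172.16.50.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
route-map INTERNET-NAT permit 10
 match ip address INTERNET-NAT-ACL
ip nat inside source route-map INTERNET-NAT interface GigabitEthernet0/0 overload
!
! 3. Crypto ACL: evaluated AFTER inside-to-outside NAT, so it must match the
!    translated source 10.99.1.0/24. Written against 192.168.1.0/24 it would
!    never match, and the packets would be routed out in cleartext.
ip access-list extended VPN-CRYPTO-ACL
 permit ip 10.99.1.0 0.0.0.255 172.16.50.0 0.0.0.255
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-A-LONG-RANDOM-PSK address 203.0.113.10
crypto ipsec transform-set VENDOR-TS esp-aes 256 esp-sha256-hmac
crypto map VENDOR-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set VENDOR-TS
 match address VPN-CRYPTO-ACL
!
! 4. Inbound ACL on the outside interface: checked BEFORE outside-to-inside NAT
!    (and, on releases that re-check decrypted packets, again right after
!    decryption), so the decrypted vendor traffic is matched against our
!    translated 10.99.1.0/24, not the private subnet.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.10 host 203.0.113.2 eq isakmp
 permit udp host 203.0.113.10 host 203.0.113.2 eq non500-isakmp
 permit esp host 203.0.113.10 host 203.0.113.2
 permit ip 172.16.50.0 0.0.0.255 10.99.1.0 0.0.0.255
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Outside / vendor peer
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip nat outside
 crypto map VENDOR-MAP
!
interface GigabitEthernet0/1
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
```

Two checks worth doing after applying something like this. `show ip nat translations` should show 192.168.1.x mapped to 10.99.1.x for vendor-bound flows only, and `show crypto ipsec sa` should show the encaps and decaps counters both rising for the 10.99.1.0/24 to 172.16.50.0/24 pair; if only the NAT table fills but the encaps counter stays at zero, the crypto ACL is matching the wrong (pre-NAT) address and the translated traffic is leaving unencrypted via the default route. The vendor’s side has to mirror this: their crypto ACL and their routing must point 10.99.1.0/24 into the tunnel, since they never see 192.168.1.0/24. Note also that `OUTSIDE-IN` only admits the tunnel; return traffic for the PAT’d Internet sessions would need CBAC or zone-based inspection on top of it, which is outside the scope of this example.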


4 responses to “Cisco IOS – Order of Operations”

  1. Karsten January 15, 2008 at 7:20 am

    A search for “order of operation” on cisco.com would have given you the following as the first hit:
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

    Even easier than going to an irc-channel … 🙂

    BTW: In situations like these I always ask the customer if they prefer the small but ongoing pain (double-nat) or a short time of high pain (readdressing). 🙂

  2. seanwalberg January 15, 2008 at 7:48 am

    I have this as a poster, no idea where I picked it up from though: http://ertw.com/~sean/routingprocess.pdf

    Sean

  3. Aaron Paxson January 15, 2008 at 8:51 am

    Hi Karsten! Thanks for the post! I appreciate the link! I agree, that Google is man’s best searching tool. And I probably would have eventually found that link.

    However, I didn’t exactly know what I was looking for. When I was building my ACL, the phrase, “order of operations” did not come to mind. I probably should have, as I was banging my head AFTER I was told that. 🙂

    And actually, the only reason why I had to do this, was that my vendor was supporting another customer with the same subnet via IPSec. So, I had to NAT my network for them. Of course.. they are supporting me… so maybe they should have built the NAT… HEY!!! WHAT A RIP-OFF!!!

  4. Aaron Paxson January 15, 2008 at 9:03 am

    Hi Sean! It’s been a while since I’ve seen you around. Sorry I haven’t been keeping up on your blog lately. It used to be one of my most frequent reads, until my projects started piling up.

    That Poster is the coolest thing! I’m like a small child when it comes to things like that. I love pictures describing a process, and there needs to be lots of color! Probably why I love my Protocol Poster so much 🙂 Plus, it makes you LOOK smart, when you have all kinds of these posters in your cube/office. 🙂 heh!

    Thanks for the PDF, Sean! I’m printing it now on my large-printer!
