author | root <root@frank.tg14.gathering.org> | 2014-04-20 03:45:31 +0200 |
---|---|---|
committer | root <root@frank.tg14.gathering.org> | 2014-04-20 03:45:31 +0200 |
commit | b09d9d13f0798ca6fac4ce8b55bcbb5703cf35ba | |
tree | 9d2422246335483e50bbca0c9e21ac1ac75c9754 /examples | |
parent | 16ae55cbed63a8a829d1bb1860b47b40c4f942c2 | |
Added this year's NAT-hack (-:
Diffstat (limited to 'examples')
-rw-r--r-- | examples/nat-hacks/tg13/iptables-dnat-hack.txt | 140 |
-rw-r--r-- | examples/nat-hacks/tg14/README | 3 |
-rw-r--r-- | examples/nat-hacks/tg14/modernegw-config.txt | 175 |
-rw-r--r-- | examples/nat-hacks/tg14/nocgw-config.txt | 22 |
-rw-r--r-- | examples/nat-hacks/tg14/telegw-config.txt | 58 |
5 files changed, 398 insertions, 0 deletions
diff --git a/examples/nat-hacks/tg13/iptables-dnat-hack.txt b/examples/nat-hacks/tg13/iptables-dnat-hack.txt new file mode 100644 index 0000000..caa36a4 --- /dev/null +++ b/examples/nat-hacks/tg13/iptables-dnat-hack.txt 
@@ -0,0 +1,140 @@ +Since several services thought our IP's didn't belong to Norway, they sent us +to CDN's in Japan, Africa, and some other weird countries. NRK nett-tv also +didn't think we was in Norway, hence it did not let you stream things. Action +had to be taken. + +We had a /24 from our ISP that we knew would be recognized as Norwegian. We +therefore decided to NAT everything related to those services behind that /24. +We had to figure out all the destination prefixes used for the different +services, and only NAT sessions going to those networks. Tests showed that even +if Origin was being NATed behind "Norwegian IPs", it would still connect to +lol-CDN. We then decided to DNAT all connections to these specific IPs. We +found a suitable Origin-CDN hosted at Telenor/Canal Digital, that would accept +connections. + +In the process of setting this up, we found out that Cisco ASR1k doesn't (at +the time, at least) support more than _one_ DNAT-entry (with the same +destination, at least). iptables to the rescue. + +Two 10gig-interfaces was set up. One as the 'inside', and the other as the +'outside'. + +The solution worked flawlessly, and peaked at about ~2Gbps of traffic. 
+ +## IPTABLES START +*filter +:INPUT DROP [0:0] +:FORWARD ACCEPT [497:117797] +:OUTPUT ACCEPT [0:0] +-A INPUT -i lo -j ACCEPT +-A INPUT -i gre5 -j ACCEPT +-A INPUT -i eth2 -j ACCEPT +-A INPUT -p icmp -j ACCEPT +-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A INPUT -j DROP +-A FORWARD -i eth3 -o gre5 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A FORWARD -i gre5 -o eth3 -j ACCEPT +-A OUTPUT -o lo -j ACCEPT +-A OUTPUT -j ACCEPT +COMMIT +# NAT +*nat +:PREROUTING ACCEPT [1073:112412] +:POSTROUTING ACCEPT [65:16154] +:OUTPUT ACCEPT [2:129] +:nataccept - [0:0] +-A PREROUTING -d 23.15.8.0/24 -j DNAT --to-destination 148.123.13.49 +-A PREROUTING -d 23.32.241.0/24 -j DNAT --to-destination 148.123.13.49 +-A PREROUTING -d 120.29.145.0/24 -j DNAT --to-destination 148.123.13.49 +-A PREROUTING -d 124.40.32.0/24 -j DNAT --to-destination 148.123.13.49 +-A PREROUTING -d 125.56.200.0/24 -j DNAT --to-destination 148.123.13.49 +-A POSTROUTING -s 151.216.0.0/17 -o eth3 -j nataccept +-A nataccept -j LOG --log-prefix "iptables nat accept " +-A nataccept -j SNAT --to-source 31.169.55.2-31.169.55.254 +COMMIT +## IPTABLES END + + +## Cisco ACL +! 
+ip access-list extended steamorigin + remark TEST + 10 permit ip 151.216.0.0 0.0.127.255 158.37.91.0 0.0.0.255 + remark ORIGIN + 100 permit ip 151.216.0.0 0.0.127.255 23.15.8.0 0.0.0.255 + 110 permit ip 151.216.0.0 0.0.127.255 23.21.0.0 0.0.255.255 + 120 permit ip 151.216.0.0 0.0.127.255 23.23.0.0 0.0.255.255 + 130 permit ip 151.216.0.0 0.0.127.255 23.32.241.0 0.0.0.255 + 140 permit ip 151.216.0.0 0.0.127.255 23.46.0.0 0.0.255.255 + 300 permit ip 151.216.0.0 0.0.127.255 50.16.0.0 0.0.255.255 + 310 permit ip 151.216.0.0 0.0.127.255 50.17.0.0 0.0.255.255 + 320 permit ip 151.216.0.0 0.0.127.255 54.225.0.0 0.0.255.255 + 400 permit ip 151.216.0.0 0.0.127.255 81.21.146.0 0.0.0.255 + 500 permit ip 151.216.0.0 0.0.127.255 107.20.244.0 0.0.0.255 + 510 permit ip 151.216.0.0 0.0.127.255 120.29.145.0 0.0.0.255 + 520 permit ip 151.216.0.0 0.0.127.255 124.40.32.0 0.0.0.255 + 530 permit ip 151.216.0.0 0.0.127.255 125.56.200.0 0.0.0.255 + 540 permit ip 151.216.0.0 0.0.127.255 164.177.139.0 0.0.0.255 + 550 permit ip 151.216.0.0 0.0.127.255 184.73.0.0 0.0.255.255 + 560 permit ip 151.216.0.0 0.0.127.255 204.236.239.0 0.0.0.255 + remark STEAM + 5100 permit ip 151.216.0.0 0.0.127.255 72.165.61.0 0.0.0.255 + 5110 permit ip 151.216.0.0 0.0.127.255 81.171.115.0 0.0.0.255 + 5120 permit ip 151.216.0.0 0.0.127.255 87.248.217.0 0.0.0.255 + 5300 permit ip 151.216.0.0 0.0.127.255 103.28.54.0 0.0.0.255 + 5310 permit ip 151.216.0.0 0.0.127.255 146.66.152.0 0.0.0.255 + 5500 permit ip 151.216.0.0 0.0.127.255 205.185.220.0 0.0.0.255 + 5510 permit ip 151.216.0.0 0.0.127.255 208.64.200.0 0.0.0.255 + 5520 permit ip 151.216.0.0 0.0.127.255 209.197.0.0 0.0.255.255 + 5530 permit ip 151.216.0.0 0.0.127.255 212.187.201.0 0.0.0.255 + remark NRK-TV + 9000 permit ip 151.216.0.0 0.0.127.255 23.8.146.0 0.0.0.255 + 9010 permit ip 151.216.0.0 0.0.127.255 46.137.77.0 0.0.0.255 + 9020 permit ip 151.216.0.0 0.0.127.255 50.16.209.0 0.0.0.255 + 9030 permit ip 151.216.0.0 0.0.127.255 50.16.231.0 0.0.0.255 + 9040 permit 
ip 151.216.0.0 0.0.127.255 50.17.243.0 0.0.0.255 + 9050 permit ip 151.216.0.0 0.0.127.255 54.225.239.0 0.0.0.255 + 9060 permit ip 151.216.0.0 0.0.127.255 54.243.145.0 0.0.0.255 + 9070 permit ip 151.216.0.0 0.0.127.255 54.243.68.0 0.0.0.255 + 9080 permit ip 151.216.0.0 0.0.127.255 65.52.155.0 0.0.0.255 + 9090 permit ip 151.216.0.0 0.0.127.255 77.88.106.0 0.0.0.255 + 9100 permit ip 151.216.0.0 0.0.127.255 82.96.58.0 0.0.0.255 + 9110 permit ip 151.216.0.0 0.0.127.255 94.245.71.0 0.0.0.255 + 9120 permit ip 151.216.0.0 0.0.127.255 160.68.205.0 0.0.0.255 + 9130 permit ip 151.216.0.0 0.0.127.255 174.129.219.0 0.0.0.255 + 9140 permit ip 151.216.0.0 0.0.127.255 184.28.17.0 0.0.0.255 + 9150 permit ip 151.216.0.0 0.0.127.255 184.73.220.0 0.0.0.255 + 9160 permit ip 151.216.0.0 0.0.127.255 204.245.63.0 0.0.0.255 + 9170 permit ip 151.216.0.0 0.0.127.255 204.236.234.0 0.0.0.255 +! + +## Cisco route-map +!!!! telegw; +! +route-map nat-madness permit 10 + match ip address steamorigin + set ip next-hop 151.216.0.57 +! +! +interface Port-channel2 + ip policy route-map nat-madness +! +interface Port-channel3 + ip policy route-map nat-madness +! +interface TenGigabitEthernet4/4 + ip policy route-map nat-madness +! + +!!!! nocgw +! +route-map nat-madness permit 10 + match ip address steamorigin + set ip next-hop 151.216.125.6 +! +! +interface vlan 124 + ip policy route-map nat-madness +! +! + diff --git a/examples/nat-hacks/tg14/README b/examples/nat-hacks/tg14/README new file mode 100644 index 0000000..235b489 --- /dev/null +++ b/examples/nat-hacks/tg14/README @@ -0,0 +1,3 @@ +NATed on ASR1k (ModerneGW), and policy-routed. + +participant -> telegw -> modernegw (tunnel) -> nocgw -> roofgw -> telegw -> internet diff --git a/examples/nat-hacks/tg14/modernegw-config.txt b/examples/nat-hacks/tg14/modernegw-config.txt new file mode 100644 index 0000000..c8f5ba1 --- /dev/null +++ b/examples/nat-hacks/tg14/modernegw-config.txt 
@@ -0,0 +1,175 @@ +hostname ModerneGW +! +ip vrf nathacks +! +ip vrf origin + rd 50:50 +! +interface Port-channel1.1285 + encapsulation dot1Q 1285 + ip vrf forwarding origin + ip address 151.216.128.6 255.255.255.254 + ip nat outside + ip virtual-reassembly +! +interface Port-channel1.1287 + encapsulation dot1Q 1287 + ip vrf forwarding nathacks + ip address 151.216.128.200 255.255.255.254 + ip nat inside + ip virtual-reassembly +! +interface Port-channel1.1288 + encapsulation dot1Q 1288 + ip vrf forwarding nathacks + ip address 151.216.128.202 255.255.255.254 + ip nat outside + ip virtual-reassembly +! +interface Tunnel10 + ip vrf forwarding origin + ip address 151.216.128.11 255.255.255.254 + ip nat inside + ip virtual-reassembly + tunnel source 151.216.255.24 + tunnel destination 151.216.255.1 +! +ip nat pool modernebasseng 185.12.58.1 185.12.58.127 netmask 255.255.255.128 +ip nat pool modernebasseng2 185.12.58.1 185.12.58.127 netmask 255.255.255.128 type rotary +ip nat pool modernebasseng5 185.12.58.1 185.12.58.127 netmask 255.255.255.128 type rotary +ip nat pool modernebasseng10 185.12.58.1 185.12.58.1 netmask 255.255.255.128 +ip nat pool modernebasseng11 185.12.58.2 185.12.58.2 netmask 255.255.255.128 +ip nat pool modernebasseng12 185.12.58.3 185.12.58.3 netmask 255.255.255.128 +ip nat pool modernebasseng13 185.12.58.4 185.12.58.4 netmask 255.255.255.128 +ip nat pool modernebasseng14 185.12.58.5 185.12.58.5 netmask 255.255.255.128 +ip nat pool modernebasseng15 185.12.58.6 185.12.58.6 netmask 255.255.255.128 +ip nat pool modernebasseng16 185.12.58.7 185.12.58.7 netmask 255.255.255.128 +ip nat pool modernebasseng17 185.12.58.8 185.12.58.8 netmask 255.255.255.128 +ip nat pool modernebasseng18 185.12.58.9 185.12.58.9 netmask 255.255.255.128 +ip nat pool modernebasseng19 185.12.58.10 185.12.58.10 netmask 255.255.255.128 +ip nat pool modernebasseng20 185.12.58.11 185.12.58.11 netmask 255.255.255.128 +ip nat pool modernebasseng21 185.12.58.12 185.12.58.12 netmask 
255.255.255.128 +ip nat pool modernebasseng22 185.12.58.13 185.12.58.13 netmask 255.255.255.128 +ip nat pool modernebasseng23 185.12.58.14 185.12.58.14 netmask 255.255.255.128 +ip nat pool modernebasseng24 185.12.58.15 185.12.58.15 netmask 255.255.255.128 +ip nat pool modernebasseng25 185.12.58.16 185.12.58.16 netmask 255.255.255.128 +ip nat pool modernebasseng26 185.12.58.17 185.12.58.17 netmask 255.255.255.128 +ip nat pool modernebasseng27 185.12.58.18 185.12.58.18 netmask 255.255.255.128 +ip nat pool modernebasseng28 185.12.58.19 185.12.58.19 netmask 255.255.255.128 +ip nat pool modernebasseng29 185.12.58.20 185.12.58.20 netmask 255.255.255.128 +ip nat pool modernebasseng30 185.12.58.21 185.12.58.21 netmask 255.255.255.128 +ip nat pool modernebasseng31 185.12.58.22 185.12.58.22 netmask 255.255.255.128 +ip nat pool modernebasseng32 185.12.58.23 185.12.58.23 netmask 255.255.255.128 +ip nat pool modernebasseng33 185.12.58.24 185.12.58.24 netmask 255.255.255.128 +ip nat pool modernebasseng34 185.12.58.25 185.12.58.25 netmask 255.255.255.128 +ip nat pool modernebasseng35 185.12.58.26 185.12.58.26 netmask 255.255.255.128 +ip nat pool modernebasseng36 185.12.58.27 185.12.58.27 netmask 255.255.255.128 +ip nat pool modernebasseng37 185.12.58.28 185.12.58.28 netmask 255.255.255.128 +ip nat pool modernebasseng38 185.12.58.29 185.12.58.29 netmask 255.255.255.128 +ip nat pool modernebasseng39 185.12.58.30 185.12.58.30 netmask 255.255.255.128 +ip nat pool modernebasseng40 185.12.58.31 185.12.58.31 netmask 255.255.255.128 +ip nat pool modernebasseng41 185.12.58.32 185.12.58.32 netmask 255.255.255.128 +ip nat pool modernebasseng42 185.12.58.33 185.12.58.33 netmask 255.255.255.128 +ip nat pool modernebasseng43 185.12.58.34 185.12.58.34 netmask 255.255.255.128 +ip nat pool modernebasseng44 185.12.58.35 185.12.58.35 netmask 255.255.255.128 +ip nat pool modernebasseng45 185.12.58.36 185.12.58.36 netmask 255.255.255.128 +ip nat pool modernebasseng46 185.12.58.37 185.12.58.37 netmask 
255.255.255.128 +ip nat pool modernebasseng47 185.12.58.38 185.12.58.38 netmask 255.255.255.128 +ip nat pool modernebasseng48 185.12.58.39 185.12.58.39 netmask 255.255.255.128 +ip nat pool modernebasseng49 185.12.58.40 185.12.58.40 netmask 255.255.255.128 +ip nat pool modernebasseng50 185.12.58.41 185.12.58.41 netmask 255.255.255.128 +ip nat pool modernebasseng51 185.12.58.42 185.12.58.42 netmask 255.255.255.128 +ip nat pool modernebasseng52 185.12.58.43 185.12.58.43 netmask 255.255.255.128 +ip nat pool modernebasseng53 185.12.58.44 185.12.58.44 netmask 255.255.255.128 +ip nat pool modernebasseng54 185.12.58.45 185.12.58.45 netmask 255.255.255.128 +ip nat pool modernebasseng55 185.12.58.46 185.12.58.46 netmask 255.255.255.128 +ip nat pool modernebasseng56 185.12.58.47 185.12.58.47 netmask 255.255.255.128 +ip nat pool modernebasseng57 185.12.58.48 185.12.58.48 netmask 255.255.255.128 +ip nat pool modernebasseng58 185.12.58.49 185.12.58.49 netmask 255.255.255.128 +ip nat pool modernebasseng59 185.12.58.50 185.12.58.50 netmask 255.255.255.128 +ip nat pool modernebasseng60 185.12.58.51 185.12.58.51 netmask 255.255.255.128 +ip nat pool modernebasseng61 185.12.58.52 185.12.58.52 netmask 255.255.255.128 +ip nat pool modernebasseng62 185.12.58.53 185.12.58.53 netmask 255.255.255.128 +ip nat pool modernebasseng63 185.12.58.54 185.12.58.54 netmask 255.255.255.128 +ip nat pool modernebasseng64 185.12.58.55 185.12.58.55 netmask 255.255.255.128 +ip nat pool modernebasseng65 185.12.58.56 185.12.58.56 netmask 255.255.255.128 +ip nat pool modernebasseng66 185.12.58.57 185.12.58.57 netmask 255.255.255.128 +ip nat pool modernebasseng67 185.12.58.58 185.12.58.58 netmask 255.255.255.128 +ip nat pool modernebasseng68 185.12.58.59 185.12.58.59 netmask 255.255.255.128 +ip nat pool modernebasseng69 185.12.58.60 185.12.58.60 netmask 255.255.255.128 +ip nat pool modernebasseng70 185.12.58.61 185.12.58.61 netmask 255.255.255.128 +ip nat pool modernebasseng71 185.12.58.62 185.12.58.62 netmask 
255.255.255.128 +ip nat pool modernebasseng72 185.12.58.63 185.12.58.63 netmask 255.255.255.128 +ip nat pool modernebasseng73 185.12.58.64 185.12.58.64 netmask 255.255.255.128 +ip nat pool modernebasseng74 185.12.58.65 185.12.58.65 netmask 255.255.255.128 +ip nat pool modernebasseng75 185.12.58.66 185.12.58.66 netmask 255.255.255.128 +ip nat pool modernebasseng76 185.12.58.67 185.12.58.67 netmask 255.255.255.128 +ip nat pool modernebasseng77 185.12.58.68 185.12.58.68 netmask 255.255.255.128 +ip nat pool modernebasseng78 185.12.58.69 185.12.58.69 netmask 255.255.255.128 +ip nat pool modernebasseng79 185.12.58.70 185.12.58.70 netmask 255.255.255.128 +ip nat pool modernebasseng80 185.12.58.71 185.12.58.71 netmask 255.255.255.128 +ip nat pool modernebasseng81 185.12.58.72 185.12.58.72 netmask 255.255.255.128 +ip nat pool modernebasseng82 185.12.58.73 185.12.58.73 netmask 255.255.255.128 +ip nat pool modernebasseng83 185.12.58.74 185.12.58.74 netmask 255.255.255.128 +ip nat pool modernebasseng84 185.12.58.75 185.12.58.75 netmask 255.255.255.128 +ip nat pool modernebasseng85 185.12.58.76 185.12.58.76 netmask 255.255.255.128 +ip nat pool modernebasseng86 185.12.58.77 185.12.58.77 netmask 255.255.255.128 +ip nat pool modernebasseng87 185.12.58.78 185.12.58.78 netmask 255.255.255.128 +ip nat pool modernebasseng88 185.12.58.79 185.12.58.79 netmask 255.255.255.128 +ip nat pool modernebasseng89 185.12.58.80 185.12.58.80 netmask 255.255.255.128 +ip nat pool modernebasseng90 185.12.58.81 185.12.58.81 netmask 255.255.255.128 +ip nat pool modernebasseng91 185.12.58.82 185.12.58.82 netmask 255.255.255.128 +ip nat pool modernebasseng92 185.12.58.83 185.12.58.83 netmask 255.255.255.128 +ip nat pool modernebasseng93 185.12.58.84 185.12.58.84 netmask 255.255.255.128 +ip nat pool modernebasseng94 185.12.58.85 185.12.58.85 netmask 255.255.255.128 +ip nat pool modernebasseng95 185.12.58.86 185.12.58.86 netmask 255.255.255.128 +ip nat pool modernebasseng96 185.12.58.87 185.12.58.87 netmask 
255.255.255.128 +ip nat pool modernebasseng97 185.12.58.88 185.12.58.88 netmask 255.255.255.128 +ip nat pool modernebasseng98 185.12.58.89 185.12.58.89 netmask 255.255.255.128 +ip nat pool modernebasseng99 185.12.58.90 185.12.58.90 netmask 255.255.255.128 +ip nat pool modernebasseng100 185.12.58.91 185.12.58.91 netmask 255.255.255.128 +ip nat pool modernebasseng101 185.12.58.92 185.12.58.92 netmask 255.255.255.128 +ip nat pool modernebasseng102 185.12.58.93 185.12.58.93 netmask 255.255.255.128 +ip nat pool modernebasseng103 185.12.58.94 185.12.58.94 netmask 255.255.255.128 +ip nat pool modernebasseng104 185.12.58.95 185.12.58.95 netmask 255.255.255.128 +ip nat pool modernebasseng105 185.12.58.96 185.12.58.96 netmask 255.255.255.128 +ip nat pool modernebasseng106 185.12.58.97 185.12.58.97 netmask 255.255.255.128 +ip nat pool modernebasseng107 185.12.58.98 185.12.58.98 netmask 255.255.255.128 +ip nat pool modernebasseng108 185.12.58.99 185.12.58.99 netmask 255.255.255.128 +ip nat pool modernebasseng109 185.12.58.100 185.12.58.100 netmask 255.255.255.128 +ip nat pool modernebasseng110 185.12.58.101 185.12.58.101 netmask 255.255.255.128 +ip nat pool modernebasseng111 185.12.58.102 185.12.58.102 netmask 255.255.255.128 +ip nat pool modernebasseng112 185.12.58.103 185.12.58.103 netmask 255.255.255.128 +ip nat pool modernebasseng113 185.12.58.104 185.12.58.104 netmask 255.255.255.128 +ip nat pool modernebasseng114 185.12.58.105 185.12.58.105 netmask 255.255.255.128 +ip nat pool modernebasseng115 185.12.58.106 185.12.58.106 netmask 255.255.255.128 +ip nat pool modernebasseng116 185.12.58.107 185.12.58.107 netmask 255.255.255.128 +ip nat pool modernebasseng117 185.12.58.108 185.12.58.108 netmask 255.255.255.128 +ip nat pool modernebasseng118 185.12.58.109 185.12.58.109 netmask 255.255.255.128 +ip nat pool modernebasseng119 185.12.58.110 185.12.58.110 netmask 255.255.255.128 +ip nat pool modernebasseng120 185.12.58.111 185.12.58.111 netmask 255.255.255.128 +ip nat pool 
modernebasseng121 185.12.58.112 185.12.58.112 netmask 255.255.255.128 +ip nat pool modernebasseng122 185.12.58.113 185.12.58.113 netmask 255.255.255.128 +ip nat pool modernebasseng123 185.12.58.114 185.12.58.114 netmask 255.255.255.128 +ip nat pool modernebasseng124 185.12.58.115 185.12.58.115 netmask 255.255.255.128 +ip nat pool modernebasseng125 185.12.58.116 185.12.58.116 netmask 255.255.255.128 +ip nat pool modernebasseng126 185.12.58.117 185.12.58.117 netmask 255.255.255.128 +ip nat pool modernebasseng127 185.12.58.118 185.12.58.118 netmask 255.255.255.128 +ip nat pool modernebasseng128 185.12.58.119 185.12.58.119 netmask 255.255.255.128 +ip nat pool modernebasseng129 185.12.58.120 185.12.58.120 netmask 255.255.255.128 +ip nat pool modernebasseng130 185.12.58.121 185.12.58.121 netmask 255.255.255.128 +ip nat pool modernebasseng131 185.12.58.122 185.12.58.122 netmask 255.255.255.128 +ip nat pool modernebasseng132 185.12.58.123 185.12.58.123 netmask 255.255.255.128 +ip nat pool modernebasseng133 185.12.58.124 185.12.58.124 netmask 255.255.255.128 +ip nat pool modernebasseng134 185.12.58.125 185.12.58.125 netmask 255.255.255.128 +ip nat pool modernebasseng135 185.12.58.126 185.12.58.126 netmask 255.255.255.128 +ip nat pool modernebasseng136 185.12.58.127 185.12.58.127 netmask 255.255.255.128 +ip nat inside source list alle pool +ip nat inside source list alle pool +ip nat inside source list alle pool modernebasseng vrf origin overload +ip nat outside source static 151.216.253.200 151.216.253.28 vrf nathacks add-route +! +ip route 0.0.0.0 0.0.0.0 151.216.128.233 +ip route 195.159.252.75 255.255.255.255 151.216.128.15 +ip route vrf origin 0.0.0.0 0.0.0.0 151.216.128.7 +! diff --git a/examples/nat-hacks/tg14/nocgw-config.txt b/examples/nat-hacks/tg14/nocgw-config.txt new file mode 100644 index 0000000..a55e7cf --- /dev/null +++ b/examples/nat-hacks/tg14/nocgw-config.txt 
@@ -0,0 +1,22 @@ +hostname NocGW +! +ip route 23.15.8.0 255.255.255.0 151.216.128.78 +ip route 23.21.0.0 255.255.0.0 151.216.128.78 +ip route 23.23.0.0 255.255.0.0 151.216.128.78 +ip route 23.32.241.0 255.255.255.0 151.216.128.78 +ip route 23.46.0.0 255.255.0.0 151.216.128.78 +ip route 50.16.0.0 255.255.0.0 151.216.128.78 +ip route 50.17.0.0 255.255.0.0 151.216.128.78 +ip route 54.225.0.0 255.255.0.0 151.216.128.78 +ip route 81.21.146.0 255.255.255.0 151.216.128.78 +ip route 107.20.244.0 255.255.255.0 151.216.128.78 +ip route 120.29.145.0 255.255.255.0 151.216.128.78 +ip route 124.40.32.0 255.255.255.0 151.216.128.78 +ip route 125.56.200.0 255.255.255.0 151.216.128.78 +ip route 151.216.250.0 255.255.255.0 151.216.128.244 +ip route 151.216.255.24 255.255.255.255 151.216.128.234 +ip route 164.177.139.0 255.255.255.0 151.216.128.78 +ip route 184.73.0.0 255.255.0.0 151.216.128.78 +ip route 185.12.58.0 255.255.255.128 151.216.128.6 +ip route 204.236.239.0 255.255.255.0 151.216.128.78 +! diff --git a/examples/nat-hacks/tg14/telegw-config.txt b/examples/nat-hacks/tg14/telegw-config.txt new file mode 100644 index 0000000..fd1bcf0 --- /dev/null +++ b/examples/nat-hacks/tg14/telegw-config.txt 
@@ -0,0 +1,58 @@ +hostname telegw +! +interface Port-channel20 + ip address 151.216.128.81 255.255.255.254 + ip pim sparse-mode + ip policy route-map origin-nat + ipv6 unnumbered Loopback0 + ipv6 enable + ipv6 eigrp 58366 +! +Current configuration : 173 bytes +! +interface Tunnel10 + description Modernegw + ip address 151.216.128.10 255.255.255.254 + no ip redirects + tunnel source 151.216.255.1 + tunnel destination 151.216.255.24 +! +ip access-list extended origin + deny ip 151.216.128.0 0.0.127.255 host 23.23.110.81 + deny ip 151.216.128.0 0.0.127.255 host 23.23.110.58 + deny ip 151.216.128.0 0.0.127.255 host 54.225.125.247 + remark ORIGIN + permit ip 151.216.128.0 0.0.127.255 23.15.8.0 0.0.0.255 + permit ip 151.216.128.0 0.0.127.255 23.21.0.0 0.0.255.255 + permit ip 151.216.128.0 0.0.127.255 23.23.0.0 0.0.255.255 + permit ip 151.216.128.0 0.0.127.255 23.32.241.0 0.0.0.255 + permit ip 151.216.128.0 0.0.127.255 23.46.0.0 0.0.255.255 + permit ip 151.216.128.0 0.0.127.255 50.16.0.0 0.0.255.255 + permit ip 151.216.128.0 0.0.127.255 50.17.0.0 0.0.255.255 + permit ip 151.216.128.0 0.0.127.255 54.225.0.0 0.0.255.255 + permit ip 151.216.128.0 0.0.127.255 81.21.146.0 0.0.0.255 + permit ip 151.216.128.0 0.0.127.255 107.20.244.0 0.0.0.255 + permit ip 151.216.128.0 0.0.127.255 120.29.145.0 0.0.0.255 + permit ip 151.216.128.0 0.0.127.255 124.40.32.0 0.0.0.255 + permit ip 151.216.128.0 0.0.127.255 125.56.200.0 0.0.0.255 + permit ip 151.216.128.0 0.0.127.255 164.177.139.0 0.0.0.255 + permit ip 151.216.128.0 0.0.127.255 184.73.0.0 0.0.255.255 + permit ip 151.216.128.0 0.0.127.255 204.236.239.0 0.0.0.255 +! +ip prefix-list Origin-nat-drit-prefix seq 5 permit 185.12.58.0/24 +! +route-map origin-nat permit 10 + match ip address origin + set ip next-hop 151.216.128.11 +! +route-map Origin-nat-crap permit 10 + match ip address prefix-list Origin-nat-drit-prefix +! +route-map Origin-nat-crap deny 20 +! 
+route-map origin-nat-test permit 10 + match ip address origin-test + set ip next-hop 151.216.128.11 +! +route-map origin-nat-test deny 20 +! |
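
Review bot: In examples/nat-hacks/tg13/iptables-dnat-hack.txt, the filter table sets `:FORWARD ACCEPT`, so the two `-A FORWARD` rules (eth3 to gre5 for RELATED,ESTABLISHED, gre5 to eth3 for everything) change nothing and the box forwards between any pair of interfaces. If the intent is to forward only the tunnel traffic and its replies, set the policy to `:FORWARD DROP`. The write-up mentions an 'inside' and an 'outside' 10gig interface without saying which of eth2, eth3 and gre5 is which; a comment would help, particularly as `-A INPUT -i eth2 -j ACCEPT` trusts everything arriving on eth2. The LOG rule in `nataccept` fires for every new NATed connection and has no `-m limit`; add one or note that the unthrottled logging is deliberate.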
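
Review bot: The path in examples/nat-hacks/tg14/README runs through roofgw, but the commit adds configs only for modernegw, nocgw and telegw. Add the roofgw part, or say in the README that nothing NAT-specific was configured there. A sentence on which service this was for and why would also help; the tg13 file explains that, the README here does not.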
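
Review bot: In examples/nat-hacks/tg14/modernegw-config.txt, the two lines `ip nat inside source list alle pool` end without a pool name, and the access-list `alle` that they and the following `... pool modernebasseng vrf origin overload` line reference is not defined anywhere in the file. Complete or drop the two truncated lines and include the `alle` access-list so the example can be read on its own. Of the pools defined, only `modernebasseng` is referenced by a visible NAT statement; `modernebasseng2`, `modernebasseng5` and the single-address pools `modernebasseng10` to `modernebasseng136` need a comment on what used them, or can be left out of the example.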
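
Review bot: In examples/nat-hacks/tg14/nocgw-config.txt, the sixteen routes to 151.216.128.78 repeat the prefixes permitted in the `origin` ACL in telegw-config.txt, and nothing in either file says the two lists must be kept in sync. A comment line above them, plus one saying what 151.216.128.78 is, would do. The three remaining routes (151.216.250.0/24, 151.216.255.24/32 and 185.12.58.0/25) are sorted in among them; grouping those separately with a note would make it clear that 185.12.58.0/25 via 151.216.128.6 is the return route to the NAT pool on ModerneGW.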
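
Review bot: In examples/nat-hacks/tg14/telegw-config.txt, the line `Current configuration : 173 bytes` between Port-channel20 and Tunnel10 is leftover `show running-config` output and should be removed. The route-map `origin-nat-test` matches `origin-test`, an access-list that is not defined in this file; include it or drop the test route-map. The prefix-list `Origin-nat-drit-prefix` permits 185.12.58.0/24, while the NAT pool on ModerneGW and the route on NocGW use a /25 (netmask 255.255.255.128); if the wider prefix is intended, say so. The three `deny ... host` entries at the top of the `origin` ACL also deserve a remark explaining why those hosts are excluded.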