
ACL doesn't match packets for NAT purpose

vdmbiny01
Level 1

Hi, I cannot understand why the ACL doesn't match packets from PCs 192.168.8.2 or 192.168.8.3, but it matches 192.168.8.1 (fa0/1).

In Wireshark I see source 192.168.8.2 when I run ping 192.168.176.58 from 192.168.8.2. However, it must be 213.70.2.2.

By the way, I tried to set static NAT that worked fine, but it is not what I want.


interface FastEthernet0/0
 ip address 213.70.2.2 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.8.1 255.255.248.0
 ip nat inside
 duplex auto
 speed auto
!

ip nat pool pool1 213.70.2.2 213.70.2.2 netmask 255.255.255.252
ip nat inside source list 1 pool pool1 overload
!
access-list 1 permit 192.168.8.0 0.0.7.255 log


Router#ping 192.168.176.58 source 192.168.8.1

Router#sh ip nat tr
Pro Inside global      Inside local       Outside local      Outside global
icmp 213.70.2.2:4      192.168.8.1:4      192.168.176.58:4   192.168.176.58:4
Router#


Router#trace 192.168.176.58 source 192.168.8.1

Type escape sequence to abort.
Tracing the route to 192.168.176.58

  1 213.70.2.1 0 msec 0 msec 4 msec
  2 192.168.176.58 0 msec 0 msec 4 msec
Router#

4 Replies

chprocto
Cisco Employee

Try using a named standard access list instead.

Your example converted

ip nat inside source list nat-source pool pool1 overload
ip access-list standard nat-source
 permit 192.168.8.0 0.0.7.255

My output

Pro Inside global      Inside local       Outside local      Outside global
icmp 213.70.2.2:24     192.168.8.2:24     213.70.2.1:24      213.70.2.1:24
icmp 213.70.2.2:25     192.168.9.1:25     213.70.2.1:25      213.70.2.1:25

Additional

If you only want to use the interface address, consider the following instead:

   ip nat inside source list nat-source interface fa0/0

thanks!

However, I managed to do this in this way:

ip nat pool pool213 213.70.2.2 213.70.2.2 prefix-length 30

ip nat inside source route-map isp1 pool pool213 overload

access-list 101 permit ip 192.168.8.0 0.0.0.255 any

route-map isp1 permit 10
 match ip address 101
 match interface FastEthernet0/0


It is pretty weird, but thank God it works.

Hi,

I do agree with Dasthomp: the log keyword is not supported with a NAT ACL. If you revert to your original configuration by removing the log keyword at the end of ACL 1, you will be good to go.

Regards | Aref.

dasthomp
Cisco Employee

Last I checked, the use of the 'log' statement is not supported with NAT.
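Added example, not posted by anyone in this thread and not a Cisco tool: a small Python linter for IOS-style configuration text that catches the two problems discussed above before a change is pushed. It reads the `ip nat inside source list` statements, resolves the referenced standard ACL (numbered or named) and flags (a) an ACE carrying the `log` keyword, which the replies say is not supported on a NAT source list, and (b) a permit wildcard that does not cover the whole subnet configured on an `ip nat inside` interface, which goes beyond the thread by generalising the /24-versus-/21 mismatch in the route-map workaround. The first sample is the original poster's configuration; the second is a hypothetical variant constructed for the coverage check. Extended ACLs are out of scope and are reported as unknown coverage.

```python
import re
from ipaddress import IPv4Interface, IPv4Network

# Constructed sample 1: the asker's configuration from the thread, where the
# NAT source ACL carries the 'log' keyword.
CONFIG_WITH_LOG = """\
interface FastEthernet0/0
 ip address 213.70.2.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.8.1 255.255.248.0
 ip nat inside
!
ip nat pool pool1 213.70.2.2 213.70.2.2 netmask 255.255.255.252
ip nat inside source list 1 pool pool1 overload
!
access-list 1 permit 192.168.8.0 0.0.7.255 log
"""

# Constructed sample 2 (hypothetical): a named standard ACL whose /24 wildcard
# is narrower than the /21 configured on the inside interface.
CONFIG_NARROW = """\
interface FastEthernet0/1
 ip address 192.168.8.1 255.255.248.0
 ip nat inside
!
ip nat inside source list nat-source interface FastEthernet0/0 overload
ip access-list standard nat-source
 permit 192.168.8.0 0.0.0.255
"""

NUMBERED_ACL = re.compile(r"^access-list (\S+) (permit|deny) (.+)$")
NAMED_ACL = re.compile(r"^ip access-list standard (\S+)$")
NAT_LIST = re.compile(r"^ip nat inside source list (\S+) ")
IP_ADDR = re.compile(r"^ ip address (\S+) (\S+)$")
ACE = re.compile(r"^ (permit|deny) (.+)$")


def parse_ace(action, rest):
    """Turn 'any', 'host A', 'A', or 'A WILDCARD [log]' into an ACE record."""
    words = rest.split()
    has_log = "log" in words
    words = [w for w in words if w != "log"]
    if words[0] == "any":
        net = IPv4Network("0.0.0.0/0")
    elif words[0] == "host":
        net = IPv4Network(words[1] + "/32")
    elif len(words) == 1:
        net = IPv4Network(words[0] + "/32")
    else:
        # ipaddress accepts a wildcard (host mask) as the second tuple element.
        # A non-contiguous wildcard or an extended-ACL token such as 'ip'
        # raises ValueError; coverage is then unknown (None).
        try:
            net = IPv4Network((words[0], words[1]))
        except ValueError:
            net = None
    return {"action": action, "net": net, "log": has_log}


def parse_config(text):
    """Return (acls, nat_list_ids, {inside_interface: subnet})."""
    acls, nat_lists, ifaces = {}, [], {}
    interface = named_acl = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            interface = named_acl = None  # any top-level command ends a section
        if line.startswith("interface "):
            interface = line.split(" ", 1)[1]
        elif m := IP_ADDR.match(line):
            ifaces.setdefault(interface, {})["addr"] = IPv4Interface(f"{m[1]}/{m[2]}")
        elif line == " ip nat inside":
            ifaces.setdefault(interface, {})["nat_inside"] = True
        elif m := NAT_LIST.match(line):
            nat_lists.append(m[1])
        elif m := NUMBERED_ACL.match(line):
            acls.setdefault(m[1], []).append(parse_ace(m[2], m[3]))
        elif m := NAMED_ACL.match(line):
            named_acl = m[1]
            acls.setdefault(named_acl, [])
        elif named_acl and (m := ACE.match(line)):
            acls[named_acl].append(parse_ace(m[1], m[2]))
    inside = {name: d["addr"].network for name, d in ifaces.items()
              if d.get("nat_inside") and "addr" in d}
    return acls, nat_lists, inside


def lint(text):
    """Return human-readable findings for every NAT source list in the config."""
    acls, nat_lists, inside = parse_config(text)
    findings = []
    for acl in nat_lists:
        entries = acls.get(acl)
        if entries is None:
            findings.append(f"NAT references ACL {acl}, which is not defined")
            continue
        if any(e["log"] for e in entries):
            findings.append(f"ACL {acl} uses 'log', which is not supported on a NAT source list")
        permits = [e["net"] for e in entries if e["action"] == "permit" and e["net"]]
        for ifname, subnet in inside.items():
            if not any(subnet.subnet_of(p) for p in permits):
                findings.append(f"ACL {acl} does not cover all of {subnet} on {ifname}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("with log", CONFIG_WITH_LOG), ("narrow", CONFIG_NARROW)):
        print(name, "->", lint(cfg) or "no findings")
```

Running it on the first sample reports only the `log` finding (the /21 wildcard does cover fa0/1); on the second it reports only the coverage gap; with `log` stripped from the first sample it reports nothing, which matches Aref's advice.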
