ACL doesn't match packets for NAT purpose

vdmbiny01
Level 1

Hi, I cannot understand why the ACL doesn't match packets from PCs 192.168.8.2 or 192.168.8.3, but it matches 192.168.8.1 (fa0/1).

In Wireshark I see source 192.168.8.2 when I run ping 192.168.176.58 from 192.168.8.2. However, it must be 213.70.2.2.

By the way, I tried to set static NAT that worked fine, but it is not what I want.


interface FastEthernet0/0
 ip address 213.70.2.2 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.8.1 255.255.248.0
 ip nat inside
 duplex auto
 speed auto
!

ip nat pool pool1 213.70.2.2 213.70.2.2 netmask 255.255.255.252
ip nat inside source list 1 pool pool1 overload
!
access-list 1 permit 192.168.8.0 0.0.7.255 log
Router#ping 192.168.176.58 source 192.168.8.1

Router#sh ip nat tr
Pro Inside global      Inside local       Outside local      Outside global
icmp 213.70.2.2:4      192.168.8.1:4      192.168.176.58:4   192.168.176.58:4
Router#


Router#trace 192.168.176.58 source 192.168.8.1

Type escape sequence to abort.
Tracing the route to 192.168.176.58

  1 213.70.2.1 0 msec 0 msec 4 msec
  2 192.168.176.58 0 msec 0 msec 4 msec
Router#
4 Replies

chprocto
Cisco Employee

Try using a named standard access list instead.

Your example converted

ip nat inside source list nat-source pool pool1 overload
ip access-list standard nat-source
 permit 192.168.8.0 0.0.7.255

My output

Pro Inside global      Inside local       Outside local      Outside global
icmp 213.70.2.2:24     192.168.8.2:24     213.70.2.1:24      213.70.2.1:24
icmp 213.70.2.2:25     192.168.9.1:25     213.70.2.1:25      213.70.2.1:25

Additionally, if you only want to use the interface address, consider the following instead:

   ip nat inside source list nat-source interface fa0/0

thanks!

However, I managed to do this in this way:

ip nat pool pool213 213.70.2.2 213.70.2.2 prefix-length 30

ip nat inside source route-map isp1 pool pool213 overload

access-list 101 permit ip 192.168.8.0 0.0.0.255 any

route-map isp1 permit 10
 match ip address 101
 match interface FastEthernet0/0

 

It is pretty weird, but thank God it works.

Hi,

I do agree with Dasthomp: the log keyword is not supported with a NAT ACL. If you revert your original configuration back by removing the log keyword at the end of ACL 1, you will be good to go.

Regards | Aref.

dasthomp
Cisco Employee

Last I checked, the use of the 'log' statement is not supported with NAT.
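The replies above point at the root cause: ACL 1 carries the `log` keyword, and an ACL used for NAT translation must not. Below is an added example, not part of this thread or any Cisco tool, of a small Python check that walks an IOS-style running-config, finds every ACL that NAT consults (directly via `ip nat inside source list`, or indirectly via `ip nat inside source route-map` and its `match ip address` clauses, as in the route-map variant posted above), and reports any entry in those ACLs that carries `log` or `log-input`. The sample config is constructed from the snippets in this thread and deliberately combines the numbered-ACL, named-ACL and route-map variants on one box so all three code paths are exercised; ACL names, pool names and addresses are taken from the posts, and the helper function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample running-config, assembled from the snippets in this thread.
# It is not a capture from a real device.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 213.70.2.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.8.1 255.255.248.0
 ip nat inside
!
ip nat pool pool1 213.70.2.2 213.70.2.2 netmask 255.255.255.252
ip nat inside source list 1 pool pool1 overload
ip nat inside source list nat-source interface fa0/0
ip nat inside source route-map isp1 pool pool1 overload
!
access-list 1 permit 192.168.8.0 0.0.7.255 log
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
ip access-list standard nat-source
 permit 192.168.8.0 0.0.7.255
ip access-list extended web-in
 permit tcp any any eq 80 log
!
route-map isp1 permit 10
 match ip address 101
 match interface FastEthernet0/0
"""

LOG_TOKENS = {"log", "log-input"}  # keywords that make an ACE unusable for NAT


def parse_acls(config: str) -> Dict[str, List[str]]:
    """Return {acl_id: [entry, ...]} for both numbered and named ACLs."""
    acls: Dict[str, List[str]] = {}
    current = None  # name of the named ACL whose indented entries follow
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        m = re.match(r"access-list (\S+) (.*)", line)  # numbered ACL, one line per ACE
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
            current = None
            continue
        m = re.match(r"ip access-list (?:standard|extended) (\S+)", line)
        if m:
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        if current and line.startswith(" "):  # indented ACE inside a named ACL
            acls[current].append(line.strip())
            continue
        current = None  # any other top-level line closes the named-ACL block
    return acls


def parse_route_maps(config: str) -> Dict[str, List[str]]:
    """Return {route_map_name: [acl ids listed under 'match ip address']}."""
    maps: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"route-map (\S+)", line)
        if m:
            current = m.group(1)
            maps.setdefault(current, [])
            continue
        if current and line.startswith(" "):
            m = re.match(r"\s*match ip address (.+)", line)
            if m:
                maps[current].extend(m.group(1).split())  # several ACLs may be listed
            continue
        current = None
    return maps


def nat_acl_references(config: str, route_maps: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (nat statement, acl id) for every ACL that a NAT rule consults."""
    refs: List[Tuple[str, str]] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("ip nat "):
            continue
        m = re.search(r"\bsource list (\S+)", line)  # direct ACL reference
        if m:
            refs.append((line, m.group(1)))
            continue
        m = re.search(r"\bsource route-map (\S+)", line)  # indirect via route-map
        if m:
            for acl in route_maps.get(m.group(1), []):
                refs.append((line, acl))
    return refs


def strip_log(entry: str) -> str:
    """Suggested fix for an offending ACE: the same entry without the log keyword."""
    return " ".join(tok for tok in entry.split() if tok not in LOG_TOKENS)


def find_logging_nat_acls(config: str) -> List[Dict[str, str]]:
    """List every NAT-referenced ACL entry that carries log/log-input."""
    acls = parse_acls(config)
    refs = nat_acl_references(config, parse_route_maps(config))
    findings = []
    for stmt, acl in refs:
        for entry in acls.get(acl, []):
            if LOG_TOKENS & set(entry.split()):
                findings.append({"nat": stmt, "acl": acl, "entry": entry,
                                 "fix": strip_log(entry)})
    return findings


if __name__ == "__main__":
    for f in find_logging_nat_acls(SAMPLE_CONFIG):
        print(f"{f['nat']!r} uses ACL {f['acl']}, entry '{f['entry']}' has log; "
              f"replace with '{f['fix']}'")
```

Run against the sample, the check flags only ACL 1 (the original poster's configuration); the named ACL `nat-source`, ACL 101 behind the route-map, and the unrelated `web-in` ACL that logs but is never used by NAT all pass. Feeding it `show running-config` output from a lab router gives the same one-line answer the thread reached by trial and error.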
