ACL with NAT Question...

kenneth.hall (Level 1)

Thanks in advance for any help provided :)

I'm working with a WISP, and all of our Wi-Fi customers connect back across various APs connected to a switch, which connects to our border router, which then of course provides external (internet) connectivity. Using an existing NAT pool and ACL, most RFC 1918 (private) addresses are allowed to pass to the outside via NAT-ing. (See config below.)

(Existing config:)

interface FastEthernet1/0
 description Wireless Customer LAN
 ip address 10.20.0.17 255.255.255.252 secondary
 ip address 10.20.0.29 255.255.255.252 secondary
 ip address 10.20.0.25 255.255.255.252 secondary
 ip address 10.20.0.37 255.255.255.252 secondary
 ip address 10.20.0.253 255.255.255.252 secondary
 ip address 172.16.0.17 255.255.255.252 secondary
 ip address 10.20.0.21 255.255.255.252 secondary
 ip address 10.10.0.1 255.255.255.252 secondary
 ip address 172.16.129.1 255.255.255.0 secondary
 ip address 10.20.0.49 255.255.255.252 secondary
 ip address 10.20.0.53 255.255.255.252 secondary
 ip address 10.20.0.57 255.255.255.252 secondary
 ip address 10.20.0.61 255.255.255.252 secondary
 ip address 10.20.0.65 255.255.255.252 secondary
 ip address 10.20.0.41 255.255.255.252 secondary
 ip address 172.16.6.1 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 full-duplex
!
ip nat translation timeout 3600
ip nat pool mycompany (public IP of outside int.) (public IP of outside int.) netmask 255.255.255.252
ip nat inside source list 1 pool mycompany overload
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 deny any

---------------------------------

Now, my problem is that I need to prevent a few new customers from reaching the outside, but still provide them with access to various subnets attached to their interface (Fa1/0).

I have considered changing the ACL to this:

-------------------------------------

access-list 1 deny 10.20.0.48 0.0.0.3
access-list 1 deny 10.20.0.52 0.0.0.3
access-list 1 deny 10.20.0.56 0.0.0.3
access-list 1 deny 10.20.0.60 0.0.0.3
access-list 1 deny 10.20.0.64 0.0.0.3
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 deny any

-------------------------------------

But my concern is that the NAT order of operations will kill the traffic before routing it back out the (Fa1/0) interface to the appropriate subnet.

(BTW, the 10.20.x.x subnets in the new ACL are the ones that need access to each other and have their external access denied.)

Thanks again for any assistance anyone may offer...

Ken

2 Replies

kenneth.hall (Level 1)

So would that be the case or not?!?

a.awan (Level 4)

Actually, for the inside-to-outside NAT process, routing happens before NAT, so I do not see any issues with your access-list. One thing I would like to point out is that with your access-list you are only telling the router which packets to NAT before sending them out. You are effectively preventing some of your customers from accessing the internet, but their source packets will still be routed to your router's default gateway unless you have an access-list configured to stop that. If your router can handle it, try to look at the option of configuring an inbound access-list on your Fa1/0 and control the client communication through that. Rest assured this access-list will get checked before NAT takes place. The order of operation can be confirmed at the following URL:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
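The configuration below is an added example, not posted by Ken or a.awan, putting both posts together: Ken's proposed `access-list 1` denies, plus the inbound extended ACL on Fa1/0 that a.awan recommends. The interface, the attached subnets and the NAT pool come from Ken's config; the ACL name `WIFI-CUST-IN`, the choice to let the restricted /30s reach every subnet attached to Fa1/0, and the `log` keywords are my assumptions. It also generalises Ken's five /30 deny lines into one /28 plus one /30, since 10.20.0.48/30 through 10.20.0.60/30 are exactly 10.20.0.48/28.

```cisco
! Added example (not from the original thread). Assumes Ken's Fa1/0 layout;
! ACL name WIFI-CUST-IN and the destination set are assumptions.
!
! 1) NAT ACL. The deny lines only say "do not translate"; they do not say
!    "do not forward". On their own, a restricted customer's packet would be
!    routed out of the outside interface with its 10.20.0.x source intact.
!    Keeping them is harmless belt-and-braces under the real control in 2).
access-list 1 deny   10.20.0.48 0.0.0.15
access-list 1 deny   10.20.0.64 0.0.0.3
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 deny   any
!
! 2) Inbound ACL on Fa1/0. For inside-to-outside traffic IOS evaluates the
!    input ACL before routing and before NAT, so a denied packet is dropped
!    before either happens. Hairpinned customer-to-customer traffic enters
!    Fa1/0, is matched here, and is routed back out Fa1/0 without NAT.
ip access-list extended WIFI-CUST-IN
 remark restricted customers: 10.20.0.48/28 (= .48/30 .52/30 .56/30 .60/30) and 10.20.0.64/30
 remark allowed only to the subnets attached to Fa1/0 (assumption: all of them)
 permit ip 10.20.0.48 0.0.0.15 10.20.0.0 0.0.0.255
 permit ip 10.20.0.48 0.0.0.15 10.10.0.0 0.0.0.3
 permit ip 10.20.0.48 0.0.0.15 172.16.0.16 0.0.0.3
 permit ip 10.20.0.48 0.0.0.15 172.16.6.0 0.0.0.255
 permit ip 10.20.0.48 0.0.0.15 172.16.129.0 0.0.0.255
 permit ip 10.20.0.64 0.0.0.3 10.20.0.0 0.0.0.255
 permit ip 10.20.0.64 0.0.0.3 10.10.0.0 0.0.0.3
 permit ip 10.20.0.64 0.0.0.3 172.16.0.16 0.0.0.3
 permit ip 10.20.0.64 0.0.0.3 172.16.6.0 0.0.0.255
 permit ip 10.20.0.64 0.0.0.3 172.16.129.0 0.0.0.255
 remark everything else from the restricted customers is dropped and logged
 deny   ip 10.20.0.48 0.0.0.15 any log
 deny   ip 10.20.0.64 0.0.0.3 any log
 remark all other customers keep their existing (NATed) internet access
 permit ip any any
!
interface FastEthernet1/0
 ip access-group WIFI-CUST-IN in
!
```

To check it, send traffic from a restricted customer to another attached subnet and then to an internet address, and watch `show access-lists WIFI-CUST-IN` hit counters move on the expected permit and deny lines; `show ip nat translations` should show no entries sourced from 10.20.0.48-67. Two caveats: trim the destination `permit` lines if those customers should only see some of the attached subnets, and remember that the ACL keys on source address, so it only holds if customers cannot spoof a source outside their /30 (per-AP source filtering, or uRPF, which on IOS requires CEF and so would not work with the `no ip route-cache` currently on Fa1/0, closes that).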