08-02-2004 11:56 AM - edited 02-20-2020 09:25 PM
Thanks in advance for any help provided :)
I'm working with a WISP and all of our Wi-Fi customers connect back across various APs connected to a switch, which connects to our border router, which then of course provides external (internet) connectivity. Using an existing NAT pool and ACL, most RFC1918 (private) addresses are allowed to pass to the outside via NAT-ing. (See config:)
(Existing Config:)
interface FastEthernet1/0
description Wireless Customer LAN
ip address 10.20.0.17 255.255.255.252 secondary
ip address 10.20.0.29 255.255.255.252 secondary
ip address 10.20.0.25 255.255.255.252 secondary
ip address 10.20.0.37 255.255.255.252 secondary
ip address 10.20.0.253 255.255.255.252 secondary
ip address 172.16.0.17 255.255.255.252 secondary
ip address 10.20.0.21 255.255.255.252 secondary
ip address 10.10.0.1 255.255.255.252 secondary
ip address 172.16.129.1 255.255.255.0 secondary
ip address 10.20.0.49 255.255.255.252 secondary
ip address 10.20.0.53 255.255.255.252 secondary
ip address 10.20.0.57 255.255.255.252 secondary
ip address 10.20.0.61 255.255.255.252 secondary
ip address 10.20.0.65 255.255.255.252 secondary
ip address 10.20.0.41 255.255.255.252 secondary
ip address 172.16.6.1 255.255.255.0
ip nat inside
no ip route-cache
no ip mroute-cache
full-duplex
!
ip nat translation timeout 3600
ip nat pool mycompany (public IP of outside int.) (public IP of outside int.) netmask 255.255.255.252
ip nat inside source list 1 pool mycompany overload
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 deny any
---------------------------------
Now, my problem is I need to prevent a few new customers from reaching the outside, but still provide them with access to various subnets attached to their interface (fa1/0).
I have considered changing the ACL to this:
-------------------------------------
access-list 1 deny 10.20.0.48 0.0.0.3
access-list 1 deny 10.20.0.52 0.0.0.3
access-list 1 deny 10.20.0.56 0.0.0.3
access-list 1 deny 10.20.0.60 0.0.0.3
access-list 1 deny 10.20.0.64 0.0.0.3
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 deny any
-------------------------------------
But, my concern is that the NAT Order of Operations will kill the traffic before routing it back out the (fa1/0) interface to the appropriate subnet.
(BTW - the 10.20.x.x subnets in the new ACL are the ones that need access to each other and have their external access denied)
Thanks again for any assistance anyone may offer...
Ken
08-02-2004 01:43 PM
So would that be the case or not?!?
08-02-2004 09:58 PM
Actually, for the inside-to-outside NAT process, routing happens before NAT, so I do not see any issues with your access-list. One thing I would like to point out is that with your access-list you are only telling the router what packets to NAT before sending them out. You are effectively preventing some of your customers from accessing the internet, but their source packets will still be routed to your router's default gateway unless you have an access-list configured to stop that. If your router can handle it, try to look at the option of configuring an inbound access-list on your Fa1/0 and control the client communication through that. Rest assured this access-list will get checked before NAT takes place. The order of operation can be confirmed at the following URL:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
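One way to build the inbound filter the reply recommends, as an added example that is not from the thread: the restricted /30s and the destination subnets are the ones attached to Fa1/0 in the question's config, and the ACL name WIRELESS-IN is an assumption.

```cisco
! Added example, not the poster's config. An inbound ACL on Fa1/0 is
! evaluated before the routing decision and before the NAT check, so a
! packet denied here never reaches the default route or the NAT pool.
ip access-list extended WIRELESS-IN
 remark -- restricted customers: 10.20.0.48/30 .. 10.20.0.60/30 (as /28) and 10.20.0.64/30
 remark -- allow them to reach the other subnets attached to Fa1/0 ...
 permit ip 10.20.0.48 0.0.0.15 10.20.0.0 0.0.0.255
 permit ip 10.20.0.64 0.0.0.3  10.20.0.0 0.0.0.255
 permit ip 10.20.0.48 0.0.0.15 10.10.0.0 0.0.0.3
 permit ip 10.20.0.64 0.0.0.3  10.10.0.0 0.0.0.3
 permit ip 10.20.0.48 0.0.0.15 172.16.0.16 0.0.0.3
 permit ip 10.20.0.64 0.0.0.3  172.16.0.16 0.0.0.3
 permit ip 10.20.0.48 0.0.0.15 172.16.129.0 0.0.0.255
 permit ip 10.20.0.64 0.0.0.3  172.16.129.0 0.0.0.255
 permit ip 10.20.0.48 0.0.0.15 172.16.6.0 0.0.0.255
 permit ip 10.20.0.64 0.0.0.3  172.16.6.0 0.0.0.255
 remark -- ... and nothing else; log hits so attempts are visible
 deny   ip 10.20.0.48 0.0.0.15 any log
 deny   ip 10.20.0.64 0.0.0.3  any log
 remark -- every other customer is unaffected (overrides the implicit deny)
 permit ip any any
!
interface FastEthernet1/0
 ip access-group WIRELESS-IN in
```

With this in place the existing NAT access-list 1 can stay unchanged, because packets dropped at ingress never reach the NAT step; the closing `permit ip any any` matters, since an extended ACL ends in an implicit deny that would otherwise cut off the other customers.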