05-28-2005 09:17 PM - edited 02-20-2020 09:27 PM
The device I used is a 2651xm router, and NAT is used to connect my whole inside local network (192.168.1.x) to the outside internet. Some standard ACLs have been used to block some local hosts from accessing the outside internet, and it worked well. My question is, when I created a named extended ACL and applied it to the interface to which the local network is attached, the whole local network was not able to access the outside internet! Can you give me some hints?
My hardware and software are 2651xm + IOS 12.3(6b).
Best regards.
jan
05-30-2005 01:30 AM
Hi Jan,
I think the problem here is that you are confusing the use of an access-list to control the NAT, with the use of an access-list to filter the traffic.
Looking at the NAT, I see you have ip nat inside source list 1 pool cisco2651-natpool-168 overload. This means you still need access-list 1 to define which source addresses get translated. You could, I suppose, use a named access list to do this, and the command would be something like ip nat inside source list inside-locals pool cisco2651-natpool-168 overload, where inside-locals is the name of a standard named access list. But whichever way you play it, you still need the access list. Try putting back the access-list 1, and you will see that it will start working again. Note that the access-list used to control NAT must be a standard list, named or numbered, and not an extended one.
On the other hand, you have used the extended list named-acl-test to filter your traffic, and this is fine. OK, the list is wide open at the moment, but I guess you will want to restrict it later on.
Hope this helps. Write back, and let us know how you get on.
Kevin Dorrell
Luxembourg
05-29-2005 09:37 AM
The ACL is on the inside network, but in which direction, ingoing or outgoing? Perhaps you could show us the access-group command and the ACL itself so we could check it over.
Kevin Dorrell
Luxembourg
05-30-2005 12:11 AM
Hi, Kevin. So glad to meet you here.
Yes, maybe showing the config can help to solve the problem.
Originally, we used this 2651XM product as a simple internet broadband access router, so I deployed a minimal set of standard ACLs and NAT on it, and they all worked very well. The first version of the running-config looked like this:
///// Part 1: The original standard ACL ////////////
show run
Building configuration...
Current configuration : 1839 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname (removed)
!
boot-start-marker
boot-end-marker
!
enable password (removed)
!
clock timezone china 8
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
ip nbar pdlm flash:bittorrent.pdlm
!
!
no ip domain lookup
no ftp-server write-enable
!
!
!
class-map match-all bittorrent
match protocol bittorrent
!
!
policy-map drop-bittorrent
class bittorrent
drop
!
!
!
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
ip nat inside
service-policy input drop-bittorrent
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
ip address 192.168.10.254 255.255.255.0
ip nat inside
service-policy input drop-bittorrent
duplex auto
speed auto
no cdp enable
!
interface Ethernet1/0
ip address 220.194.xxx.xxx 255.255.255.248
ip nat outside
full-duplex
no cdp enable
!
router rip
version 2
passive-interface Ethernet1/0
network 192.168.1.0
network 192.168.10.0
no auto-summary
!
ip nat pool cisco2651-natpool-168 220.194.xxx.xxx 220.194.xxx.xxx netmask 255.255.255.248
ip nat inside source list 1 pool cisco2651-natpool-168 overload
ip nat inside source static tcp 192.168.1.11 5001 interface Ethernet1/0 5001
ip nat inside source static tcp 192.168.1.11 5000 interface Ethernet1/0 5000
ip nat inside source static tcp 192.168.1.11 5002 interface Ethernet1/0 5002
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1/0
ip http server
ip http port 2569
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 host 192.168.1.205
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
no cdp run
banner login ^C
##### Where Were We ? ##### ^C
!
line con 0
line aux 0
line vty 0 4
password (removed)
login
!
!
!
end
//////////// The End of Part 1 ////////////////
(to be continued)
05-30-2005 12:19 AM
(the second part of config with named ACL)
Just based on the above config, I replaced the standard ACL with a named extended ACL and applied it on interface FastEthernet 0/0, to which my whole local network 192.168.1.x is attached (I wanted to verify first whether this local network could go through the new named ACL). Unexpectedly, nothing worked: from this point my local network 192.168.1.x could not access the outside internet. But why? The new config with the named extended ACL is as follows:
////////////Part 2: The modifed config with named ACL /////////
show run
Building configuration...
Current configuration : 1839 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname (removed)
!
boot-start-marker
boot-end-marker
!
enable password (removed)
!
clock timezone china 8
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
ip nbar pdlm flash:bittorrent.pdlm
!
!
no ip domain lookup
no ftp-server write-enable
!
!
!
class-map match-all bittorrent
match protocol bittorrent
!
!
policy-map drop-bittorrent
class bittorrent
drop
!
!
!
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
ip access-group named-acl-test in
ip nat inside
service-policy input drop-bittorrent
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
ip address 192.168.10.254 255.255.255.0
ip nat inside
service-policy input drop-bittorrent
duplex auto
speed auto
no cdp enable
!
interface Ethernet1/0
ip address 220.194.xxx.xxx 255.255.255.248
ip nat outside
full-duplex
no cdp enable
!
router rip
version 2
passive-interface Ethernet1/0
network 192.168.1.0
network 192.168.10.0
no auto-summary
!
ip nat pool cisco2651-natpool-168 220.194.xxx.xxx 220.194.xxx.xxx netmask 255.255.255.248
ip nat inside source list 1 pool cisco2651-natpool-168 overload
ip nat inside source static tcp 192.168.1.11 3001 interface Ethernet1/0 3001
ip nat inside source static tcp 192.168.1.11 3000 interface Ethernet1/0 3000
ip nat inside source static tcp 192.168.1.11 3002 interface Ethernet1/0 3002
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1/0
ip http server
ip http port 2569
!
ip access-list extended named-acl-test
permit ip any any
no cdp run
banner login ^C
##### Where Were We ? ##### ^C
!
line con 0
line aux 0
line vty 0 4
password (removed)
login
!
!
!
end
//////////// The End of Part 2 ////////////////
That's all. This problem has confused me for a few days! I followed the Cisco ACL guide strictly, but the result... Or is there some bug or caveat about the router or IOS? Can you help me out?
Whether or not this puzzle can be solved, I should say thank you first; this is my first time on this forum.
best regards.
Janxuan
Beijing, China.
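To make the distinction in Kevin's answer concrete, here is an added example (not code from the thread or from Cisco IOS) that models the two ACL roles on a small scale: the inbound interface ACL filters packets, while the list referenced by ip nat inside source list only decides which sources get translated. The config excerpts inside it are constructed from the posted Part 2, with 203.0.113.10 and 198.51.100.7 standing in for the 220.194.x.x pool and an Internet destination, and 192.168.1.50 as a hypothetical host the filter blocks. The "undefined NAT list means no translation" behaviour is modelled from what the thread observed, not from IOS documentation.

```python
"""Constructed model (added example, not IOS code) of the thread's two ACL roles:
the inbound interface ACL filters packets, the NAT source list only chooses
which sources get translated. Addresses are documentation ranges."""
import ipaddress

POOL_ADDRESS = "203.0.113.10"  # constructed stand-in for pool cisco2651-natpool-168

# Constructed excerpt of Part 2 of the posted config: access-list 1 is gone,
# but the NAT rule still references list 1.
BROKEN_CONFIG = """
interface FastEthernet0/0
 ip access-group named-acl-test in
 ip nat inside
!
ip nat inside source list 1 pool cisco2651-natpool-168 overload
!
ip access-list extended named-acl-test
 permit ip any any
"""

# Constructed fix along the lines of the answer: list 1 restored for NAT, the
# extended list kept as the interface filter (here also blocking a hypothetical host).
FIXED_CONFIG = """
interface FastEthernet0/0
 ip access-group named-acl-test in
 ip nat inside
!
ip nat inside source list 1 pool cisco2651-natpool-168 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
ip access-list extended named-acl-test
 deny ip host 192.168.1.50 any
 permit ip any any
"""

# Constructed variant using the named standard list the answer suggests for NAT.
NAMED_STANDARD_CONFIG = """
ip nat inside source list inside-locals pool cisco2651-natpool-168 overload
ip access-list standard inside-locals
 permit 192.168.1.0 0.0.0.255
 permit 192.168.10.0 0.0.0.255
"""

def _split_spec(tokens):
    """Take one address spec ('any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W') off the front."""
    n = 1 if tokens[0] == "any" else 2
    return tokens[:n], tokens[n:]

def _entry(kind, action, rest):
    """Build (action, src_spec, dst_spec) from the words after permit/deny."""
    if kind == "standard":
        if len(rest) == 1 and rest[0] != "any":  # bare address in a standard list means one host
            rest = ["host", rest[0]]
        src, _ = _split_spec(rest)
        return action, src, ["any"]
    src, rest = _split_spec(rest[1:])            # rest[0] is the protocol; only 'ip' is modelled
    dst, _ = _split_spec(rest)
    return action, src, dst

def parse_config(text):
    """Pick out ACL definitions, the NAT source list and the inbound interface ACL."""
    acls, current = {}, None
    cfg = {"acls": acls, "nat_list": None, "in_acl": None}
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[0] in ("permit", "deny"):      # entry inside an 'ip access-list' block
            if current is not None:
                current["entries"].append(_entry(current["kind"], tokens[0], tokens[1:]))
            continue
        current = None                           # any other line leaves ACL sub-mode
        if tokens[0] == "access-list":           # numbered: 1-99 standard, 100-199 extended
            kind = "standard" if int(tokens[1]) < 100 else "extended"
            acl = acls.setdefault(tokens[1], {"kind": kind, "entries": []})
            acl["entries"].append(_entry(kind, tokens[2], tokens[3:]))
        elif tokens[:2] == ["ip", "access-list"]:
            current = acls.setdefault(tokens[3], {"kind": tokens[2], "entries": []})
        elif tokens[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg["nat_list"] = tokens[5]
        elif tokens[:2] == ["ip", "access-group"] and len(tokens) == 4 and tokens[3] == "in":
            cfg["in_acl"] = tokens[2]
    return cfg

def _matches(addr, spec):
    """Compare a 32-bit address with 'any', 'host A' or 'A W' (W is a wildcard mask)."""
    if spec == ["any"]:
        return True
    base = int(ipaddress.IPv4Address(spec[1] if spec[0] == "host" else spec[0]))
    wild = 0 if spec[0] == "host" else int(ipaddress.IPv4Address(spec[1]))
    return (addr & ~wild) == (base & ~wild)

def _permits(acl, src, dst):
    """Top-down first match; the implicit deny at the end applies when nothing matches."""
    for action, s, d in acl["entries"]:
        if _matches(src, s) and _matches(dst, d):
            return action == "permit"
    return False

def forward(cfg, src_ip, dst_ip):
    """Verdict for a packet entering the inside interface: (outcome, source address on exit)."""
    src, dst = (int(ipaddress.IPv4Address(a)) for a in (src_ip, dst_ip))
    # Step 1: the interface ACL decides whether the packet is allowed in at all.
    in_acl = cfg["acls"].get(cfg["in_acl"])
    if in_acl is not None and not _permits(in_acl, src, dst):
        return "dropped-by-interface-acl", src_ip
    # Step 2: NAT consults its own list. If that list does not exist (the Part 2
    # situation), nothing is translated and the packet leaves with its private
    # source address, which is what the thread saw as "no Internet access".
    nat_acl = cfg["acls"].get(cfg["nat_list"])
    if nat_acl is not None and _permits(nat_acl, src, dst):
        return "translated", POOL_ADDRESS
    return "forwarded-untranslated", src_ip
```

Running forward(parse_config(BROKEN_CONFIG), "192.168.1.20", "198.51.100.7") shows the packet passing the wide-open named-acl-test but leaving untranslated, because list 1 no longer exists; with FIXED_CONFIG the same packet is translated, the hypothetical 192.168.1.50 is dropped by the interface filter, and a source outside list 1 passes the filter but is never translated. The two lists answer two different questions, which is why removing one of them broke NAT even though the filter permitted everything.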
05-31-2005 08:33 PM
Hi, Kevin. Some other tasks pulled me out of my office these days, so I haven't managed my router for a few days. But I have read your suggestion through carefully. Once I have made progress, I will write it down here for you.
Best Regards
Jan Xuan
07-05-2005 02:52 AM
Hi, Kevin
How's everything going? It's been so long since we met here. I should say thank you very much for your hints. Later, I basically followed your instructions to deal with the trouble I met, going through the procedure step by step, and the named extended ACL now works very well on both interfaces. I mean the key fault I made is that the named ACL I applied was different from the name I referenced in the NAT pool command. That's the whole key thing. :)
Hope to meet you very often, and learn a lot from you. :) Thank you again.
Janxuan
Beijing