Named extended ACL doesn't work, can you give me help?

jan xuan
Level 1

The device I used is a 2651XM router, and NAT is used to connect my whole inside local network (192.168.1.x) to the outside internet. Some standard ACLs have been used to block some local hosts from accessing the outside internet, and they worked well. My question is: when I created a named extended ACL and applied it to the interface to which the local network is attached, the whole local network was no longer able to access the outside internet! Can you give me some hints?

My hardware and software are a 2651XM + IOS 12.3(6b).

Best regards.

jan

Accepted Solution

Hi Jan,

I think the problem here is that you are confusing the use of an access-list to control the NAT, with the use of an access-list to filter the traffic.

Looking at the NAT, I see you have ip nat inside source list 1 pool cisco2651-natpool-168 overload. This means you still need access-list 1 to define which source addresses get translated. You could, I suppose, use a named access list to do this, and the command would be something like ip nat inside source list inside-locals pool cisco2651-natpool-168 overload, where inside-locals is the name of a standard named access list. But whichever way you play it, you still need the access list. Try putting back the access-list 1, and you will see that it will start working again. Note that the access-list used to control NAT must be a standard list, named or numbered, and not an extended one.

On the other hand, you have used the extended list named-acl-test to filter your traffic, and this is fine. OK, the list is wide open at the moment, but I guess you will want to restrict it later on.

Hope this helps. Write back, and let us know how you get on.

Kevin Dorrell

Luxembourg


6 Replies

Kevin Dorrell
Level 10

The ACL is on the inside network, but in which direction, ingoing or outgoing? Perhaps you could show us the access-group command and the ACL itself so we could check it over.

Kevin Dorrell

Luxembourg

Hi, Kevin. So glad to meet you here.

Yes, maybe showing the config can help to solve the problem.

Originally, we used this 2651XM product as a simple internet broadband access router, so I deployed a minimal set of standard ACL and NAT on it, and they all worked very well. The first version of the running-config looked like this:

///// Part 1: The original standard ACL ////////////

show run
Building configuration...

Current configuration : 1839 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname (removed)
!
boot-start-marker
boot-end-marker
!
enable password (removed)
!
clock timezone china 8
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
ip nbar pdlm flash:bittorrent.pdlm
!
!
no ip domain lookup
no ftp-server write-enable
!
!
!
class-map match-all bittorrent
 match protocol bittorrent
!
!
policy-map drop-bittorrent
 class bittorrent
  drop
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 service-policy input drop-bittorrent
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 service-policy input drop-bittorrent
 duplex auto
 speed auto
 no cdp enable
!
interface Ethernet1/0
 ip address 220.194.xxx.xxx 255.255.255.248
 ip nat outside
 full-duplex
 no cdp enable
!
router rip
 version 2
 passive-interface Ethernet1/0
 network 192.168.1.0
 network 192.168.10.0
 no auto-summary
!
ip nat pool cisco2651-natpool-168 220.194.xxx.xxx 220.194.xxx.xxx netmask 255.255.255.248
ip nat inside source list 1 pool cisco2651-natpool-168 overload
ip nat inside source static tcp 192.168.1.11 5001 interface Ethernet1/0 5001
ip nat inside source static tcp 192.168.1.11 5000 interface Ethernet1/0 5000
ip nat inside source static tcp 192.168.1.11 5002 interface Ethernet1/0 5002
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1/0
ip http server
ip http port 2569
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 host 192.168.1.205
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
no cdp run
banner login ^C
##### Where Were We ? ##### ^C
!
line con 0
line aux 0
line vty 0 4
 password (removed)
 login
!
!
!
end

//////////// The End of Part 1 ////////////////

(to be continued)

(the second part of config with named ACL)

Based on the above config, I replaced the standard ACL with a named extended ACL and applied it on interface FastEthernet 0/0, to which my whole local network 192.168.1.x is attached (I wanted to verify first whether this local network could go through the new named ACL). Unexpectedly, nothing happened; from that point my local network 192.168.1.x could not access the outside internet. But why? The new config with the named extended ACL is as follows:

//////////// Part 2: The modified config with named ACL /////////

show run
Building configuration...

Current configuration : 1839 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname (removed)
!
boot-start-marker
boot-end-marker
!
enable password (removed)
!
clock timezone china 8
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
ip nbar pdlm flash:bittorrent.pdlm
!
!
no ip domain lookup
no ftp-server write-enable
!
!
!
class-map match-all bittorrent
 match protocol bittorrent
!
!
policy-map drop-bittorrent
 class bittorrent
  drop
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip access-group named-acl-test in
 ip nat inside
 service-policy input drop-bittorrent
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 service-policy input drop-bittorrent
 duplex auto
 speed auto
 no cdp enable
!
interface Ethernet1/0
 ip address 220.194.xxx.xxx 255.255.255.248
 ip nat outside
 full-duplex
 no cdp enable
!
router rip
 version 2
 passive-interface Ethernet1/0
 network 192.168.1.0
 network 192.168.10.0
 no auto-summary
!
ip nat pool cisco2651-natpool-168 220.194.xxx.xxx 220.194.xxx.xxx netmask 255.255.255.248
ip nat inside source list 1 pool cisco2651-natpool-168 overload
ip nat inside source static tcp 192.168.1.11 3001 interface Ethernet1/0 3001
ip nat inside source static tcp 192.168.1.11 3000 interface Ethernet1/0 3000
ip nat inside source static tcp 192.168.1.11 3002 interface Ethernet1/0 3002
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1/0
ip http server
ip http port 2569
!
ip access-list extended named-acl-test
 permit ip any any
no cdp run
banner login ^C
##### Where Were We ? ##### ^C
!
line con 0
line aux 0
line vty 0 4
 password (removed)
 login
!
!
!
end

//////////// The End of Part 2 ////////////////

That's all. This problem has confused me for a few days! I followed the Cisco ACL guide strictly, but the result... Or is there some bug or caveat about the router or IOS? Can you help me out?

Whether or not this puzzle can be solved, I should say thank you first; this is my first time on this forum.

Best regards.

Janxuan

Beijing, China.


Hi, Kevin. Some other tasks pulled me out of my office these days, so I haven't managed my router for a few days. But I have read your suggestion through carefully. Once I have some progress, I will write it down here for you.

Best Regards

Jan Xuan

Hi, Kevin

How's everything going? It's been so long since I met you here. I should say thank you very much for your hints. Later, I basically followed your instructions to deal with the trouble I met, went through the step-by-step procedure, and the named extended ACL works very well on both interfaces. I mean, the key fault I made is that the named ACL I applied is different from the NAT-pool name that I specified in the NAT pool command. That's the whole key thing. :)

Hope we can meet very often, and I can learn a lot from you. :) Thank you again.

Janxuan

Beijing
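The root cause Kevin identified (the NAT statement still points at list 1 after that list was replaced) and the name mismatch Jan confirms in his last reply are both dangling references that a quick config lint catches before a change goes live. The checker below is an added example, not code from the thread or from Cisco; it parses a constructed fragment of the Part 2 running-config (the outside address is kept as the page's xxx placeholder), and flags any ip nat inside source list whose ACL is undefined or, following the thread's advice, is not a standard list.

```python
import re

# Constructed fragment of the thread's Part 2 config: NAT still references
# list 1, but access-list 1 is gone and only a named extended list exists.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip access-group named-acl-test in
 ip nat inside
!
ip nat pool cisco2651-natpool-168 220.194.xxx.xxx 220.194.xxx.xxx netmask 255.255.255.248
ip nat inside source list 1 pool cisco2651-natpool-168 overload
!
ip access-list extended named-acl-test
 permit ip any any
"""

NAT_LIST_RE = re.compile(r"^ip nat inside source list (\S+) ")
NUMBERED_RE = re.compile(r"^access-list (\d+) ")
NAMED_RE = re.compile(r"^ip access-list (standard|extended) (\S+)")


def acl_types(config):
    """Map each ACL defined in the config to 'standard', 'extended' or 'other'."""
    acls = {}
    for line in config.splitlines():
        m = NUMBERED_RE.match(line)
        if m:
            n = int(m.group(1))
            # IOS numbered IP ACL ranges: 1-99 / 1300-1999 standard, 100-199 / 2000-2699 extended
            if 1 <= n <= 99 or 1300 <= n <= 1999:
                acls[m.group(1)] = "standard"
            elif 100 <= n <= 199 or 2000 <= n <= 2699:
                acls[m.group(1)] = "extended"
            else:
                acls[m.group(1)] = "other"
            continue
        m = NAMED_RE.match(line)
        if m:
            acls[m.group(2)] = m.group(1)
    return acls


def check_nat_acls(config):
    """Return findings for NAT source-list statements whose ACL is missing or not standard."""
    acls = acl_types(config)
    findings = []
    for line in config.splitlines():
        m = NAT_LIST_RE.match(line)
        if not m:
            continue
        name = m.group(1)
        if name not in acls:
            # No ACL means no inside address is selected for translation: outbound traffic dies
            findings.append(f"NAT list {name!r} is not defined: no inside hosts will be translated")
        elif acls[name] != "standard":
            findings.append(f"NAT list {name!r} is {acls[name]}, not standard")
    return findings
```

Running check_nat_acls on the sample reports the undefined list 1; adding back access-list 1 permit 192.168.1.0 0.0.0.255 clears the finding.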
