access list doesn't get hits

katrin1701
Level 1

I've got an access-list that I'm using for NAT and while it is working, I can't see any hits.

I've seen other posts here that it depends on processing via hardware or software.

How do I know if this might be the case?

I'd like to be able to see things in that access-list in the log, for example as in

deny any any log

but that doesn't seem to work either.

Is there any way to make that visible?


9 Replies

Hi

You did not mention the device, but the label of your thread shows ISR4000. This device runs IOS XE.

Take a look at this link

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-16-8/sec-data-acl-xe-16-8-book/sec-dply-clr-ald-acl-xe.html

It is an ISR4451, version 17.3.

It displays logs for other access-lists but not for the NAT access-list.

It might be due to the fact that the outgoing tagged interfaces are virtual-access interfaces, via a virtual-template, which has ip nat outside as a parameter.

If it is an ISR4451 running IOS-XE then there is a command that I think will help you.

If this is a Cat9000 switch then there is a chance that NAT is done in TCAM; when NAT (and its ACL) is done in TCAM there is no log.

It is an ISR4451, version 17.3.

How does one find out if it is done in TCAM?

Would that also explain why I can't add remarks to my access-lists?

Accepted Solution

Sorry, but the command I mentioned before works only for switches, not for routers:

show access-list hardware count

"NAT does not support access control lists (ACLs) with the log option. The same functionality can be achieved by using one of the following options:

  • By having a physical interface or virtual LAN (VLAN) with the logging option

  • By using NetFlow"

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-16/nat-xe-16-book/iadnat-monmain.html

NAT ACLs do not support log, as Cisco mentions in the guide.
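The guide quoted above says NAT does not support ACLs with the log option, so a "log" keyword on a NAT ACL silently produces nothing. The following is an added example from the editor, not code from this thread or from Cisco: a small config linter that reads a saved running-config, collects the ACLs referenced by "ip nat inside/outside source list" statements, and flags every entry in those ACLs that carries log or log-input, so the unsupported keyword is caught at review time instead of being discovered while waiting for log messages. The configuration it scans is constructed for the example; the ACL names, pool name and interface numbers are made up.

```python
import re

# Constructed sample running-config for this example (not from the thread).
# NAT-INSIDE and numbered ACL 1 are referenced by NAT and carry log/log-input,
# which the NAT configuration guide says is not supported; VPN-FILTER is an
# interface ACL, where "log" is supported and must not be flagged.
SAMPLE_CONFIG = """\
!
ip access-list extended NAT-INSIDE
 permit ip 10.10.0.0 0.0.255.255 any log
 deny   ip any any log
!
ip access-list extended VPN-FILTER
 permit tcp any host 192.0.2.10 eq 443
 deny   ip any any log
!
access-list 1 permit 10.20.0.0 0.0.0.255 log-input
access-list 1 deny   any
!
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0/0 overload
ip nat inside source list 1 pool POOL-A overload
!
interface GigabitEthernet0/0/1
 ip access-group VPN-FILTER in
!
"""

# "ip nat inside source list <acl> ..." or "ip nat outside source list <acl> ..."
NAT_SOURCE_RE = re.compile(r"^ip nat (?:inside|outside) source list (\S+)\b")
# Header of a named ACL; its entries follow on indented lines.
NAMED_ACL_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)$")
# One entry of a numbered ACL, e.g. "access-list 1 permit 10.0.0.0 0.255.255.255 log".
NUMBERED_ACL_RE = re.compile(r"^access-list (\d+) (.+)$")
# "log" or "log-input" as a whole keyword; does not match "logging" or "dialog".
LOG_RE = re.compile(r"\blog(?:-input)?\b")


def parse_acls(config):
    """Return {acl_name_or_number: [normalised ACE, ...]} for named and numbered ACLs."""
    acls = {}
    current = None  # name of the named ACL whose indented body we are inside
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = NAMED_ACL_RE.match(line)
        if m:
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        m = NUMBERED_ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(" ".join(m.group(2).split()))
            current = None
            continue
        if line.startswith(" ") and current is not None:
            acls[current].append(" ".join(line.split()))
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the ACL body
    return acls


def nat_acls(config):
    """Return the sorted ACL names/numbers referenced by NAT 'source list' statements."""
    found = set()
    for line in config.splitlines():
        m = NAT_SOURCE_RE.match(line.strip())
        if m:
            found.add(m.group(1))
    return sorted(found)


def find_logging_nat_aces(config):
    """Return [(acl, ace), ...] for every log/log-input entry inside a NAT-referenced ACL."""
    acls = parse_acls(config)
    findings = []
    for name in nat_acls(config):
        for ace in acls.get(name, []):
            if LOG_RE.search(ace):
                findings.append((name, ace))
    return findings


if __name__ == "__main__":
    hits = find_logging_nat_aces(SAMPLE_CONFIG)
    for acl, ace in hits:
        print(f"ACL {acl} is used by NAT; 'log' on '{ace}' will not produce log messages")
    print(f"{len(hits)} unsupported log ACE(s) found")
```

Run it against a "show running-config" capture saved to a file by replacing SAMPLE_CONFIG with the file contents. On the router itself, show ip nat statistics lists each dynamic mapping together with the ACL it uses and reports translation hit and miss counters, which is a more reliable place to confirm that a NAT ACL is actually being used than the per-entry match counters the original poster found empty.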

Shame, it used to work on a

Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.2(4)M7, RELEASE SOFTWARE (fc2)

I don't have the license for NetFlow it seems (but at first glance it seems way too complicated for my purposes), and logging on the interface offers

  link-status        UPDOWN and CHANGE messages
  nfas-status        NFAS D-channel status messages
  subif-link-status  Sub-interface UPDOWN and CHANGE messages

which doesn't seem to be what I want either.

I'll just make do without it, I think. At least for now.

Hello

The NAT ACL is used for the router to call upon so as to translate the address(es) specified in it, so I am not sure why you would want to log that particular access-list, as whatever is specified is what you wish to translate.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul

I don't understand what a Response Time Reporter has to do with it, so I can't comment on that.

If the system is running normally I don't need to log anything, but just in case I'd like to be able to add a log to look for problems; as far as I know that's what the log option is used for.

I'd also be happier if I had hits, so I can see that the ACL is in use and working.

I don't understand why it shouldn't be possible.
