Access-lists Not working on Router

Jonathan Nali
Level 1

Hi Everyone,

I need your help with this configuration. 

I have the same configuration on my other router at a different branch, but these configs are not working on this branch.

I can reach the interface 10.10.1.1 and go to the internet without access-lists, yet I needed ACLs on my other router to do the same.

Now, what's the problem with that? I cannot reach the 10.10.1.0/24 LAN because of this line:

->access-list 113 deny ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255

which, if I am not mistaken, should read: deny any IP address from the .3.0/24 network from being NATted.

The path from this router should be:

GW:192.168.124.9

GW:192.168.124.1

GW:192.168.124.2

Router Interface:10.10.1.1

Problem 2: I can ping all of those, but when I do a traceroute to 10.10.1.1 or 192.168.124.2 the trace dies at 192.168.124.1, which is super confusing.

==================================================================================


ip source-route
!
!
ip dhcp relay information option
ip dhcp relay information trust-all
ip dhcp excluded-address 10.10.3.253
ip dhcp excluded-address 10.10.3.252
ip dhcp excluded-address 10.10.3.1 10.10.3.50
!
ip dhcp pool KITWE-POOL
network 10.10.3.0 255.255.255.0
default-router 10.10.3.3
dns-server 10.10.1.4
!
!
ip cef
no ip domain lookup
ip name-server 8.8.8.8
no ipv6 cef
!
!
multilink bundle-name authenticated

!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
!
interface FastEthernet0
switchport access vlan 10
!
!
interface FastEthernet1
switchport access vlan 10
!
!
interface FastEthernet2
switchport access vlan 10
!
!
interface FastEthernet3
switchport access vlan 10
!
!
interface FastEthernet4
switchport access vlan 10
!
!
interface FastEthernet5
switchport access vlan 10
!
!
interface FastEthernet8
ip dhcp relay information option-insert
ip address 192.168.124.10 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0
no ip address
ip virtual-reassembly
shutdown
duplex auto
speed auto
!
!
interface Vlan1
no ip address
shutdown
!
!
interface Vlan10
ip address 10.10.3.3 255.255.255.0
ip helper-address 10.10.3.3
ip directed-broadcast
ip nat inside
ip virtual-reassembly
!
!
interface Async1
no ip address
encapsulation slip
!
!
ip forward-protocol nd
ip forward-protocol udp talk
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 113 interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 192.168.124.1
ip route 10.10.2.0 255.255.255.0 192.168.124.9
ip route 192.168.124.0 255.255.255.252 192.168.124.9
ip route 192.168.124.8 255.255.255.252 192.168.124.9
!
access-list 113 deny ip 10.10.3.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 113 permit ip 10.10.3.0 0.0.0.255 any
no cdp run

========================================================================

Any Advice will be highly appreciated.

2 Accepted Solutions

Accepted Solutions

Giuseppe Larosa
Hall of Fame

Hello @Jonathan Nali ,

In your configuration you are doing something different:

access-list 113 deny ip 10.10.3.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 113 permit ip 10.10.3.0 0.0.0.255 any

ip nat inside source list 113 interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 192.168.124.1
ip route 10.10.2.0 255.255.255.0 192.168.124.9
ip route 192.168.124.0 255.255.255.252 192.168.124.9
ip route 192.168.124.8 255.255.255.252 192.168.124.9

where 192.168.124.9 is the next-hop for Fas8

interface FastEthernet8
ip dhcp relay information option-insert
ip address 192.168.124.10 255.255.255.252
ip nat outside

If you want to reach subnet 10.10.1.0/24 from 10.10.3.0/24 without being NATted, you should add a line for that in the ACL used for NAT:

access-list 113 deny ip 10.10.3.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 113 deny ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 113 permit ip 10.10.3.0 0.0.0.255 any

Hope to help

Giuseppe

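To make the NAT-ACL semantics concrete, here is an added Python example (not code from the thread or from Cisco) that parses the three `access-list 113` lines discussed above using Cisco wildcard-mask matching and shows, for a few constructed source/destination pairs, which flows `ip nat inside source list 113 ...` would translate under the current ACL and under the corrected one. The key point it demonstrates: a `deny` in a NAT ACL only exempts a flow from translation; it does not block it (an IOS ACL also ends with an implicit deny, modelled here). The host addresses in `FLOWS` are constructed for the example.

```python
import ipaddress

def _ip(s):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'.
    Returns (network_int, wildcard_int, next_index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2

def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines into entry tuples."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError("unsupported ACL line: " + line)
        src, src_wc, i = _parse_addr(t, 4)
        dst, dst_wc, i = _parse_addr(t, i)
        entries.append((t[2], src, src_wc, dst, dst_wc))
    return entries

def _wc_match(addr, net, wc):
    """Cisco wildcard mask: a 1 bit means 'don't care'."""
    return (addr & ~wc & 0xFFFFFFFF) == (net & ~wc & 0xFFFFFFFF)

def acl_action(entries, src, dst):
    """First-match evaluation; IOS ACLs end with an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for action, net_s, wc_s, net_d, wc_d in entries:
        if _wc_match(s, net_s, wc_s) and _wc_match(d, net_d, wc_d):
            return action
    return "deny"

def nat_translated(entries, src, dst):
    """For 'ip nat inside source list 113 ...': permit => translate, deny => pass untouched."""
    return acl_action(entries, src, dst) == "permit"

# ACL exactly as in the posted config
CURRENT_ACL = [
    "access-list 113 deny ip 10.10.3.0 0.0.0.255 10.10.2.0 0.0.0.255",
    "access-list 113 permit ip 10.10.3.0 0.0.0.255 any",
]
# ACL as proposed in the reply above
PROPOSED_ACL = [
    "access-list 113 deny ip 10.10.3.0 0.0.0.255 10.10.2.0 0.0.0.255",
    "access-list 113 deny ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255",
    "access-list 113 permit ip 10.10.3.0 0.0.0.255 any",
]

# Constructed sample flows: LAN host to the other branches and to the internet,
# plus a source outside 10.10.3.0/24 (hits the implicit deny).
FLOWS = [
    ("10.10.3.10", "10.10.1.4"),
    ("10.10.3.10", "10.10.2.20"),
    ("10.10.3.10", "8.8.8.8"),
    ("10.10.2.5", "8.8.8.8"),
]

def nat_table(acl_lines):
    """Map each sample flow to True (translated) / False (not translated)."""
    entries = parse_acl(acl_lines)
    return {(s, d): nat_translated(entries, s, d) for s, d in FLOWS}

if __name__ == "__main__":
    for name, acl in (("current ACL 113", CURRENT_ACL), ("proposed ACL 113", PROPOSED_ACL)):
        print(name)
        for (s, d), translated in nat_table(acl).items():
            print(f"  {s} -> {d}: {'translated' if translated else 'not translated'}")
```

Under the current ACL the flow 10.10.3.10 -> 10.10.1.4 is translated to the Fas8 address, so the 10.10.1.0/24 side sees 192.168.124.10 and return traffic depends on the NAT state; under the proposed ACL that flow is left untranslated while internet-bound traffic is still translated.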

RicardoSN
Level 1

Now, what's the problem with that? I cannot reach the 10.10.1.0/24 LAN because of this line:

->access-list 113 deny ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255

which, if I am not mistaken, should read: deny any IP address from the .3.0/24 network from being NATted.

Not exactly, Jonathan.

If you want the source network 10.10.3.0/24 not to be NATted to the IP 192.168.124.10 when it is trying to reach the destination network 10.10.1.0/24, then what you should do is deny that source and destination on your NAT ACL, which I believe is ACL 113:

Like this:

access-list 113 deny ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 113 permit ip 10.10.3.0 0.0.0.255 any

As it stands, you're currently denying an incorrect destination network, I believe 10.10.2.0/24.

-Ricardo S.N., Regards!


4 Replies

Hi @paul driver @RicardoSN @Giuseppe Larosa ,

Thank you for your responses.

We discovered that the problem was with the ISP. They had not advertised the routes to my LAN.

Hello
Just like to add: I would suggest removing IP source routing, as you do not want source addressing to specify the route path. Also, regarding your static routing, specify the physical interface of the next-hop as well, so that recursive routing isn't invoked by the other static routes for the next-hop.

no ip source-route
no ip route 0.0.0.0 0.0.0.0 192.168.124.1
no ip route 10.10.2.0 255.255.255.0 192.168.124.9
no ip route 192.168.124.0 255.255.255.252 192.168.124.9
no ip route 192.168.124.8 255.255.255.252 192.168.124.9

ip route 0.0.0.0 0.0.0.0 <interface> 192.168.124.1
ip route 10.10.2.0 255.255.255.0 <interface> 192.168.124.9
ip route 192.168.124.0 255.255.255.252 <interface> 192.168.124.9
ip route 192.168.124.8 255.255.255.252 <interface> 192.168.124.9


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
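To show what "recursive routing" means for the statics in this thread, here is an added Python example (not code from the thread or from Cisco) that models a simplified IOS route lookup: longest-prefix match, connected routes preferred over statics by administrative distance, and next-hop-only statics resolved recursively until a route with an egress interface is found. The connected routes are derived from the interface addresses in the posted config (Fas8 192.168.124.10/30, Vlan10 10.10.3.3/24); the `<interface>` placeholder in the reply above is filled with FastEthernet8 as an assumption, since that is the /30 on which both 192.168.124.1 and 192.168.124.9 end up being resolved.

```python
import ipaddress

CONNECTED = 0  # administrative distance of a connected route
STATIC = 1     # administrative distance of a static route

# Route entries: (prefix, next_hop or None, egress interface or None, AD)
NEXTHOP_ONLY = [
    # connected routes, derived from the interface addresses in the config
    ("192.168.124.8/30", None, "FastEthernet8", CONNECTED),
    ("10.10.3.0/24", None, "Vlan10", CONNECTED),
    # statics exactly as posted (next-hop only)
    ("0.0.0.0/0", "192.168.124.1", None, STATIC),
    ("10.10.2.0/24", "192.168.124.9", None, STATIC),
    ("192.168.124.0/30", "192.168.124.9", None, STATIC),
    ("192.168.124.8/30", "192.168.124.9", None, STATIC),
]

# Same statics with the egress interface specified (assumption: FastEthernet8)
WITH_INTERFACE = [
    ("192.168.124.8/30", None, "FastEthernet8", CONNECTED),
    ("10.10.3.0/24", None, "Vlan10", CONNECTED),
    ("0.0.0.0/0", "192.168.124.1", "FastEthernet8", STATIC),
    ("10.10.2.0/24", "192.168.124.9", "FastEthernet8", STATIC),
    ("192.168.124.0/30", "192.168.124.9", "FastEthernet8", STATIC),
    ("192.168.124.8/30", "192.168.124.9", "FastEthernet8", STATIC),
]

def lookup(routes, addr):
    """Longest-prefix match; on equal length the lower AD wins.
    Returns (prefix, next_hop, interface) or None."""
    a = ipaddress.IPv4Address(addr)
    best_key, best = None, None
    for prefix, nh, iface, ad in routes:
        net = ipaddress.IPv4Network(prefix)
        if a in net:
            key = (net.prefixlen, -ad)
            if best_key is None or key > best_key:
                best_key, best = key, (prefix, nh, iface)
    return best

def resolve(routes, dst, max_depth=8):
    """Resolve dst to an egress interface, recursing through next-hop-only routes.
    Returns (interface, [(looked-up address, matched prefix), ...]).
    Raises LookupError when there is no route or the recursion never terminates."""
    hops = []
    target = dst
    for _ in range(max_depth):
        r = lookup(routes, target)
        if r is None:
            raise LookupError(f"no route to {target}")
        prefix, nh, iface = r
        hops.append((target, prefix))
        if iface is not None:
            return iface, hops
        target = nh  # next-hop-only route: look the next hop up again
    raise LookupError(f"recursion deeper than {max_depth} resolving {dst}")

if __name__ == "__main__":
    for name, table in (("next-hop only", NEXTHOP_ONLY), ("with interface", WITH_INTERFACE)):
        for dst in ("8.8.8.8", "10.10.1.1", "10.10.2.7"):
            iface, hops = resolve(table, dst)
            print(f"{name}: {dst} -> {iface} after {len(hops)} lookup(s): {hops}")
```

With next-hop-only statics, a packet to 8.8.8.8 needs three lookups (0.0.0.0/0 -> 192.168.124.1, which matches the 192.168.124.0/30 static -> 192.168.124.9, which is finally on the connected 192.168.124.8/30); with the interface specified, one lookup is enough, and the default route no longer depends on the other statics staying in the table.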