ACL and NAT clarification

nwekechampion
Level 3

Hi all,

So just a quick one: I have ACLs configured on a router but not applied to any interface (LAN or WAN), yet they seem to work.

I also have NAT configured, static and PAT. Could it be that the NAT "inside" or "outside" automatically does the job of applying it to an interface? A bit confusing..

Please see below:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Nat:

ip nat inside source static tcp 192.168.0.254 22 interface Dialer2 22
ip nat inside source static tcp 192.168.0.240 22 interface Dialer2 22222
ip nat inside source static tcp 192.168.0.241 443 interface Dialer2 20102
ip nat inside source static tcp 192.168.0.242 443 interface Dialer2 20101
ip nat inside source static tcp 192.168.0.243 443 interface Dialer2 20103
ip nat inside source static tcp 192.168.0.244 443 interface Dialer2 20104
ip nat inside source static tcp 192.168.0.245 443 interface Dialer2 20105
ip nat inside source static tcp 192.168.0.246 443 interface Dialer2 20106
ip nat inside source static tcp 192.168.0.247 443 interface Dialer2 20107
ip nat inside source static tcp 192.168.0.248 80 interface Dialer2 20108
ip nat inside source static tcp 192.168.0.252 50000 interface Dialer2 50000
ip nat inside source static tcp 192.168.0.252 3389 interface Dialer2 5000
ip nat inside source static tcp 192.168.0.252 8080 interface Dialer2 8080
ip nat inside source static tcp 192.168.0.252 1433 interface Dialer2 1433
ip nat inside source route-map nat2cell interface Cellular0 overload
ip nat inside source route-map nat2dsl interface Dialer2 overload

Access-List for application running on server 192.168.0.252 :

ip access-list extended Server_App
permit tcp host public_ip01  host 192.168.0.252 eq 1433
permit tcp host publicip02 host 192.168.0.252 eq 1433
permit tcp host publicip03  host 192.168.0.252 eq 1433

Interface Config:

WAN

interface Dialer2
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
load-interval 30
dialer pool 2
dialer-group 2

interface Cellular0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer watch-group 1
dialer-group 1

LAN

interface Vlan2
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452

Like I said, it works; I just want to understand why it does, conceptually, as the access-list is not applied to any of the interfaces.

Thanks

10 Replies

Hello,

post the full running configuration of your device. If the access list works, you should only be able to reach permit 192.168.0.252 and nothing else. Is that the case?

Hi George,

Actually not the case, as all my port forwards and IP whitelisting/filtering seem to work.

Please see below:

Current configuration : 8793 bytes
!
! Last configuration change at 00:40:10 UTC Tue Jan 7 2020 by Admin
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
hostname YBGC
!
boot-start-marker
boot system flash:c800-universalk9-mz.SPA.157-3.M4a.bin
boot-end-marker
!
!
enable secret 5 $1$FmYm$j3dzlc6dTlDGUtPElF.c5/
enable password 7 023654575B084E34411F4A
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3761428851
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3761428851
revocation-check none
rsakeypair TP-self-signed-3761428851
!
!
crypto pki certificate chain TP-self-signed-3761428851
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 192.168.0.200 192.168.0.254
!
!
!
ip domain name testitm.com.au
ip name-server 8.8.8.8
ip inspect WAAS flush-timeout 10
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
!
!
!
!
license udi pid C899G-LTE-LA-K9 sn FGL224711UB
!
!
username Champ password 7 073C345C5E060B114411035B517F7B67
username Admin password 7 0034430A54554A1302700F
!
redundancy
notification-timer 120000
!
!
!
!
!
controller Cellular 0
lte modem link-recovery disable
!
track 1 ip sla 1 reachability
!
track 819 interface Cellular0 line-protocol
!
!
class-map match-any VOIP
match access-group name VOIP-acl
match ip dscp ef
!
policy-map qos
class VOIP
priority 1000
class class-default
bandwidth 19000
policy-map shaping
class class-default
shape average 20000000
service-policy qos
!
!
!
!
!
!
!
!
!
!
!
!
interface Cellular0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer watch-group 1
dialer-group 1
!
interface Cellular1
no ip address
encapsulation slip
!
interface GigabitEthernet0
switchport access vlan 2
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
switchport access vlan 3
switchport mode access
no ip address
!
interface GigabitEthernet7
switchport access vlan 2
no ip address
!
interface GigabitEthernet8
no ip address
load-interval 30
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 2
!
interface GigabitEthernet9
ip address 10.1.15.2 255.255.255.252
ip access-group SSH_Permit in
ip nat outside
ip virtual-reassembly in
shutdown
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan3
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan11
no ip address
!
interface Dialer2
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
load-interval 30
dialer pool 2
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname xxxxxxxx
ppp chap password 7 1xxxxxxx
ppp pap sent-username xxxxxxxx
service-policy output shaping
!
ip local policy route-map track-primary-if
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source static tcp 192.168.0.254 22 interface Dialer2 22
ip nat inside source static tcp 192.168.0.240 22 interface Dialer2 22222
ip nat inside source static tcp 192.168.0.241 443 interface Dialer2 20102
ip nat inside source static tcp 192.168.0.242 443 interface Dialer2 20101
ip nat inside source static tcp 192.168.0.243 443 interface Dialer2 20103
ip nat inside source static tcp 192.168.0.244 443 interface Dialer2 20104
ip nat inside source static tcp 192.168.0.245 443 interface Dialer2 20105
ip nat inside source static tcp 192.168.0.246 443 interface Dialer2 20106
ip nat inside source static tcp 192.168.0.247 443 interface Dialer2 20107
ip nat inside source static tcp 192.168.0.248 80 interface Dialer2 20108
ip nat inside source static tcp 192.168.0.252 50000 interface Dialer2 50000
ip nat inside source static tcp 192.168.0.252 3389 interface Dialer2 5000
ip nat inside source static tcp 192.168.0.252 8080 interface Dialer2 8080
ip nat inside source static tcp 192.168.0.252 1433 interface Dialer2 1433
ip nat inside source route-map nat2cell interface Cellular0 overload
ip nat inside source route-map nat2dsl interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer2 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0 254
ip route 8.8.4.4 255.255.255.255 Cellular0
ip route Public_PBX_IP 255.255.255.255 Cellular0
ip route Public_PBX_IP 255.255.255.255 Dialer2
ip ssh time-out 60
ip ssh authentication-retries 5
ip ssh version 2
!
ip access-list extended miClub_WebApps
permit tcp Pub_sbnet01 0.0.0.255 host 192.168.0.252 eq 50000
permit tcp Pub_sbnet01 0.0.0.255 host 192.168.0.252 eq 50000
permit tcp Pub_sbnet01 0.0.0.255 host 192.168.0.252 eq 50000
permit tcp host Pub_IP host 192.168.0.252 eq 50000
permit tcp host Pub_IP host 192.168.0.252 eq 50000
permit tcp host Pub_IP host 192.168.0.252 eq 50000
ip access-list extended miClub
permit tcp any host 192.168.0.252 eq 8080
permit tcp any host 192.168.0.254 eq 8080
ip access-list extended NAT_ACL
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended NAT_Cell0
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended OLE_DB_Nick
permit tcp host public_ip01 host 192.168.0.252 eq 1433
permit tcp host public_ip02 host 192.168.0.252 eq 1433
permit tcp host public_ip03 host 192.168.0.252 eq 1433
ip access-list extended Ping
permit icmp any host 192.168.0.254
ip access-list extended RDP
ip access-list extended RDP_YBGC_Server
permit tcp any host 192.168.0.252 eq 3389
ip access-list extended SBC
permit tcp any host 192.168.0.150 eq 22
ip access-list extended SSH_Permit
permit tcp any host 192.168.0.254 eq 22
ip access-list extended Yealink
permit tcp any host 192.168.0.91 eq 443
ip access-list extended common_ports
permit tcp any 192.168.0.0 0.0.0.255 eq domain
!
ip sla 1
icmp-echo 8.8.8.8 source-interface Dialer2
threshold 1000
frequency 10
ip sla schedule 1 life forever start-time now
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
ipv6 ioam timestamp
!
route-map track-primary-if permit 10
match ip address 140
set interface Dialer2
!
route-map nat2dsl permit 10
match ip address 101
match interface Dialer2
!
route-map nat2cell permit 10
match ip address 101
match interface Cellular0
!
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 140 permit icmp any host 8.8.8.8
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
password 7 107E59155519531E015569
logging synchronous
login
no modem enable
line aux 0
password 7 107E59155519531E015569
logging synchronous
login
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line 3
script dialer lte
modem InOut
no exec
rxspeed 150000000
txspeed 50000000
line 8
no exec
rxspeed 150000000
txspeed 50000000
line vty 0 4
exec-timeout 120 0
password 7 142742075C0A6B3E297970
logging synchronous
login local
transport input ssh
!
scheduler allocate 20000 1000
!
!
!
!
!
!

Hello,

are the access lists restricting traffic without being applied to any interface then, or not?

Hi George,

Nope, all traffic seems to be traversing properly.
Everything seems to work fine.. I just don't know how, as it shouldn't, due to the ACL not being applied to any interface.

Thanks

Hello,

--> Nope, all traffic seem to be traversing properly.

I am lost on what you are asking. In your original post you said that the access lists were blocking traffic although they were not applied to any interface. Now you say that all traffic is passing.

Is anything being blocked at all?

Hi George, nothing is blocked at all.
I was just wondering why the ACLs are working if they have not been applied.
Or maybe I am confusing it with the static NAT?

If you have no ACL on the interface *all* traffic is allowed. The moment you apply the ACL, only the traffic permitted in the ACL is allowed.

Hello,
If you are checking the ACL counters and are seeing hits for the following extended access-lists, then I would say they are historical, as these ACLs are NOT being used, so they can be safely removed from your rtr.

As for your NAT, this is using ACL 101 with route-map nat2dsl, and ACL 140 with route-map nat2dsl:
ip nat inside source route-map nat2cell interface Cellular0 overload
ip nat inside source route-map nat2dsl interface Dialer2 overload

clear access-list counters
no ip access-list extended miClub_WebApps
no ip access-list extended miClub
no ip access-list extended NAT_ACL
no ip access-list extended NAT_Cell0
no ip access-list extended OLE_DB_Nick
no ip access-list extended Ping
no ip access-list extended RDP
no ip access-list extended RDP_YBGC_Server
no ip access-list extended SBC
no ip access-list extended SSH_Permit
no ip access-list extended Yealink

Lastly, you also have a QoS shaping policy-map applied to Dialer2 which is matching on a class-map VOIP, and in that class-map is a VOIP-acl that doesn't exist. So, as stated by @Karsten Iwen, all traffic being matched to an ACL that doesn't exist will allow all traffic; this part of your QoS policy is doing that.

class-map match-any VOIP
match access-group name VOIP-acl <----- doesn't exist
match ip dscp ef


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
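
Karsten's and Paul's replies above come down to one rule: an ACL definition does nothing until something references it (an `ip access-group` on an interface, a `match ip address` in a route-map, a `match access-group` in a class-map, an `ip nat ... source list`, or an `access-class` on a vty line). The script below is an added example, not code from this thread or from Cisco; it parses a running-config in the form pasted above and reports which ACLs are defined but never referenced (so they filter nothing), which are referenced but never defined (Paul's VOIP-acl case), and which are only referenced on a shut-down interface (SSH_Permit on GigabitEthernet9). The sample config, the `audit_acls` function name and the 203.0.113.10 placeholder address are my own assumptions, trimmed from the config posted above.

```python
"""Audit which ACLs in a Cisco IOS running-config are actually in effect.

Defining an ACL (``ip access-list extended NAME`` or ``access-list N ...``)
filters nothing by itself; it only acts where something references it.
"""
import re
from collections import defaultdict

# Constructed sample (hypothetical), trimmed from the running-config posted in
# this thread; the public address is a documentation-range placeholder.
SAMPLE_CONFIG = """\
interface GigabitEthernet9
 ip address 10.1.15.2 255.255.255.252
 ip access-group SSH_Permit in
 shutdown
!
class-map match-any VOIP
 match access-group name VOIP-acl
 match ip dscp ef
!
ip access-list extended OLE_DB_Nick
 permit tcp host 203.0.113.10 host 192.168.0.252 eq 1433
ip access-list extended SSH_Permit
 permit tcp any host 192.168.0.254 eq 22
!
route-map track-primary-if permit 10
 match ip address 140
 set interface Dialer2
!
route-map nat2dsl permit 10
 match ip address 101
 match interface Dialer2
!
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 140 permit icmp any host 8.8.8.8
"""

# Lines that open a sub-mode; following lines belong to it until the next "!".
CONTEXT_RE = re.compile(r"^(?:interface|route-map|class-map|policy-map|line|ip access-list)\s")
DEF_NAMED_RE = re.compile(r"^ip access-list (?:extended|standard) (\S+)")
DEF_NUMBERED_RE = re.compile(r"^access-list (\d+)\s")
# The reference forms this audit understands (the places an ACL takes effect).
REF_RES = [
    re.compile(r"^ip access-group (\S+) (?:in|out)\b"),           # interface packet filter
    re.compile(r"^match ip address (?!prefix-list\b)(\S+)"),      # route-map (NAT, PBR)
    re.compile(r"^match access-group (?:name )?(\S+)"),           # class-map (QoS)
    re.compile(r"^ip nat (?:inside|outside) source list (\S+)"),  # NAT translation list
    re.compile(r"^access-class (\S+) (?:in|out)\b"),              # vty line filter
]


def audit_acls(config_text):
    """Classify every ACL in the config as in use, unreferenced or dangling."""
    defined = set()
    refs = defaultdict(list)        # ACL name -> [(context, line), ...]
    shut_interfaces = set()
    context = "global"
    for raw in config_text.splitlines():
        line = raw.strip()          # indentation is irrelevant (and often lost in pastes)
        if not line:
            continue
        if line == "!":
            context = "global"
            continue
        if CONTEXT_RE.match(line):
            context = line
        if context.startswith("interface ") and line == "shutdown":
            shut_interfaces.add(context)
        m = DEF_NAMED_RE.match(line) or DEF_NUMBERED_RE.match(line)
        if m:
            defined.add(m.group(1))
            continue
        for ref_re in REF_RES:
            m = ref_re.match(line)
            if m:
                refs[m.group(1)].append((context, line))
                break

    def describe(ctx, text):
        note = " [interface is shutdown]" if ctx in shut_interfaces else ""
        return f"{ctx}: {text}{note}"

    in_use = {n: [describe(*r) for r in refs[n]] for n in sorted(refs) if n in defined}
    dangling = {n: [describe(*r) for r in refs[n]] for n in sorted(refs) if n not in defined}
    only_on_shut = sorted(n for n in in_use
                          if all(ctx in shut_interfaces for ctx, _ in refs[n]))
    return {
        "defined": sorted(defined),
        "in_use": in_use,
        "unreferenced": sorted(defined - set(refs)),   # filter nothing at all
        "dangling": dangling,                          # referenced but never defined
        "only_on_shut_interfaces": only_on_shut,
    }


if __name__ == "__main__":
    report = audit_acls(SAMPLE_CONFIG)
    for key in ("unreferenced", "dangling", "only_on_shut_interfaces"):
        print(f"{key}: {report[key]}")
```

Run against the full config posted above (paste it into `SAMPLE_CONFIG` or read it from a file), the `unreferenced` list is exactly the set of named ACLs whose counters never move, `dangling` names `VOIP-acl`, and `in_use` shows 101 and 140 being consumed through the route-maps rather than through any `ip access-group`, which is why only those two show matches in the `show access-lists` output quoted later in the thread.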

Hi Paul,

I do see what you are saying.

I have just checked the counters and nothing is showing up for the other ACLs, only for 101 and 140.

Extended IP access list 101
10 permit ip 192.168.0.0 0.0.255.255 any (39496870 matches)
Extended IP access list 140
10 permit icmp any host 8.8.8.8 (792016 matches)

This is a live production router, so I cannot change any settings.
When I do, I will check and see what changes are made.

Thanks so much guys!!