ACL doesn't work with NAT

Filk
Level 1

Good day everyone. I'm learning Cisco in CPT and now I'm trying to remove access from departments to "web".

 

192.0.2.1 - 192.0.2.5: "Web pages on the internet"

 

Example of ACL:

ip access-list extended nat_inet
remark PTO
permit tcp 172.16.3.0 0.0.0.255 host 192.0.2.4 eq www
remark ACCOUNTING
permit ip 172.16.5.0 0.0.0.255 host 192.0.2.2
permit ip 172.16.5.0 0.0.0.255 host 192.0.2.3
remark FEO
permit ip host 172.16.4.123 any
remark IAM
permit ip host 172.16.6.61 any
remark ADMIN
permit ip host 172.16.6.66 any
remark SPB_VSL_ISLAND
permit ip host 172.16.16.222 any
remark SPB_OZERKI
permit ip host 172.16.17.222 any
remark KMR
permit ip host 172.16.24.222 any

And it doesn't work; I can ping or open any "web" page from any 172.16.3.0 host, for example.

I even tried this:

no ip access-list extended nat-inet
ip access-list extended nat-inet
deny ip any any

 

and result is the same.

Full current config:

 

Current configuration : 2004 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname msk-arbat-gw1
!
ip cef
no ipv6 cef
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.2
 description Dev.managment
 encapsulation dot1Q 2
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0.3
 description Servers
 encapsulation dot1Q 3
 ip address 172.16.0.1 255.255.255.0
!
interface FastEthernet0/0.101
 description PTO
 encapsulation dot1Q 101
 ip address 172.16.3.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.102
 description FEO
 encapsulation dot1Q 102
 ip address 172.16.4.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.103
 description Accountant
 encapsulation dot1Q 103
 ip address 172.16.5.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.104
 description Other
 encapsulation dot1Q 104
 ip address 172.16.6.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.4
 description Saint-Peterburg
 encapsulation dot1Q 4
 ip address 172.16.2.1 255.255.255.252
!
interface FastEthernet0/1.5
 description Kemerovo
 encapsulation dot1Q 5
 ip address 172.16.2.17 255.255.255.252
!
interface FastEthernet0/1.6
 encapsulation dot1Q 6
 ip address 198.51.100.2 255.255.255.240
 ip nat outside
!
interface Vlan1
 no ip address
 shutdown
!
ip nat pool main_pool 198.51.100.2 198.51.100.14 netmask 255.255.255.240
ip nat inside source list nat-inet pool main_pool overload
ip classless
ip route 172.16.16.0 255.255.248.0 172.16.2.2
ip route 172.16.2.4 255.255.255.252 172.16.2.2
ip route 172.16.24.0 255.255.252.0 172.16.2.18
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
ip flow-export version 9
!
ip access-list extended nat-inet
 deny ip any any
!
no cdp run
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

 

 

8 Replies

Filip Knezevic
Level 1

Looks like you didn't apply the ACL to an interface.

You probably need something like ip access-group nat_inet out on your WAN interface.

 

Maybe I'm wrong, but with the command "ip nat inside source list nat-inet pool main_pool overload" I attach the ACL "nat-inet" to the ports with ip nat inside status. Am I wrong?

Jaderson Pessoa
VIP Alumni

Well,
Remove the default route and apply your configuration again and test.

 

clear ip nat translations

 

I really suggest you use a firewall to better control your inbound and outbound traffic to the INTERNET.
Regards,

Jaderson Pessoa

Do you mean this? If yes, then this doesn't help =(


msk-arbat-gw1#clear ip nat translation *
msk-arbat-gw1#conf t
msk-arbat-gw1(config)#no ip nat inside source list nat-inet pool main_pool overload
msk-arbat-gw1(config)#ip nat inside source list nat-inet pool main_pool overload

luis_cordova
VIP Alumni

Hi @Filk 

 

Try this:
Return the configuration to the state where the desired networks had connectivity to the web servers (without filters).
Then make these settings:

 

access-list 101 deny tcp 172.16.3.0 0.0.0.255 192.0.2.0 0.0.0.3 eq www

access-list 101 deny tcp 172.16.3.0 0.0.0.255 192.0.2.4 0.0.0.1 eq www

access-list 101 permit ip any any

 

interface f0/0.101

ip access-group 101 in

 

This ACL denies access from that subinterface's network to web servers .1 to .5.
If you want another network to not have access to those web servers, you just have to create another ACL, edit the source network and apply it on the corresponding subinterface.

 

Regards

I'm sure it'll work, but my goal is to give departments access to particular sites "irl". For example, only particular banks' web pages for accounting.

Hi @Filk

 

ACLs can filter by:


Host
Network
Protocol
Port

 

For more specific filters, I recommend using a firewall, which has the ability to filter by URL, for example.

 

Regards

I know about firewalls, but right now I'm watching video courses where they successfully do this as part of NAT training, and I just don't understand why this does not work for me when it works in the video. It makes me angry and I just want to understand what I'm doing wrong =)

I'm using the IPs of the "pages", and logically it must work.

ip access-list extended nat-inet
remark PTO
permit tcp 172.16.3.0 0.0.0.255 host 192.0.2.2 eq www
remark ACCOUNTING
permit ip 172.16.5.0 0.0.0.255 host 192.0.2.3
permit ip 172.16.5.0 0.0.0.255 host 192.0.2.4
