
ACL for NAT

jerry.mcrae
Level 1

I am configuring NAT on a 3825 running this IOS (C3825-ADVIPSERVICESK9-M), Version 12.4(7a). I have NAT configured and I just need to allow the inside users access to the NAT pool. The examples I'm using use this format: access-list 100 permit x.x.x.x x.x.x.x - but my IOS uses this format: access-list 100 permit ip (protocol) 10.10.0.0 0.0.255.255 any (dest add, any, host).

any suggestions?

I am 2 hours away from the router and don't want to kill my telnet session.

thanks in advance.

21 Replies

Hi,

Why is your default route pointing to 172.16.1.1? Shouldn't that be pointing to the ISP next hop? Moreover, try using an extended ACL instead of a standard ACL, as most NAT configurations I have seen use an extended ACL. It may not matter to use an extended ACL, but at least we can get that out of the equation.

Can you apply the following configuration?

no access-list 7
no ip nat inside source list 7 pool ovrld overload
no ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip nat inside source list 150 pool ovrld overload
! extended ACL entries need a destination; "any" matches every destination
access-list 150 permit ip 172.19.0.0 0.0.255.255 any
access-list 150 permit ip 10.10.0.0 0.0.255.255 any
! replace the placeholder with the ISP next-hop address (not given in the thread)
ip route 0.0.0.0 0.0.0.0 <ISP-next-hop>

Hope this helps!

Sundar

Hey guys. Since my question is related to NAT and ACL, I thought to directly ask here instead of creating a new post.

I know NATting and ACLs, having just learnt and practiced them.... but one question keeps spinning in my head: why use ACLs with NAT?

In static NAT, i.e. in the CCNA video course for static NAT, no ACL was used. It's used for dynamic NAT and PAT.

Please check if my logic is correct. Since private networks are not routable by the router on the internet, to prevent it from dropping the packets before NAT translation happens, i.e. private to public or public to private, ACLs are used.
But then why was an ACL not used in static NAT?

Please explain the relation between ACLs and NAT and why ACLs are being used. And is it necessary to always use them, since the NAT syntax has a "list number" parameter in it for the ACL mention?

Hello @whizkidraj 

For NAT to understand what addressing (local private network) to translate, it needs to read the access-list to obtain this information.

As for a static NAT 1-to-1 translation, this isn't required as there is a direct correlation between the private host and public NAT address, and if this is a static PAT then also its specified port.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

@paul driver, thanks for your clear explanation mate.

 

So for the dynamic NAT or PAT part, I just thought that, supposing we have just one subnet of hosts, 10.10.10.0/24, there must be some default setting so that if we don't specify anything, all 10.10.10.0/24 hosts will be allowed by default.

But dynamic NAT has the ACL in its syntax, so there is no way to skip the ACL, right?

 

Router(config)#ip nat inside source ?
list - Specify access list describing local addresses
static - Specify static local->global mapping

Hello

Yes that is correct.



Kind Regards
Paul

Hello
First of all, before you make any changes, especially when you are working remotely on a network, I suggest you apply some backout so that if you do make a mistake you won't lock yourself out of the device or drop network connectivity for your site.

The way you could do this is to first save your existing configuration, then schedule a reload of the device, and then begin your changes, but DON'T save those changes until you're happy all is well. This way, if you do make a mistake and lock yourself out or drop connectivity, your scheduled reload will save the day.


As for your network translation, I can see a couple of anomalies in your existing configuration, from what seems to be your latest post on this subject.

Your internal lan networks -
172.19.1.0 /16
192.168.132.0/24

NAT access-list
access-list 7 permit 172.19.1.0 0.0.0.255 <-- shouldn't this be a /16
access-list 7 permit 10.10.0.0 0.0.255.255 <-- this doesn't exist

Default route
ip route 0.0.0.0 0.0.0.0 172.16.1.1 <-- incorrect next hop

WAN interface and NAT pool
interface Serial0/3/0:0
ip address 7.x.x.194 255.255.255.252

ip nat pool ovrld 7.x.x.x 7.x.x.x prefix-length 29 <-- you have a /29 even though your WAN interface is a /30

Please make the following changes and test again

conf t
interface GigabitEthernet0/0.15
ip nat inside

no ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip route 0.0.0.0 0.0.0.0 serial0/3/0:0 7.x.x.x

no access-list 7
access-list 7 permit 172.19.1.0 0.0.255.255
access-list 7 permit 192.168.132.0 0.0.0.255


ip nat pool ovrld 7.x.x.Y 7.x.x.Y prefix-length 30



Kind Regards
Paul
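To make the two points in this thread concrete (why dynamic NAT/PAT consults the access-list while static NAT does not, and why the /24 wildcard and the nonexistent 10.10.0.0 entry in access-list 7 are wrong), here is an added Python model of the lookup; it is not code from the thread or from IOS, and it assumes Paul's "172.19.1.0 /16" means the LAN 172.19.0.0/16.

```python
import ipaddress

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def parse_acl(lines):
    """(network, wildcard) pairs from IOS 'access-list N permit ...' lines; NAT reads only the source."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] != "permit":
            continue                   # 'no access-list ...' and deny lines: skip
        if t[3] == "ip":               # extended: access-list 150 permit ip SRC WC any
            src, wc = t[4], t[5]
        else:                          # standard: access-list 7 permit SRC [WC]
            src, wc = t[3], (t[4] if len(t) > 4 else "0.0.0.0")
        entries.append((_ip(src), _ip(wc)))
    return entries

def matches(entry, addr: str) -> bool:
    net, wc = entry   # Cisco wildcard: a 1 bit is "don't care", 0 bits must equal net
    return (_ip(addr) | wc) == (net | wc)

def nat_translates(acl, src: str) -> bool:
    """Dynamic NAT/PAT: a source hitting a permit entry is translated; anything else
    meets the implicit deny and leaves untranslated. Static 1-to-1 NAT skips this."""
    return any(matches(e, src) for e in acl)

def uncovered_lans(acl, lans):
    """LAN subnets with at least one host the list would not translate. A LAN is
    covered only if one entry matches its network address and treats every host
    bit as don't-care; the /24 wildcard on a /16 LAN in the thread fails this."""
    bad = []
    for lan in lans:
        net = ipaddress.IPv4Network(lan)
        host_bits = int(net.hostmask)
        if not any(matches(e, str(net.network_address)) and (host_bits & ~e[1]) == 0
                   for e in acl):
            bad.append(lan)
    return bad

def stale_entries(acl, lans):
    """Permit entries whose network lies in none of the LANs (dead config)."""
    nets = [ipaddress.IPv4Network(lan) for lan in lans]
    return [e for e in acl if not any(ipaddress.IPv4Address(e[0]) in n for n in nets)]

# Constructed from the thread: Paul's LAN list and the two versions of access-list 7.
LANS = ["172.19.0.0/16", "192.168.132.0/24"]
OLD_ACL7 = ["access-list 7 permit 172.19.1.0 0.0.0.255", "access-list 7 permit 10.10.0.0 0.0.255.255"]
NEW_ACL7 = ["no access-list 7", "access-list 7 permit 172.19.1.0 0.0.255.255",
            "access-list 7 permit 192.168.132.0 0.0.0.255"]
```

Running `uncovered_lans(parse_acl(OLD_ACL7), LANS)` reports both LANs, and `stale_entries` flags the 10.10.0.0 line; the corrected list returns empty for both checks.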
