ACL for NAT
09-07-2006 09:10 PM - edited 03-03-2019 01:55 PM
I am configuring NAT on a 3825 running this IOS (C3825-ADVIPSERVICESK9-M), Version 12.4(7a). I have NAT configured and I just need to allow the inside users access to the NAT pool. The examples I'm using use this format: access-list 100 permit x.x.x.x x.x.x.x, but my IOS uses this format: access-list 100 permit ip (protocol) 10.10.0.0 0.0.255.255 any (dest add, any, host).
Any suggestions?
I am 2 hours away from the router and don't want to kill my telnet session.
Thanks in advance.
Labels: Routing Protocols
09-07-2006 09:24 PM
Hi,
If you could provide the config snapshot (excluding the sensitive information, public IPs, etc.), it would be helpful to point you in the right direction.
Depending on your need, you can use either a standard or an extended ACL in this scenario.
If you just want to allow the inside users to get NAT'ed, then you can use a standard ACL as follows.
For example:
access-list 10 permit 192.168.20.0 0.0.0.255
access-list 10 permit 192.168.10.0 0.0.0.255
Here the network 192.168.20.0/24 and 192.168.10.0/24 are the inside networks.
Ex: Create a dynamic NAT in the global config
ip nat inside source list 10 interface
In this example, ACL 10 is created to allow the inside subnets.
This ACL is called in the "ip nat inside" command. As per this example, the inside subnets will get NAT'ed to the IP address of the interface that is specified in the
Hope this helps. Rate the post if you find it useful.
Get back to us if you need further clarifications.
-VJ
09-07-2006 09:37 PM
Check this out. I have ip nat inside and outside configured on the interfaces, not shown in the example.
NAT config:
ip nat pool ovrld 72.x.x.x 72.x.x.x prefix-length 29
ip nat inside source list 140 pool ovrld overload
ACL config attempt:
RFP3825(config)#access-list 140 permit 10.10.0.0 0.0.255.255
^
% Invalid input detected at '^' marker.
RFP3825(config)#access-list 140 permit 10.10.0.0 0.0.255.255 ?
% Unrecognized command
RFP3825(config)#access-list 140 permit 10.10.0.0 0.0.255.255
Thanks,
09-07-2006 09:43 PM
Hi,
You are trying with an extended ACL (ACL numbers above 100 are extended ones),
which requires you to specify a protocol, source IP, port, destination IP, and port.
You have two options now.
ip nat inside source list 140 pool ovrld overload
access-list 140 permit ip 10.10.0.0 0.0.255.255 any
Or you can define a standard ACL as stated above in my post, in which case you will only specify the source subnets.
Hope this helps. Rate the post if you find it useful.
-VJ
09-07-2006 10:04 PM
I attached my config. Still can't get outside.
interface Serial0/1/1:0
description office 1
bandwidth 1544
ip unnumbered GigabitEthernet0/0.10
ip nat inside
ip virtual-reassembly
no cdp enable
interface Serial0/3/0:0
description Interface ISP
ip address 7.x.x.194 255.255.255.252
ip nat outside
ip virtual-reassembly
ip forward-protocol udp 135
ip route 0.0.0.0 0.0.0.0 7.x.x.193
!
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool ovrld 72.166.80.169 72.166.80.169 prefix-length 29
ip nat inside source list 7 pool ovrld overload
!
logging 172.16.1.100
access-list 7 permit 172.19.1.0 0.0.0.255
access-list 7 permit 10.10.0.0 0.0.255.255
access-list 102 permit udp any any range 16384 37276
access-list 103 permit tcp any eq 1720 any
access-list 103 permit tcp any any eq 1720
access-list 150 permit tcp any any eq www
09-07-2006 10:14 PM
Hi,
I could see that you have enabled ip nat inside on the serial interface 0/1/1:0.
Where are your networks 172.19.1.0/24 and 10.10.0.0/16 located?
I couldn't see any routes for these networks in the config that you have posted.
If those networks are on connected Ethernet interfaces, then you should turn on "ip nat inside" under those interfaces.
Can you post the full config, so I can understand your setup?
Hope this helps.
-vJ
09-07-2006 10:29 PM
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
boot-start-marker
boot system flash c3825-advipservicesk9-mz.124-7a.bin
boot-end-marker
!
card type t1 0 0
card type t1 0 1
card type t1 0 3
logging buffered 1000000 debugging
!
no aaa new-model
!
resource policy
!
clock timezone MST -7
clock summer-time MDT recurring
network-clock-participate wic 0
network-clock-participate wic 1
network-clock-participate wic 3
network-clock-select 1 T1 0/0/0
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.132.0 192.168.132.50
!
!
!
ip host switch 172.19.1.5
!
isdn switch-type primary-ni
!
!
!
!
!
!
!
!
controller T1 0/0/0
framing esf
linecode b8zs
pri-group timeslots 1-24 service mgcp
!
controller T1 0/0/1
framing esf
linecode b8zs
description FUTURE PRI
!
controller T1 0/1/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
description
!
controller T1 0/1/1
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
description
!
controller T1 0/3/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
description INTERNET T1
!
controller T1 0/3/1
framing esf
linecode b8zs
description FUTURE INTERNET T1
!
class-map match-all voice-signaling
match ip dscp af31
class-map match-all voice-traffic
match ip dscp ef
!
!
policy-map E_SP
class voice-traffic
priority 800
class voice-signaling
bandwidth 8
class class-default
fair-queue
!
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
media-type rj45
negotiation auto
!
interface GigabitEthernet0/0.10
description VLAN 10 for Data
encapsulation dot1Q 10
ip address 172.19.1.1 255.255.0.0
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface GigabitEthernet0/0.15
description VLAN 15 for Voice
encapsulation dot1Q 15
ip address 192.168.132.1 255.255.255.0
no snmp trap link-status
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
media-type rj45
negotiation auto
!
interface Serial0/0/0:23
no ip address
encapsulation hdlc
isdn switch-type primary-ni
isdn incoming-voice voice
isdn bind-l3 ccm-manager
no cdp enable
!
interface Serial0/1/0:0
description
bandwidth 1544
ip unnumbered GigabitEthernet0/0.10
ip nat inside
ip virtual-reassembly
no cdp enable
service-policy output E_SP
!
interface Serial0/1/1:0
description
bandwidth 1544
ip unnumbered GigabitEthernet0/0.10
ip nat inside
ip virtual-reassembly
no cdp enable
service-policy output E_SP
!
interface Serial0/2/0
description
bandwidth 1544
ip unnumbered GigabitEthernet0/0.10
no cdp enable
service-policy output E_SP
!
interface Serial0/3/0:0
description Interface ISP
ip address 7.x.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly
!
router eigrp 100
network 172.19.0.0
network 192.168.132.0
no auto-summary
!
ip forward-protocol udp 135
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool ovrld 7.x.x.x 7.x.x.x prefix-length 29
ip nat inside source list 7 pool ovrld overload
!
logging 172.16.1.100
access-list 7 permit 172.19.1.0 0.0.0.255
access-list 7 permit 10.10.0.0 0.0.255.255
access-list 102 permit udp any any range 16384 37276
access-list 103 permit tcp any eq 1720 any
access-list 103 permit tcp any any eq 1720
access-list 150 permit tcp any any eq www
snmp-server community
!
!
!
!
control-plane
!
!
!
voice-port 0/0/0:23
!
!
mgcp profile default
!
09-07-2006 11:12 PM
Hi,
The config looks OK to me. Is it working, or are you facing any problems?
Can you post the output of "show ip nat translations"?
-VJ
09-08-2006 07:57 AM
Here you go.
sh ip nat translations
Pro Inside global      Inside local       Outside local        Outside global
tcp 72.x.x.x:1346      172.19.1.62:1346   67.x.x.x:65181       67.x.x.x:65181
tcp 72.x.x.x:4823      172.19.1.78:4823   216.239.x.x:5222     216.239.x.x:5222
09-07-2006 11:38 PM
Hi Jerry,
To be more concise, please clarify your internal and global IPs so that we can help you out.
09-08-2006 11:43 AM
I added ip nat inside to a sub-interface that's for data traffic. I wonder if that is a problem. See config below.
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
media-type rj45
negotiation auto
!
interface GigabitEthernet0/0.10
description VLAN 10 for Data
encapsulation dot1Q 10
ip address 172.19.1.1 255.255.0.0
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface GigabitEthernet0/0.15
description VLAN 15 for Voice
encapsulation dot1Q 15
ip address 192.168.132.1 255.255.255.0
no snmp trap link-status
09-08-2006 12:22 PM
Jerry,
According to the NAT translation output, NAT is taking place. However, I saw in the permit statement that you are only allowing 172.19.1.0/24 to get translated with this command:
access-list 7 permit 172.19.1.0 0.0.0.255
while you have ip address 172.19.1.1 255.255.255.0.0 on the G0/0.10 interface.
For instance, the IP 172.19.1.62 is able to get out to the internet according to your NAT table.
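Two points in this thread can be checked offline: VJ's reply that the ACL number decides whether IOS expects standard syntax (source only) or extended syntax (protocol, source, destination), and the observation just above that list 7 permits only 172.19.1.0/24 while G0/0.10 carries 172.19.1.1 255.255.0.0, so most of that /16 never matches the NAT source list. The Python below is an added example written for this page, not code from the thread or from Cisco. ACL_TEXT is constructed from the access lists posted above; the function names (acl_type, parse_acl, wildcard_match, nat_source_permitted, wildcard_to_network, uncovered_inside_hosts) are my own, and only the source address of each entry is parsed because that is all "ip nat inside source list" evaluates.

```python
import ipaddress

# Constructed input modelled on the access lists posted in this thread
# (standard list 7 and extended lists 102/103/150); not the router's own output.
ACL_TEXT = """
access-list 7 permit 172.19.1.0 0.0.0.255
access-list 7 permit 10.10.0.0 0.0.255.255
access-list 102 permit udp any any range 16384 37276
access-list 103 permit tcp any eq 1720 any
access-list 103 permit tcp any any eq 1720
access-list 150 permit tcp any any eq www
"""


def acl_type(number):
    """Numbered IP ACL ranges: 1-99 and 1300-1999 standard, 100-199 and 2000-2699 extended."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"ACL number {number} is outside the numbered IP ranges")


def _take_addr_spec(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'. Returns (addr, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)


def parse_acl(text):
    """Return (number, action, protocol, src, src_wildcard) per entry. Only the source
    matters for 'ip nat inside source list', so ports and destinations are not kept."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        # Standard syntax has no protocol field; extended syntax starts with one.
        proto = "ip" if acl_type(number) == "standard" else rest.pop(0)
        src, wc = _take_addr_spec(rest)
        entries.append((number, action, proto, src, wc))
    return entries


def wildcard_match(addr, network, wildcard):
    """Wildcard bits set to 1 are don't-care; bits set to 0 must match exactly."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ n) & ~w == 0


def nat_source_permitted(entries, acl_number, addr):
    """First-match evaluation of the NAT source list, with the implicit deny at the end."""
    for number, action, _proto, src, wc in entries:
        if number == acl_number and wildcard_match(addr, src, wc):
            return action == "permit"
    return False


def wildcard_to_network(network, wildcard):
    """Turn a contiguous wildcard (inverse mask) into an ip_network; reject others."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"wildcard {wildcard} is not contiguous")
    base = int(ipaddress.IPv4Address(network)) & mask
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(base)}/{prefixlen}")


def uncovered_inside_hosts(connected, entries, acl_number):
    """Parts of a connected 'ip nat inside' subnet that the NAT ACL never permits."""
    remaining = [ipaddress.ip_network(connected)]
    for number, action, _proto, src, wc in entries:
        if number != acl_number or action != "permit":
            continue
        p = wildcard_to_network(src, wc)
        nxt = []
        for r in remaining:
            if r.subnet_of(p):
                continue                          # fully covered: drop it
            if p.subnet_of(r):
                nxt.extend(r.address_exclude(p))  # carve the permitted block out
            else:
                nxt.append(r)
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    print(acl_type(7), acl_type(140))                    # standard extended
    print(nat_source_permitted(acl, 7, "172.19.1.62"))   # True: this host appears in the NAT table
    print(nat_source_permitted(acl, 7, "172.19.2.10"))   # False: inside the /16, outside list 7
    for net in uncovered_inside_hosts("172.19.0.0/16", acl, 7):
        print("never translated:", net)
```

Running it shows why `access-list 140 permit 10.10.0.0 0.0.255.255` was rejected (140 is in the extended range, so a protocol keyword must come first) and lists the eight blocks of 172.19.0.0/16 that list 7 never permits; a host in any of them is routed out Serial0/3/0:0 untranslated with a private source address, which the ISP will drop.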
09-08-2006 02:11 PM
I'll test and post results later this weekend.
Thanks.
09-11-2006 08:22 AM
I still can't get out to the net. I'm sure NAT is working, so I think it's an ACL now.
My router has these ACLs configured:
sh access-lists
Standard IP access list 7
10 permit 172.19.1.0, wildcard bits 0.0.0.255
20 permit 10.10.0.0, wildcard bits 0.0.255.255
Extended IP access list 102
10 permit udp any any range 16384 37276
Extended IP access list 103
10 permit tcp any eq 1720 any
20 permit tcp any any eq 1720
Extended IP access list 150
10 permit tcp any any eq www (720 matches)
Thanks
