05-25-2011 01:47 AM - edited 03-04-2019 12:31 PM
Hi all,
I have a problem with configuring ACLs with NAT. When I remove the ACLs everything works correctly. When I assign them to the interface, only ICMP ping works on the computers connected to the switch. It looks like packets go to the ISP and do not come back, and the computers have no access to the Internet. Below you can find the configuration of my devices. Have you any idea what is wrong?
==================== ROUTER =======================
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
logging console informational
enable password cisco
!
no aaa new-model
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.1.1 10.1.1.10
ip dhcp excluded-address 10.1.2.1 10.1.2.10
!
ip dhcp pool VLAN100
network 10.1.1.0 255.255.255.0
dns-server 194.204.152.34 8.8.8.8
default-router 10.1.1.1
!
ip dhcp pool VLAN200
network 10.1.2.0 255.255.255.0
dns-server 194.204.152.34 8.8.8.8
default-router 10.1.2.1
!
ip dhcp pool VLAN300
network 10.1.3.0 255.255.255.0
dns-server 194.204.152.34 8.8.8.8
default-router 10.1.3.1
!
!
multilink bundle-name authenticated
!
!
voice-card 0
no dspfarm
!
username cisco password 0 cisco
archive
log config
hidekeys
!
interface GigabitEthernet0/0
description INTERNET UPLINK
ip address XXX.YYY.169.250 255.255.255.248
ip access-group INCOME in
ip access-group OUTCOME out
ip nat outside
ip virtual-reassembly
duplex auto
speed 100
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
description VLAN 100
encapsulation dot1Q 100
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1.2
description VLAN 200
encapsulation dot1Q 200
ip address 10.1.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1.3
description VLAN 300
encapsulation dot1Q 300
ip address 10.1.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1.10
description VLAN 1
encapsulation dot1Q 1 native
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 XXX.YYY.169.249
!
!
ip http server
no ip http secure-server
ip nat pool NAT-VLAN XXX.YYY.169.251 XXX.YYY.169.252 netmask 255.255.255.248
ip nat inside source list VLANS pool NAT-VLAN overload
ip nat inside source static 10.1.3.0 XXX.YYY.169.253
!
ip access-list extended INCOME
permit tcp any any eq www
permit tcp any any eq 443
permit udp host 194.204.152.34 any gt 1023
permit udp host 8.8.8.8 any gt 1023
permit tcp any any eq whois
permit icmp any any
permit esp any any
permit ahp any any
permit udp any any eq isakmp
permit udp any any eq 4443
permit udp any any eq non500-isakmp
permit udp any any eq 10000
permit tcp any any eq telnet
ip access-list extended OUTCOME
permit tcp any any eq www
permit tcp any any eq 443
permit udp host 194.204.152.34 any gt 1023
permit udp host 8.8.8.8 any gt 1023
permit tcp any any eq whois
permit icmp any any
permit esp any any
permit ahp any any
permit udp any any eq isakmp
permit udp any any eq 4443
permit udp any any eq non500-isakmp
permit udp any any eq 10000
permit tcp any any eq telnet
ip access-list extended VLANS
permit ip 10.0.0.0 0.255.255.255 any
!
logging trap debugging
!
!
control-plane
!
!
banner exec ^CC
|=======================================================================|
| WARNING |
banner motd ^CC
|=======================================================================|
WARNING
!
line con 0
password cisco
line aux 0
line vty 0 4
password cisco
login local
transport input telnet
!
scheduler allocate 20000 1000
!
end
=========================== SWITCH ===================================
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SWITCH
!
enable password cisco
!
username cisco password 0 cisco
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
switchport access vlan 100
!
interface FastEthernet0/2
switchport access vlan 100
!
interface FastEthernet0/3
switchport access vlan 100
!
interface FastEthernet0/4
switchport access vlan 100
!
interface FastEthernet0/5
switchport access vlan 100
!
interface FastEthernet0/6
switchport access vlan 100
!
interface FastEthernet0/7
switchport access vlan 100
!
interface FastEthernet0/8
switchport access vlan 100
!
interface FastEthernet0/9
switchport access vlan 100
!
interface FastEthernet0/10
switchport access vlan 100
!
interface FastEthernet0/11
switchport access vlan 100
!
interface FastEthernet0/12
switchport access vlan 100
!
interface FastEthernet0/13
switchport access vlan 100
!
interface FastEthernet0/14
switchport access vlan 100
!
interface FastEthernet0/15
switchport access vlan 100
!
interface FastEthernet0/16
switchport access vlan 100
!
interface FastEthernet0/17
switchport access vlan 100
!
interface FastEthernet0/18
switchport access vlan 100
!
interface FastEthernet0/19
switchport access vlan 100
!
interface FastEthernet0/20
switchport access vlan 100
!
interface FastEthernet0/21
switchport access vlan 100
!
interface FastEthernet0/22
switchport access vlan 100
!
interface FastEthernet0/23
switchport access vlan 100
!
interface FastEthernet0/24
switchport access vlan 100
!
interface FastEthernet0/25
switchport access vlan 200
!
interface FastEthernet0/26
switchport access vlan 200
!
interface FastEthernet0/27
switchport access vlan 200
!
interface FastEthernet0/28
switchport access vlan 200
!
interface FastEthernet0/29
switchport access vlan 200
!
interface FastEthernet0/30
switchport access vlan 200
!
interface FastEthernet0/31
switchport access vlan 200
!
interface FastEthernet0/32
switchport access vlan 200
!
interface FastEthernet0/33
switchport access vlan 200
!
interface FastEthernet0/34
switchport access vlan 200
!
interface FastEthernet0/35
switchport access vlan 200
!
interface FastEthernet0/36
switchport access vlan 200
!
interface FastEthernet0/37
switchport access vlan 200
!
interface FastEthernet0/38
switchport access vlan 200
!
interface FastEthernet0/39
switchport access vlan 200
!
interface FastEthernet0/40
switchport access vlan 200
!
interface FastEthernet0/41
switchport access vlan 200
!
interface FastEthernet0/42
switchport access vlan 200
!
interface FastEthernet0/43
switchport access vlan 200
!
interface FastEthernet0/44
switchport access vlan 200
!
interface FastEthernet0/45
switchport access vlan 200
!
interface FastEthernet0/46
switchport access vlan 200
!
interface FastEthernet0/47
switchport access vlan 200
!
interface FastEthernet0/48
switchport access vlan 200
!
interface GigabitEthernet0/1
switchport mode trunk
!
interface GigabitEthernet0/2
switchport access vlan 300
!
interface Vlan1
ip address 10.10.10.2 255.255.255.0
no ip route-cache
!
interface Vlan100
ip address 10.1.1.2 255.255.255.0
no ip route-cache
shutdown
!
interface Vlan200
ip address 10.1.2.2 255.255.255.0
no ip route-cache
shutdown
!
interface Vlan300
ip address 10.1.3.2 255.255.255.0
no ip route-cache
shutdown
!
ip default-gateway 10.10.10.1
ip http server
banner exec ^CC
|=======================================================================|
| WARNING |
| ======= |
banner motd ^CC
|=======================================================================|
| WARNING |
| --------- ======= |
!
line con 0
password cisco
line vty 0 4
password cisco
login local
transport input telnet
line vty 5 15
login
!
!
end
05-25-2011 01:51 AM
Hi,
Just think of the direction of packets.
For example , Return packets from the internet
!
ip access-list extended INCOME
permit tcp any eq www any
permit tcp any eq 443 any
!
HTH,
Toshi
05-25-2011 02:27 AM
I forgot to write that I can connect to the router by Telnet from the Internet with the ACL assigned.
Toshi, I have never seen this kind of access-list order. Always it was
Luka
05-26-2011 10:30 AM
Hi,
Sorry for my late reply. Sure you can telnet to the router. When you write ACLs you have to think of the direction of the packets you're going to filter.
From the router's point of view, a packet going out will hit ACL OUTCOME. You may think of these packets as going to the Internet. In your case the packets are NATted before going through the outbound ACL. Let's say you allow packets going to the Internet for http/https/dns services.
Source IP address: actually it's an IP of the WAN router (because NATted); ANY is okay
Source port: any number (should be >1023)
Destination IP address: ANY (Internet)
Destination port: http/https/dns
So the ACL should be as follows:
Permit tcp any (Source IP , ANY port) any (Destination Internet-IP) eq 80 (Destination Port)
Permit tcp any (Source IP , ANY port) any (Destination Internet-IP) eq 443 (Destination Port)
Permit tcp any (Source IP , ANY port) any (Destination Internet-IP) eq 53 (Destination Port)
From the router's point of view, a packet coming in will hit ACL INCOME. You may think of these packets as coming from the Internet. Let's say you allow packets coming from the Internet for http/https/dns services.
E.g. returned packets:
Source IP address: ANY (Internet)
Source port: http/https/dns
Destination IP address: actually it's an IP of the WAN router (because NATted); ANY is okay
Destination port: any number (should be >1023)
So the ACL should be as follows:
Permit tcp any (Source Internet-IP) eq 80 (Source Port) any (Destination Any Port)
Permit tcp any (Source Internet-IP) eq 443 (Source Port) any (Destination Any Port)
Permit tcp any (Source Internet-IP) eq 53 (Source Port) any (Destination Any Port)
HTH,
Toshi
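Toshi's direction rule worked through in code. This is an added example, not from the thread or from Cisco IOS: a small matcher for extended-ACL entries in the form used above, run against a constructed HTTP reply and DNS reply to show why the posted INCOME list drops the return traffic while the reversed entry permits it. The addresses 198.51.100.251 (for the masked pool address XXX.YYY.169.251) and 203.0.113.10 (an Internet web server) are constructed stand-ins.

```python
import ipaddress

PORT_NAMES = {"www": 80, "telnet": 23, "whois": 43}

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))  # contiguous wildcards only
    return ipaddress.ip_network(f"{tok}/{32 - wildcard.bit_length()}", strict=False)

def parse_port(tokens):
    """Consume an optional 'eq N' / 'gt N' qualifier (N may be a name such as www)."""
    if tokens and tokens[0] in ("eq", "gt"):
        op, val = tokens.pop(0), tokens.pop(0)
        return op, PORT_NAMES.get(val) or int(val)
    return None

def parse_entry(line):
    """'permit tcp any eq www any' -> (action, proto, src, sport, dst, dport)."""
    action, proto, *rest = line.split()
    src, sport = parse_addr(rest), parse_port(rest)
    dst, dport = parse_addr(rest), parse_port(rest)
    return action, proto, src, sport, dst, dport

def port_matches(cond, port):
    return cond is None or (port == cond[1] if cond[0] == "eq" else port > cond[1])

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for action, p, s, sp, d, dp in map(parse_entry, acl):
        if (p in (proto, "ip") and ipaddress.ip_address(src) in s
                and ipaddress.ip_address(dst) in d
                and port_matches(sp, sport) and port_matches(dp, dport)):
            return action
    return "deny"

# INCOME as posted versus Toshi's reversed web entry. On Gi0/0 the inbound ACL runs
# before NAT, so a reply's destination is still the pool address. Constructed values:
# 198.51.100.251 stands in for the masked XXX.YYY.169.251, 203.0.113.10 for a web server.
INCOME_AS_POSTED = ["permit tcp any any eq www", "permit udp host 8.8.8.8 any gt 1023"]
INCOME_FIXED = ["permit tcp any eq www any", "permit udp host 8.8.8.8 any gt 1023"]

def reply_verdict(acl, proto, server, server_port):
    """Verdict for a server's reply to the NAT pool address on an ephemeral port."""
    return evaluate(acl, proto, server, server_port, "198.51.100.251", 51234)
```

The posted DNS entry already permits the reply (source 8.8.8.8, destination port above 1023), which is why it was written in the right direction while the web entries were not. Note that the reversed entry is stateless: it admits any inbound TCP segment whose source port is 80 whether or not an inside host asked for it, which is the trade-off a stateful mechanism such as an IOS reflexive ACL avoids.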
05-26-2011 12:13 PM
Toshi
Thanks very much for such detailed explanations. This improves my understanding of ACLs a lot, but I still have a lot to learn. I think I looked at this problem from the wrong point of view. Thanks again.
The good thing is that I started to make some changes with the advice from your first answer and I did an "unprofessional" solution for my problem. I put every port rule in twice. Like:
permit tcp any eq www any
permit tcp any any eq www
I did this only for my INCOME ACL assigned inbound on the ISP connection port, and I deleted the OUTCOME ACL, and for now everything is working.
Now I'm going to sit down and think about your second post until I completely understand why this works and what is not needed.