1331 Views, 1 Helpful, 7 Replies

ACLs for NAT and blocking outgoing WAN traffic

bakerjw (Level 1)

Many thanks to the community for tolerating some of my questions and helping me learn more about Cisco routers. Recently, a user helped me to get NAT running on our router using a single IP address on GigabitEthernet0/0/0 to a corporate network. For access to the NAT, we use an ACL to permit specific IP ranges to use the NAT. It works as expected. Great!

What I did not expect to encounter was that IP ranges that do not use NAT are sending their private IP addresses through the port that is connected to the corporate network. I really want to block this traffic.

The ACL for allowing subnets to use NAT is NAT_Access. I also created an ACL named Deny_Firewall_Access for blocking access out the GigabitEthernet0/0/0 port.

For testing, I have 192.168.12.0/24 configured for NAT and 192.168.8.0/24 configured to not use NAT.

The pertinent sections of our running configuration are shown here.
!

interface GigabitEthernet0/0/0
ip address 123.123.123.27 255.255.255.0
ip nat outside
negotiation auto
spanning-tree portfast disable
!
!
interface Vlan108
ip address 192.168.8.1 255.255.255.0
ip helper-address 192.168.0.3
!
interface Vlan112
ip address 192.168.12.1 255.255.255.0
ip helper-address 192.168.0.3
ip nat inside
!
!
ip default-gateway 123.123.123.1
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/1
ip forward-protocol nd
!
ip nat pool NAT_Pool 123.123.123.27 123.123.123.27 prefix-length 24
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload
ip nat inside source list NAT_Access pool NAT_Pool overload
!
ip access-list extended Deny_Firewall_Access
10 deny ip 192.168.8.0 0.0.0.255 any
20 permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended NAT_Access
10 permit ip 192.168.12.0 0.0.0.255 any
20 deny ip 192.168.8.0 0.0.0.255 any   <--- Not really needed as I have seen
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0
!

I did try using the Deny_Firewall_Access ACL to block access out the GigabitEthernet0/0/0 port with this configuration, but it interfered with NAT.

!
interface GigabitEthernet0/0/0
ip address 161.218.133.27 255.255.255.0
ip nat outside
ip access-group Deny_Firewall_Access out
negotiation auto
spanning-tree portfast disable

I assume that I am missing some concept or running down the wrong rabbit hole. 
Guidance is appreciated.
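The test above, where applying Deny_Firewall_Access outbound on GigabitEthernet0/0/0 "interfered with NAT", comes down to the IOS inside-to-outside order of operations: the ip nat inside source translation runs before an outbound ACL on the outside interface is evaluated, so that ACL sees the translated pool address, not the inside subnet. The following Python model is an added illustration (not code from the thread, and not output from the router) of first-match ACL evaluation with the implicit deny, of PAT overload using the posted NAT_Access list and pool address, and of where an ACL sits relative to translation. The ACL entries and the pool address are taken from the posted configuration; the sample hosts 192.168.12.5 and 192.168.8.5, and the alternative placement as an inbound ACL on the VLAN interface, are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Added model (not code from the thread or the router) of two IOS behaviours:
#  1. extended ACL evaluation: the first matching entry wins, and unmatched
#     traffic hits the implicit "deny ip any any" at the end of the list;
#  2. inside-to-outside order of operations: "ip nat inside source" translation
#     happens before an outbound ACL on the outside interface is evaluated, so
#     that ACL sees the translated (pool) source address.
# Only the source-address part of each entry is modelled; every posted entry
# uses "any" as its destination.

@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network      # source network the entry matches

def ace(action, network, wildcard):
    """Build an entry from IOS 'network wildcard' notation, e.g. 192.168.8.0 0.0.0.255."""
    # The wildcard is the inverse of the subnet mask, so XOR it with all ones.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return Ace(action, ipaddress.IPv4Network(f"{network}/{netmask}", strict=False))

def acl_permits(acl, src_ip):
    """First match decides; no match means the implicit deny at the end of the list."""
    addr = ipaddress.IPv4Address(src_ip)
    for entry in acl:
        if addr in entry.src:
            return entry.action == "permit"
    return False

# ACLs exactly as posted in the question.
NAT_ACCESS = [
    ace("permit", "192.168.12.0", "0.0.0.255"),
    ace("deny",   "192.168.8.0",  "0.0.0.255"),
]
DENY_FIREWALL_ACCESS = [
    ace("deny",   "192.168.8.0",  "0.0.0.255"),
    ace("permit", "192.168.12.0", "0.0.0.255"),
]
NAT_POOL_ADDRESS = "123.123.123.27"   # the single address in NAT_Pool

def nat_inside_to_outside(src_ip):
    """PAT overload: sources permitted by NAT_Access leave as the pool address; others are untouched."""
    return NAT_POOL_ADDRESS if acl_permits(NAT_ACCESS, src_ip) else src_ip

def egress_outbound_acl_on_wan(src_ip, acl):
    """'ip access-group ... out' on Gi0/0/0: translate first, then filter on the translated source.
    Returns the source address that leaves the interface, or None if the packet is dropped."""
    translated = nat_inside_to_outside(src_ip)
    return translated if acl_permits(acl, translated) else None

def egress_inbound_acl_on_vlan(src_ip, acl):
    """Hypothetical alternative placement: 'ip access-group ... in' on the VLAN SVI is
    evaluated before NAT, so it filters on the original private source address."""
    if not acl_permits(acl, src_ip):
        return None
    return nat_inside_to_outside(src_ip)

if __name__ == "__main__":
    for host in ("192.168.12.5", "192.168.8.5"):          # constructed test hosts
        print(host,
              "| out-ACL on Gi0/0/0:", egress_outbound_acl_on_wan(host, DENY_FIREWALL_ACCESS),
              "| in-ACL on VLAN:", egress_inbound_acl_on_vlan(host, DENY_FIREWALL_ACCESS))
```

Running it shows the effect reported in the question: a 192.168.12.0/24 host is translated to 123.123.123.27 before the outbound ACL runs, that address matches neither entry of Deny_Firewall_Access, and the implicit deny drops it, so NAT appears broken. An outbound ACL on the outside interface would therefore have to permit the pool address rather than the inside subnets. The inbound placement on the VLAN interface filters on the private address before translation; in practice its deny entry needs a destination narrower than "any", otherwise it also blocks 192.168.8.0/24 from reaching the other VLANs routed by the same device.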

Accepted Solution

Hello


@bakerjw wrote:

What I did not expect to encounter was IP ranges that do not use NAT are sending their private IP address through the port that is connected to a corporate network. I really want to block this traffi


NAT is primarily used to "hide" networks; as such, if you do not need to hide a certain network, then you can negate it from being NATted, as you noticed in your testing.

example:

ip access-list extended NAT_Access
10 deny ip 192.168.8.0 0.0.0.255 any   (this will not NAT, and allows traffic from this subnet to be routed normally)
20 permit ip 192.168.12.0 0.0.0.255 any

So, if you wish for the network not to be NATted and also not to be routed, then just do not advertise it externally.

Lastly, looking at your configuration, you seem to have added additional nat/route-map statements that do not relate to any ACL; plus, you need a default route and not an ip default-gateway, and you show two different WAN IP addresses for the same interface?


route-map track-primary-if permit 1
match ip address 197 < no acl 197 exists?
set interface GigabitEthernet0/0/0

no ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload < not required

interface GigabitEthernet0/0/0
ip address 161.218.133.27 255.255.255.0  < ???

interface GigabitEthernet0/0/0
ip address 123.123.123.27 255.255.255.0  < ???

no ip default-gateway 123.123.123.1 
ip route 0.0.0.0 0.0.0.0 gigabitEthernet0/0/0 123.123.123.1 (or)  161.218.133.x

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


7 Replies

Sorry, I don't get what you want here.

Which prefix do you not want to be NATed?

bakerjw (Level 1)

We want 192.168.12.0/24 to NAT out GigabitEthernet0/0/0.

We want to block 192.168.8.0/24 packets from going out GigabitEthernet0/0/0.

Can you share show ip access-list after you ping from the .8.0 subnet?

bakerjw (Level 1)

Most certainly. The ACL Deny_Firewall_Access is in the configuration but not being used at the moment.

cisco-c1111-8p-01#show ip access-lists
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
100 deny udp any any eq domain
101 deny tcp any any eq domain
102 deny udp any eq bootps any
103 deny udp any any eq bootpc
104 deny udp any eq bootpc any
105 permit tcp any any eq www
Extended IP access list Deny_Firewall_Access
10 deny ip 192.168.8.0 0.0.0.255 any (7 matches)
20 permit ip 192.168.12.0 0.0.0.255 any (60 matches)
Extended IP access list NAT_Access
10 permit ip 192.168.6.0 0.0.0.255 any
20 permit ip 192.168.7.0 0.0.0.255 any
30 permit ip 192.168.9.0 0.0.0.255 any
40 permit ip 192.168.12.0 0.0.0.255 any
50 permit ip 192.168.100.0 0.0.0.255 any
60 permit ip 192.168.101.0 0.0.0.255 any
70 permit ip 192.168.104.0 0.0.0.255 any
80 permit ip 192.168.105.0 0.0.0.255 any
90 permit ip 192.168.255.0 0.0.0.255 any
100 deny ip 192.168.8.0 0.0.0.255 any
Extended IP access list meraki-fqdn-dns

10 deny ip 192.168.8.0 0.0.0.255 any (7 matches)

These 7 matches mean the ACL is working.

But to be more sure, add log to each line and check that the log message appears when you ping from the .8.0 subnet.
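The reply above suggests adding the log keyword to each ACL entry and watching for the resulting messages. As an added example (not from the thread or the router), here is a small parser for the %SEC-6-IPACCESSLOG* syslog lines IOS emits for logged ACL hits, run over constructed sample lines, which totals denied packets per source for a given ACL. The message layout is assumed from the usual IOS format; the timestamps, hosts, ports and counts in the samples are made up for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape IOS emits when an ACE carries the
# 'log' keyword (layout assumed from the IOS %SEC-6-IPACCESSLOGP / LOGDP
# messages). These are made-up lines, not output from the router in the thread.
SAMPLE_SYSLOG = """\
*Mar  1 00:12:41.001: %SEC-6-IPACCESSLOGDP: list Deny_Firewall_Access denied icmp 192.168.8.25 -> 10.20.30.40 (8/0), 4 packets
*Mar  1 00:12:55.317: %SEC-6-IPACCESSLOGP: list Deny_Firewall_Access denied tcp 192.168.8.31(51622) -> 10.20.30.41(443), 1 packet
*Mar  1 00:13:02.090: %SEC-6-IPACCESSLOGP: list Deny_Firewall_Access permitted tcp 192.168.12.7(40122) -> 10.20.30.41(443), 3 packets
*Mar  1 00:13:10.500: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Matches "list <acl> <permitted|denied> <proto> <src>[(port)] -> <dst>[(port)] ..., N packet(s)".
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))?.*?, (?P<count>\d+) packets?"
)

def parse_acl_log(text):
    """Return one dict per ACL log message; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            event = m.groupdict()
            event["count"] = int(event["count"])
            events.append(event)
    return events

def denied_packets_by_source(events, acl):
    """Total denied packets per source address for one ACL: the quick check that the
    deny entry is catching the subnet you expect and nothing else."""
    totals = Counter()
    for e in events:
        if e["acl"] == acl and e["action"] == "denied":
            totals[e["src"]] += e["count"]
    return dict(totals)

if __name__ == "__main__":
    parsed = parse_acl_log(SAMPLE_SYSLOG)
    for src, n in denied_packets_by_source(parsed, "Deny_Firewall_Access").items():
        print(f"{src}: {n} packet(s) denied by Deny_Firewall_Access")
```

Logged ACL messages are rate-limited and batched by IOS, so the packet counts in the messages lag the match counters in show ip access-lists; the two should agree in which sources are hit, not necessarily in exact numbers.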


Once again, Paul, you have been quite helpful.

These statements that you mentioned were added by web-interface wizards and have been removed. Sometimes newbies are at the mercy of a GUI until we know better.


@paul driver wrote:

Lastly, looking at your configuration, you seem to have added additional nat/route-map statements that do not relate to any ACL; plus, you need a default route and not an ip default-gateway, and you show two different WAN IP addresses for the same interface?

route-map track-primary-if permit 1 
match ip address 197 < no acl 197 exists?
set interface GigabitEthernet0/0/0

no ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload < not required