HELP with ACL and PAT

Good evening all, I need help. I'm trying to deny the Manchester site from talking to the ISP by disabling PAT on its addresses. The site itself can still talk to Cambridge and London, but not the ISP. Of course it can be done by not defining a default route on the Manchester router, but it needs to be done using an ACL. I tried lots of options. Please see the graph and full network settings:

28 Replies

It's the same on that file: you can ping between sites, but not the ISP from Cambridge or London. The ISP itself can ping them, but they can't ping the ISP. show ip nat statistics only shows misses, and pings are timing out from the Cambridge hosts.

Hello,

 

I'll have a look...

Hello,

 

My bad, I forgot to add the last two lines in the access list (marked in bold). Add these to your access list and test again (best to just copy and paste the access list below, so the right order is preserved...).

 

access-list 101 deny icmp 192.168.0.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny icmp 192.168.4.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny icmp 192.168.8.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny ip 192.168.0.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny ip 192.168.4.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny ip 192.168.8.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 permit ip any any
access-list 101 permit icmp any any

Now pings from all sites work, including London, and translation works correctly only for London and Cambridge. In the case of Manchester, which should not be translated, both misses and hits are increased each time:

CambridgeR#show ip nat stat
CambridgeR#show ip nat statistics
Total translations: 7 (0 static, 7 dynamic, 7 extended)
Outside Interfaces: GigabitEthernet0/1
Inside Interfaces: Serial0/0/0 , Serial0/0/1 , GigabitEthernet0/0.10 , GigabitEthernet0/0.20 , GigabitEthernet0/0.30
Hits: 8 Misses: 25
Expired translations: 10
Dynamic mappings:
CambridgeR#show ip nat statistics
Total translations: 8 (0 static, 8 dynamic, 8 extended)
Outside Interfaces: GigabitEthernet0/1
Inside Interfaces: Serial0/0/0 , Serial0/0/1 , GigabitEthernet0/0.10 , GigabitEthernet0/0.20 , GigabitEthernet0/0.30
Hits: 12 Misses: 29
Expired translations: 13
Dynamic mappings:
CambridgeR#show ip nat statistics
Total translations: 12 (0 static, 12 dynamic, 12 extended)
Outside Interfaces: GigabitEthernet0/1
Inside Interfaces: Serial0/0/0 , Serial0/0/1 , GigabitEthernet0/0.10 , GigabitEthernet0/0.20 , GigabitEthernet0/0.30
Hits: 16 Misses: 33
Expired translations: 13
Dynamic mappings:
CambridgeR#

 

Hello,

 

Apply the access list outbound:

 

interface GigabitEthernet0/1

ip access-group 101 out

 

Not sure why, seems to be another quirk in Packet Tracer...

When it's on the outbound interface g0/1, all sites can talk to the ISP :(

Good morning, any idea what is causing the problem?

Everything needs to be able to talk to everything else, apart from Manchester talking to the ISP and vice versa, and it has to be done by implementing an ACL.

Hello,

 

Apply the access list both inbound and outbound. I am pretty sure this is a bug in Packet Tracer...

 

access-list 101 deny icmp 192.168.0.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny icmp 192.168.4.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny icmp 192.168.8.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny ip 192.168.0.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny ip 192.168.4.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny ip 192.168.8.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 permit ip any any
access-list 101 permit icmp any any

!

interface GigabitEthernet0/1
ip address 200.0.113.1 255.255.255.240
ip access-group 101 in
ip access-group 101 out
ip nat outside
duplex auto
speed auto

Still the same. Have you tested that on your pkg? Manchester can still talk.

Hello,

 

I changed the access list again, seems to work now and is blocking Manchester:

 

CambridgeR#sh run
Building configuration...

Current configuration : 2866 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname CambridgeR
!
ip dhcp excluded-address 192.168.18.1
ip dhcp excluded-address 192.168.19.1
ip dhcp excluded-address 192.168.20.1
!
ip dhcp pool Support
network 192.168.19.0 255.255.255.0
default-router 192.168.19.1
ip dhcp pool ExternalSales
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
ip dhcp pool Finance
network 192.168.18.0 255.255.255.0
default-router 192.168.18.1
!
no ip cef
no ipv6 cef
!
license udi pid CISCO2901/K9 sn FTX1524N3GZ-
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.18.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.19.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 192.168.20.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1
ip address 200.0.113.1 255.255.255.240
ip access-group 101 in
ip nat outside
duplex auto
speed auto
!
interface Serial0/0/0
ip address 172.16.1.2 255.255.255.252
ip nat inside
!
interface Serial0/0/1
ip address 172.16.3.1 255.255.255.252
ip nat inside
!
interface Vlan1
no ip address
shutdown
!
router ospf 10
router-id 2.2.2.2
log-adjacency-changes
network 192.168.18.0 0.0.0.255 area 0
network 192.168.19.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.3 area 0
network 172.16.3.0 0.0.0.3 area 0
network 172.16.10.0 0.0.0.3 area 0
network 200.0.113.0 0.0.0.15 area 0
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip classless
!
ip flow-export version 9
!
access-list 1 permit 192.168.18.0 0.0.0.255
access-list 1 permit 192.168.19.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.12.0 0.0.1.255
access-list 1 permit 192.168.14.0 0.0.1.255
access-list 1 permit 192.168.16.0 0.0.1.255

!
access-list 101 deny icmp 192.168.0.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny icmp 192.168.4.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny icmp 192.168.8.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny icmp 200.0.113.0 0.0.0.15 192.168.0.0 0.0.3.255
access-list 101 deny icmp 200.0.113.0 0.0.0.15 192.168.4.0 0.0.3.255
access-list 101 deny icmp 200.0.113.0 0.0.0.15 192.168.8.0 0.0.3.255
access-list 101 deny ip 192.168.0.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny ip 192.168.4.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny ip 192.168.8.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 permit ip any any
access-list 101 permit icmp any any
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end


CambridgeR#
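The posts above try ACL 101 inbound, outbound, and in both directions on g0/1 without spelling out why each placement behaves as it does. What follows is an added example, not code from the thread: a small Python model of the order of operations Cisco documents for IOS NAT (inside-to-outside traffic is translated before the outbound ACL on the outside interface is evaluated; outside-to-inside traffic is checked by the inbound ACL before its destination is untranslated). It parses ACL 1 and both versions of ACL 101 posted above and traces an ICMP echo and its reply through CambridgeR. The Manchester host 192.168.1.10, the Cambridge host 192.168.18.10, the London host 192.168.13.5 and the ISP address 200.0.113.2 are assumptions. The model shows what the documented IOS order predicts; the thread reports that Packet Tracer did not always match it.

```python
"""Added example, not code from the thread: the IOS order of operations
(inside->outside: NAT, then the outbound ACL; outside->inside: the inbound ACL,
then NAT) modelled against CambridgeR's ACL 1 and the two versions of ACL 101
posted above.  The host and ISP addresses used in the checks are assumptions."""
from ipaddress import IPv4Address

OUTSIDE_ADDR = "200.0.113.1"           # g0/1 address, the PAT overload target
ANY = ("0.0.0.0", "255.255.255.255")   # 'any' expressed as (base, wildcard)

# ACL 1 from the posted config; Manchester's 192.168.0.0-192.168.11.255 is absent
NAT_ACL_1 = """
access-list 1 permit 192.168.18.0 0.0.0.255
access-list 1 permit 192.168.19.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.12.0 0.0.1.255
access-list 1 permit 192.168.14.0 0.0.1.255
access-list 1 permit 192.168.16.0 0.0.1.255
"""
# First ACL 101 in the thread: matches only packets *sourced* from the 192.168 ranges
ACL_101_V1 = """
access-list 101 deny icmp 192.168.0.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny icmp 192.168.4.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny icmp 192.168.8.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny ip 192.168.0.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny ip 192.168.4.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny ip 192.168.8.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 permit ip any any
access-list 101 permit icmp any any
"""
# Later ACL 101 from the running config: adds three entries denying ISP -> 192.168 ICMP
ACL_101_V2 = ACL_101_V1.replace("access-list 101 deny ip", """\
access-list 101 deny icmp 200.0.113.0 0.0.0.15 192.168.0.0 0.0.3.255
access-list 101 deny icmp 200.0.113.0 0.0.0.15 192.168.4.0 0.0.3.255
access-list 101 deny icmp 200.0.113.0 0.0.0.15 192.168.8.0 0.0.3.255
access-list 101 deny ip""", 1)


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def _addr(tok):
    """Consume 'any' or 'A WILDCARD' from a token list; return (spec, remaining)."""
    if tok[0] == "any":
        return ANY, tok[1:]
    return (tok[0], tok[1]), tok[2:]

def parse_acl(text):
    """Parse numbered 'access-list' lines into (action, proto, src, dst) entries."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        if int(t[1]) < 100:                  # standard list: source only, any protocol
            src, _ = _addr(t[3:] + ["0.0.0.0"])   # a bare address means wildcard 0.0.0.0
            aces.append((t[2], "ip", src, ANY))
        else:                                # extended list: proto src dst
            src, rest = _addr(t[4:])
            dst, _ = _addr(rest)
            aces.append((t[2], t[3], src, dst))
    return aces

def acl_lookup(aces, proto, src, dst):
    """First match wins; falling off the end is the implicit deny. Returns (action, index)."""
    for i, (action, p, s, d) in enumerate(aces):
        if p in ("ip", proto) and wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action, i
    return "deny", None

def ping_round_trip(host, isp, acl101_text, applied):
    """Trace an ICMP echo from an inside host to the ISP and its reply, with ACL 101
    bound to g0/1 in the directions in `applied` ({"in"}, {"out"} or both)."""
    acl101, nat_acl, trace = parse_acl(acl101_text), parse_acl(NAT_ACL_1), []
    # Egress: routing, then NAT inside->outside, then the outbound ACL sees the post-PAT source
    src = host
    if acl_lookup(nat_acl, "icmp", host, isp)[0] == "permit":
        src = OUTSIDE_ADDR
        trace.append(f"PAT {host} -> {src}")
    else:
        trace.append(f"{host} not in list 1: sent untranslated")
    if "out" in applied:
        action, idx = acl_lookup(acl101, "icmp", src, isp)
        trace.append(f"ACL 101 out on g0/1: {action} (entry {idx})")
        if action == "deny":
            return "request dropped", trace
    else:
        trace.append("ACL 101 not applied out: the egress packet is never evaluated")
    # Ingress: the inbound ACL runs BEFORE NAT untranslates the destination, so it sees
    # 200.0.113.1 for PAT'd hosts and a real 192.168.x address only for untranslated ones
    if "in" in applied:
        action, idx = acl_lookup(acl101, "icmp", isp, src)
        trace.append(f"ACL 101 in on g0/1: {action} (entry {idx})")
        if action == "deny":
            return "reply dropped", trace
    return "ok", trace
```

Tracing the assumed Manchester host shows why the first ACL 101 applied inbound on g0/1 cannot affect its echo requests (they leave through g0/1, and an inbound ACL never sees them) and why its replies are permitted by that version (every deny entry names 192.168.x as the source). The later version also denies 200.0.113.0/28 to 192.168.x ICMP, so the reply to an untranslated Manchester host is dropped, while replies to PAT'd Cambridge and London hosts arrive addressed to 200.0.113.1 and fall through to the permit. Note also that the deny ip entries cover everything the deny icmp entries before them match, and the trailing permit icmp any any sits behind permit ip any any, so neither set is ever reached.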

Could you please attach the pkg? Does the translation work as well?

For me it's the same; it still allows ping from Manchester. I'm going to try different virtualisation software.

Hello,

 

attached the new version with redundant links between the London switch and router. An ESW module has been inserted into the London router, and Vlan interfaces instead of subinterfaces have been configured.

 

That said, in this version, Manchester cannot talk to the ISP, but to all others. You might want to check the access lists....