09-26-2024 05:23 AM
Hello,
I have the below access-list. As shown, I have Internet connectivity on the 10.252.92.1 host, but when I move line 21 below the deny commands I do not; it is like it is rejecting the permit. Could anyone help me understand why? To me it seems like a bug, but ok, maybe there is something I do not get.
Extended IP access list global-mgmt-nat-acl-wan-2
21 permit ip host 10.252.92.1 any (22 matches)
22 deny ip 10.252.92.0 0.0.0.255 10.20.80.0 0.0.0.255 (19 matches)
23 deny ip 10.252.92.0 0.0.0.255 10.20.60.0 0.0.0.255 (19 matches)
24 deny ip 10.253.92.0 0.0.0.255 10.66.32.0 0.0.0.255
30 deny ip 10.248.92.0 0.0.0.255 10.66.32.0 0.0.0.255
33 deny ip 10.248.92.0 0.0.0.255 10.20.60.0 0.0.0.255
34 deny ip 10.248.92.0 0.0.0.255 10.20.80.0 0.0.0.255
35 deny ip 10.248.92.0 0.0.0.255 10.20.50.0 0.0.0.255
40 permit ip host 10.252.92.254 any (44 matches)
50 permit ip host 10.252.92.247 any
When I put it below the deny rules I do not have Internet at all:
Extended IP access list global-mgmt-nat-acl-wan-2
22 deny ip 10.252.92.0 0.0.0.255 10.20.80.0 0.0.0.255 (31 matches)
23 deny ip 10.252.92.0 0.0.0.255 10.20.60.0 0.0.0.255 (31 matches)
24 deny ip 10.253.92.0 0.0.0.255 10.66.32.0 0.0.0.255
30 deny ip 10.248.92.0 0.0.0.255 10.66.32.0 0.0.0.255
33 deny ip 10.248.92.0 0.0.0.255 10.20.60.0 0.0.0.255
34 deny ip 10.248.92.0 0.0.0.255 10.20.80.0 0.0.0.255
35 deny ip 10.248.92.0 0.0.0.255 10.20.50.0 0.0.0.255
36 permit ip host 10.252.92.1 any
40 permit ip host 10.252.92.254 any (86 matches)
Also, I do not get why the host .254, which is the default gateway of .1, has Internet in both cases.
09-27-2024 02:48 AM
Don't waste your time.
Open a TAC case; it is a platform issue.
I use deny in the ACL of NAT for VPN and it works.
This platform may be facing some issue.
Try upgrading; if that does not solve the issue, open a TAC case.
MHM
09-26-2024 05:28 AM - edited 09-26-2024 06:42 AM
Why does the GW have Internet? Because any traffic generated by the device itself is not affected by the ACL.
Why does moving the permit down make the host not have Internet? I think because one of the other subnets is for DNS, so the host cannot connect to the DNS server.
MHM
09-26-2024 05:39 AM
Ok, but any idea why the same access list works on a router and not on a Layer 3 switch?
09-26-2024 05:43 AM - edited 09-26-2024 06:41 AM
It can be that the router runs a local DNS server, and in the SW you use an external or internal DNS server.
MHM
09-26-2024 06:00 AM
Hello
The access-control entries (ACEs) in the access-list (ACL) are read from top to bottom, such that the specific permit host ACE 31 works when it is read before the more summarised deny ACEs for the same 10.252.92.x. So when you resequence it to be after the deny ACEs for 10.252.92.x, your traffic is being matched on the denies.
09-26-2024 06:05 AM
Hello, but that's the point: I want the VLAN 10.252.92.0 to be denied towards the first rules and just allow the rest of the connectivity, which is the Internet connectivity. This is what I do not get, and also why the .254 host does not face the same issue.
09-26-2024 07:45 AM
One simple trick.
Do:
Ping google.com
Ping 8.8.8.8
If ping 8.8.8.8 succeeds and ping google.com fails, then the issue is with DNS.
Note: check that the host has an IP in the correct subnet.
MHM
09-26-2024 07:55 AM
I managed to test it in a much simpler way, with the below config:
interface GigabitEthernet1/0/2
description ETH-2 WAN_2 port (NSCSP)
switchport access vlan 103
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
interface GigabitEthernet1/0/6
switchport access vlan 199
interface Vlan1
no ip address
shutdown
!
interface Vlan13
no ip address
!
interface Vlan103
ip address dhcp
ip nat outside
!
interface Vlan199
ip address 10.252.92.254 255.255.255.0
ip nat inside
no autostate
!
ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Vlan103 dhcp
ip ssh bulk-mode 131072
!
ip nat inside source list test interface Vlan103 overload
!
ip access-list extended tes
ip access-list extended test
5 deny ip 10.252.92.0 0.0.0.255 host 10.66.32.40
10 permit ip 10.252.92.0 0.0.0.255 any
And when I put in the line number 5, I lose Internet connectivity. It is like the access-list does not take into account line number 10.
The host that is denied is something random; nothing is configured on that IP. If I remove line number 5, I have Internet again.
I do not get it.
09-26-2024 08:00 AM
What is this IP 10.66.32.40?
MHM
09-26-2024 08:45 AM
Nothing, a random IP to check that the extended access list does not work properly. Whatever host I try to deny on this line, the permit to any is not working. To me it looks like a bug.
09-26-2024 08:49 AM
I think you are totally correct.
The NAT list supports extended ACLs.
Open a TAC case with Cisco; surely they will answer you whether it is an old or a new bug.
Good job, friend.
MHM
09-26-2024 11:49 AM
If the deny statement is added in NAT ACL, it might prevent NAT from working properly for all other traffic because of how the ACL processes the deny first.
Even though line 10 allows all other traffic (permit ip 10.252.92.0 0.0.0.255 any), there might be an issue where NAT does not handle the ACL correctly after encountering a deny rule. The access list processing could stop at the first deny rule, causing subsequent permit rules to be ignored or not properly applied to NAT.
Solution:
If you only want to deny traffic to 10.66.32.40 but want the internet to work, consider applying the ACL differently, perhaps on the interface or as a route-map rather than using it directly for NAT.
09-26-2024 09:42 AM - edited 09-26-2024 09:45 AM
Hello
You didn't mention it was a NAT ACL;
knowing that provides a better understanding.
So to clarify, 10.20.92.x is the subnet you wish to NAT?
All the other subnets in that ACL (10.x.x) reside on the outside of your NAT domain, correct?
Meaning they have to transit the same outside NAT interface that your 10.252.92.x is routing through?
Post the output of:
sh ip int brief
09-26-2024 10:21 AM
Yes, in the current switch only 2 VLANs exist, 103 and 199. I just put the deny in to prove that the extended access list does not work as expected.
09-27-2024 12:00 AM
Hello
When you say "internet", is this a real switch with a connection to the Internet and production networks, or just a lab simulation?
What is the DHCP-allocated IP range your outside interface is receiving on VLAN 103?
Can you post a topology of this?
Also:
sh ip int brief