IR9300 Issue on extended access-list

dim_ing
Level 1

Hello,


I have the below access-list. When it is in this order I have Internet connectivity on the 10.252.92.1 host, but when I move 21 below the deny commands I cannot; it is like it is rejecting the permit. Could anyone help me understand why? To me it seems like a bug, but ok, maybe there is something I do not get.

Extended IP access list global-mgmt-nat-acl-wan-2
21 permit ip host 10.252.92.1 any (22 matches)
22 deny ip 10.252.92.0 0.0.0.255 10.20.80.0 0.0.0.255 (19 matches)
23 deny ip 10.252.92.0 0.0.0.255 10.20.60.0 0.0.0.255 (19 matches)
24 deny ip 10.253.92.0 0.0.0.255 10.66.32.0 0.0.0.255
30 deny ip 10.248.92.0 0.0.0.255 10.66.32.0 0.0.0.255
33 deny ip 10.248.92.0 0.0.0.255 10.20.60.0 0.0.0.255
34 deny ip 10.248.92.0 0.0.0.255 10.20.80.0 0.0.0.255
35 deny ip 10.248.92.0 0.0.0.255 10.20.50.0 0.0.0.255
40 permit ip host 10.252.92.254 any (44 matches)
50 permit ip host 10.252.92.247 any


When I put it below the deny rules I do not have internet at all:

Extended IP access list global-mgmt-nat-acl-wan-2
22 deny ip 10.252.92.0 0.0.0.255 10.20.80.0 0.0.0.255 (31 matches)
23 deny ip 10.252.92.0 0.0.0.255 10.20.60.0 0.0.0.255 (31 matches)
24 deny ip 10.253.92.0 0.0.0.255 10.66.32.0 0.0.0.255
30 deny ip 10.248.92.0 0.0.0.255 10.66.32.0 0.0.0.255
33 deny ip 10.248.92.0 0.0.0.255 10.20.60.0 0.0.0.255
34 deny ip 10.248.92.0 0.0.0.255 10.20.80.0 0.0.0.255
35 deny ip 10.248.92.0 0.0.0.255 10.20.50.0 0.0.0.255
36 permit ip host 10.252.92.1 any
40 permit ip host 10.252.92.254 any (86 matches)


Also, I do not get why the host .254, which is the default gateway of .1, has internet in both cases.

Accepted Solution

Don't waste your time.

Open a TAC case; it is a platform issue.

I use deny in the ACL of NAT for VPN and it works.

This platform may be facing some issue.

Try upgrading; if that does not solve the issue, open a TAC case.

MHM


22 Replies

Why does the GW have internet? Because any traffic generated by the device itself is not affected by the ACL.

Why does moving the permit down make the host not have internet? I think because one of the other subnets is for DNS, so the host cannot connect to the DNS server.

MHM

Ok, but any idea why the same access list works on a router and not on a Layer 3 switch?


It can be that the router runs a local DNS server and on the SW you use an external or internal DNS server.

MHM

Hello
The access-list control entries (ACEs) in the access-list (ACL) are read from top to bottom, such that the specific permit host ACE 31 works when it is read before the more summarised deny ACEs for the same 10.252.92.x. So when you resequence it to be after the deny ACEs for 10.252.92.x, your traffic is being matched on the denies.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
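Added here as a worked example (it is not code from any poster in this thread): a small Python model of the top-down, first-match ACE evaluation described above, fed with the ACEs from the first listing in the question. It reports which ACE the 10.252.92.1 host hits for an Internet destination and for a destination inside one of the denied subnets (for instance a DNS server there, as the earlier reply suggests) in both orderings. The destination addresses 8.8.8.8 and 10.20.60.10 are constructed sample flows, and ACE 50 is kept in the resequenced copy although the poster's second listing does not show it.

```python
import ipaddress

# ACEs copied from the thread's first listing (match counters dropped: they are statistics).
ACL_PERMIT_FIRST = """\
21 permit ip host 10.252.92.1 any
22 deny ip 10.252.92.0 0.0.0.255 10.20.80.0 0.0.0.255
23 deny ip 10.252.92.0 0.0.0.255 10.20.60.0 0.0.0.255
24 deny ip 10.253.92.0 0.0.0.255 10.66.32.0 0.0.0.255
30 deny ip 10.248.92.0 0.0.0.255 10.66.32.0 0.0.0.255
33 deny ip 10.248.92.0 0.0.0.255 10.20.60.0 0.0.0.255
34 deny ip 10.248.92.0 0.0.0.255 10.20.80.0 0.0.0.255
35 deny ip 10.248.92.0 0.0.0.255 10.20.50.0 0.0.0.255
40 permit ip host 10.252.92.254 any
50 permit ip host 10.252.92.247 any
"""

def _spec(tokens):
    # Consume one IOS address spec ('any', 'host A', 'A WILDCARD') -> (base, care_mask).
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return int(ipaddress.IPv4Address(tok)), ~wildcard & 0xFFFFFFFF

def parse_acl(text):
    # Turn 'SEQ ACTION ip SRC DST' lines into (seq, action, src, dst) tuples.
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[2] != "ip":
            continue
        rest = tokens[3:]
        aces.append((int(tokens[0]), tokens[1], _spec(rest), _spec(rest)))
    return aces

def resequence(aces, seq, new_seq):
    # Move one ACE to a new sequence number (the poster moved 21 -> 36).
    moved = next(a for a in aces if a[0] == seq)
    rest = [a for a in aces if a[0] != seq]
    return sorted(rest + [(new_seq,) + moved[1:]], key=lambda a: a[0])

def first_match(aces, src_ip, dst_ip):
    # Top-down, first-match evaluation as IOS does it; implicit deny at the end.
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for seq, action, (sb, sm), (db, dm) in aces:
        if (s & sm) == (sb & sm) and (d & dm) == (db & dm):
            return seq, action
    return None, "deny"
```

For an ACL referenced by ip nat inside source, a deny match means the flow is simply not translated rather than dropped, so the model only tells you whether a flow is a NAT candidate.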

Hello, but that's the point: I want the VLAN 10.252.92.0 to be denied towards the first rules and just allow the rest of the connectivity, which is the Internet connectivity. This is what I do not get, and also why the .254 host does not face the same issue.

One simple trick.

Do:

Ping google.com

Ping 8.8.8.8

If ping 8.8.8.8 succeeds but ping google.com does not, then the issue is with DNS.

Note: check that the host has an IP in the correct subnet.

MHM

I managed to test it in a much simpler way with the below config:

interface GigabitEthernet1/0/2
description ETH-2 WAN_2 port (NSCSP)
switchport access vlan 103
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4

interface GigabitEthernet1/0/6
switchport access vlan 199


interface Vlan1
no ip address
shutdown
!
interface Vlan13
no ip address
!
interface Vlan103
ip address dhcp
ip nat outside
!
interface Vlan199
ip address 10.252.92.254 255.255.255.0
ip nat inside
no autostate
!
ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Vlan103 dhcp
ip ssh bulk-mode 131072
!
ip nat inside source list test interface Vlan103 overload
!
ip access-list extended tes
ip access-list extended test
5 deny ip 10.252.92.0 0.0.0.255 host 10.66.32.40
10 permit ip 10.252.92.0 0.0.0.255 any
And when I put line number 5 in, I lose internet connectivity. It is like the access-list does not take into account line number 10.
The host that is denied is something random; nothing is configured on that IP. If I remove line number 5 I have internet again.
I do not get it.



What is this IP 10.66.32.40?

MHM

Nothing, a random IP to check that the extended access list does not work properly. Whatever host I try to deny on this line, the permit to any is not working. To me it looks like a bug.

I think you are totally correct.

The list of NAT supports extended ACL.

Open a TAC case with Cisco; surely they will answer you whether it is an old or new bug.

Good job friend.

MHM

If the deny statement is added in NAT ACL, it might prevent NAT from working properly for all other traffic because of how the ACL processes the deny first.

Even though line 10 allows all other traffic (permit ip 10.252.92.0 0.0.0.255 any), there might be an issue where NAT does not handle the ACL correctly after encountering a deny rule. The access list processing could stop at the first deny rule, causing subsequent permit rules to be ignored or not properly applied to NAT.

Solution:

If you only want to deny traffic to 10.66.32.40 but want the internet to work, consider applying the ACL differently, perhaps on the interface or as a route-map rather than using it directly for NAT.


Hello
You didn't mention it was a NAT ACL; knowing that provides a better understanding.

So to clarify, 10.20.92.x is the subnet you wish to NAT?
All the other subnets in that ACL (10.x.x) reside on the outside of your NAT domain, correct?
Meaning they have to transit the same outside NAT interface that your 10.252.92.x is routing through?

Post the output of:
sh ip int brief



Kind Regards
Paul

Yes, in the current switch only 2 VLANs exist, 103 and 199. I just put the deny in to prove that the extended access list does not work as expected.

Hello
When you say "internet", is this a real switch with a connection to the internet and production networks, or just a lab simulation?
What is the DHCP-allocated IP range your outside interface is receiving on VLAN 103?


Can you post a topology of this?
Also:
sh ip int brief



Kind Regards
Paul