06-30-2016 01:31 PM - edited 03-05-2019 04:20 AM
I'm trying to troubleshoot a problem with accessing a server behind NAT on a Cisco 7204 with NPE-G1 and IOS 12.4
I have access-lists permitting traffic with the IP I'm interested in and log-input.
I have those applied to all interfaces, inside and out, and the inside interface ACLs have the internal IP of interest.
I have traffic being logged upstream from a similar router with similar ACLs, but nothing from this router doing NAT.
It's like the packets are not triggering the ACLs to log their traversal.
What am I missing? Is there another way to log these packets to make sure they are flowing in and out of this device?
Thanks,
Chuck
7204 config
interface GigabitEthernet0/1
description Outside public ethernet interface
ip access-group 113 in
ip access-group 114 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
rate-limit input access-group 185 60000000 1500000 3000000 conform-action continue exceed-action drop
rate-limit output access-group 185 60000000 1500000 3000000 conform-action continue exceed-action drop
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface GigabitEthernet0/2
description Inside private ethernet
ip access-group 134 in
no ip redirects
no ip proxy-arp
ip flow ingress
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 EIGRPkey
ip nat inside
ip virtual-reassembly
ip policy route-map WLAN
duplex auto
speed auto
media-type rj45
no negotiation auto
!
access-list 113 permit tcp any host 6.9.6.242 eq 443 log-input ACL-tag
access-list 113 permit tcp host 6.9.6.242 any eq 443 log-input ACL-tag
access-list 113 permit ip any any
access-list 114 permit tcp any host 6.9.6.242 eq 443 log-input ACL-tag
access-list 114 permit tcp host 6.9.6.242 any eq 443 log-input ACL-tag
access-list 114 permit ip any any
access-list 134 permit tcp host 10.0.1.139 any eq 443 log-input ACL-tag
access-list 134 permit tcp any host 10.0.1.139 eq 443 log-input ACL-tag
access-list 134 permit ip any any
ip nat pool test1 6.9.6.242 6.9.6.242 netmask 255.255.255.248
ip nat inside source list 14 pool test1 overload
ip nat inside source static tcp 10.0.1.139 443 6.9.6.242 443 extendable
access-list 14 remark test1 pool
access-list 14 permit 10.0.1.139
06-30-2016 02:25 PM
Hi
You're not getting any logs because they are passing through the permit ip any any.
You are missing on ACL 114
access-list 114 permit tcp host 6.9.6.242 eq 443 any log-input ACL-tag
You are missing on ACL 134
access-list 134 permit tcp host 10.0.1.139 eq 443 any log-input ACL-tag
Thanks
PS: Please don't forget to rate and mark as correct answer if this solved your issue.
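The reply's point, that the return packets only ever hit the un-logged permit ip any any because the existing ACEs match on destination port 443 and the return traffic carries 443 as its source port, can be checked offline. The following is an added example, not code from the thread or from Cisco: a small matcher for the numbered extended ACL syntax used above that walks one HTTPS session through the router's three ACL checkpoints in NAT order of operations (inbound ACLs are evaluated before translation, the outbound ACL on the outside interface after it) and reports which ACE each packet hits and whether that ACE logs. The ACL text is copied from the thread; the client address 203.0.113.7 and port 51000 are constructed. The fixed ACL set places the two new ACEs above permit ip any any, since an ACE placed after the catch-all is never reached.

```python
"""Added example (not from the forum thread): simulate which ACE a packet hits
in the thread's numbered extended ACLs and whether that ACE logs."""
import re
from dataclasses import dataclass

# ACLs 113, 114 and 134 as posted in the thread (standard ACL 14 and the
# ip nat lines are not ACEs of this form and are skipped by the parser).
ORIGINAL_ACLS = """
access-list 113 permit tcp any host 6.9.6.242 eq 443 log-input ACL-tag
access-list 113 permit tcp host 6.9.6.242 any eq 443 log-input ACL-tag
access-list 113 permit ip any any
access-list 114 permit tcp any host 6.9.6.242 eq 443 log-input ACL-tag
access-list 114 permit tcp host 6.9.6.242 any eq 443 log-input ACL-tag
access-list 114 permit ip any any
access-list 134 permit tcp host 10.0.1.139 any eq 443 log-input ACL-tag
access-list 134 permit tcp any host 10.0.1.139 eq 443 log-input ACL-tag
access-list 134 permit ip any any
"""

# Same ACLs with the reply's two return-direction ACEs inserted. They must
# sit above 'permit ip any any': ACEs are evaluated top-down, first match wins.
FIXED_ACLS = ORIGINAL_ACLS.replace(
    "access-list 114 permit ip any any",
    "access-list 114 permit tcp host 6.9.6.242 eq 443 any log-input ACL-tag\n"
    "access-list 114 permit ip any any",
).replace(
    "access-list 134 permit ip any any",
    "access-list 134 permit tcp host 10.0.1.139 eq 443 any log-input ACL-tag\n"
    "access-list 134 permit ip any any",
)

# Subset of the numbered extended ACL grammar that appears in the thread.
ACE_RE = re.compile(
    r"access-list (?P<num>\d+) (?P<action>permit|deny) (?P<proto>tcp|udp|ip) "
    r"(?P<src>any|host \S+)(?: eq (?P<sport>\d+))? "
    r"(?P<dst>any|host \S+)(?: eq (?P<dport>\d+))?"
    r"(?P<log> log-input(?: \S+)?| log)?$"
)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_acls(text):
    """Group ACEs by ACL number, preserving their order."""
    acls = {}
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m:  # non-matching lines (remarks, standard ACLs) are ignored
            acls.setdefault(int(m["num"]), []).append(m.groupdict())
    return acls


def _addr_ok(spec, ip):
    return spec == "any" or spec == f"host {ip}"


def _port_ok(spec, port):
    return spec is None or int(spec) == port


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    return (_addr_ok(ace["src"], pkt.src) and _port_ok(ace["sport"], pkt.sport)
            and _addr_ok(ace["dst"], pkt.dst) and _port_ok(ace["dport"], pkt.dport))


def first_match(acls, num, pkt):
    """Return (index, action, logs) of the first matching ACE, or None for the
    implicit deny at the end of the list."""
    for i, ace in enumerate(acls.get(num, [])):
        if ace_matches(ace, pkt):
            return i, ace["action"], ace["log"] is not None
    return None


def trace_session(acls, client_ip, client_port):
    """Walk one HTTPS session through the thread's checkpoints in router order:
    ACL 113 (outside in) and ACL 134 (inside in) see packets before NAT, so the
    return packet still carries the private address; ACL 114 (outside out) is
    evaluated after inside-to-outside NAT and sees the public address."""
    public, private = "6.9.6.242", "10.0.1.139"
    checkpoints = {
        "113 outside-in": Packet("tcp", client_ip, client_port, public, 443),
        "134 inside-in": Packet("tcp", private, 443, client_ip, client_port),
        "114 outside-out": Packet("tcp", public, 443, client_ip, client_port),
    }
    return {name: first_match(acls, int(name.split()[0]), pkt)
            for name, pkt in checkpoints.items()}


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_ACLS), ("fixed", FIXED_ACLS)):
        print(label, trace_session(parse_acls(text), "203.0.113.7", 51000))
```

With the original ACLs only the outside-inbound checkpoint logs; both return-direction checkpoints fall through to the catch-all. With the two ACEs from the reply in place, each checkpoint hits a logging ACE, which is the behaviour the original poster expected.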