NAT access-list deny entry being skipped

a.banta01, Level 1

Having some issues and super frustrated. I've been searching the web for the last four hours trying to figure out why.

Set up a router with two networks. Added NAT; everything works as expected. All traffic is NAT’d.

Net A ------ Gi0-Router-Gi1------- Net B, Internet

Gi0/0/0 is nat inside

Gi0/0/1 is nat outside

Traffic to the internet works fine, NAT is great. Problem is, if Net A communicates with a host on Net B, the address is NAT’d – Hosts on Net B need to access internal network of Net A, but the return traffic is now NAT’d.

One would think throw on a NoNAT, simple deny entry before the permit in the ACL – and for whatever reason… it doesn’t work.

interface GigabitEthernet0/0/0
 ip address 10.1.32.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat outside
!
ip nat inside source list 101 pool NETBPool
!
ip nat pool NETBPool 192.168.0.10 192.168.0.254 netmask 255.255.255.0
!
ip access-list extended 101
 deny   ip 10.1.32.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 10.1.32.0 0.0.0.255 any
!

If 10.1.32.11 tries to ping 192.168.0.3, the ping goes through, and is NAT’d to an IP in the pool (.10, .16, etc). It looks like the deny entry in ACL 101 is being skipped and the permit entry is being used.

lab-r1#sh ip nat trans | i 32.11.*0.3
icmp 192.168.0.11:1        10.1.32.11:1          192.168.0.3:1         192.168.0.3:1

I've gone as far as using exact host addresses for 10.1.32.11 and 192.168.0.3 on the deny entry, and the issue persists. As long as there is a permit rule after a deny, the deny is ignored.

lab-r1#sh access-li 101
Extended IP access list 101
10 deny ip host 10.1.32.11 host 192.168.0.3
15 deny ip any host 192.168.0.3
20 permit ip any any
lab-r1#sh ip nat trans | i icmp
icmp 192.168.0.11:1 10.1.32.11:1 192.168.0.3:1 192.168.0.3:1
lab-r1#

Can anyone provide any insight or Cisco documentation on why NAT is ignoring a deny entry?

ISR4321
03.16.04b.S - Yeah I know, it's a lab

16 Replies

a.banta01, Level 1
lab-r1#debug ip nat
% Incomplete command.

lab-r1#debug ip nat ?
  <1-99>  Access list forced
  WORD    Access list name
  ha      High Availability debugging

lab-r1#debug ip nat 101
% Invalid access list name.

lab-r1#show ip nat trans | i 32.11
---  192.168.0.107         10.1.32.11            ---                   ---
tcp  192.168.0.107:62679   10.1.32.11:62679      20.190.151.133:443    20.190.151.133:443
tcp  192.168.0.107:3389    10.1.32.11:3389       192.168.0.14:55614    192.168.0.14:55614
lab-r1#sh ip access-li
Extended IP access list 101
    5 deny ip any host 192.168.0.5
    6 deny ip any host 192.168.0.14
    10 deny ip host 10.1.32.11 host 192.168.0.14
    20 deny ip any host 192.168.0.3
    40 deny ip host 10.1.32.11 host 192.168.0.3
    50 permit ip any any
lab-r1#

I tried to redo the ACL as a named ACL and turn on debug, but couldn't glean almost anything from it. I think I had these on:

bind, detailed, drop, limit, mapping, pool, port, session

lab-r1#debug ip nat NATACL ?
  alg       NAT ALG events
  bind      NAT dynamic translation create/delete events
  detailed  NAT detailed events for ACL based debugging
  drop      NAT Drop events
  ipsec     NAT IPSec events
  limit     NAT max-limit policy events
  mapping   NAT mapping create/delete events
  pap       NAT Paired-address-pooling events
  pool      NAT pool events
  port      NAT PORT events
  route     NAT Static route events
  session   NAT session events
  wlan-nat  WLAN NAT events
  <cr>      <cr>

As you can see, the second NAT translation is from 10.1.32.11 going to 192.168.0.14, being NAT'd to 192.168.0.107, despite ACL 101 entry #6 and despite ACL 101 entry #10. It's using ACL 101 entry #50.

lab-r1#sh ver | i Vers
Cisco IOS XE Software, Version 16.09.08
lab-r1#sh ver | i upt
lab-r1 uptime is 1 week, 2 days, 1 hour, 2 minutes

Here's the NAT code:

lab-r1#sh run | i nat
 ip nat inside
 ip nat inside
 ip nat inside
 ip nat inside
 ip nat inside
 ip nat inside
 ip nat inside
 ip nat inside
 ip nat inside
 ip nat inside
 ip nat inside
 ip nat inside
 ip nat inside
 ip nat outside
no ip nat service dns tcp
no ip nat service dns udp
ip nat pool NETBPool 192.168.0.90 192.168.0.254 netmask 255.255.255.0
ip nat inside source list 101 pool NETBPool
lab-r1#

I would think it would be extremely unlikely that I went through three or four versions of code, all with the exact same behavior... but ya never know.

First, use a standard ACL (1-99) for debug.

Second:

lab-r1#show ip nat trans | i 32.11
---  192.168.0.107         10.1.32.11

This NAT appears only if you have static NAT.

If you don't have static NAT, then try using a route-map in NAT instead of using an ACL.

MHM
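To make MHM's point about the `---` entry checkable, here is an added Python example (not code from the thread, from the poster, or from Cisco) that parses constructed `show ip nat translations` and ACL text in the shape quoted above, flags static mappings (a static entry for an inside host is used regardless of the dynamic list ACL), and evaluates the ACL first-match for the remaining translations so that entries the ACL cannot account for are called out. The sample output, the ACL text and the `explain` helper are all constructed for illustration; only contiguous wildcard masks are handled.

```python
import ipaddress
# Constructed samples shaped like the outputs quoted in the thread (not captures from the poster's router).
SHOW_NAT_TRANS = """\
---  192.168.0.107         10.1.32.11            ---                   ---
tcp  192.168.0.107:3389    10.1.32.11:3389       192.168.0.14:55614    192.168.0.14:55614
icmp 192.168.0.11:1        10.1.32.11:1          192.168.0.3:1         192.168.0.3:1
"""
ACL_101 = """\
deny   ip 10.1.32.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 10.1.32.0 0.0.0.255 any
"""

def _addr(f):
    """Consume one ACL address spec: 'any', 'host A', or 'A wildcard' (contiguous wildcards only)."""
    if f[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), f[1:]
    if f[0] == "host":
        return ipaddress.ip_network(f[1] + "/32"), f[2:]
    return ipaddress.ip_network(f"{f[0]}/{f[1]}", strict=False), f[2:]  # wildcard = hostmask

def parse_acl(text):
    entries = []
    for f in (l.split() for l in text.splitlines()):
        src, rest = _addr(f[2:])  # f[1] is the protocol keyword ('ip')
        dst, _ = _addr(rest)
        entries.append((f[0], src, dst))
    return entries

def acl_action(entries, src, dst):
    """First-match evaluation, ending in the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((a for a, sn, dn in entries if s in sn and d in dn), "deny")

def static_mappings(text):
    """Static entries show '---' as the protocol and as both outside addresses; map inside local -> inside global."""
    return {r[2]: r[1] for r in (l.split() for l in text.splitlines()) if r[0] == "---" and r[3] == "---"}

def explain(text, entries):
    """Classify each dynamic translation: static mapping, ACL permit, or unexplained."""
    statics, out = static_mappings(text), []
    for r in (l.split() for l in text.splitlines() if not l.startswith("---")):
        ig, il, og = (x.rsplit(":", 1)[0] for x in (r[1], r[2], r[4]))
        if statics.get(il) == ig:
            reason = "static mapping, list ACL not consulted"
        elif acl_action(entries, il, og) == "permit":
            reason = "dynamic, permitted by ACL"
        else:
            reason = "unexplained: ACL denies this flow, check other NAT rules"
        out.append((il, og, reason))
    return out
```

Running `explain(SHOW_NAT_TRANS, parse_acl(ACL_101))` attributes the 10.1.32.11 to 192.168.0.14 translation to the static mapping, while the ICMP entry to 192.168.0.3 is reported as unexplained because the deny line matches it.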