NAT access-list deny entry being skipped

a.banta01
Level 1

Having some issues and super frustrated. Been searching the web for the last four hours trying to figure out why.

Set up a router with two networks. Added NAT, everything works as expected. All traffic is NAT’d.

Net A ------ Gi0-Router-Gi1------- Net B, Internet

Gi0/0/0 is nat inside

Gi0/0/1 is nat outside

Traffic to the internet works fine, NAT is great. Problem is, if Net A communicates with a host on Net B, the address is NAT’d – Hosts on Net B need to access internal network of Net A, but the return traffic is now NAT’d.

One would think throw on a NoNAT, simple deny entry before the permit in the ACL – and for whatever reason… it doesn’t work.

 

interface GigabitEthernet0/0/0
 ip address 10.1.32.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat outside
!
ip nat inside source list 101 pool NETBPool
!
ip nat pool NETBPool 192.168.0.10 192.168.0.254 netmask 255.255.255.0
!
ip access-list extended 101
 deny   ip 10.1.32.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 10.1.32.0 0.0.0.255 any
!

 

If 10.1.32.11 tries to ping 192.168.0.3, the ping goes through, and is NAT’d to an IP in the pool (.10, .16, etc). It looks like the deny entry in ACL 101 is being skipped and the permit entry is being used.

 

lab-r1#sh ip nat trans | i 32.11.*0.3
icmp 192.168.0.11:1        10.1.32.11:1          192.168.0.3:1         192.168.0.3:1

 

I've gone as far as using exact host addresses for 10.1.32.11 and 192.168.0.3 on the deny entry, and the issue persists. As long as there is a permit rule after a deny, the deny is ignored.

lab-r1#sh access-li 101
Extended IP access list 101
10 deny ip host 10.1.32.11 host 192.168.0.3
15 deny ip any host 192.168.0.3
20 permit ip any any
lab-r1#sh ip nat trans | i icmp
icmp 192.168.0.11:1 10.1.32.11:1 192.168.0.3:1 192.168.0.3:1
lab-r1#

Can anyone provide any insight or Cisco documentation on why NAT is ignoring a deny entry?

 

ISR4321
03.16.04b.S - Yeah I know, it's a lab

16 Replies

sdroy
Level 1

In Cisco NAT configurations, the ACL used for NAT is evaluated differently than a standard ACL applied to an interface. Specifically, NAT ACLs are used to define which traffic should be translated, and the deny statements in these ACLs do not block traffic—they simply exclude it from being NAT'd. This means that even though your ACL has a deny entry, the traffic is still allowed to pass through the router; it just bypasses NAT translation.
To resolve this, you may need to implement a separate ACL on the interface to explicitly block the traffic you want to deny. Alternatively, you could use route maps with NAT to gain more granular control over the traffic. For more detailed guidance, you can refer to Cisco's documentation on NAT and ACL behavior, such as
https://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/guide/sec-data-acl/17-1-1/b-sec-data-acl-xe-17-1-asr920/b-sec-data-acl-xe-17-1-asr920_chapter_00.html

Shuvodip Roy

Correct - the ACL in this case is not for allowing or denying traffic - only as a traffic eligibility selection for NAT.

The problem is, the deny entry is NOT bypassing NAT.

Hello


@a.banta01 wrote:

lab-r1#sh access-li 101
lab-r1#sh ip nat trans | i icmp
icmp 192.168.0.11:1 10.1.32.11:1 192.168.0.3:1 192.168.0.3:1
lab-r1#

Traffic to the internet works fine,
Hosts on Net B need to access internal network of Net A, but the return traffic is now NAT’d


When using NAT the external network in most use cases is not even aware of the network being translated, so in your scenario 10.1.32.x/24 is hidden from 192.168.0.x/24.

So if you do not wish to NAT a certain inside host then the external networks will need to be aware of and able to reach that inside NON-translated host, but the problem you have is that you have hosts on a directly connected "outside" network you wish not to be natted, but you are using that same network for translation.

Note you can NAT on ANY network as long as it's reachable externally AND it originates from your own rtr; also the nat acl needs NOT to include an "any any" statement.

Example1:

lab-r1
access-list 101 deny ip host 10.1.31.11 any
access-list 101 permit ip 10.1.31.0 0.0.0.255 any

external rtr
ip route 10.1.31.11 255.255.255.255 x/x 192.168.0.1


Example2:

lab-r1
no ip nat pool NETBPool 
ip nat pool NETBPool 172.16.0.10 172.16.0.254 netmask 255.255.255.0

access-list 101 deny ip host 10.1.31.11 any
access-list 101 permit ip 10.1.31.0 0.0.0.255 any

external rtr
ip route 172.16.0.0 255.255.255.0 x/x  192.168.0.1
ip route 10.1.31.11 255.255.255.255 x/x 192.168.0.1 



Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

With the experienced problem, neither example will work - the router is ignoring the deny entry and still applying NAT, that is the issue.

If the router would follow the ACL in the current setup or either example I see no issues, but therein lies the problem.

Hello


@a.banta01 wrote:
With the experienced problem, neither example will work - the router is ignoring the deny entry and still applying NAT, that is the issue.


Well, here is the problem: either solution I submitted should work, unless you are not sharing all the information in your OP.

Post a simple topology diagram showing what you are trying to accomplish; maybe it will show why those examples are not working.



Kind Regards
Paul

The third line on the post was a simple text diagram. I'll try to create an image and upload it.

My point on your solutions not working - and I'll try to be concise:

The router is ignoring ACL deny entries for NAT. Your solutions use ACL deny entries. The router will ignore those. That issue is the entire purpose of the post.

lab-r1#sh access-li 101
Extended IP access list 101
10 deny ip host 10.1.32.11 host 192.168.0.3 <-------------- Deny rule in ACL for NAT, first entry in ACL

 

The ACL above used in NAT is supposed to deny NAT from being performed (No-NAT) for traffic sourced from 10.1.32.11 destined to 192.168.0.3 - and its not working:

 

lab-r1#sh ip nat trans | i 32.11.*0.3
icmp 192.168.0.11:1 10.1.32.11:1 192.168.0.3:1 192.168.0.3:1  <-------- Router ignores deny rule, and still performs NAT

 

balaji.bandi
Hall of Fame

In your use case, 

1. Why not let the DSL router do all the NAT stuff, and leave the Router to act as a router?

2. The other option, as @paul driver suggested, is something similar to the below:

On the DSL Router you need a route back to 10.1.32.0/24 towards 192.168.0.1

on the Router 

ip nat inside source list 100 interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.0.2
!
!
!
access-list 100 deny ip 10.1.32.0 0.0.0.255 host 192.168.0.3
access-list 100 permit ip 10.1.32.0 0.0.0.255 any

Other than that I can't think of anything, unless we are hitting a bug on that code.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

In the home lab, the DSL router is a simple router provided by the ISP which is locked down and cannot do routing, which is why the lab-r1 has to NAT anything behind it.

Again, the router is ignoring deny entries

access-list 100 deny ip 10.1.32.0 0.0.0.255 host 192.168.0.3

is a deny entry and will be ignored by the router.

I upgraded from 03.16.04b.S to 16.9.8 and the issue persists.

I have the same version of the code Router CSR in the Lab, and it works as expected with the routing back from the DSL router.

Since you have no access to the DSL router, we may need to think a different way, since the DSL router or PC is not aware of the 10.1.32.0 network and will send it out.

For testing :

on the PC 192.168.200.3 

can you add a route for 10.1.32.0/24 towards 192.168.200.1 and test it

 

BB



Issue persists. The router is still changing the IPs of 10.1.32.0/24 despite the NAT ACL Denies

For testing :

on the PC 192.168.0.3 

can you add a route for 10.1.32.0/24 towards 192.168.0.1 and test it

As far as we know we are testing only 1 host, that is 192.168.0.3 (my correction, I had mentioned 192.168.200.3).

Now we see a lot of IP NAT entries here on your list; how many interfaces do you have?

A simple test to prove it: use 1 of the PCs and test it as below:

ip nat inside source list 100 interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.0.2
!
access-list 100 deny ip 10.1.32.0 0.0.0.255 host 192.168.0.3
access-list 100 permit ip 10.1.32.0 0.0.0.255 any

On the PC 192.168.0.3 add a Windows route:

route add 10.1.32.0 mask 255.255.255.0 192.168.0.1

BB



Try 

1- Remove ip nat outside from interface 

2- Clear ip nat translate 

3- add ip nat outside to interface again 

Then check again 

MHM

Tried those steps, issue persists. For whatever reason, the router is ignoring NAT deny ACL entries.

Do show ip access-list;

it can be that the order you added the deny in puts it after the permit.

Share output here

Also share 

Debug ip nat 

MHM
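As an added illustration of the first-match semantics described in sdroy's reply (a deny in a NAT ACL excludes traffic from translation rather than blocking it) and of MHM's point above about checking entry order with show ip access-list, here is a small Python model of how IOS evaluates the ACL referenced by ip nat inside source list. It is not code from the thread or from Cisco; it models the documented behaviour, not the behaviour the original poster observed. ACL 101 is taken from the thread, while the misordered ACL and the 203.0.113.5 Internet host are constructed for the demonstration.

```python
"""Model of IOS NAT ACL evaluation (added example, not from the thread or Cisco)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One access-control entry as printed by 'show ip access-list'."""
    seq: int
    action: str  # "permit" or "deny"
    src: str     # "any", "host A.B.C.D" or "A.B.C.D W.X.Y.Z" (address + wildcard)
    dst: str


def parse_spec(spec: str) -> Tuple[int, int]:
    """Turn an IOS address spec into (base_address, wildcard_mask) integers.

    In a wildcard mask a 1 bit means "don't care", the inverse of a subnet mask.
    """
    parts = spec.split()
    if parts[0] == "any":
        return 0, 0xFFFFFFFF
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0
    base, wildcard = parts
    return int(ipaddress.IPv4Address(base)), int(ipaddress.IPv4Address(wildcard))


def spec_matches(spec: str, ip: str) -> bool:
    """True if ip falls inside the spec after masking out the wildcard bits."""
    base, wildcard = parse_spec(spec)
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)


def first_match(acl: List[Ace], src_ip: str, dst_ip: str) -> Optional[Ace]:
    """IOS walks the list in sequence order; the first matching entry wins."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if spec_matches(ace.src, src_ip) and spec_matches(ace.dst, dst_ip):
            return ace
    return None  # implicit deny at the end of every ACL


def nat_decision(acl: List[Ace], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """What 'ip nat inside source list <acl>' should do with an inside-to-outside packet.

    A permit makes the packet eligible for translation; a deny (explicit or the
    implicit one) means it is forwarded with its source address unchanged. The
    NAT ACL never drops the packet; dropping is the job of an ACL applied with
    'ip access-group'. Returns (decision, matching sequence number or None).
    """
    ace = first_match(acl, src_ip, dst_ip)
    if ace is None:
        return "no-nat", None
    return ("translate" if ace.action == "permit" else "no-nat"), ace.seq


# ACL 101 exactly as the original poster configured it.
ACL_101 = [
    Ace(10, "deny",   "10.1.32.0 0.0.0.255", "192.168.0.0 0.0.0.255"),
    Ace(20, "permit", "10.1.32.0 0.0.0.255", "any"),
]

# Constructed counter-example: the same two entries with the permit entered first,
# the ordering mistake MHM suggests checking for with 'show ip access-list'.
ACL_MISORDERED = [
    Ace(10, "permit", "10.1.32.0 0.0.0.255", "any"),
    Ace(20, "deny",   "10.1.32.0 0.0.0.255", "192.168.0.0 0.0.0.255"),
]


if __name__ == "__main__":
    # 203.0.113.5 is a constructed stand-in for an Internet host.
    for name, acl in (("101", ACL_101), ("misordered", ACL_MISORDERED)):
        for dst in ("192.168.0.3", "203.0.113.5"):
            print(f"ACL {name}: 10.1.32.11 -> {dst}: {nat_decision(acl, '10.1.32.11', dst)}")
```

With ACL 101 as configured, a packet from 10.1.32.11 to 192.168.0.3 hits sequence 10 and is forwarded untranslated, while a packet to the Internet hits sequence 20 and is translated; with the misordered list, the permit at sequence 10 matches first and the deny is never reached. When the live router's show ip access-list shows the same sequence order as the model but show ip nat translations still shows the host being translated, as in the outputs posted above, first-match ACL logic is not what explains the translation.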