NAT stops HTTP ACLs from working - Cisco Packet Tracer

dtobarl
Level 1

Hi everyone,
I'm getting familiarized with ACLs by working with them in Cisco Packet Tracer. 

I have this setup;

[Attached topology image: dtobarl_1-1711126912933.png]

R-Corp has static NAT IPs for everything inside Corporativo. With this setup, I've been able to implement some ACLs to, for example, let PC_INTERNET receive emails from PC_A, using SERVER_INTERNET and DNS to resolve the name of the email server.

What's confusing me is that when trying to connect to INTRANET_SERVER from PC_INTERNET through HTTP (even without using the DNS; trying to connect directly for testing purposes), it stops working ONLY if the NAT translation is happening. If I don't have NAT translation, the HTTP works, even with the same ACLs (taking the translation into account to change them).

The relevant ACLs being:

```
access-list 100 permit icmp host 10.0.0.10 host 200.0.0.100 echo
access-list 100 permit tcp host 10.0.0.10 host 200.0.0.100 eq smtp
access-list 100 permit udp host 10.0.0.30 host 200.0.0.101 gt 1023
access-list 100 permit tcp host 10.0.0.20 host 200.0.0.101 established
access-list 101 permit icmp host 200.0.0.100 host 240.200.200.11 echo-reply
access-list 101 permit tcp host 200.0.0.100 host 240.200.200.11 gt 1023
access-list 101 permit udp host 200.0.0.101 host 240.200.200.13 eq domain
access-list 101 permit icmp host 200.0.0.101 host 220.200.200.2 echo
access-list 101 permit tcp host 200.0.0.101 host 240.200.200.12 eq www
access-list 101 permit tcp host 200.0.0.101 host 10.0.0.20 eq www
```

(I added both 10.0.0.20 [no NAT] and 240.200.200.12 [with NAT] to test. With NAT disabled in the router, 10.0.0.20 works, without, 240.200.200.12 does not).
101 is implemented in fastEthernet 0/1, the one that's connecting to outside.

100 is implemented in fastEthernet 0/0, the one connecting to Corporativo.


I include the router config and the .pkt file. Any password needed should be cisco123.

Any help, or pointing towards the right resources to research, is deeply appreciated.


Martin L
VIP

Not sure what your goal here is, but in the real world, this issue of reaching INTRANET_SERVER (in your own company) from outside PC_INTERNET is how things are supposed to be working. At home, I (and Cisco) cannot reach your PC, but you can reach this site. In other words, you must initiate traffic to me, not the other way around. I, having a public IP address, cannot access/ping anyone on a private range unless you make a special 1-to-1 NAT translation or put the PC/server in a special DMZ. Such a NAT translation reserves and maps a public IP to a private IP inside your company. At home, i.e. on a Linksys router, you must set up special port mapping to let outside access reach your internal network or PC.

I haven't looked at your PT file, but does static NAT mapping solve your issue?

Regards, ML
**Please Rate All Helpful Responses**

 

So, what I'm trying to do is connect from PC_INTERNET to INTRANET_SERVER through HTTP (it has HTTP enabled), limiting it so that ONLY that connection (not other PCs, just PC_INTERNET) is possible through ACLs. These ACLs are:

```
access-list 101 permit tcp host 200.0.0.101 host 10.0.0.20 eq www
access-list 100 permit tcp host 10.0.0.20 host 200.0.0.101 established
```

They work BUT only when the static NAT mapping is disabled. If I have static NAT mapping enabled (and change the ACLs accordingly, to:

```
access-list 101 permit tcp host 200.0.0.101 host 240.200.200.12 eq www
```

with the other one staying the same), it does not work, and I have no idea why. Since it works without NAT, I think (I'm not sure) that the ACLs are working appropriately. That leads me to think the NAT is wrong. Problem is, another specific connection I've done is letting PC_INTERNET reach the DNS server for SMTP with SERVER_WEB. If the NAT isn't working, then that shouldn't work. But it does.

So, my biggest concern right now, is not even knowing what's wrong.
Appreciate the response.


dtobarl
Level 1

For anyone needing an answer, it turns out that, for some reason, using a 240.x IPv4 address for the Intranet Server NAT translation messed everything up. I left everything the same, changed it to 200 instead of 240, and everything worked.
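Two things the thread turns on can be checked in a small model: on a Cisco router an inbound ACL is evaluated before NAT on that interface (so ACL 101 on the outside interface must name the inside-global address, and ACL 100 on the inside interface must name the inside-local address), and 240.0.0.0/4 is a reserved block that cannot serve as a public inside-global address. The script below is an added example written for this thread, not the poster's Packet Tracer configuration and not Cisco code. The ACL lines and the addresses 10.0.0.20, 240.200.200.12 and 200.0.0.101 are the ones quoted above; the static mappings for 10.0.0.10 and 10.0.0.30 are assumed from the entries in ACL 101, and the order-of-operations walk is a simplified model of IOS behaviour.

```python
"""Added example for the thread above (not the poster's config, not Cisco code).

Models (1) IOS evaluating an inbound ACL before NAT on that interface and
(2) 240.0.0.0/4 being reserved and therefore unusable as an inside-global
address. The 10.0.0.10 / 10.0.0.30 mappings below are ASSUMED from ACL 101.
"""
import ipaddress
from dataclasses import dataclass

PORTS = {"smtp": 25, "www": 80, "domain": 53}  # IOS port keywords used in the thread

# Assumed static NAT table as first built: inside local -> inside global
STATIC_NAT_240 = {"10.0.0.10": "240.200.200.11",
                  "10.0.0.20": "240.200.200.12",   # INTRANET_SERVER
                  "10.0.0.30": "240.200.200.13"}
# The same table after the fix reported in the last post (240.x -> 200.x)
STATIC_NAT_200 = {k: v.replace("240.", "200.", 1) for k, v in STATIC_NAT_240.items()}


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0
    ack: bool = False  # TCP ACK or RST set; this is all the "established" keyword checks


def parse_acl(text):
    """Parse the 'access-list N permit PROTO host A host B [qualifiers]' subset used here."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 8 or t[0] != "access-list" or t[4] != "host" or t[6] != "host":
            raise ValueError(f"unsupported ACL line: {line}")
        acls.setdefault(t[1], []).append(
            {"action": t[2], "proto": t[3], "src": t[5], "dst": t[7], "qual": t[8:]})
    return acls


def _port(tok):
    return PORTS.get(tok) or int(tok)


def entry_matches(e, p):
    if (e["proto"], e["src"], e["dst"]) != (p.proto, p.src, p.dst):
        return False
    q, i = e["qual"], 0
    while i < len(q):
        if q[i] == "eq":
            if p.dport != _port(q[i + 1]):
                return False
            i += 2
        elif q[i] == "gt":
            if p.dport <= _port(q[i + 1]):
                return False
            i += 2
        elif q[i] == "established":
            if not p.ack:
                return False
            i += 1
        else:  # ICMP type keywords (echo, echo-reply) are not modelled
            i += 1
    return True


def acl_permits(entries, p):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for e in entries:
        if entry_matches(e, p):
            return e["action"] == "permit"
    return False


def build_acls(server_global):
    """The three ACL lines from the thread, with the INTRANET_SERVER global address substituted."""
    return parse_acl(f"""
access-list 100 permit tcp host 10.0.0.20 host 200.0.0.101 established
access-list 101 permit tcp host 200.0.0.101 host {server_global} eq www
access-list 101 permit tcp host 200.0.0.101 host 10.0.0.20 eq www
""")


def http_from_internet(client, server_local, nat, acls):
    """Walk one HTTP request and its reply through the router in IOS order."""
    server_global = nat[server_local]
    # Request enters fa0/1 (outside): inbound ACL 101 runs before outside->inside
    # NAT, so the destination it sees is still the inside-global address.
    req = Packet("tcp", client, server_global, dport=80)
    req_ok = acl_permits(acls["101"], req)
    # Reply enters fa0/0 (inside): inbound ACL 100 runs before inside->outside
    # NAT, so the source it sees is still the inside-local address.
    rep = Packet("tcp", server_local, client, dport=40000, ack=True)
    rep_ok = acl_permits(acls["100"], rep)
    return {"request_permitted": req_ok, "reply_permitted": rep_ok,
            "global_reserved": ipaddress.ip_address(server_global).is_reserved}


def lint_nat_globals(nat):
    """Inside-global addresses that are not usable public addresses (e.g. 240.0.0.0/4)."""
    return sorted(g for g in nat.values() if not ipaddress.ip_address(g).is_global)


if __name__ == "__main__":
    for nat in (STATIC_NAT_240, STATIC_NAT_200):
        acls = build_acls(nat["10.0.0.20"])
        print(nat["10.0.0.20"], http_from_internet("200.0.0.101", "10.0.0.20", nat, acls),
              "unusable globals:", lint_nat_globals(nat))
```

Run as written, both NAT tables pass the ACL walk, which matches the poster's observation that the ACLs themselves were fine; only the 240.x table is flagged by `lint_nat_globals`, which is the actual fault. The `host 10.0.0.20` line in ACL 101 never matches once NAT is active, because the outside interface sees the inside-global destination, so it is dead configuration. Note also that `established` only tests the ACK/RST flags: any packet from 10.0.0.20 to 200.0.0.101 with ACK set is permitted regardless of port, so it is a coarse substitute for stateful inspection, not an equivalent.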
