NAT translation perform before check inside ACL when Reflexive ACL active

aldrabkin
Level 1

Hi all !

I'm looking for help with a strange problem with NAT and RACL. I have a Cisco 2951 router running IOS 15.5(3)M with LAN and WAN interfaces.

There is one inbound ACL "INTERNET" on the LAN interface with rules that permit and deny some traffic from the local net to the Internet. For example, network 192.168.10.0 is allowed to connect to some external IP address on port 670.

The WAN interface has two ACLs:

  outbound ACL "FROM_LAN": permit ip any any reflect to_INET timeout 300

  inbound ACL "acl_WAN_in": permit ssh to router, permit icmp, permit ntp, evaluate to_INET and deny ip any any log

So network 192.168.10.0 cannot connect to the external IP on port 670. In show logging I can see something like this: access-list INTERNET deny ROUTER_WAN_IP to external_ip port 670. It seems that the NAT translation is performed before the inbound ACL check, but this contradicts the Cisco order of operations. I can solve my problem in several ways:

1) Delete ACL "INTERNET"

2) Add a rule to ACL "INTERNET": permit ip host ROUTER_WAN_IP host external_ip

3) Delete Reflexive ACL "to_INET"

But I don't want to do this; I think my initial configuration should work, but it doesn't. I'm really confused. Can anyone help me? Thanks in advance!

5 Replies

Hello,

You need to allow the public IP used in NAT on the inbound ACL on WAN for return traffic. First the inbound ACL on WAN, then translation of the public IP to the internal IP.

Masoud

Hi, all! Thanks for your answers. I've tried domain-less NAT and I allowed the public IP used in NAT on the inbound ACL, but nothing worked.

I think it is not a NAT problem, it is about the Reflexive ACL. When the RACL is on the WAN router interface, then ACL "INTERNET" (on the internal router interface) blocks traffic going from inside to outside, and at the same time the source IP address is the router's WAN interface address.

Adding to my previous comment

ACLs are stateless, so you need to consider return traffic as well.

1- Traffic from inside to outside.

  A: First the inbound ACL on the LAN interface, then NAT, so you need to permit 192.168.10.0 as source in your ACL.

  B: Source NAT, then the outbound ACL on WAN. You need to permit the public IP used in NAT as source in your ACL (it is any any in your case).

2- Traffic from outside to inside.

  A: First the inbound ACL on WAN; you need to permit the public IP used in NAT as destination in your ACL.

  B: Destination NAT, then the outbound ACL on the LAN interface. You need to permit 192.168.10.0 as destination in your ACL (you do not have this ACL, so forget it).

Hope it helps,

Masoud
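The four checkpoints Masoud lists above, written out as one IOS configuration so the address each ACL must match is visible at the point it is evaluated. This is an added example, not configuration from the original poster or from Cisco: the interface names, the WAN address 203.0.113.2, the external server 198.51.100.10 and the NAT source list NAT_SOURCES are assumed placeholders; 192.168.10.0/24, port 670, the ACL names and the reflexive ACL to_INET come from the thread.

```cisco
! Assumed interface names and addresses (documentation ranges), not the poster's real ones
interface GigabitEthernet0/0
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip access-group INTERNET in
!
interface GigabitEthernet0/1
 description WAN
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group acl_WAN_in in
 ip access-group FROM_LAN out
!
! Checkpoint 1A: inbound on LAN, evaluated BEFORE source NAT,
! so the private source address is what the ACL sees.
ip access-list extended INTERNET
 remark match the pre-NAT private source; 198.51.100.10 is an assumed external host
 permit tcp 192.168.10.0 0.0.0.255 host 198.51.100.10 eq 670
 deny ip any any log
!
! Checkpoint 1B: outbound on WAN, evaluated AFTER source NAT,
! so the source is the WAN address; the reflexive entry records the translated flow.
ip access-list extended FROM_LAN
 permit ip any any reflect to_INET timeout 300
!
! Checkpoint 2A: inbound on WAN, evaluated BEFORE destination NAT,
! so return traffic is addressed to the public (WAN) IP, not to 192.168.10.x.
ip access-list extended acl_WAN_in
 permit tcp any host 203.0.113.2 eq 22
 permit icmp any host 203.0.113.2
 permit udp any host 203.0.113.2 eq ntp
 evaluate to_INET
 deny ip any any log
!
! Checkpoint 2B would be an outbound ACL on the LAN interface (none configured here).
!
! Overload NAT for the LAN; the source list name is assumed.
ip access-list standard NAT_SOURCES
 permit 192.168.10.0 0.0.0.255
ip nat inside source list NAT_SOURCES interface GigabitEthernet0/1 overload
```

With this layout the only ACL that should ever see ROUTER_WAN_IP as a source for LAN-originated traffic is FROM_LAN. If the log line "access-list INTERNET deny ROUTER_WAN_IP ..." appears, the packet reached the LAN-inbound ACL already translated, which is the symptom the thread is about and is worth checking against the IOS release notes, as the original poster's final reply suggests.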

Hello

Have you tried using domain-less NAT to accomplish this?

https://supportforums.cisco.com/discussion/12236031/how-can-i-get-work-nat

res

paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

aldrabkin
Level 1

The problem was solved by downgrading to IOS 15.4.3.

Thanks for help!
