02-22-2012 02:52 PM - edited 03-04-2019 03:23 PM
I have a Cisco 2650 with a simple config as follows:
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MaVI_Test
!
boot-start-marker
boot-end-marker
!
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface FastEthernet1/0
 ip address 1.1.1.2 255.255.255.248
 ip nat outside
 duplex auto
 speed auto
!
ip nat inside source route-map internet interface FastEthernet1/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
ip http server
no ip http secure-server
!
ip access-list extended internet
permit ip any any
!
!
route-map internet permit 10
 match ip address internet
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password vinakom
 login
!
!
end
With this config, I cannot telnet to 1.1.1.2 from outside. But when I change the access-list internet as follows:
ip access-list extended internet
no permit ip any any
permit ip 192.168.50.0 0.0.0.255 any
telnet to 1.1.1.2 works. Any reason for this behaviour? I guess it is related to NAT but can't figure out how.
Thanks
Mukundh
02-22-2012 04:16 PM
Hi,
That is the correct behavior. You should always use a specific address prefix and the correct mask
(in this case 192.168.50.0 0.0.0.255) and not any any.
For more info refer to this doc:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml
HTH
02-22-2012 04:24 PM
Hi Reza,
I actually saw this doc. Can you point me in this doc where there is an explanation as to why the specific address prefix should be used. I was unable to find it.
Mukundh
02-22-2012 04:44 PM
Hi,
It is a long Q&A; here is that section:
A. Yes. This can be accomplished through the use of an access list describing the set of hosts or networks that require NAT. All sessions on the same host will be either translated or will pass through the router and not be translated.
Access lists, extended access lists, and route maps can be used to define rules by which IP devices get translated. The network address and appropriate subnet mask should always be specified. The keyword any should not be used in place of the network...NAT FAQ, Best Practices and Deployment Guide for more detail). With a static NAT configuration, when a packet does not match any static rule, the packet is sent through without any translation.
HTH
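As an added illustration (not part of this thread or of any Cisco code), the following Python model evaluates an IOS extended access list with wildcard masks the way the NAT route-map consults it, and compares the two lists from the question on a few constructed addresses. It shows the point of the answer above: "permit ip any any" makes every source address a translation candidate, including the router's own outside address and a remote client, while the 192.168.50.0 0.0.0.255 entry only matches the inside LAN. The external client address 203.0.113.5 is a constructed documentation-range value.

```python
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a 0 bit in the wildcard must match exactly,
    a 1 bit is a don't-care (the wildcard is the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & (~w & 0xFFFFFFFF)) == 0


def parse_ace(line: str):
    """Parse 'permit|deny ip <src> <dst>' where each side is 'any',
    'host A.B.C.D' or 'A.B.C.D wildcard'. Returns (action, src, dst)."""
    tokens = line.split()
    action, rest, sides = tokens[0], tokens[2:], []
    while rest:
        if rest[0] == "any":
            sides.append(("0.0.0.0", "255.255.255.255")); rest = rest[1:]
        elif rest[0] == "host":
            sides.append((rest[1], "0.0.0.0")); rest = rest[2:]
        else:
            sides.append((rest[0], rest[1])); rest = rest[2:]
    return action, sides[0], sides[1]


def nat_candidate(acl, src: str, dst: str) -> bool:
    """First-match evaluation; the implicit deny at the end of an IOS ACL
    means 'not a candidate for translation'."""
    for line in acl:
        action, (sn, sw), (dn, dw) = parse_ace(line)
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False


# The two access lists from the question.
ACL_ANY = ["permit ip any any"]
ACL_LAN = ["permit ip 192.168.50.0 0.0.0.255 any"]

# Constructed sample addresses: an inside host, the router's own outside
# interface address from the config, and an external telnet client.
SOURCES = {"lan_host": "192.168.50.10", "router_outside": "1.1.1.2",
           "external_client": "203.0.113.5"}


def eligible_sources(acl, dst: str = "203.0.113.5") -> dict:
    """Which of the sample sources the given list marks for translation."""
    return {name: nat_candidate(acl, src, dst) for name, src in SOURCES.items()}
```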