Trouble with NAT and ACLs
06-21-2018 10:29 AM - edited 03-05-2019 10:38 AM
I'm having a hard time getting NAT set up. I have my DIA coming in on G0/0/2. The ISP is providing me two IP blocks, XX.XXX.56.144/29 and XX.YYY.67.0/27.
All my devices are hung off G0/0/1 and the DMZ devices are off G0/0/1.400
I'm trying to use the ACL, DMZ-PERMIT to restrict what traffic hits the DMZ devices and prevent outside traffic from being able to reach my ASR via SSH, HTTPS etc.
With this configuration that appears to be working, BUT with "ip access-group DMZ-PERMIT in" in use, my NAT no longer works. Devices in the 10.40.0.x range are not able to get out on the internet. I can't even ping outside from the ASR. If I remove that ACL from the interface then NAT works again, but all my devices are fully exposed.
Any guidance on what I'm doing wrong?
interface GigabitEthernet0/0/1
ip address 10.40.0.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/1.400
encapsulation dot1Q 400
ip address XX.YYY.67.1 255.255.255.224
!
interface GigabitEthernet0/0/2
description COGENT DIA
ip address XX.XXX.56.146 255.255.255.248
ip nat outside
ip access-group DMZ-PERMIT in
no negotiation auto
!
ip nat pool COGENT-POOL XX.XXX.56.147 XX.XXX.56.151 netmask 255.255.255.248
ip nat inside source list 100 pool COGENT-POOL overload
!
ip route 0.0.0.0 0.0.0.0 XX.XXX.56.145
!
ip access-list extended DMZ-PERMIT
permit tcp any host XX.YYY.67.3 eq ftp
deny ip any host XX.XXX.56.146
permit tcp any host XX.YYY.67.3 range 5810 5890
permit tcp any host XX.YYY.67.4 eq 443
permit udp any host XX.YYY.67.4 eq 1194
!
access-list 100 permit ip 10.40.0.0 0.0.0.255 any
Labels: Other Routing
06-21-2018 10:50 AM
Hello,
did you try to add the line in bold?
ip access-list extended DMZ-PERMIT
permit tcp any host XX.YYY.67.3 eq ftp
deny ip any host XX.XXX.56.146
permit tcp any host XX.YYY.67.3 range 5810 5890
permit tcp any host XX.YYY.67.4 eq 443
permit udp any host XX.YYY.67.4 eq 1194
permit ip 10.40.0.0 0.0.0.255 any
06-21-2018 11:09 AM
Thanks Georg,
I added that line but still can't seem to get outside.
06-21-2018 11:34 AM
Hello,
looking at your access list again, I think the line in bold kills your returning NAT traffic:
ip access-list extended DMZ-PERMIT
permit tcp any host XX.YYY.67.3 eq ftp
deny ip any host XX.XXX.56.146
permit tcp any host XX.YYY.67.3 range 5810 5890
permit tcp any host XX.YYY.67.4 eq 443
permit udp any host XX.YYY.67.4 eq 1194
permit ip 10.40.0.0 0.0.0.255 any
What if you change that to:
permit ip any XX.XXX.56.144 0.0.0.7
06-21-2018 12:04 PM
Thanks Georg,
With that command NAT is working now, but... I'm back at the original problem of having the SSH, HTTPS and TELNET ports exposed to the public on the IP of the outside interface, x.x.56.146.
Is there a different way to designate which interface can reach those services? I really just want them exposed to the inside and mgmt port.
06-21-2018 12:19 PM
Hello,
I'll lab this in GNS3...will get back with you...
06-21-2018 02:17 PM
Hello,
here is what I have come up with:
First, you need static NAT entries for both the inside and the DMZ interface corresponding to the SSH/TELNET/HTTPS ports. You need to translate them to different outside ports, so when you access these ports from the outside, NAT knows what inside address they correspond to:
ip nat inside source static tcp 10.40.0.1 22 XX.XXX.56.146 9122
ip nat inside source static tcp XX.YYY.67.1 22 XX.XXX.56.146 9222
ip nat inside source static tcp 10.40.0.1 23 XX.XXX.56.146 9322
ip nat inside source static tcp XX.YYY.67.1 23 XX.XXX.56.146 9422
ip nat inside source static tcp 10.40.0.1 443 XX.XXX.56.146 9522
ip nat inside source static tcp XX.YYY.67.1 443 XX.XXX.56.146 9622
Then, your access list needs to look like this:
ip access-list extended DMZ-PERMIT
permit tcp any host XX.YYY.67.3 eq ftp
permit tcp any host XX.XXX.56.146 eq 9122
permit tcp any host XX.XXX.56.146 eq 9222
permit tcp any host XX.XXX.56.146 eq 9322
permit tcp any host XX.XXX.56.146 eq 9422
permit tcp any host XX.XXX.56.146 eq 9522
permit tcp any host XX.XXX.56.146 eq 9622
deny ip any host XX.XXX.56.146
permit ip any XX.XXX.56.147 0.0.0.7
permit ip any XX.XXX.56.148 0.0.0.7
permit ip any XX.XXX.56.149 0.0.0.7
permit ip any XX.XXX.56.150 0.0.0.7
permit ip any XX.XXX.56.151 0.0.0.7
permit tcp any host XX.YYY.67.3 range 5810 5890
permit tcp any host XX.YYY.67.4 eq 443
permit udp any host XX.YYY.67.4 eq 1194
permit ip 10.40.0.0 0.0.0.255 any
On a side note, XX.XXX.56.151 is the broadcast address for the network, I don't think it is a usable address...
Give this a try...
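The following is an added example, not part of the thread and not anything the posters ran: a small first-match evaluator for IOS extended ACL semantics (first matching entry wins, implicit deny at the end, wildcard bits set to 1 mean "don't care"). It walks the same packets through each version of DMZ-PERMIT from the thread to show why the original list, and the `permit ip 10.40.0.0 0.0.0.255 any` variant, drop the NAT return traffic while the `permit ip any XX.XXX.56.144 0.0.0.7` variant and the final list pass it, and why the final list still blocks port 22 on the outside address while passing the static-mapped port 9122. The key point it relies on is that IOS evaluates an inbound ACL on the outside interface before the outside-to-inside NAT translation, so a reply to a PAT'd 10.40.0.x host arrives with a pool address as its destination, not a 10.40.0.x address. The addresses are constructed stand-ins: 203.0.113.144/29 for the redacted XX.XXX.56.144/29, 198.51.100.0/27 for XX.YYY.67.0/27, and 192.0.2.10 as an arbitrary internet host; the function names are this example's own.

```python
from ipaddress import IPv4Address

# Constructed stand-ins for the thread's redacted blocks (RFC 5737 ranges).
OUTSIDE_BLOCK = "203.0.113.144"      # XX.XXX.56.144/29
ROUTER_OUTSIDE = "203.0.113.146"     # XX.XXX.56.146, address on G0/0/2
NAT_POOL_FIRST = "203.0.113.147"     # first address of COGENT-POOL
DMZ_FTP = "198.51.100.3"             # XX.YYY.67.3
DMZ_VPN = "198.51.100.4"             # XX.YYY.67.4

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' = base 0.0.0.0, wildcard all ones

def host(ip):
    """'host X' is shorthand for wildcard 0.0.0.0, i.e. an exact match."""
    return (ip, "0.0.0.0")

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)

def ace(action, proto, src, dst, ports=None):
    """One access-list entry; ports is an inclusive (lo, hi) on the destination port."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "ports": ports}

def eq(port):
    return (port, port)

def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for e in acl:
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *e["src"]):
            continue
        if not wildcard_match(pkt["dst"], *e["dst"]):
            continue
        if e["ports"] is not None:
            lo, hi = e["ports"]
            if not (lo <= pkt.get("dport", -1) <= hi):
                continue
        return e["action"]
    return "deny"

# The ACL versions as they appear in the thread, in order.
ORIGINAL = [
    ace("permit", "tcp", ANY, host(DMZ_FTP), eq(21)),
    ace("deny", "ip", ANY, host(ROUTER_OUTSIDE)),
    ace("permit", "tcp", ANY, host(DMZ_FTP), (5810, 5890)),
    ace("permit", "tcp", ANY, host(DMZ_VPN), eq(443)),
    ace("permit", "udp", ANY, host(DMZ_VPN), eq(1194)),
]
WITH_INSIDE_PERMIT = ORIGINAL + [ace("permit", "ip", ("10.40.0.0", "0.0.0.255"), ANY)]
WITH_POOL_PERMIT = ORIGINAL + [ace("permit", "ip", ANY, (OUTSIDE_BLOCK, "0.0.0.7"))]
FINAL = (
    [ace("permit", "tcp", ANY, host(DMZ_FTP), eq(21))]
    + [ace("permit", "tcp", ANY, host(ROUTER_OUTSIDE), eq(p))
       for p in (9122, 9222, 9322, 9422, 9522, 9622)]
    + [ace("deny", "ip", ANY, host(ROUTER_OUTSIDE))]
    + [ace("permit", "ip", ANY, (f"203.0.113.{n}", "0.0.0.7")) for n in range(147, 152)]
    + ORIGINAL[2:]
    + [ace("permit", "ip", ("10.40.0.0", "0.0.0.255"), ANY)]
)

# Constructed packets as seen inbound on G0/0/2.  The inbound ACL is checked
# before the outside-to-inside NAT translation, so the reply to a PAT'd
# 10.40.0.x host still carries the pool address as its destination here.
NAT_REPLY = {"proto": "tcp", "src": "192.0.2.10", "dst": NAT_POOL_FIRST, "dport": 40321}
SSH_TO_ROUTER = {"proto": "tcp", "src": "192.0.2.10", "dst": ROUTER_OUTSIDE, "dport": 22}
SSH_VIA_STATIC = {"proto": "tcp", "src": "192.0.2.10", "dst": ROUTER_OUTSIDE, "dport": 9122}
DMZ_HTTPS = {"proto": "tcp", "src": "192.0.2.10", "dst": DMZ_VPN, "dport": 443}

def walk_thread():
    """Verdict each ACL version from the thread gives to the sample packets."""
    return {
        "original_nat_reply": evaluate(ORIGINAL, NAT_REPLY),
        "inside_permit_nat_reply": evaluate(WITH_INSIDE_PERMIT, NAT_REPLY),
        "pool_permit_nat_reply": evaluate(WITH_POOL_PERMIT, NAT_REPLY),
        "pool_permit_ssh_to_router": evaluate(WITH_POOL_PERMIT, SSH_TO_ROUTER),
        "final_ssh_to_router": evaluate(FINAL, SSH_TO_ROUTER),
        "final_ssh_via_static": evaluate(FINAL, SSH_VIA_STATIC),
        "final_nat_reply": evaluate(FINAL, NAT_REPLY),
        "final_dmz_https": evaluate(FINAL, DMZ_HTTPS),
    }

def pool_lines_cover_same_hosts():
    """Each 'permit ip any 203.0.113.N 0.0.0.7' line (N = 147..151) matches the whole /29."""
    return all(wildcard_match(f"203.0.113.{h}", f"203.0.113.{n}", "0.0.0.7")
               for n in range(147, 152) for h in range(144, 152))

if __name__ == "__main__":
    for name, verdict in walk_thread().items():
        print(f"{name:28s} {verdict}")
    print("five pool lines are equivalent:", pool_lines_cover_same_hosts())
```

Two things the walk makes visible. The `permit ip 10.40.0.0 0.0.0.255 any` line never matches inbound on the outside interface because nothing arriving from the internet has a 10.40.0.x source, which is why adding it changed nothing. And the five `permit ip any XX.XXX.56.14N 0.0.0.7` lines in the final list are one line written five times: with wildcard 0.0.0.7 the base address's low three bits are ignored, so each of them covers .144 through .151, including the router's own .146; the only reason port 22 on .146 stays closed is that `deny ip any host XX.XXX.56.146` sits above them, so that ordering must be preserved. For the six high-port permits, replacing `any` in the source field with the management prefix that should reach the router would narrow the exposure further than the thread's version does.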
