Does Extended Access-lists work with NAT Overload, having problems getting it to work ?

Andre Liverod
Level 1

We have a working configuration where a Cisco 1921 router NAT overloads the inside networks. It uses a standard access list. Now I need to create a VPN tunnel and need to exempt some traffic. I therefore have to use an extended access list for this. But it does not work. When changing the access list it asks if I want to clear the current NAT table and I say yes. But with the extended list it does not overload anything at all. Why is this? Running version 15.5 on the router.

Here is the command used for overload:

ip nat inside source list ACL_STA_NAT interface GigabitEthernet0/0 overload

Here is the standard access list:

ip access-list standard ACL_STA_NAT
permit 10.0.1.0 0.0.0.255
permit 10.0.2.0 0.0.0.255
permit 10.0.4.0 0.0.0.255
permit 10.0.10.0 0.0.0.255
permit 10.0.255.0 0.0.0.255
permit 172.16.100.0 0.0.0.255
permit 10.0.11.0 0.0.0.255


Here are the extended access lists that do not work. I have tried two versions and it is the same with both: nothing happens. What am I missing here?

ip access-list extended NAT_ACL
permit 20 10.0.1.0 0.0.0.255 any
permit 21 10.0.2.0 0.0.0.255 any
permit 22 10.0.4.0 0.0.0.255 any
permit 23 10.0.10.0 0.0.0.255 any
permit 24 10.0.255.0 0.0.0.255 any
permit 25 172.16.100.0 0.0.0.255 any
permit 26 10.0.11.0 0.0.0.255 any

ip access-list extended NAT_ACL
permit 20 10.0.1.0 0.0.0.255 0.0.0.0 0.0.0.0
permit 21 10.0.2.0 0.0.0.255 0.0.0.0 0.0.0.0
permit 22 10.0.4.0 0.0.0.255 0.0.0.0 0.0.0.0
permit 23 10.0.10.0 0.0.0.255 0.0.0.0 0.0.0.0
permit 24 10.0.255.0 0.0.0.255 0.0.0.0 0.0.0.0
permit 25 172.16.100.0 0.0.0.255 0.0.0.0 0.0.0.0
permit 26 10.0.11.0 0.0.0.255 0.0.0.0 0.0.0.0



Hello,

try using a numbered instead of a named ACL, e.g. access-list 101 instead of NAT_ACL. I have seen IOS versions where the named ACLs do not work...

I tried just now to change it to numbered, but it did not work, but thanks for answering. It seems that for some reason it only registers when using a standard access list. When I swap back to a standard access list it starts working right away. I will post the full config of the router here, maybe you can see the issue. There is a working VPN config already on the virtual interface. What I am trying to do is make a site-to-site VPN on Gi0/0. As far as I have tested, my VPN config works (not included here) and my only problem is getting the exempt ACL to work, and for this I need an extended ACL.

ip domain name xxx.xx
ip cef
l2tp-class CLASS-CENSORED-L2TP
authentication
password 7 xxxxxxxxx
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
chat-script lte "" "AT!CALL" TIMEOUT 60 "OK"
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn xxxxxxxxx
license boot module c1900 technology-package datak9
!
!
username xxxxxxxx secret 5 xxxxxxxx
!
redundancy
!
crypto ikev2 proposal 10
encryption aes-cbc-256 aes-cbc-128 3des
integrity sha1
group 2
crypto ikev2 proposal 30
encryption aes-cbc-256
integrity sha1
group 14
!
crypto ikev2 policy 10
proposal 10
crypto ikev2 policy 30
proposal 30
!
crypto ikev2 keyring XXXX-VPN-XXXX
peer 62.148.57.250
address 62.148.57.250
pre-shared-key fjyd4gni
!
!
!
crypto ikev2 profile XXXX-VPN-XXXX
match address local x.x.x.x
match identity remote address x.x.x.x 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local XXXX-VPN-XXXX
!
!
!
controller Cellular 0/0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
pseudowire-class XXXX-L2TP
! Incomplete config [Unconfigured ip local interface]
encapsulation l2tpv2
protocol l2tpv2 CLASS-XXXX-L2TP
ip local interface Cellular0/0/0
!
!
!
!
crypto ipsec transform-set SET_AES256SHA esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile XXXX-VPN-XXXX
set transform-set SET_AES256SHA
set ikev2-profile XXXX-VPN-XXXX
redundancy IPSEC-HA stateful
!
!
!
!
!
!
!
interface Loopback0
description -- Management Loopback
ip address 172.31.15.100 255.255.255.255
!
interface Tunnel341052
description -- IPSec-Tunnell
ip address 10.10.10.10 255.255.255.254
ip tcp adjust-mss 1350
tunnel source x.x.x.x
tunnel mode ipsec ipv4
tunnel destination x.x.x.x
tunnel protection ipsec profile XXXX-VPN-XXXX
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description -- Outside
ip address x.x.x.x 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
description -- Inside
ip address 10.0.10.250 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Cellular0/0/0
ip address negotiated
ip mtu 1492
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer string lte
dialer-group 1
!
interface Cellular0/0/1
no ip address
encapsulation slip
!
interface Virtual-PPP1
description -- L2TP-Tunnell
ip address negotiated
ip virtual-reassembly in
ppp chap hostname xxxx@xxxx.com
ppp chap password 0 xxxxx
pseudowire x.x.x.x 1 encapsulation l2tpv2 pw-class XXX-L2TP
! Incomplete or Invalid Xconnect config
!
router bgp 65001
bgp log-neighbor-changes
network 10.0.2.0 mask 255.255.255.0
network 10.0.4.0 mask 255.255.255.0
network 10.0.11.0 mask 255.255.255.0
network 172.16.100.0 mask 255.255.255.0
network 172.31.15.100 mask 255.255.255.255
neighbor 10.10.10.10 remote-as xxxxx
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list ACL_STA_NAT interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.0.1.0 255.255.255.0 10.0.10.4
ip route 10.0.2.0 255.255.255.0 10.0.10.4
ip route 10.0.4.0 255.255.255.0 10.0.10.4
ip route 10.0.11.0 255.255.255.0 10.0.10.4
ip route 10.0.34.0 255.255.255.0 Virtual-PPP1 250
ip route 10.0.255.0 255.255.255.0 10.0.10.4
ip route 172.16.100.0 255.255.255.0 10.0.10.4
ip route x.x.x.x 255.255.255.255 Cellular0/0/0 250
ip route x.x.x.x 255.255.255.240 Virtual-PPP1 250
!
ip access-list standard ACL_STA_NAT
permit 10.0.1.0 0.0.0.255
permit 10.0.2.0 0.0.0.255
permit 10.0.4.0 0.0.0.255
permit 10.0.10.0 0.0.0.255
permit 10.0.255.0 0.0.0.255
permit 172.16.100.0 0.0.0.255
permit 10.0.11.0 0.0.0.255
!
ip sla 1
icmp-echo x.x.x.x
ip sla schedule 1 life forever start-time now
dialer-list 1 protocol ip permit
!
!
snmp-server community xxxxx RO 99
access-list 98 permit x.x.x.x 0.0.1.255
access-list 98 permit 10.0.0.0 0.0.255.255
access-list 99 permit x.x.x.x
access-list 99 permit x.x.x.x 0.0.0.63
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 0/0/0
script dialer lte
no exec
line 0/0/1
no exec
line vty 0 4
access-class 98 in
transport input telnet ssh
line vty 5 15
access-class 98 in
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server x.x.x.x
!

Accepted Solution

Hello,

as far as I can see, your access list doesn't deny the traffic that needs to go through the VPN. Also, a route map probably works better.

Try the following (the two deny lines are the traffic that you want to go through the VPN, so replace the source and destination with your own networks):

ip nat inside source route-map NO_NAT interface GigabitEthernet0/0 overload
ip access-list extended NAT_ACL
deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 10.0.2.0 0.0.1.255 any
permit ip 10.0.1.0 0.0.0.255 any
permit ip 10.0.2.0 0.0.0.255 any
permit ip 10.0.4.0 0.0.0.255 any
permit ip 10.0.10.0 0.0.0.255 any
permit ip 10.0.255.0 0.0.0.255 any
permit ip 172.16.100.0 0.0.0.255 any
permit ip 10.0.11.0 0.0.0.255 any

route-map NO_NAT permit 10
match ip address NAT_ACL
match interface GigabitEthernet0/0

Using a route-map worked! Thanks a lot for the suggestion. My final config ended up looking like this:

ip nat inside source route-map NONAT interface GigabitEthernet0/0 overload


route-map NONAT permit 10
match ip address 110

access-list 110 remark NAT exemption access-list
access-list 110 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.2.0 0.0.0.255 any
access-list 110 permit ip 10.0.4.0 0.0.0.255 any
access-list 110 permit ip 10.0.10.0 0.0.0.255 any
access-list 110 permit ip 10.0.255.0 0.0.0.255 any
access-list 110 permit ip 172.16.100.0 0.0.0.255 any
access-list 110 permit ip 10.0.11.0 0.0.0.255 any
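The thread never spells out why the first two extended lists translated nothing while the route-map version works, so here is an added example (not code from the thread, from the poster, or from Cisco) that applies the IOS ACL matching rules to the lists posted above. Two facts drive the result. First, in an IOS extended ACL the token after `permit`/`deny` is the protocol field, and a bare number there is an IP protocol number, so `permit 20 10.0.1.0 0.0.0.255 any` matches only IP protocol 20, never TCP or UDP; a sequence number goes in front, as in `20 permit ip ...`. Second, under `ip nat inside source list` or `route-map`, a `deny` (explicit or the implicit one at the end) means "do not translate", not "drop", and first match wins, so the exemption `deny` must come before the `permit` that covers the same source. The evaluator below supports only the syntax used in the thread; the sample packets, the 203.0.113.0/24 destination (a documentation range), the sequenced variant `SEQUENCED_NAMED` and the mis-ordered list `DENY_AFTER_PERMIT` are constructed for the example.

```python
"""Evaluator for the Cisco IOS extended access-list subset used in this thread.
Added example (not code from the thread or from Cisco): it applies the
first-match / implicit-deny rules of an IOS ACL and reports the NAT outcome.
Syntax handled: [access-list N] [seq] {permit|deny} <proto> <src> <dst>
with <src>/<dst> = any | host A.B.C.D | A.B.C.D WILDCARD, and <proto> =
ip/icmp/tcp/udp or a raw IP protocol number (0-255)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

PROTO_NAMES = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}  # None = any protocol


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int          # IP protocol number of the packet, e.g. 6 for TCP


@dataclass(frozen=True)
class Ace:
    action: str         # "permit" or "deny"
    proto: Optional[int]
    src: tuple          # (address, wildcard) as ints
    dst: tuple


def _parse_addr(tokens, i):
    """Parse one address field at tokens[i]; return ((addr, wildcard), next_i)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1]))), i + 2


def parse_acl(text):
    """Ordered list of entries; header, remark and route-map lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "route-map", "match", "!"):
            continue
        if tokens[0] == "access-list":
            tokens = tokens[2:]            # numbered form: drop "access-list N"
        if tokens[0].isdigit():
            tokens = tokens[1:]            # named form: a LEADING number is a sequence number
        if tokens[0] == "remark":
            continue
        action, proto_tok = tokens[0], tokens[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"unexpected ACE: {line!r}")
        # A number AFTER permit/deny is the protocol field: 'permit 20 ...'
        # matches IP protocol 20 only, while 'permit ip ...' matches everything.
        proto = PROTO_NAMES[proto_tok] if proto_tok in PROTO_NAMES else int(proto_tok)
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(action, proto, src, dst))
    return aces


def _wild_match(field, ip):
    addr, wc = field
    mask = ~wc & 0xFFFFFFFF            # a set wildcard bit means "don't care"
    return (int(IPv4Address(ip)) & mask) == (addr & mask)


def evaluate(aces, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in aces:
        if ((ace.proto is None or ace.proto == pkt.proto)
                and _wild_match(ace.src, pkt.src) and _wild_match(ace.dst, pkt.dst)):
            return ace.action
    return "deny"


def nat_decision(aces, pkt):
    """Under 'ip nat inside source {list|route-map}' a permit means translate;
    a deny (explicit or implicit) means forward untranslated. Nothing is dropped."""
    return "translate" if evaluate(aces, pkt) == "permit" else "no-nat"


# ACL text from the thread (first lines of each list), plus two added variants.
OP_EXTENDED_V1 = "ip access-list extended NAT_ACL\npermit 20 10.0.1.0 0.0.0.255 any\npermit 21 10.0.2.0 0.0.0.255 any"
OP_EXTENDED_V2 = "permit 21 10.0.2.0 0.0.0.255 0.0.0.0 0.0.0.0"
SEQUENCED_NAMED = "20 permit ip 10.0.1.0 0.0.0.255 any\n21 permit ip 10.0.2.0 0.0.0.255 any"  # added: real sequence numbers
FINAL_ACL_110 = """access-list 110 remark NAT exemption access-list
access-list 110 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.2.0 0.0.0.255 any
access-list 110 permit ip 10.0.4.0 0.0.0.255 any"""
DENY_AFTER_PERMIT = """access-list 111 permit ip 10.0.2.0 0.0.0.255 any
access-list 111 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255"""  # added: wrong order

# Constructed sample packets (203.0.113.0/24 is a documentation range).
TO_INTERNET = Packet("10.0.2.25", "203.0.113.10", 6)   # TCP from inside to the internet
TO_VPN_SITE = Packet("10.0.2.25", "10.0.1.40", 6)      # TCP from inside to the VPN site

if __name__ == "__main__":
    for name, text in [("OP v1", OP_EXTENDED_V1), ("OP v2", OP_EXTENDED_V2),
                       ("sequenced", SEQUENCED_NAMED), ("final 110", FINAL_ACL_110),
                       ("deny after permit", DENY_AFTER_PERMIT)]:
        aces = parse_acl(text)
        print(f"{name:18} internet={nat_decision(aces, TO_INTERNET):9} vpn={nat_decision(aces, TO_VPN_SITE)}")
```

Run as-is, the first list reports `no-nat` for ordinary TCP traffic (only protocol 20/21 would match), the second version additionally pins the destination to host 0.0.0.0, and the final `access-list 110` translates internet-bound traffic while leaving 10.0.2.0/24 to 10.0.1.0/24 untranslated; swap the deny below the permit and the VPN traffic is translated again. Two checks worth doing on the router after changing a NAT ACL: `show access-lists 110` to confirm the deny line is taking hits for VPN-bound flows, and `show ip nat translations` to confirm no translations exist for the exempt pair (clear stale entries with `clear ip nat translation *`, which is the prompt the poster saw). Note also that the final list has no line for 10.0.1.0/24, which the original standard list did have, so hosts in that subnet are no longer translated; whether that is intended is not stated in the thread.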
