Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
295
Views
10
Helpful
3
Replies

Standard ACL (NOOB) Question

Craddockc
Level 3
Level 3

‎05-18-2017 11:53 AM - edited ‎03-08-2019 10:38 AM

Dear Community,

I feel like such a noob for asking this question but I ran into an interesting issue today wherein my router was not NATing traffic from an address that I had specified in my ACL. I wanted to add a couple of additional IPs to the ACL that was being referenced by the following statement:

ip nat inside source list 10 pool FIS overload

So I went ahead and added the IP's I wanted to add via the following:

(config)# access-list 10 permit 10.110.14.120

(config)# access-list 10 permit 10.110.14.121

(config)#show ip access-lists 10
Standard IP access list 10
40 permit 10.110.14.120 
50 permit 10.110.14.121 
10 permit 10.110.14.15 (967874 matches)
30 permit 10.110.14.26 (50 matches)
20 permit 10.110.14.16 (964860 matches)

No problem right? except for the fact that when I ran a show ip nat translations, the addresses were not being translated and the ACEs referencing the new IPs were not being matched. I eventually decided to write them in another way

(config)# ip access-list standard 10

(config-std-nacl)# permit 10.110.14.120

(config-std-nacl)# permit 10.110.14.121

After doing this it worked! So I guess my question is, does it always matter the way that the original IP Access list was written? It appears that this ACL was originally written in the latter way, so when I tried to add ACEs in the (config)# access-list 10 permit x.x.x.x way it failed, eventhough the ACEs showed up in the ACL, even after writing them in the "wrong" way.

(config)#show ip access-lists 10
Standard IP access list 10
40 permit 10.110.14.120 (2 matches)
50 permit 10.110.14.121 (2 matches)
10 permit 10.110.14.15 (967874 matches)
30 permit 10.110.14.26 (50 matches)
20 permit 10.110.14.16 (964860 matches)

Labels:
0 Helpful
3 Replies 3

Julio E. Moisa
VIP Alumni
VIP Alumni

‎05-18-2017 01:32 PM

Hi

Actually it should work on the both ways, I always prefer to use named ACL instead numbered. 

Just for testing you could clear the translations in order to verify or give a refresh.

clear ip nat translations. (try after business hours)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Craddockc
Level 3
Level 3
In response to Julio E. Moisa

‎05-18-2017 01:36 PM

Thanks Julio,

I also thought it should work both ways, but when it did not work it got me second guessing myself. I think ill lab it up in GNS3 and try again. 

0 Helpful

Julio E. Moisa
VIP Alumni
VIP Alumni
In response to Craddockc

‎05-18-2017 01:39 PM

You are welcome, yes it should work fine. 

For NATs or similar procedures named ACL are better because they are most manageable 

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
Customers Also Viewed These Support Documents