Trouble with ACLs and NAT

jerry-kendall
Level 1

Hi there.

I am hoping someone can help me here.

Issue #1 PAT

I can't seem to get the PAT (overloaded NAT) working. The systems with IP addresses that are not statically NAT'd can reach out to the internet.

The systems with static NAT work fine and can reach out to the net and can be reached from the net via those ports where ACLs permit.

Issue #2 ACLs

Any systems in one VLAN can't seem to reach systems in another VLAN (ex: 192.168.101.10 can't ssh to 192.168.50.10) even though there is an ACL that 'should' permit it.

NOTE: I have PBR to force connections to go out to the external routers where they 'should' come back another vlan.

Any help would really be appreciated.

Jerry

Config is

----------------------

!

ip dhcp pool DHCP_VLAN-101-Network101

network 192.168.101.0 255.255.255.0

domain-name Network101.com

default-router 192.168.101.1

dns-server 192.168.101.10 192.168.101.11 192.168.101.12

!

!

!

ip domain name Network101.com

no ipv6 cef

multilink bundle-name authenticated

!

!

!

redundancy

!

!

ip ssh port 22 rotary 1

ip ssh version 2

!

track 1 interface GigabitEthernet0/1 line-protocol

track 2 interface GigabitEthernet0/0 line-protocol

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

no ip address

duplex auto

speed auto

!

interface GigabitEthernet0/0.25

description NET-INT-VLAN-25-Network25

encapsulation dot1Q 25

ip address 192.168.25.2 255.255.255.0

ip access-group ACL_RULES_VLAN-25-Network25 out

ip nat inside

ip virtual-reassembly in

ip policy route-map RMAP_VLAN-25-Network25

standby version 2

standby 25 ip 192.168.25.1

standby 25 timers msec 300 1

standby 25 priority 150

standby 25 authentication md5 key-string SomePassword

standby 25 name HSRP-25

standby 25 track 1 decrement 50

!

interface GigabitEthernet0/0.26

description NET-INT-VLAN-26-Network26

encapsulation dot1Q 26

ip address 192.168.26.2 255.255.255.0

ip access-group ACL_RULES_VLAN-26-Network26 out

ip nat inside

ip virtual-reassembly in

ip policy route-map RMAP_VLAN-26-Network26

standby version 2

standby 26 ip 192.168.26.1

standby 26 timers msec 300 1

standby 26 priority 150

standby 26 authentication md5 key-string SomePassword

standby 26 name HSRP-26

standby 26 track 1 decrement 50

!

interface GigabitEthernet0/0.27

description NET-INT-VLAN-27-Network27

encapsulation dot1Q 27

ip address 192.168.27.2 255.255.255.0

ip access-group ACL_RULES_VLAN-27-Network27 out

ip nat inside

ip virtual-reassembly in

ip policy route-map RMAP_VLAN-27-Network27

standby version 2

standby 27 ip 192.168.27.1

standby 27 timers msec 300 1

standby 27 priority 150

standby 27 authentication md5 key-string SomePassword

standby 27 name HSRP-27

standby 27 track 1 decrement 50

!

interface GigabitEthernet0/0.50

description NET-INT-VLAN-50-Network50

encapsulation dot1Q 50

ip address 192.168.50.2 255.255.255.0

ip access-group ACL_RULES_VLAN-50-Network50 out

ip nat inside

ip virtual-reassembly in

ip policy route-map RMAP_VLAN-50-Network50

standby version 2

standby 50 ip 192.168.50.1

standby 50 timers msec 300 1

standby 50 priority 150

standby 50 authentication md5 key-string SomePassword

standby 50 name HSRP-50

standby 50 track 1 decrement 50

!

interface GigabitEthernet0/0.101

description NET-INT-VLAN-101-Network101

encapsulation dot1Q 101

ip address 192.168.101.2 255.255.255.0

ip access-group ACL_RULES_VLAN-101-Network101 out

ip nat inside

ip virtual-reassembly in

ip policy route-map RMAP_VLAN-101-Network101

standby version 2

standby 101 ip 192.168.101.1

standby 101 timers msec 300 1

standby 101 priority 150

standby 101 authentication md5 key-string SomePassword

standby 101 name HSRP-101

standby 101 track 1 decrement 50

!

interface GigabitEthernet0/1

no ip address

duplex auto

speed auto

!

interface GigabitEthernet0/1.1025

description NET-EXT-VLAN-1025-Network25

encapsulation dot1Q 1025

ip address mm.mm.mm.189 255.255.255.240

ip nat outside

ip virtual-reassembly in

standby version 2

standby 1025 ip mm.mm.mm.190

standby 1025 timers msec 300 1

standby 1025 priority 150

standby 1025 authentication md5 key-string SomePassword

standby 1025 name HSRP-1025

standby 1025 track 2 decrement 50

!

interface GigabitEthernet0/1.1026

description NET-EXT-VLAN-1026-Network26

encapsulation dot1Q 1026

ip address mm.mm.mm.173 255.255.255.240

ip nat outside

ip virtual-reassembly in

standby version 2

standby 1026 ip mm.mm.mm.174

standby 1026 timers msec 300 1

standby 1026 priority 150

standby 1026 authentication md5 key-string SomePassword

standby 1026 name HSRP-1026

standby 1026 track 2 decrement 50

!

interface GigabitEthernet0/1.1027

description NET-EXT-VLAN-1027-Network27

encapsulation dot1Q 1027

ip address mm.mm.mm.205 255.255.255.240

ip nat outside

ip virtual-reassembly in

standby version 2

standby 1027 ip mm.mm.mm.206

standby 1027 timers msec 300 1

standby 1027 priority 150

standby 1027 authentication md5 key-string SomePassword

standby 1027 name HSRP-1027

standby 1027 track 2 decrement 50

!

interface GigabitEthernet0/1.1050

description NET-EXT-VLAN-1050-Network50

encapsulation dot1Q 1050

ip address nn.nn.nn.221 255.255.255.224

ip nat outside

ip virtual-reassembly in

standby version 2

standby 1050 ip nn.nn.nn.222

standby 1050 timers msec 300 1

standby 1050 priority 150

standby 1050 authentication md5 key-string SomePassword

standby 1050 name HSRP-1050

standby 1050 track 2 decrement 50

!

interface GigabitEthernet0/1.1101

description NET-EXT-VLAN-1101-Network101

encapsulation dot1Q 1101

ip address nn.nn.nn.125 255.255.255.128

ip nat outside

ip virtual-reassembly in

standby version 2

standby 1101 ip nn.nn.nn.126

standby 1101 timers msec 300 1

standby 1101 priority 150

standby 1101 authentication md5 key-string SomePassword

standby 1101 name HSRP-1101

standby 1101 track 2 decrement 50

!

interface GigabitEthernet0/0/0

no ip address

!

interface GigabitEthernet0/0/1

no ip address

!

interface GigabitEthernet0/0/2

no ip address

!

interface GigabitEthernet0/0/3

no ip address

!

interface Vlan1

no ip address

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

!

ip nat pool NAT_POOL_VLAN-25-Network25 mm.mm.mm.190 mm.mm.mm.190 prefix-length 28

ip nat pool NAT_POOL_VLAN-26-Network26 mm.mm.mm.174 mm.mm.mm.174 prefix-length 28

ip nat pool NAT_POOL_VLAN-27-Network27 mm.mm.mm.206 mm.mm.mm.206 prefix-length 28

ip nat pool NAT_POOL_VLAN-50-Network50 nn.nn.nn.222 nn.nn.nn.222 prefix-length 27

ip nat pool NAT_POOL_VLAN-101-Network101 nn.nn.nn.126 nn.nn.nn.126 prefix-length 25

ip nat inside source list ACL_INT_VLAN-25-Network25 pool NAT_POOL_VLAN-25-Network25 overload

ip nat inside source list ACL_INT_VLAN-26-Network26 pool NAT_POOL_VLAN-26-Network26 overload

ip nat inside source list ACL_INT_VLAN-27-Network27 pool NAT_POOL_VLAN-27-Network27 overload

ip nat inside source list ACL_INT_VLAN-50-Network50 pool NAT_POOL_VLAN-50-Network50 overload

ip nat inside source list ACL_INT_VLAN-101-Network101 pool NAT_POOL_VLAN-101-Network101 overload

ip nat inside source static 192.168.50.10 nn.nn.nn.196

ip nat inside source static 192.168.50.11 nn.nn.nn.197

ip nat inside source static 192.168.25.10 mm.mm.mm.180

ip nat inside source static 192.168.25.11 mm.mm.mm.181

ip nat inside source static 192.168.26.10 mm.mm.mm.165

ip nat inside source static 192.168.26.11 mm.mm.mm.166

ip nat inside source static 192.168.27.10 mm.mm.mm.197

ip nat inside source static 192.168.27.11 mm.mm.mm.198

ip nat inside source static 192.168.101.10 nn.nn.nn.10

ip nat inside source static 192.168.101.11 nn.nn.nn.11

!

!

!

!

ip access-list extended ACL_INT_VLAN-101-Network101

permit ip any 192.168.101.0 0.0.0.255

!

ip access-list extended ACL_INT_VLAN-25-Network25

permit ip any 192.168.25.0 0.0.0.255

!

ip access-list extended ACL_INT_VLAN-26-Network26

permit ip any 192.168.26.0 0.0.0.255

!

ip access-list extended ACL_INT_VLAN-27-Network27

permit ip any 192.168.27.0 0.0.0.255

!

ip access-list extended ACL_INT_VLAN-50-Network50

permit ip any 192.168.50.0 0.0.0.255

!

ip access-list extended ACL_RULES_VLAN-101-Network101

remark Allow established TCP connections to Network101

permit tcp any 192.168.101.0 0.0.0.255 established

remark FCl-NS1 UDP -> BOOTP(Client + Server)

permit udp any any eq bootps

permit udp any any eq bootpc

remark FCl-NS1 UDP -> DNS

remark FCl-NS1 UDP -> NTP

remark FCl-NS1 TCP -> SSH(22)

remark FCl-NS1 ECHO

permit tcp any host 192.168.101.10 eq 22

permit udp any host 192.168.101.10 eq domain

permit udp any eq domain host 192.168.101.10

permit icmp any host 192.168.101.10 echo-reply

permit icmp any host 192.168.101.10 echo

permit icmp any host 192.168.101.63 echo-reply

permit icmp any host 192.168.101.63 echo

remark FCl-NS2 UDP -> DNS

remark FCl-NS2 UDP -> NTP

remark FCl-NS2 TCP -> SSH

remark FCl-NS2 ECHO

permit tcp any host 192.168.101.11 eq 22

permit udp any host 192.168.101.11 eq domain

permit udp any eq domain host 192.168.101.11

permit icmp any host 192.168.101.11 echo-reply

permit icmp any host 192.168.101.11 echo

!

!

ip access-list extended ACL_RULES_VLAN-25-Network25

permit tcp any host 192.168.25.10 established

permit tcp any host 192.168.25.10 eq 22

permit udp any host 192.168.25.10 eq domain

permit udp any eq domain host 192.168.25.10

permit icmp any host 192.168.25.10 echo-reply

permit icmp any host 192.168.25.10 echo

permit tcp any host 192.168.25.11 established

permit tcp any host 192.168.25.11 eq 22

permit udp any host 192.168.25.11 eq domain

permit udp any eq domain host 192.168.25.11

permit icmp any host 192.168.25.11 echo-reply

permit icmp any host 192.168.25.11 echo

!

!

ip access-list extended ACL_RULES_VLAN-26-Network26

permit tcp any host 192.168.26.10 established

permit tcp any host 192.168.26.10 eq 22

permit udp any host 192.168.26.10 eq domain

permit udp any eq domain host 192.168.26.10

permit icmp any host 192.168.26.10 echo-reply

permit icmp any host 192.168.26.10 echo

permit tcp any host 192.168.26.11 established

permit tcp any host 192.168.26.11 eq 22

permit udp any host 192.168.26.11 eq domain

permit udp any eq domain host 192.168.26.11

permit icmp any host 192.168.26.11 echo-reply

permit icmp any host 192.168.26.11 echo

!

!

ip access-list extended ACL_RULES_VLAN-27-Network27

permit tcp any host 192.168.27.10 established

permit tcp any host 192.168.27.10 eq 22

permit udp any host 192.168.27.10 eq domain

permit udp any eq domain host 192.168.27.10

permit icmp any host 192.168.27.10 echo-reply

permit icmp any host 192.168.27.10 echo

permit tcp any host 192.168.27.11 established

permit tcp any host 192.168.27.11 eq 22

permit udp any host 192.168.27.11 eq domain

permit udp any eq domain host 192.168.27.11

permit icmp any host 192.168.27.11 echo-reply

permit icmp any host 192.168.27.11 echo

!

!

ip access-list extended ACL_RULES_VLAN-50-Network50

remark Allow established TCP connections

permit tcp any 192.168.50.0 0.0.0.255 established

remark DNS-SSH(22)-NTP to Name Server 1

permit tcp any host 192.168.50.10 eq 22

permit udp any host 192.168.50.10 eq domain

permit udp any eq domain host 192.168.50.10

permit icmp any host 192.168.50.10 echo-reply

permit icmp any host 192.168.50.10 echo

remark DNS-SSH(22)-NTP to Name Server 2

permit tcp any host 192.168.50.11 eq 22

permit udp any host 192.168.50.11 eq domain

permit udp any eq domain host 192.168.50.11

permit icmp any host 192.168.50.11 echo-reply

permit icmp any host 192.168.50.11 echo

!

!

route-map RMAP_VLAN-27-Network27 permit 10

set ip next-hop mm.mm.mm.193

!

route-map RMAP_VLAN-25-Network25 permit 10

set ip next-hop mm.mm.mm.177

!

route-map RMAP_VLAN-26-Network26 permit 10

set ip next-hop mm.mm.mm.161

!

route-map RMAP_VLAN-101-Network101 permit 10

set ip next-hop nn.nn.nn.1

!

route-map RMAP_VLAN-50-Network50 permit 10

set ip next-hop nn.nn.nn.193

!

!

!

control-plane

!

!

!

line con 0

length 50

width 150

stopbits 1

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

login local

rotary 1

length 50

width 150

transport input ssh

!

scheduler allocate 20000 1000

!

end
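To see which entry of an ACL a given flow actually hits, here is a small added example (not from the post and not Cisco code) that evaluates the tcp/udp/ip entries of the config's own NAT and outbound ACLs the way IOS does: top-down, first match wins, implicit deny at the end. It shows that an outbound flow from 192.168.101.10 to an internet address matches nothing in ACL_INT_VLAN-101-Network101 (the entry matches traffic destined *to* the inside network), while a constructed source-based variant does match; the sample flows and NAT_ACL_VLAN101_SRC are constructed for the demonstration, and the icmp entries are not handled.

```python
import ipaddress

# ACL lines copied from the router config in the post (tcp/udp/ip entries only).
NAT_ACL_VLAN101 = ["permit ip any 192.168.101.0 0.0.0.255"]
# Constructed comparison: the same ACL written to match the inside *source* network.
NAT_ACL_VLAN101_SRC = ["permit ip 192.168.101.0 0.0.0.255 any"]
OUT_ACL_VLAN50 = [
    "remark Allow established TCP connections",
    "permit tcp any 192.168.50.0 0.0.0.255 established",
    "permit tcp any host 192.168.50.10 eq 22",
    "permit udp any host 192.168.50.10 eq domain",
    "permit udp any eq domain host 192.168.50.10",
]
NAMED_PORTS = {"domain": 53, "bootps": 67, "bootpc": 68, "ssh": 22, "ntp": 123}


def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' plus an optional 'eq PORT'."""
    tok = tokens.pop(0)
    if tok == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif tok == "host":
        net = ipaddress.ip_network(tok_host := tokens.pop(0) + "/32")
    else:  # ipaddress accepts an IOS wildcard (host mask) after the slash
        net = ipaddress.ip_network(tok + "/" + tokens.pop(0), strict=False)
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        port = NAMED_PORTS[name] if name in NAMED_PORTS else int(name)
    return net, port


def acl_permits(acl, proto, src, sport, dst, dport, ack=False):
    """First matching entry wins; no match hits the implicit 'deny ip any any'."""
    for line in acl:
        tokens = line.split()
        if tokens[0] == "remark" or tokens[1] not in ("ip", proto):
            continue
        action, rest = tokens[0], tokens[2:]
        s_net, s_port = _parse_addr(rest)
        d_net, d_port = _parse_addr(rest)
        if ipaddress.ip_address(src) not in s_net or ipaddress.ip_address(dst) not in d_net:
            continue
        if (s_port is not None and s_port != sport) or (d_port is not None and d_port != dport):
            continue
        if "established" in rest and not ack:  # established = ACK or RST set
            continue
        return action == "permit"
    return False
```

On the router the same check is `show access-lists`, whose per-entry hit counters tell you which line a flow landed on.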

2 Replies

cadet alain
VIP Alumni

Hi,

Concerning your NAT overload, can you do this:

no ip nat inside source list ACL_INT_VLAN-25-Network25 pool NAT_POOL_VLAN-25-Network25 overload

no ip nat inside source list ACL_INT_VLAN-26-Network26 pool NAT_POOL_VLAN-26-Network26 overload

no ip nat inside source list ACL_INT_VLAN-27-Network27 pool NAT_POOL_VLAN-27-Network27 overload

no ip nat inside source list ACL_INT_VLAN-50-Network50 pool NAT_POOL_VLAN-50-Network50 overload

no ip nat inside source list ACL_INT_VLAN-101-Network101 pool NAT_POOL_VLAN-101-Network101 overload

route-map VLAN-25-Network25

match ip address ACL_INT_VLAN-25-Network25

match interface GigabitEthernet0/1.1025

route-map VLAN-26-Network26

match ip address ACL_INT_VLAN-26-Network26

match interface GigabitEthernet0/1.1026

route-map VLAN-27-Network27

match ip address ACL_INT_VLAN-27-Network27

match interface GigabitEthernet0/1.1027

route-map VLAN-50-Network50

match ip address ACL_INT_VLAN-50-Network50

match interface GigabitEthernet0/1.1050

route-map VLAN-101-Network101

match ip address ACL_INT_VLAN-101-Network101

match interface GigabitEthernet0/1.1101

ip nat inside source route-map VLAN-25-Network25 pool NAT_POOL_VLAN-25-Network25 overload

ip nat inside source route-map VLAN-26-Network26 pool NAT_POOL_VLAN-26-Network26 overload

ip nat inside source route-map VLAN-27-Network27 pool NAT_POOL_VLAN-27-Network27 overload

ip nat inside source route-map VLAN-50-Network50 pool NAT_POOL_VLAN-50-Network50 overload

ip nat inside source route-map VLAN-101-Network101 pool NAT_POOL_VLAN-101-Network101 overload

For the second problem, can you put an explicit deny ip any any at the end of your filtering ACLs and try to ssh from 101.10 to 50.10, and do sh access-list before and after to see if you see any hit count on the deny.

Regards

Alain

Don't forget to rate helpful posts.

Cadetalain,

I will give this a try, but it would be most helpful if I understood the impact of using a route map with the interface in addition to the acl vs using just the acl itself.

Jerry