4 Replies Latest reply: Nov 8, 2018 9:27 AM by David

    Trouble with NAT and ACL pt. 2

    Damori

      I started this in another thread ( Having trouble implementing NAT and ACLs ) and my question was answered, but another issue/question arose, so I started a new thread.

       

      When I take this ACE out of the ACL I can't reach the internet.... Why?

       

      TopRouter(config)#do sh access-lists

      Standard IP access list NAT_ADDRESSES

          10 permit 192.168.2.0, wildcard bits 0.0.0.255 (19694 matches)

          20 permit 192.168.3.0, wildcard bits 0.0.0.255 (32266 matches)

          30 permit 192.168.4.0, wildcard bits 0.0.0.255

          40 permit any (55599 matches)

      TopRouter(config)#ip access-list standard NAT_ADDRESSES

      TopRouter(config-std-nacl)#no  permit 192.168.2.0 0.0.0.255

      TopRouter(config-std-nacl)#no permit 192.168.3.0 0.0.0.255

      TopRouter(config-std-nacl)#no permit 192.168.4.0 0.0.0.255

      TopRouter(config-std-nacl)#do sh access-lists

      Standard IP access list NAT_ADDRESSES

          40 permit any (56541 matches)

      TopRouter(config-std-nacl)#do ping 4.2.2.2

      Type escape sequence to abort.

      Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:

      !!!!!

      Success rate is 100 percent (5/5)

      ^^^^ Still have internet connection ^^^^

       

      TopRouter(config-std-nacl)#permit 192.168.4.0 0.0.0.255

      TopRouter(config-std-nacl)#permit 192.168.3.0 0.0.0.255

      TopRouter(config-std-nacl)#permit 192.168.2.0 0.0.0.255

      TopRouter(config-std-nacl)#permit 192.168.1.0 0.0.0.255

      TopRouter(config-std-nacl)#do sh access-lists

      Standard IP access list NAT_ADDRESSES

          40 permit any (56684 matches)

          50 permit 192.168.4.0, wildcard bits 0.0.0.255

          60 permit 192.168.3.0, wildcard bits 0.0.0.255

          70 permit 192.168.2.0, wildcard bits 0.0.0.255

          80 permit 192.168.1.0, wildcard bits 0.0.0.255

      TopRouter(config-std-nacl)#no  permit any

      TopRouter(config-std-nacl)#do sh access-lists

      Standard IP access list NAT_ADDRESSES

          50 permit 192.168.4.0, wildcard bits 0.0.0.255

          60 permit 192.168.3.0, wildcard bits 0.0.0.255

          70 permit 192.168.2.0, wildcard bits 0.0.0.255

          80 permit 192.168.1.0, wildcard bits 0.0.0.255

       

      TopRouter(config-std-nacl)#do ping 4.2.2.2

      Type escape sequence to abort.

      Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:

      .....

      Success rate is 0 percent (0/5)

      TopRouter(config-std-nacl)#

       

      ^^^^^NO INTERNET CONNECTION^^^^


       

        • 1. Re: Trouble with NAT and ACL pt. 2
          Martin

          By default every ACL action is to deny. There is an implicit deny any at the end of every ACL.

          So whatever you have not mentioned as "permit" is denied unless permit any is there. Since you removed permit any from the ACL, the ping fails!

           

          Notice permit any with 56541 matches when you ping 4.2.2.2.

          • 2. Re: Trouble with NAT and ACL pt. 2
            Damori

            Martin, I understand your first part, but that didn't answer my question....

            So my network(s) are all 192.168.0.0/16.....


            So I have 3 PCs:

            192.168.1.51

            192.168.2.52

            192.168.3.53

             

            They are connected to fa0/0.2, fa0/0.3, fa0/0.4.

             

            So what I'm not getting is, since I put all 3 subnets in the permit:

             

                1 permit 192.168.0.0, wildcard bits 0.0.0.255 (1589 matches)

                2 permit 192.168.1.0, wildcard bits 0.0.0.255 (12 matches)

                3 permit 192.168.2.0, wildcard bits 0.0.0.255 (147 matches)

                4 permit 192.168.3.0, wildcard bits 0.0.0.255 (56 matches)

                ^^^^^^^^^^^ DOES NOT WORK^^^^^^^^^^^^^^


            Why can't I ping/get out to the internet unless I put permit any?


                1 permit 192.168.0.0, wildcard bits 0.0.0.255 (1589 matches)

                2 permit 192.168.1.0, wildcard bits 0.0.0.255 (12 matches)

                3 permit 192.168.2.0, wildcard bits 0.0.0.255 (147 matches)

                4 permit 192.168.3.0, wildcard bits 0.0.0.255 (56 matches)

                5 permit any (39735 matches)

                ^^^^^^^^ WORKS ^^^^^^^^^^^^^^

            • 3. Re: Trouble with NAT and ACL pt. 2
              Ing_Percy

              Hi!

               

              About your configuration:

              ========================================

              TopRouter(config-std-nacl)#do sh access-lists

              Standard IP access list NAT_ADDRESSES

                  40 permit any (56684 matches)

                  50 permit 192.168.4.0, wildcard bits 0.0.0.255

                  60 permit 192.168.3.0, wildcard bits 0.0.0.255

                  70 permit 192.168.2.0, wildcard bits 0.0.0.255

                  80 permit 192.168.1.0, wildcard bits 0.0.0.255

              TopRouter(config-std-nacl)#no  permit any

              TopRouter(config-std-nacl)#do sh access-lists

              Standard IP access list NAT_ADDRESSES

                  50 permit 192.168.4.0, wildcard bits 0.0.0.255

                  60 permit 192.168.3.0, wildcard bits 0.0.0.255

                  70 permit 192.168.2.0, wildcard bits 0.0.0.255

                  80 permit 192.168.1.0, wildcard bits 0.0.0.255

              =====================================

               

              The correct way to delete an ACL statement is by using the sequence number, as in the example:

               

              TopRouter(config-std-nacl)#no 40


              Best regards!

              • 4. Re: Trouble with NAT and ACL pt. 2
                David

                Do you have an explicit Permit Any Any at the end of your ACL? If not, then the default implicit Deny Any Any at the end takes effect.
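As an added example (not from the thread), a small Python simulation of how a standard ACL evaluates a source address in order, with the wildcard-mask semantics and the implicit deny that Martin and David describe. The ACEs are the ones from the second post; the non-192.168 address 203.0.113.10 is a constructed stand-in for a source that none of the specific lines cover, so it is only caught by permit any.

```python
import ipaddress

# Standard ACL NAT_ADDRESSES as shown in the thread's second post:
# (sequence, action, network, wildcard). "permit any" is 0.0.0.0 with
# wildcard 255.255.255.255.
ACL_WITHOUT_ANY = [
    (1, "permit", "192.168.0.0", "0.0.0.255"),
    (2, "permit", "192.168.1.0", "0.0.0.255"),
    (3, "permit", "192.168.2.0", "0.0.0.255"),
    (4, "permit", "192.168.3.0", "0.0.0.255"),
]
ACL_WITH_ANY = ACL_WITHOUT_ANY + [(5, "permit", "0.0.0.0", "255.255.255.255")]


def ace_matches(source, network, wildcard):
    """Cisco wildcard semantics: a 1 bit means 'don't care', a 0 bit must match."""
    src = int(ipaddress.IPv4Address(source))
    net = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (src & care) == (net & care)


def evaluate(acl, source):
    """Return (action, sequence) of the first matching ACE, or the implicit deny."""
    for seq, action, network, wildcard in acl:
        if ace_matches(source, network, wildcard):
            return action, seq
    return "deny", None  # implicit deny at the end of every ACL


def match_counts(acl, sources):
    """Per-ACE hit counters, like the '(N matches)' column of 'show access-lists'."""
    counts = {seq: 0 for seq, *_ in acl}
    for source in sources:
        _action, seq = evaluate(acl, source)
        if seq is not None:
            counts[seq] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample: the three PCs from the thread plus one address
    # (203.0.113.10, documentation range) that no specific line covers.
    sample = ["192.168.1.51", "192.168.2.52", "192.168.3.53", "203.0.113.10"]
    for acl, name in ((ACL_WITHOUT_ANY, "without permit any"),
                      (ACL_WITH_ANY, "with permit any")):
        print(name, {s: evaluate(acl, s) for s in sample}, match_counts(acl, sample))
```

The three PC addresses hit lines 2 to 4 with or without permit any; only a source outside 192.168.0.0 through 192.168.3.255 depends on permit any to avoid the implicit deny.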