[c-nsp] Weird ACL Translation - show run

Larry Smith lesmith at ecsis.net
Wed Aug 31 16:16:10 EDT 2005


On Wednesday 31 August 2005 15:06, noc ops wrote:
> Hi,
>
> Not sure if I'm missing something or what. But when I configured my 3640
> which is running c3640-jk9s-mz.122-4.T1.bin (not under warranty), I see
> below ACL output when I show run.
>
> Routing/NAT is taking place fine w/o any problems but the below ACL
> output is bothering me.
>
>
> Any insight will be appreciated.
>
>
> regards,
> /virendra
>
>
> config output:
> -------------------------------
> interface Ethernet0/1
>  description Uplink to RFC1918 network, facing towards inside
>  ip address 192.168.0.1 255.255.255.248
>  ip nat inside
>  half-duplex
>
> ip nat inside source list pat-addresses interface Ethernet0/0 overload
>
> ip access-list standard pat-addresses
>  permit 192.0.0.0 0.255.255.255 <------ ??
>
> --------------------------------
>
> I even tried doing and undoing the above ACL to no avail.
>
> deepspace(config)#ip access-list standard pat-addresses
> deepspace(config-std-nacl)#no permit 192.0.0.0 0.255.255.255
> deepspace(config-std-nacl)#permit 192.168.0.0 0.255.255.255
> deepspace(config-std-nacl)#^Z
>
> I even tried using permit 192.168.0.0 7.255.255.255
>
> I still see the same output, and yes, I'm using ip classless,
>
> ip access-list standard pat-addresses
>  permit 192.0.0.0 0.255.255.255
>
>
> Here's some basic NAT stats:
>
> deepspace#show ip nat statistics
> Total active translations: 34 (0 static, 34 dynamic; 34 extended)
> Outside interfaces:
>   Ethernet0/0
> Inside interfaces:
>   Ethernet0/1
> Hits: 663  Misses: 52
> Expired translations: 18
> Dynamic mappings:
> -- Inside Source
> access-list pat-addresses interface Ethernet0/0 refcount 34
>
>
> deepspace#show ip nat translations
> Pro Inside global         Inside local          Outside local          Outside global
> tcp Ethernet0/0:44708   192.168.0.2:44708     207.126.111.226:80     207.126.111.226:80
> tcp Ethernet0/0:44709   192.168.0.2:44709     207.126.111.226:80     207.126.111.226:80
> tcp Ethernet0/0:44710   192.168.0.2:44710     207.126.111.226:80     207.126.111.226:80
> tcp Ethernet0/0:44711   192.168.0.2:44711     207.126.111.226:80     207.126.111.226:80
> tcp Ethernet0/0:44712   192.168.0.2:44712     207.126.111.226:80     207.126.111.226:80
> tcp Ethernet0/0:44713   192.168.0.2:44713     207.126.111.226:80     207.126.111.226:80

The netmask you are using is forcing it to "class-a" type (0.255.255.255),
which is why it is chopping it to 192.0.0.0.

try:

no ip access-list standard pat-addresses
! re-enter the named list before adding the entry
ip access-list standard pat-addresses
permit 192.168.0.0 0.0.255.255
^Z

and see if that works...

-- 
Larry Smith
SysAd ECSIS.NET
sysad at ecsis.net
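Worked example, added to this archive page and not part of either message above: a short Python script that reproduces the normalisation IOS applies to a standard ACL entry (it clears every address bit that the wildcard marks as "don't care", so 192.168.0.0 with wildcard 0.255.255.255, or 7.255.255.255, is stored as 192.0.0.0) and audits what a show run line actually covers. The show-run excerpt inside it is constructed to mirror the one quoted above; ios_normalize, wildcard_matches, wildcard_prefix_len, acl_entry_for and audit_standard_acl are this example's own names, not IOS commands. Note the practical consequence: as stored, permit 192.0.0.0 0.255.255.255 matches every 192.x.x.x source, not just the 192.168.0.0/29 configured on Ethernet0/1, and anything routed in from that wider range would be translated too; deriving the wildcard from the interface prefix (0.0.0.7) keeps the NAT source list to the inside subnet.

```python
"""Added example (constructed for this archive page, not device output):
how IOS stores a standard ACL entry and what that entry really matches."""
import ipaddress
import re

ALL_ONES = 0xFFFFFFFF


def _ip_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def ios_normalize(address: str, wildcard: str) -> str:
    """Address IOS keeps for `permit <address> <wildcard>`.

    Every address bit under a wildcard 1-bit is a don't-care bit and is
    cleared, i.e. IOS stores address & ~wildcard.  With 0.255.255.255 only
    the first octet survives, so 192.168.0.0 collapses to 192.0.0.0.
    """
    kept = _ip_int(address) & ~_ip_int(wildcard) & ALL_ONES
    return str(ipaddress.IPv4Address(kept))


def wildcard_matches(host: str, address: str, wildcard: str) -> bool:
    """True if the entry matches `host` (only the wildcard 0-bits are compared)."""
    care = ~_ip_int(wildcard) & ALL_ONES
    return (_ip_int(host) & care) == (_ip_int(address) & care)


def wildcard_prefix_len(wildcard: str):
    """Prefix length if the wildcard is contiguous (0...01...1), else None."""
    mask = ~_ip_int(wildcard) & ALL_ONES
    if mask == 0:
        return 0                      # wildcard 255.255.255.255 == any
    lowest_one = mask & -mask
    if (mask + lowest_one) & ALL_ONES:
        return None                   # holes in the mask: no single prefix
    return bin(mask).count("1")


def acl_entry_for(prefix: str):
    """(address, wildcard) pair for a CIDR prefix, e.g. the inside subnet."""
    net = ipaddress.ip_network(prefix, strict=True)
    return str(net.network_address), str(net.hostmask)


# Constructed sample modelled on the show run excerpt in the thread.
SHOW_RUN_SAMPLE = """\
ip access-list standard pat-addresses
 permit 192.0.0.0 0.255.255.255
"""

_ENTRY = re.compile(
    r"^\s*(permit|deny)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)", re.M
)


def audit_standard_acl(show_run: str, inside_prefix: str) -> list:
    """Parse `permit/deny <addr> <wildcard>` lines and report their real scope."""
    inside = ipaddress.ip_network(inside_prefix, strict=True)
    report = []
    for match in _ENTRY.finditer(show_run):
        action, addr, wc = match.groups()
        stored = ios_normalize(addr, wc)
        plen = wildcard_prefix_len(wc)
        covered = ipaddress.ip_network(f"{stored}/{plen}") if plen is not None else None
        report.append({
            "action": action,
            "entry": f"{addr} {wc}",
            "stored_as": stored,
            "prefix_len": plen,
            "covers_inside": covered is not None and inside.subnet_of(covered),
            # strictly wider than the inside subnet: NAT would translate
            # sources the operator never meant to include
            "over_broad": covered is not None
            and covered.num_addresses > inside.num_addresses,
        })
    return report


if __name__ == "__main__":
    for entered, wc in [("192.168.0.0", "0.255.255.255"),
                        ("192.168.0.0", "7.255.255.255"),
                        ("192.168.0.0", "0.0.255.255"),
                        ("192.168.0.0", "0.0.0.7")]:
        print(f"permit {entered} {wc:16} -> stored as {ios_normalize(entered, wc)}")
    for row in audit_standard_acl(SHOW_RUN_SAMPLE, "192.168.0.0/29"):
        print(row)
    print("entry for the inside /29:", acl_entry_for("192.168.0.0/29"))
```

Running it shows the first two entries stored as 192.0.0.0 (exactly the symptom in the thread), the audit row flagged over_broad for a /8 against a /29 inside network, and 192.168.0.0 0.0.0.7 as the entry that covers only the inside subnet on Ethernet0/1.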
