[c-nsp] NAT through loopback on 7200/G2 and (reflexive) ACLs

Rutger Bevaart rutger at netnova.nl
Tue Nov 29 08:50:42 EST 2011


Hello list,

I've set up a Cisco 7200 (NPE G2) for NAT of a private range to a pool of public addresses. This took quite some time to get up and running as the Cisco configs shown online didn't work as expected.

Setup is as follows:
gi0/1 is the "inside" interface, gi0/2 is the "outside" interface, loopback0 has a dummy address X.Y.Z.6/32. The "outside" interface speaks eBGP with an upstream box. All clients are (currently) in a /24 on the inside with the router being the default gateway.

Current config (relevant part):
!
interface Loopback0
ip address X.Y.Z.6 255.255.255.255
no ip redirects
no ip unreachables
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip proxy-arp
duplex auto
speed 1000
media-type sfp
negotiation auto
no cdp enable
!
interface GigabitEthernet0/1.100
description nqt-internet
encapsulation dot1Q 10
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/2
description upstream
ip address A.B.C.70 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
ip policy route-map route-through-loopback
duplex auto
speed 1000
media-type sfp
negotiation auto
!
ip nat pool CLIENTS X.Y.Z.1 X.Y.Z.1 prefix-length 29
ip nat inside source list 20 pool CLIENTS overload
!
access-list 20 remark ACL for traffic to NAT/PAT
access-list 20 permit 192.168.1.0 0.0.0.255
!
access-list 101 permit ip any 192.168.1.0 0.0.0.255
!
route-map route-through-loopback permit 10
match ip address 101
set interface Loopback0
!
ip access-list extended ipv4-filter-in
evaluate ipv4-reflex-in
permit udp host 8.8.8.8 eq domain any
deny   ip any any log
ip access-list extended ipv4-filter-out
permit ip any any reflect ipv4-reflex-in timeout 30
!

This all works as expected. Outbound traffic originating from 192.168.1.0/24 is PAT translated to X.Y.Z.1/32... all is well ;-) Now for the interesting part! I'm using a reflexive ACL to filter inbound traffic. I apply this access-list as follows:

int gi0/2 <--- the "outside" interface
ip access-group ipv4-filter-out out
ip access-group ipv4-filter-in in

This works perfectly as the reflexive ACL nicely matches the translated traffic. Now, if I remove the "deny ip any any log" from the access-list ipv4-filter-in it DOESN'T work anymore! Only removing the "log" keyword causes all permits to fail... no traffic is going through. Even explicitly permitted traffic does not pass back in from the "outside" interface.

The only reason I can think of for this to work only with the "log" keyword anywhere in the acl is that the checking of the ACL is done by the RP instead of a faster mechanism. But how to accomplish the goal to filter on the outside interface? 

Any clues?

Regards,
Rutger
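Added example, not part of the original post or of Cisco's code: a small Python model of the packet path on gi0/2 in the configuration above, to show why the reflexive entries built by ipv4-filter-out line up with the evaluate in ipv4-filter-in. It assumes Cisco's documented order of operations (inside-to-outside traffic is NAT-translated before the outside interface's outbound ACL runs; outside-to-inside traffic hits the outside interface's inbound ACL before NAT un-translates it), and uses X.Y.Z.1 and constructed remote addresses as placeholders.

```python
from dataclasses import dataclass

PUBLIC_IP = "X.Y.Z.1"       # the pool address from the post (placeholder)
INSIDE_NET = "192.168.1."   # access-list 20: 192.168.1.0/24

@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class OutsideInterface:
    """Models gi0/2: PAT overload plus the reflexive ACL pair from the post."""
    def __init__(self, reflex_timeout=30):
        self.timeout = reflex_timeout
        self.pat = {}     # (inside src, sport) -> translated source port
        self.reflex = {}  # expected return 5-tuple -> expiry time (seconds)

    def _translate(self, pkt):
        # ip nat inside source list 20 pool CLIENTS overload
        if not pkt.src.startswith(INSIDE_NET):
            return pkt
        port = self.pat.setdefault((pkt.src, pkt.sport), 1024 + len(self.pat))
        return Pkt(pkt.proto, PUBLIC_IP, port, pkt.dst, pkt.dport)

    def send_out(self, pkt, now):
        """inside -> outside: NAT runs first, then ipv4-filter-out (reflect)."""
        t = self._translate(pkt)
        # permit ip any any reflect ipv4-reflex-in timeout 30
        # The mirrored entry therefore holds the *translated* address X.Y.Z.1.
        self.reflex[(t.proto, t.dst, t.dport, t.src, t.sport)] = now + self.timeout
        return t

    def receive_in(self, pkt, now):
        """outside -> inside: ipv4-filter-in sees the packet before un-NAT."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.reflex and self.reflex[key] > now:  # evaluate ipv4-reflex-in
            return "permit (reflexive)"
        if pkt.proto == "udp" and pkt.src == "8.8.8.8" and pkt.sport == 53:
            return "permit (static)"  # permit udp host 8.8.8.8 eq domain any
        return "deny"  # deny ip any any log
```

The model covers only ACL matching and the 30-second reflexive timeout; it does not model why the "log" keyword changes the forwarding path.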

