[c-nsp] Access lists and NAT

Joseph Mays mays at win.net
Fri Mar 15 12:59:37 EDT 2013


I have the following LAN interface, which has two addresses, one of which is NATted.

interface FastEthernet0/1
ip address 216.24.4.185 255.255.255.248 secondary
ip address 192.168.0.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source list 50 interface FastEthernet0/0 overload

access-list 50 permit 192.168.0.0 0.0.0.255

I want to block traffic so that addresses on the 216.24.4.185/29 block can only speak to things in the larger 216.24.0.0/18 block. I want traffic from the 192.168.0.0/24 addresses to be NATted and able to go to the world.

I’ve tried a few different access lists, and sets of access lists, but I get pretty much the same result whatever I try. If, for instance, I put

ip access-list extended permit-phone-service-in
permit ip 216.24.4.184 0.0.0.7 216.24.0.0 0.0.63.255 log-input
permit ip 216.24.4.184 0.0.0.7 24.235.0.0 0.0.31.255 log-input
permit ip any 192.168.0.0 0.0.0.255 log-input
ip access-list extended permit-phone-service-out
permit ip 216.24.0.0 0.0.63.255 216.24.4.184 0.0.0.7 log-input
permit ip 24.235.0.0 0.0.31.255 216.24.4.184 0.0.0.7 log-input
permit ip 192.168.0.0 0.0.0.255 any log-input

And add the lines for those to the interface --

interface FastEthernet0/1
ip address 216.24.4.185 255.255.255.248 secondary
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip access-group permit-phone-service-out out
ip access-group permit-phone-service-in in
duplex auto
speed auto

Things in the 216.24.4.184/28 network block work fine and as desired. They still work for 216.24.0.0/18, but are blocked from outside of that.

Things in the 192.168.0.0/24 network block stop working completely, though. They can no longer get out from those addresses to the world. I think, but am not certain, that it may be breaking NAT for that network block.
HBMgmtOffice#show run
Building configuration...

Current configuration : 1499 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HBMgmtOffice
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$a.yY$AyH/z0cGnCoai.UL5i7Rw0
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa accounting delay-start
aaa session-id common
ip subnet-zero
ip cef
!
!
ip name-server 216.24.27.3
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.0.150 192.168.0.255
ip dhcp excluded-address 192.168.0.0 192.168.0.50
!
ip dhcp pool edge-dhcp-pool
   network 192.168.0.0 255.255.255.0
   dns-server 216.24.27.3
   default-router 192.168.0.1
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username admin password 7 094E5B0E0A0302160F
!
!
!
!
!
!
interface FastEthernet0/0
ip address 216.24.2.30 255.255.255.252
no ip proxy-arp
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 216.24.4.185 255.255.255.248 secondary
ip address 192.168.0.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source list 50 interface FastEthernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
!
access-list 20 permit 216.24.27.0 0.0.0.255
access-list 50 permit 192.168.0.0 0.0.0.255
!
snmp-server community wini4q5cust RO 20
snmp-server community mmn3gv5h RW 20
snmp-server tftp-server-list 20
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!

HBMgmtOffice#config t
Enter configuration commands, one per line.  End with CNTL/Z.
HBMgmtOffice(config)#ip access-list extended permit-phone-service-in
HBMgmtOffice(config-ext-nacl)#$84 0.0.0.7 216.24.0.0 0.0.63.255 log-input
HBMgmtOffice(config-ext-nacl)#$84 0.0.0.7 24.235.0.0 0.0.31.255 log-input
HBMgmtOffice(config-ext-nacl)# permit ip any 192.168.0.0 0.0.0.255 log-input
HBMgmtOffice(config-ext-nacl)#$ist extended permit-phone-service-out
HBMgmtOffice(config-ext-nacl)#$ 0.0.63.255 216.24.4.184 0.0.0.7 log-input
HBMgmtOffice(config-ext-nacl)#$ 0.0.31.255 216.24.4.184 0.0.0.7 log-input
HBMgmtOffice(config-ext-nacl)# permit ip 192.168.0.0 0.0.0.255 any log-input
HBMgmtOffice(config-ext-nacl)#
HBMgmtOffice(config-ext-nacl)#
HBMgmtOffice(config-ext-nacl)#exit
HBMgmtOffice(config)#exit
HBMgmtOffice#write mem
Building configuration...
[OK]
HBMgmtOffice#Connection closed by foreign host.
admin1> telnet 216.24.2.30
Trying 216.24.2.30...
Connected to 216-24-2-30.ip.win.net.
Escape character is '^]'.


User Access Verification

Username: admin
Password:

HBMgmtOffice>enable
Password:
HBMgmtOffice#
HBMgmtOffice#
HBMgmtOffice#
HBMgmtOffice#show run
Building configuration...

Current configuration : 1948 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HBMgmtOffice
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$a.yY$AyH/z0cGnCoai.UL5i7Rw0
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa accounting delay-start
aaa session-id common
ip subnet-zero
ip cef
!
!
ip name-server 216.24.27.3
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.0.150 192.168.0.255
ip dhcp excluded-address 192.168.0.0 192.168.0.50
!
ip dhcp pool edge-dhcp-pool
   network 192.168.0.0 255.255.255.0
   dns-server 216.24.27.3
   default-router 192.168.0.1
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username admin password 7 094E5B0E0A0302160F
!
!
!
!
!
!
interface FastEthernet0/0
ip address 216.24.2.30 255.255.255.252
no ip proxy-arp
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 216.24.4.185 255.255.255.248 secondary
ip address 192.168.0.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source list 50 interface FastEthernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
!
!
ip access-list extended permit-phone-service-in
permit ip 216.24.4.184 0.0.0.7 216.24.0.0 0.0.63.255 log-input
permit ip 216.24.4.184 0.0.0.7 24.235.0.0 0.0.31.255 log-input
permit ip any 192.168.0.0 0.0.0.255 log-input
ip access-list extended permit-phone-service-out
permit ip 216.24.0.0 0.0.63.255 216.24.4.184 0.0.0.7 log-input
permit ip 24.235.0.0 0.0.31.255 216.24.4.184 0.0.0.7 log-input
permit ip 192.168.0.0 0.0.0.255 any log-input
access-list 20 permit 216.24.27.0 0.0.0.255
access-list 50 permit 192.168.0.0 0.0.0.255
!
snmp-server community wini4q5cust RO 20
snmp-server community mmn3gv5h RW 20
snmp-server tftp-server-list 20
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

HBMgmtOffice#
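The behaviour described in the post can be reproduced offline. The following Python is an added example (not from the original post or any Cisco tool) that evaluates the posted access-list entries with Cisco wildcard-mask semantics against a few constructed flows, taking into account that on the `ip nat inside` interface the inbound ACL is checked before NAT (private source address) and the outbound ACL after NAT un-translation (private destination address). `ACL_IN_FIXED` / `ACL_OUT_FIXED` are my suggested correction, with source and destination of each list's third entry swapped; they are an assumption to verify on the router, and `198.51.100.10` is a constructed stand-in for an Internet host.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard mask: 0 bits must match the base address, 1 bits are "don't care".
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line):
    # Accepts "permit|deny ip <src> <wc> <dst> <wc> [log-input]"; "any" means 0.0.0.0 255.255.255.255.
    toks = line.split()
    pos = 2  # skip the action and the "ip" protocol keyword

    def take():
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return ("0.0.0.0", "255.255.255.255")
        pair = (toks[pos], toks[pos + 1])
        pos += 2
        return pair
    return toks[0], take(), take()

def evaluate(acl, src, dst):
    # First matching entry wins; every IOS ACL ends with an implicit deny.
    for action, (sb, sw), (db, dw) in (parse_ace(l) for l in acl):
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# Entries exactly as posted for Fa0/1 ("in" = LAN -> router, "out" = router -> LAN).
ACL_IN = ["permit ip 216.24.4.184 0.0.0.7 216.24.0.0 0.0.63.255",
          "permit ip 216.24.4.184 0.0.0.7 24.235.0.0 0.0.31.255",
          "permit ip any 192.168.0.0 0.0.0.255"]
ACL_OUT = ["permit ip 216.24.0.0 0.0.63.255 216.24.4.184 0.0.0.7",
           "permit ip 24.235.0.0 0.0.31.255 216.24.4.184 0.0.0.7",
           "permit ip 192.168.0.0 0.0.0.255 any"]
# Suggested fix (assumption, not from the post): 192.168.0.0/24 is the SOURCE of
# packets entering Fa0/1 and the DESTINATION of packets leaving it toward the LAN.
ACL_IN_FIXED = ACL_IN[:2] + ["permit ip 192.168.0.0 0.0.0.255 any"]
ACL_OUT_FIXED = ACL_OUT[:2] + ["permit ip any 192.168.0.0 0.0.0.255"]

def session_allowed(acl_in, acl_out, lan_host, remote):
    # Forward packet: the inbound ACL runs before inside->outside NAT, so the source
    # is still private. Reply: NAT un-translates first, so the outbound ACL sees the
    # private address as destination. Both directions must permit for a session to work.
    return (evaluate(acl_in, lan_host, remote) == "permit"
            and evaluate(acl_out, remote, lan_host) == "permit")

if __name__ == "__main__":
    for host, remote in [("216.24.4.186", "216.24.27.3"), ("216.24.4.186", "198.51.100.10"),
                         ("192.168.0.20", "198.51.100.10")]:
        print(host, "->", remote, "posted:", session_allowed(ACL_IN, ACL_OUT, host, remote),
              "fixed:", session_allowed(ACL_IN_FIXED, ACL_OUT_FIXED, host, remote))
```

With the posted lists a 192.168.0.0/24 host never matches the inbound ACL on its way out (its destination is not 192.168.0.0/24), so the implicit deny drops the packet before NAT is ever consulted; the NAT configuration itself is untouched.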