[c-nsp] Access lists and NAT

Joseph Mays mays at win.net
Fri Mar 15 16:32:48 EDT 2013


Whoops. I was working on another issue the last couple of days so admittedly 
haven't been getting as much sleep as I should. I meant to strip the 
complete config off the end of the message rather than sending it to the 
list along with the passwords. What I intended to do and what happened were 
two different things. Anyway, passwords have been changed. Getting back to 
the initial question....

> I have the following LAN interface, which has two addresses, one of
> which is NATted.
>
> interface FastEthernet0/1
> ip address 216.24.4.185 255.255.255.248 secondary
> ip address 192.168.0.1 255.255.255.0
> ip nat inside
> duplex auto
> speed auto
> !
> ip nat inside source list 50 interface FastEthernet0/0 overload
>
> access-list 50 permit 192.168.0.0 0.0.0.255
>
> I want to block traffic so that addresses on the 216.24.4.185/29
> block can only speak to things in the larger 216.24.0.0/18 block. I
> want traffic from the 196.168.0/24 address to be NATted and able to
> go to the world.
>
> I’ve tried a few different access lists, and sets of access lists,
> but I get pretty much the same result whatever I try. If for
> instance, I put
>
> ip access-list extended permit-phone-service-in
> permit ip 216.24.4.184 0.0.0.7 216.24.0.0 0.0.63.255 log-input
> permit ip 216.24.4.184 0.0.0.7 24.235.0.0 0.0.31.255 log-input
> permit ip any 192.168.0.0 0.0.0.255 log-input
> ip access-list extended permit-phone-service-out
> permit ip 216.24.0.0 0.0.63.255 216.24.4.184 0.0.0.7 log-input
> permit ip 24.235.0.0 0.0.31.255 216.24.4.184 0.0.0.7 log-input
> permit ip 192.168.0.0 0.0.0.255 any log-input
>
> And add the lines for those to the interface --
>
> interface FastEthernet0/1
> ip address 216.24.4.185 255.255.255.248 secondary
> ip address 192.168.0.1 255.255.255.0
> ip nat inside
> ip access-group permit-phone-service-out out
> ip access-group permit-phone-service-in in
> duplex auto
> speed auto
>
> Things in the 216.24.4.184/28 network block work fine and as desired.
> They still work for 216.24.0.0/18, but are blocked from outside of
> that.
>
> Things in the 192.168.0.0/24 network block stop working completely,
> though. They can no longer get out from those addresses to the
> world. I think, but am not certain, that it may be breaking NAT for
> that network block.
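To check the interaction the post describes, here is an added Python model (not from the post or from Cisco) of IOS wildcard-mask ACL matching with the implicit trailing deny, loaded with the two named ACLs exactly as quoted above; it assumes the standard IOS order of operations in which the inbound ACL on the inside interface is evaluated on the untranslated packet before inside-to-outside NAT, so NAT never gets a chance to act on a packet the `in` ACL has already dropped.

```python
# Added example, not the poster's config: a small model of Cisco IOS
# wildcard-mask ACL evaluation (first match wins, implicit "deny any" at
# the end).  NAT is deliberately not modelled: a packet entering Fa0/1 from
# the LAN is filtered by the "in" ACL before inside->outside translation.
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True if addr matches base under a Cisco wildcard mask (1 bits = don't care)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_lookup(acl, src, dst):
    """Return (action, matching_line) for the first entry that matches src/dst."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action, f"{action} ip {s_base} {s_wc} {d_base} {d_wc}"
    return "deny", "implicit deny any"

ANY = ("0.0.0.0", "255.255.255.255")   # IOS keyword "any"

# The two ACLs as quoted in the post ("log-input" has no effect on matching).
PERMIT_PHONE_SERVICE_IN = [
    ("permit", "216.24.4.184", "0.0.0.7", "216.24.0.0", "0.0.63.255"),
    ("permit", "216.24.4.184", "0.0.0.7", "24.235.0.0", "0.0.31.255"),
    ("permit", *ANY, "192.168.0.0", "0.0.0.255"),
]
PERMIT_PHONE_SERVICE_OUT = [
    ("permit", "216.24.0.0", "0.0.63.255", "216.24.4.184", "0.0.0.7"),
    ("permit", "24.235.0.0", "0.0.31.255", "216.24.4.184", "0.0.0.7"),
    ("permit", "192.168.0.0", "0.0.0.255", *ANY),
]

def trace_lan_packet(src, dst):
    """Packet arriving on Fa0/1 from the LAN: hits 'ip access-group ... in'."""
    return acl_lookup(PERMIT_PHONE_SERVICE_IN, src, dst)

def trace_to_lan_packet(src, dst):
    """Packet leaving Fa0/1 toward the LAN: hits 'ip access-group ... out'."""
    return acl_lookup(PERMIT_PHONE_SERVICE_OUT, src, dst)

if __name__ == "__main__":
    # Constructed sample flows: one phone-block host and one RFC1918 LAN host.
    for src, dst in [("216.24.4.186", "216.24.1.1"),
                     ("216.24.4.186", "8.8.8.8"),
                     ("192.168.0.10", "8.8.8.8")]:
        print(f"LAN->router {src} -> {dst}: {trace_lan_packet(src, dst)}")
```

Running it shows the 192.168.0.0/24 host falling through to the implicit deny of the `in` ACL (only the `out` ACL permits that block as a source), which matches the symptom reported for that network.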