[c-nsp] Access lists and NAT

Marc Redeker marc.redeker at keronet.de
Fri Mar 15 16:54:36 EDT 2013


Hi Joseph,

you just need to swap the third line of the ACLs:

ip access-list extended permit-phone-service-in
permit ip 216.24.4.184 0.0.0.7 216.24.0.0 0.0.63.255 log-input
permit ip 216.24.4.184 0.0.0.7 24.235.0.0 0.0.31.255 log-input
permit ip 192.168.0.0 0.0.0.255 any log-input

ip access-list extended permit-phone-service-out
permit ip 216.24.0.0 0.0.63.255 216.24.4.184 0.0.0.7 log-input
permit ip 24.235.0.0 0.0.31.255 216.24.4.184 0.0.0.7 log-input
permit ip any 192.168.0.0 0.0.0.255 log-input


Regards,
Marc

----- Original Message -----
> From: "Joseph Mays" <mays at win.net>
> To: cisco-nsp at puck.nether.net
> Sent: Friday, 15 March 2013 21:32:48
> Subject: Re: [c-nsp] Access lists and NAT
> 
> Whoops. I was working on another issue the last couple of days so
> admittedly haven't been getting as much sleep as I should. I meant to
> strip the complete config off the end of the message rather than sending
> it to the list along with the passwords. What I intended to do and what
> happened were two different things. Anyway, passwords have been changed.
> Getting back to the initial question....
> 
> > I have the following LAN interface, which has two addresses, one of
> > which is NATted.
> >
> > interface FastEthernet0/1
> > ip address 216.24.4.185 255.255.255.248 secondary
> > ip address 192.168.0.1 255.255.255.0
> > ip nat inside
> > duplex auto
> > speed auto
> > !
> > ip nat inside source list 50 interface FastEthernet0/0 overload
> >
> > access-list 50 permit 192.168.0.0 0.0.0.255
> >
> > I want to block traffic so that addresses on the 216.24.4.185/29
> > block can only speak to things in the larger 216.24.0.0/18 block. I
> > want traffic from the 196.168.0/24 address to be NATted and able to
> > go to the world.
> >
> > I’ve tried a few different access lists, and sets of access lists,
> > but I get pretty much the same result whatever I try. If for
> > instance, I put
> >
> > ip access-list extended permit-phone-service-in
> > permit ip 216.24.4.184 0.0.0.7 216.24.0.0 0.0.63.255 log-input
> > permit ip 216.24.4.184 0.0.0.7 24.235.0.0 0.0.31.255 log-input
> > permit ip any 192.168.0.0 0.0.0.255 log-input
> > ip access-list extended permit-phone-service-out
> > permit ip 216.24.0.0 0.0.63.255 216.24.4.184 0.0.0.7 log-input
> > permit ip 24.235.0.0 0.0.31.255 216.24.4.184 0.0.0.7 log-input
> > permit ip 192.168.0.0 0.0.0.255 any log-input
> >
> > And add the lines for those to the interface --
> >
> > interface FastEthernet0/1
> > ip address 216.24.4.185 255.255.255.248 secondary
> > ip address 192.168.0.1 255.255.255.0
> > ip nat inside
> > ip access-group permit-phone-service-out out
> > ip access-group permit-phone-service-in in
> > duplex auto
> > speed auto
> >
> > Things in the 216.24.4.184/28 network block work fine and as
> > desired.
> > They still work for 216.24.0.0/18, but are blocked from outside of
> > that.
> >
> > Things in the 192.168.0.0/24 network block stop working completely,
> > though. They can no longer get out from those addresses to the
> > world. I think, but am not certain, that it may be breaking NAT for
> > that network block.
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
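The reason Marc's swap works is the order in which IOS evaluates ACLs and NAT on an `ip nat inside` interface: the inbound ACL on FastEthernet0/1 runs before inside-to-outside translation, so it sees the 192.168.0.0/24 source, and the outbound ACL runs after outside-to-inside translation, so it sees 192.168.0.0/24 as the destination. The following simulation is an added example, not code from the thread or from Cisco: it models that order of operations for a single-packet round trip, applies wildcard matching to Joseph's original ACLs and to the swapped ones, and reports which flows survive. The phone, LAN, and Internet host addresses it uses are constructed, the Fa0/0 global address is a placeholder (it is not on the page), and the model is deliberately reduced to `permit ip` entries with no ports or connection state.

```python
"""Simulate ACL-versus-NAT order of operations on an 'ip nat inside' interface.

Added example, not part of the original thread. Inside-to-outside: inbound
ACL on Fa0/1, then NAT (access-list 50 decides who gets translated).
Outside-to-inside: NAT un-translation first, then the outbound ACL on Fa0/1.
"""
import ipaddress


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(addr) & care) == (_ip(net) & care)


def acl_permits(entries, src: str, dst: str) -> bool:
    """First matching 'permit ip' entry wins; no match hits the implicit deny."""
    for src_net, src_wc, dst_net, dst_wc in entries:
        if wildcard_match(src, src_net, src_wc) and wildcard_match(dst, dst_net, dst_wc):
            return True
    return False


ANY = ("0.0.0.0", "255.255.255.255")
PHONES = ("216.24.4.184", "0.0.0.7")      # the /29 on Fa0/1 (secondary address)
LAN = ("192.168.0.0", "0.0.0.255")        # the NATted LAN, also access-list 50
BLOCK_18 = ("216.24.0.0", "0.0.63.255")
BLOCK_19 = ("24.235.0.0", "0.0.31.255")

# ACLs exactly as Joseph posted them (third lines the wrong way round).
ORIGINAL_IN = [PHONES + BLOCK_18, PHONES + BLOCK_19, ANY + LAN]
ORIGINAL_OUT = [BLOCK_18 + PHONES, BLOCK_19 + PHONES, LAN + ANY]
# ACLs with the third lines swapped, as Marc proposes.
SWAPPED_IN = [PHONES + BLOCK_18, PHONES + BLOCK_19, LAN + ANY]
SWAPPED_OUT = [BLOCK_18 + PHONES, BLOCK_19 + PHONES, ANY + LAN]

OUTSIDE_GLOBAL = "203.0.113.1"  # placeholder for Fa0/0's address (not on the page)


def inside_to_outside(acl_in, src: str, dst: str):
    """Inbound ACL on Fa0/1 runs BEFORE NAT, so it sees the inside-local source.
    Returns the source as the outside world sees it, or None if the ACL dropped it."""
    if not acl_permits(acl_in, src, dst):
        return None
    if wildcard_match(src, *LAN):          # access-list 50: only the LAN is translated
        return OUTSIDE_GLOBAL
    return src                             # phones are not in list 50, no translation


def outside_to_inside(acl_out, src: str, dst_global: str, inside_local: str) -> bool:
    """NAT un-translates the destination first; the outbound ACL on Fa0/1 then
    sees the inside-local destination."""
    dst = inside_local if dst_global == OUTSIDE_GLOBAL else dst_global
    return acl_permits(acl_out, src, dst)


def round_trip(acl_in, acl_out, src: str, dst: str) -> bool:
    """True if a packet from src reaches dst AND the reply makes it back to src."""
    as_seen = inside_to_outside(acl_in, src, dst)
    if as_seen is None:
        return False
    return outside_to_inside(acl_out, dst, as_seen, src)


def evaluate(acl_in, acl_out) -> dict:
    """Constructed flows: a phone to the /18, a phone to the Internet, a LAN host to the Internet."""
    return {
        "phone_to_/18": round_trip(acl_in, acl_out, "216.24.4.186", "216.24.1.1"),
        "phone_to_internet": round_trip(acl_in, acl_out, "216.24.4.186", "198.51.100.7"),
        "lan_to_internet": round_trip(acl_in, acl_out, "192.168.0.10", "198.51.100.7"),
    }


if __name__ == "__main__":
    print("original:", evaluate(ORIGINAL_IN, ORIGINAL_OUT))
    print("swapped: ", evaluate(SWAPPED_IN, SWAPPED_OUT))
```

With the original ACLs the LAN flow dies at the inbound check, because `permit ip any 192.168.0.0 0.0.0.255` can never match a packet whose destination is the Internet; with the swapped ACLs the phones still reach only 216.24.0.0/18 and 24.235.0.0/19, and the LAN round trip succeeds because the outbound ACL is matched against the already un-translated 192.168.0.x destination.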
