Guys,
I'm scratching my head and think I've forgotten something fundamentally basic.
There's a router with NAT and ACLs applied to the outside interface as follows:
BB1 --- (54.1.8.0/24) ---- R6 --- (174.1.0.0)
                           |
                     Loopback0 (150.1.6.6)
ip access-list extended RFC2827-INBOUND
 deny ip 174.1.0.0 0.0.255.255 any log
 deny ip 150.1.0.0 0.0.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 permit ip any any
!
ip access-list extended RFC2827-OUTBOUND
 permit ip 174.1.0.0 0.0.255.255 any
 permit ip 150.1.0.0 0.0.255.255 any
 permit ip 10.0.0.0 0.0.0.255 any
 deny ip any any log
!
ip access-list extended NAT-ACL
 permit ip 150.1.0.0 0.0.255.255 any
!
interface Loopback0
 ip address 150.1.6.6 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 ip address 54.1.8.6 255.255.255.0
 ip nat outside
 ip access-group RFC2827-OUTBOUND out
 ip access-group RFC2827-INBOUND in
!
ip nat pool NAT-POOL 192.168.1.50 192.168.1.50 prefix-length 24
ip nat inside source list NAT-ACL pool NAT-POOL overload
I'm leaving off all routing sections for brevity.
What I don't understand is why I'm able to reach BB1 if I ping it from R6
sourcing from Loopback0.
The router R6 makes a translation from 150.1.6.6 to 192.168.1.50:

R6(config)#do sh ip nat trans
Pro  Inside global      Inside local       Outside local      Outside global
icmp 192.168.1.50:31    150.1.6.6:31       54.1.8.254:31      54.1.8.254:31
Then, according to the packet processing order, I'd assume the outgoing ACL
(RFC2827-OUTBOUND) would kick in and drop the packet that originates from
192.168.1.51.
That doesn't happen; the return packet hits the RFC2827-INBOUND ACL and gets
permitted. Thus my ping to BB1 is successful. What am I missing?
Eugene
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
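The scenario in the post, modelled as an added example (this is not code from the post or from the mailing list). It transcribes the three ACLs, the NAT rule and the addresses above, and assumes the Cisco IOS order of operations as documented by Cisco: on the inside-to-outside path, inside-to-outside NAT runs before the outbound ACL on the outside interface, so that ACL sees the inside global address; on the outside-to-inside path, the inbound ACL is checked before outside-to-inside NAT, so it sees the inside global address as the destination. It also assumes the documented IOS behaviour that an outbound interface ACL is not applied to packets the router itself originates, which is what a ping sourced from Loopback0 is. The inside host 150.1.6.10 used for the comparison is a hypothetical host behind an `ip nat inside` LAN interface that the post does not have, and the `log` keyword is ignored.

```python
import ipaddress

# "any" in IOS ACL syntax: base 0.0.0.0 with an all-ones wildcard
ANY = ("0.0.0.0", "255.255.255.255")

# ACL entries as (action, (src_base, src_wildcard), (dst_base, dst_wildcard)),
# transcribed from the post; the 'log' keyword has no effect on matching here.
RFC2827_INBOUND = [
    ("deny",   ("174.1.0.0", "0.0.255.255"),   ANY),
    ("deny",   ("150.1.0.0", "0.0.255.255"),   ANY),
    ("deny",   ("10.0.0.0",  "0.255.255.255"), ANY),
    ("permit", ANY,                            ANY),
]
RFC2827_OUTBOUND = [
    ("permit", ("174.1.0.0", "0.0.255.255"), ANY),
    ("permit", ("150.1.0.0", "0.0.255.255"), ANY),
    ("permit", ("10.0.0.0",  "0.0.0.255"),   ANY),  # wildcard exactly as posted
    ("deny",   ANY,                          ANY),
]
NAT_ACL = [("permit", ("150.1.0.0", "0.0.255.255"), ANY)]
INSIDE_GLOBAL = "192.168.1.50"  # the single address in NAT-POOL, overloaded


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def inside_to_outside(src, dst, router_generated):
    """Inside->outside path on the outside interface.

    Assumed IOS order: inside->outside NAT first, then the outbound ACL.
    Assumed IOS behaviour: the outbound ACL is not applied to packets the
    router itself originates. Returns (forwarded, source_on_wire, trace).
    """
    trace = []
    wire_src = src
    if acl_permits(NAT_ACL, src, dst):
        wire_src = INSIDE_GLOBAL
        trace.append(f"NAT {src} -> {wire_src}")
    if router_generated:
        trace.append("outbound ACL not evaluated: router-originated packet")
        return True, wire_src, trace
    ok = acl_permits(RFC2827_OUTBOUND, wire_src, dst)
    trace.append(f"outbound ACL {'permits' if ok else 'denies'} src {wire_src}")
    return ok, wire_src, trace


def outside_to_inside(src, dst_global, nat_table):
    """Return path: the inbound ACL is checked on the untranslated packet
    (destination = inside global), then outside->inside NAT applies."""
    if not acl_permits(RFC2827_INBOUND, src, dst_global):
        return False, None
    return True, nat_table.get(dst_global, dst_global)


def ping_from_loopback(bb1="54.1.8.254"):
    """R6 pings BB1 sourcing from Loopback0, as in the post."""
    ok, wire_src, trace = inside_to_outside("150.1.6.6", bb1, router_generated=True)
    if not ok:
        return False, trace
    nat_table = {wire_src: "150.1.6.6"}  # inside global -> inside local
    reply_ok, inside_dst = outside_to_inside(bb1, wire_src, nat_table)
    trace.append(f"reply to {wire_src}: inbound ACL "
                 f"{'permits' if reply_ok else 'denies'}, delivered to {inside_dst}")
    return reply_ok and inside_dst == "150.1.6.6", trace


def transit_from_inside_host(src="150.1.6.10", bb1="54.1.8.254"):
    """Hypothetical host on an 'ip nat inside' LAN behind R6 (assumption,
    not in the post): same NAT, but this time the outbound ACL is evaluated."""
    ok, _, trace = inside_to_outside(src, bb1, router_generated=False)
    return ok, trace


if __name__ == "__main__":
    for name, fn in (("ping from Loopback0", ping_from_loopback),
                     ("transit from inside host", transit_from_inside_host)):
        ok, trace = fn()
        print(f"{name}: {'success' if ok else 'dropped'}")
        for line in trace:
            print("   ", line)
```

Running the block prints the two traces side by side: the router-originated ping is translated to 192.168.1.50 and leaves without the outbound ACL being consulted, and the echo reply to 192.168.1.50 matches `permit ip any any` in RFC2827-INBOUND before being untranslated back to 150.1.6.6. The transit packet from the hypothetical inside host is translated the same way but is then evaluated against RFC2827-OUTBOUND as 192.168.1.50, matches none of the permits, and is dropped by `deny ip any any log`. Under these assumptions the RFC 2827 egress filter therefore only protects transit traffic; if the router's own sourced traffic must also be constrained, it has to be done somewhere other than an outbound interface ACL.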