Eugene, you cannot catch locally originated traffic with an outbound ACL. A good visual example: say you have OSPF running between two routers and you deny OSPF any any outbound on both of them. It will take no effect.
You may have to use a local PBR to drop R6 traffic outbound.

Cheers
A.

On 7 June 2012 10:50, Eugene Pefti <[email protected]> wrote:
> Guys,
> I'm scratching my head and think that I forgot something fundamentally basic.
> There's a router with NAT and ACL applied to the outside interface as follows:
>
> BB1 --- (54.1.8.0/24)---- R6---(174.1.0.0)
>                           |
>                     Loopback0(150.1.6.6)
>
> ip access-list extended RFC2827-INBOUND
>  deny ip 174.1.0.0 0.0.255.255 any log
>  deny ip 150.1.0.0 0.0.255.255 any log
>  deny ip 10.0.0.0 0.255.255.255 any log
>  permit ip any any
>
> ip access-list extended RFC2827-OUTBOUND
>  permit ip 174.1.0.0 0.0.255.255 any
>  permit ip 150.1.0.0 0.0.255.255 any
>  permit ip 10.0.0.0 0.0.0.255 any
>  deny ip any any log
>
> ip access-list extended NAT-ACL
>  permit ip 150.1.0.0 0.0.255.255 any
>
> interface Loopback0
>  ip address 150.1.6.6 255.255.255.0
>  ip nat inside
>
> interface Ser0/0/0
>  ip address 54.1.8.6 255.255.255.0
>  ip nat outside
>  ip access-group RFC2827-OUTBOUND out
>  ip access-group RFC2827-INBOUND in
>
> ip nat pool NAT-POOL 192.168.1.50 192.168.1.50 prefix-length 24
> ip nat inside source list NAT-ACL pool NAT-POOL overload
>
> I'm leaving off all routing sections for brevity.
>
> What I don't understand is why I'm able to reach BB1 if I ping it from R6 sourcing from loopback0.
> The router R6 makes a translation from 150.1.6.6 to 192.168.1.50
>
> R6(config)#do sh ip nat trans
> Pro  Inside global      Inside local       Outside local      Outside global
> icmp 192.168.1.50:31    150.1.6.6:31       54.1.8.254:31      54.1.8.254:31
>
> Then according to packets processing order I'd assume the outgoing ACL (RFC2827-OUTBOUND) will kick in and drop the packet that originates from 192.168.1.51
> It doesn't happen and the return packet hits RFC2827-INBOUND ACL and gets permitted. Thus my ping to BB1 is successful. What am I missing?
>
> Eugene
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
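As an added illustration of the point made in the reply above (this is not configuration from the thread, and the ACL and route-map names are made up), here is the kind of local PBR that catches what `ip access-group RFC2827-OUTBOUND out` cannot: a route-map applied with `ip local policy` that sends router-generated packets sourced from Loopback0 toward the BB1 segment to Null0. It assumes local PBR is evaluated before inside-to-outside NAT, so the match ACL is written against the pre-translation source 150.1.6.6 rather than the inside global 192.168.1.50; that ordering is my assumption, not something stated in the thread.

```cisco
! Added example, not from the original post. Purpose: discard locally
! originated traffic on R6 that an outbound interface ACL does not see.
!
! Assumption: "ip local policy" runs before NAT inside->outside, so the
! source seen here is the inside local address (150.1.6.6), not the
! translated inside global (192.168.1.50).
!
! Match only what we want dropped: packets sourced from Loopback0 that
! are headed for the BB1 segment. Everything else falls through the
! route-map unmatched and is routed normally.
ip access-list extended LOCAL-EGRESS-DROP
 permit ip host 150.1.6.6 54.1.8.0 0.0.0.255
!
route-map LOCAL-EGRESS permit 10
 match ip address LOCAL-EGRESS-DROP
 set interface Null0
!
! Apply to router-generated traffic only; transit traffic is unaffected
! (transit traffic is still governed by the interface ACLs).
ip local policy route-map LOCAL-EGRESS
!
! Verification (output not reproduced here): "show route-map LOCAL-EGRESS"
! increments its "Policy routing matches" counter each time a packet sourced
! from 150.1.6.6 toward 54.1.8.0/24 is sent to Null0, and a ping from
! Loopback0 to BB1 should now fail.
```

One caveat for anyone reproducing this in the lab: the match ACL is intentionally narrow because local PBR applies to every packet the router itself generates, including routing-protocol or management sessions that use Loopback0 as their source. Widening the ACL to "any" destination would silence those too, so scope it to the address space you actually want the router to stay out of.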
