Yeah... I realized later that it is locally generated traffic and I should have used the ip local policy to make it re-enter the router. Thanks to all of you, guys.
Eugene

From: Alexei Monastyrnyi [mailto:[email protected]]
Sent: Wednesday, June 06, 2012 9:10 PM
To: Eugene Pefti
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] A question on NAT and ACL on the router

Eugene, you cannot catch locally originated traffic with outbound ACL. A good visual example: say you have OSPF running between two routers and you deny ospf any any outbound on both of them. It will take no effect. You may have to use a local PBR to drop R6 traffic outbound.

Cheers
A.

On 7 June 2012 10:50, Eugene Pefti <[email protected]> wrote:

Guys, I'm scratching my head and think that I forgot something fundamentally basic. There's a router with NAT and ACL applied to the outside interface as follows:

BB1 --- (54.1.8.0/24) ---- R6 --- (174.1.0.0)
                            |
                   Loopback0 (150.1.6.6)

ip access-list extended RFC2827-INBOUND
 deny ip 174.1.0.0 0.0.255.255 any log
 deny ip 150.1.0.0 0.0.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 permit ip any any
ip access-list extended RFC2827-OUTBOUND
 permit ip 174.1.0.0 0.0.255.255 any
 permit ip 150.1.0.0 0.0.255.255 any
 permit ip 10.0.0.0 0.0.0.255 any
 deny ip any any log
ip access-list extended NAT-ACL
 permit ip 150.1.0.0 0.0.255.255 any

Interface loopback0
 ip address 150.1.6.6 255.255.255.0
 ip nat inside
interface Ser0/0/0
 ip address 54.1.8.6 255.255.255.0
 ip nat outside
 ip access-group RFC2827-OUTBOUND out
 ip access-group RFC2827-INBOUND in

ip nat pool NAT-POOL 192.168.1.50 192.168.1.50 prefix-length 24
ip nat inside source list NAT-ACL pool NAT-POOL overload

I'm leaving off all routing sections for brevity. What I don't understand is why I'm able to reach BB1 if I ping it from R6 sourcing from loopback0. The router R6 makes a translation from 150.1.6.6 to 192.168.1.50:

R6(config)#do sh ip nat trans
Pro  Inside global     Inside local     Outside local    Outside global
icmp 192.168.1.50:31   150.1.6.6:31     54.1.8.254:31    54.1.8.254:31

Then according to packets processing order I'd assume the outgoing ACL (RFC2827-OUTBOUND) will kick in and drop the packet that originates from 192.168.1.51. It doesn't happen and the return packet hits RFC2827-INBOUND ACL and gets permitted. Thus my ping to BB1 is successful. What am I missing?

Eugene

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
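The order-of-operations point Alexei makes, as an added example that is not part of the thread: a small Python model (constructed here; the function names and the "locally_originated" flag are assumptions of this model, not IOS commands) of R6's inside-to-outside path, in which inside-to-outside NAT runs before the outbound ACL and packets the router itself originates are never evaluated against that outbound ACL. It uses the exact ACL and pool from Eugene's configuration.

```python
import ipaddress

# Model of the inside->outside path on R6 as discussed in the thread.
# Assumed ordering (matches IOS behaviour): NAT first, then outbound ACL,
# and the outbound ACL is skipped entirely for router-generated packets.

def wildcard_match(addr, base, wildcard):
    """IOS-style wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)

def acl_permits(acl, src):
    """First matching entry wins; IOS appends an implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False

# Source-address part of the ACLs from the thread ("any" == 0.0.0.0 255.255.255.255).
RFC2827_OUTBOUND = [
    ("permit", "174.1.0.0", "0.0.255.255"),
    ("permit", "150.1.0.0", "0.0.255.255"),
    ("permit", "10.0.0.0", "0.0.0.255"),
    ("deny", "0.0.0.0", "255.255.255.255"),
]
NAT_ACL = [("permit", "150.1.0.0", "0.0.255.255")]
NAT_POOL = "192.168.1.50"   # single-address pool, overloaded

def egress(src, locally_originated):
    """Return (source address on the wire, forwarded?) for a packet leaving Ser0/0/0."""
    # Inside->outside NAT happens before the outbound ACL sees the packet.
    wire_src = NAT_POOL if acl_permits(NAT_ACL, src) else src
    if locally_originated:
        # Router-generated traffic is not checked by an outbound ACL.
        return wire_src, True
    return wire_src, acl_permits(RFC2827_OUTBOUND, wire_src)

if __name__ == "__main__":
    # Eugene's ping sourced from Loopback0: translated, and forwarded anyway.
    print(egress("150.1.6.6", True))     # ('192.168.1.50', True)
    # The same source as transit traffic would be translated and then dropped,
    # because 192.168.1.50 matches nothing but the final deny.
    print(egress("150.1.6.6", False))    # ('192.168.1.50', False)
```

The second case shows why the confusion is reasonable: for transit traffic the post-NAT source really would be denied; only the local-origin bypass lets the ping through, which is what ip local policy is for.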
