I have the following LAN interface, which has two addresses, one of which is NATted.
interface FastEthernet0/1
 ip address 216.24.4.185 255.255.255.248 secondary
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 50 interface FastEthernet0/0 overload
access-list 50 permit 192.168.0.0 0.0.0.255

I want to block traffic so that addresses on the 216.24.4.185/29 block can only speak to things in the larger 216.24.0.0/18 block. I want traffic from the 196.168.0/24 address to be NATted and able to go to the world.

I’ve tried a few different access lists, and sets of access lists, but I get pretty much the same result whatever I try. If for instance, I put

ip access-list extended permit-phone-service-in
 permit ip 216.24.4.184 0.0.0.7 216.24.0.0 0.0.63.255 log-input
 permit ip 216.24.4.184 0.0.0.7 24.235.0.0 0.0.31.255 log-input
 permit ip any 192.168.0.0 0.0.0.255 log-input
ip access-list extended permit-phone-service-out
 permit ip 216.24.0.0 0.0.63.255 216.24.4.184 0.0.0.7 log-input
 permit ip 24.235.0.0 0.0.31.255 216.24.4.184 0.0.0.7 log-input
 permit ip 192.168.0.0 0.0.0.255 any log-input

and add the lines for those to the interface --

interface FastEthernet0/1
 ip address 216.24.4.185 255.255.255.248 secondary
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip access-group permit-phone-service-out out
 ip access-group permit-phone-service-in in
 duplex auto
 speed auto

Things in the 216.24.4.184/28 network block work fine and as desired. They still work for 216.24.0.0/18, but are blocked from outside of that. Things in the 192.168.0.0/24 network block stop working completely, though. They can no longer get out from those addresses to the world. I think, but am not certain, that it may be breaking NAT for that network block.

HBMgmtOffice#show run
Building configuration...

Current configuration : 1499 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HBMgmtOffice
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$a.yY$AyH/z0cGnCoai.UL5i7Rw0
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa accounting delay-start
aaa session-id common
ip subnet-zero
ip cef
!
!
ip name-server 216.24.27.3
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.0.150 192.168.0.255
ip dhcp excluded-address 192.168.0.0 192.168.0.50
!
ip dhcp pool edge-dhcp-pool
   network 192.168.0.0 255.255.255.0
   dns-server 216.24.27.3
   default-router 192.168.0.1
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username admin password 7 094E5B0E0A0302160F
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 216.24.2.30 255.255.255.252
 no ip proxy-arp
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 216.24.4.185 255.255.255.248 secondary
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 50 interface FastEthernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
!
access-list 20 permit 216.24.27.0 0.0.0.255
access-list 50 permit 192.168.0.0 0.0.0.255
!
snmp-server community wini4q5cust RO 20
snmp-server community mmn3gv5h RW 20
snmp-server tftp-server-list 20
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
HBMgmtOffice#config t
Enter configuration commands, one per line.  End with CNTL/Z.
HBMgmtOffice(config)#ip access-list extended permit-phone-service-in
HBMgmtOffice(config-ext-nacl)#$84 0.0.0.7 216.24.0.0 0.0.63.255 log-input
HBMgmtOffice(config-ext-nacl)#$84 0.0.0.7 24.235.0.0 0.0.31.255 log-input
HBMgmtOffice(config-ext-nacl)# permit ip any 192.168.0.0 0.0.0.255 log-input
HBMgmtOffice(config-ext-nacl)#$ist extended permit-phone-service-out
HBMgmtOffice(config-ext-nacl)#$ 0.0.63.255 216.24.4.184 0.0.0.7 log-input
HBMgmtOffice(config-ext-nacl)#$ 0.0.31.255 216.24.4.184 0.0.0.7 log-input
HBMgmtOffice(config-ext-nacl)# permit ip 192.168.0.0 0.0.0.255 any log-input
HBMgmtOffice(config-ext-nacl)#
HBMgmtOffice(config-ext-nacl)#
HBMgmtOffice(config-ext-nacl)#exit
HBMgmtOffice(config)#exit
HBMgmtOffice#write mem
Building configuration...
[OK]
HBMgmtOffice#Connection closed by foreign host.
admin1> telnet 216.24.2.30
Trying 216.24.2.30...
Connected to 216-24-2-30.ip.win.net.
Escape character is '^]'.

User Access Verification

Username: admin
Password:
HBMgmtOffice>enable
Password:
HBMgmtOffice#
HBMgmtOffice#
HBMgmtOffice#
HBMgmtOffice#show run
Building configuration...

Current configuration : 1948 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HBMgmtOffice
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$a.yY$AyH/z0cGnCoai.UL5i7Rw0
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa accounting delay-start
aaa session-id common
ip subnet-zero
ip cef
!
!
ip name-server 216.24.27.3
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.0.150 192.168.0.255
ip dhcp excluded-address 192.168.0.0 192.168.0.50
!
ip dhcp pool edge-dhcp-pool
   network 192.168.0.0 255.255.255.0
   dns-server 216.24.27.3
   default-router 192.168.0.1
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username admin password 7 094E5B0E0A0302160F
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 216.24.2.30 255.255.255.252
 no ip proxy-arp
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 216.24.4.185 255.255.255.248 secondary
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 50 interface FastEthernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
!
!
ip access-list extended permit-phone-service-in
 permit ip 216.24.4.184 0.0.0.7 216.24.0.0 0.0.63.255 log-input
 permit ip 216.24.4.184 0.0.0.7 24.235.0.0 0.0.31.255 log-input
 permit ip any 192.168.0.0 0.0.0.255 log-input
ip access-list extended permit-phone-service-out
 permit ip 216.24.0.0 0.0.63.255 216.24.4.184 0.0.0.7 log-input
 permit ip 24.235.0.0 0.0.31.255 216.24.4.184 0.0.0.7 log-input
 permit ip 192.168.0.0 0.0.0.255 any log-input
access-list 20 permit 216.24.27.0 0.0.0.255
access-list 50 permit 192.168.0.0 0.0.0.255
!
snmp-server community wini4q5cust RO 20
snmp-server community mmn3gv5h RW 20
snmp-server tftp-server-list 20
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

HBMgmtOffice#

_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
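An added worked check (not part of the original post) that simulates IOS extended-ACL matching with wildcard masks over the inbound list exactly as posted. It shows why the 192.168.0.0/24 hosts lose connectivity: an ACL applied "in" on FastEthernet0/1 filters packets arriving from the LAN, where the source is the host itself (and, for inside-to-outside traffic, still the untranslated private address, since the inbound ACL is checked before NAT), while the posted entry only permits packets destined to 192.168.0.0/24, so the implicit deny drops them before NAT ever runs. The Internet address 203.0.113.10 and the LAN host 192.168.0.20 are constructed test values.

```python
import ipaddress

def wc_match(addr, network, wildcard):
    """Cisco wildcard mask: bits that are 0 in the wildcard must match exactly."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def parse_ace(line):
    """Parse 'permit|deny ip SRC WC DST WC [log-input]'; 'any' means 0.0.0.0 255.255.255.255."""
    toks = line.split()
    def take(r):
        if r[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), r[1:]
        return (r[0], r[1]), r[2:]
    src, rest = take(toks[2:])      # toks[1] is the protocol; only 'ip' appears on this page
    dst, _ = take(rest)             # anything left (log-input) does not affect matching
    return toks[0], src, dst

def evaluate(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for line in acl:
        action, (sn, sw), (dn, dw) = parse_ace(line)
        if wc_match(src, sn, sw) and wc_match(dst, dn, dw):
            return action
    return "deny"

# The inbound list exactly as posted. Applied 'in' on Fa0/1 it sees packets arriving
# from LAN hosts (source = the host). For inside->outside flows the inbound ACL is
# checked before NAT, so the source is still the private 192.168.0.x address.
POSTED_IN = [
    "permit ip 216.24.4.184 0.0.0.7 216.24.0.0 0.0.63.255 log-input",
    "permit ip 216.24.4.184 0.0.0.7 24.235.0.0 0.0.31.255 log-input",
    "permit ip any 192.168.0.0 0.0.0.255 log-input",
]
# Same list with source and destination of the LAN entry swapped.
FIXED_IN = POSTED_IN[:2] + ["permit ip 192.168.0.0 0.0.0.255 any log-input"]

WORLD = "203.0.113.10"   # constructed Internet host, outside 216.24.0.0/18 and 24.235.0.0/19

def lan_host_can_reach_world(acl, host="192.168.0.20"):   # constructed LAN host
    return evaluate(acl, host, WORLD) == "permit"

if __name__ == "__main__":
    print("posted list, LAN host -> world:", lan_host_can_reach_world(POSTED_IN))  # False
    print("fixed list,  LAN host -> world:", lan_host_can_reach_world(FIXED_IN))   # True
    print("fixed list,  phone -> world:", evaluate(FIXED_IN, "216.24.4.186", WORLD))  # deny
```

The out list has the same inversion: packets leaving the router toward the LAN carry a 192.168.0.0/24 destination (NAT has already untranslated them), so its LAN entry needs to read "permit ip any 192.168.0.0 0.0.0.255".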
