Whoops. I was working on another issue the last couple of days so admittedly haven't been getting as much sleep as I should. I meant to strip the complete config off the end of the message rather than sending it to the list along with the passwords. What I intended to do and what happened were two different things. Anyway, passwords have been changed. Getting back to the initial question....

I have the following LAN interface, which has two addresses, one of
which is NATted.

interface FastEthernet0/1
ip address 216.24.4.185 255.255.255.248 secondary
ip address 192.168.0.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source list 50 interface FastEthernet0/0 overload

access-list 50 permit 192.168.0.0 0.0.0.255

I want to block traffic so that addresses on the 216.24.4.185/29
block can only speak to things in the larger 216.24.0.0/18 block. I
want traffic from the 192.168.0.0/24 block to be NATted and able to
go to the world.

I’ve tried a few different access lists, and sets of access lists,
but I get pretty much the same result whatever I try. If, for
instance, I put

ip access-list extended permit-phone-service-in
permit ip 216.24.4.184 0.0.0.7 216.24.0.0 0.0.63.255 log-input
permit ip 216.24.4.184 0.0.0.7 24.235.0.0 0.0.31.255 log-input
permit ip any 192.168.0.0 0.0.0.255 log-input
ip access-list extended permit-phone-service-out
permit ip 216.24.0.0 0.0.63.255 216.24.4.184 0.0.0.7 log-input
permit ip 24.235.0.0 0.0.31.255 216.24.4.184 0.0.0.7 log-input
permit ip 192.168.0.0 0.0.0.255 any log-input

And add the lines for those to the interface --

interface FastEthernet0/1
ip address 216.24.4.185 255.255.255.248 secondary
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip access-group permit-phone-service-out out
ip access-group permit-phone-service-in in
duplex auto
speed auto

Things in the 216.24.4.184/29 network block work fine and as desired.
They still work for 216.24.0.0/18, but are blocked from outside of
that.

Things in the 192.168.0.0/24 network block stop working completely,
though. They can no longer get out from those addresses to the
world. I think, but am not certain, that it may be breaking NAT for
that network block.


_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
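An added worked example, not part of the original post or any reply to it, modelling how the two access lists above are evaluated on FastEthernet0/1. It implements Cisco wildcard-mask matching and first-match evaluation with the implicit deny, and applies the IOS NAT order of operations for an `ip nat inside` interface: an ACL applied `in` on Fa0/1 sees a packet exactly as it arrives from the LAN, i.e. with its private 192.168.0.x source, before inside-to-outside translation; an ACL applied `out` on Fa0/1 sees a return packet after outside-to-inside translation, so its destination is already the 192.168.0.x inside local address. Under that order the third line of `permit-phone-service-in` (`permit ip any 192.168.0.0 0.0.0.255`) can never match LAN-originated traffic, because it tests the destination rather than the source, and the third line of `permit-phone-service-out` (`permit ip 192.168.0.0 0.0.0.255 any`) can never match returning traffic for the mirror-image reason. The `FIXED_*` lists swap those two entries; the host addresses 192.168.0.10, 216.24.4.190, 216.24.1.1 and 198.51.100.1 are constructed sample values.

```python
"""Model of ACL evaluation on an 'ip nat inside' interface (added example).

Assumptions (not from the original post): the NAT order of operations as
described in the lead-in, and the sample hosts used in the examples below.
"""
import ipaddress
from typing import List, Tuple


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(network) & care)


Ace = Tuple[str, str, str, str, str]  # action, src, src_wc, dst, dst_wc
ANY = ("0.0.0.0", "255.255.255.255")  # 'any' == 0.0.0.0 255.255.255.255


def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny ip <src> <wc> <dst> <wc> [log-input]'; 'any' is accepted."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    assert proto == "ip", "only plain 'ip' entries are modelled here"

    def take(remaining: List[str]):
        if remaining[0] == "any":
            return ANY, remaining[1:]
        return (remaining[0], remaining[1]), remaining[2:]

    (src, swc), rest = take(rest)
    (dst, dwc), rest = take(rest)  # trailing 'log-input' is ignored
    return (action, src, swc, dst, dwc)


def evaluate(acl: List[str], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for line in acl:
        action, s, swc, d, dwc = parse_ace(line)
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"


# The two lists exactly as posted (log-input kept to show it is parsed away).
POSTED_IN = [
    "permit ip 216.24.4.184 0.0.0.7 216.24.0.0 0.0.63.255 log-input",
    "permit ip 216.24.4.184 0.0.0.7 24.235.0.0 0.0.31.255 log-input",
    "permit ip any 192.168.0.0 0.0.0.255 log-input",
]
POSTED_OUT = [
    "permit ip 216.24.0.0 0.0.63.255 216.24.4.184 0.0.0.7 log-input",
    "permit ip 24.235.0.0 0.0.31.255 216.24.4.184 0.0.0.7 log-input",
    "permit ip 192.168.0.0 0.0.0.255 any log-input",
]

# Corrected third entries: inbound on the LAN interface the LAN hosts are the
# SOURCE, outbound on the LAN interface they are the DESTINATION.
FIXED_IN = POSTED_IN[:2] + ["permit ip 192.168.0.0 0.0.0.255 any log-input"]
FIXED_OUT = POSTED_OUT[:2] + ["permit ip any 192.168.0.0 0.0.0.255 log-input"]


def lan_to_world(acl_in: List[str], lan_host: str, remote: str) -> str:
    """Inbound ACL on Fa0/1 runs before inside->outside NAT: private source."""
    return evaluate(acl_in, lan_host, remote)


def world_to_lan(acl_out: List[str], remote: str, lan_host: str) -> str:
    """Outbound ACL on Fa0/1 runs after outside->inside NAT: private destination."""
    return evaluate(acl_out, remote, lan_host)


def session(acl_in: List[str], acl_out: List[str], lan_host: str, remote: str):
    """(verdict for the outgoing packet, verdict for the returning packet)."""
    return (lan_to_world(acl_in, lan_host, remote),
            world_to_lan(acl_out, remote, lan_host))


if __name__ == "__main__":
    for label, (a_in, a_out) in {"posted": (POSTED_IN, POSTED_OUT),
                                 "fixed": (FIXED_IN, FIXED_OUT)}.items():
        print(label, "NAT host  ->", session(a_in, a_out, "192.168.0.10", "198.51.100.1"))
        print(label, "phone /18 ->", session(a_in, a_out, "216.24.4.190", "216.24.1.1"))
        print(label, "phone wrld->", session(a_in, a_out, "216.24.4.190", "198.51.100.1"))
```

Translated back to IOS, the change is to make the last entry of `permit-phone-service-in` read `permit ip 192.168.0.0 0.0.0.255 any` and the last entry of `permit-phone-service-out` read `permit ip any 192.168.0.0 0.0.0.255`; the 216.24.4.184/29 entries are already written in the right direction, which is why that block keeps working. Two practitioner caveats: `log-input` on every permit entry punts a copy of every matched flow's first packet to the CPU, which is expensive on a busy LAN interface, and because nothing logs the implicit deny there is no record of what was dropped; an explicit `deny ip any any log-input` at the end of each list would have shown the blocked 192.168.0.x packets immediately.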
