Hi Joseph, you just need to swap the third line of the ACLs:
ip access-list extended permit-phone-service-in
 permit ip 216.24.4.184 0.0.0.7 216.24.0.0 0.0.63.255 log-input
 permit ip 216.24.4.184 0.0.0.7 24.235.0.0 0.0.31.255 log-input
 permit ip 192.168.0.0 0.0.0.255 any log-input
ip access-list extended permit-phone-service-out
 permit ip 216.24.0.0 0.0.63.255 216.24.4.184 0.0.0.7 log-input
 permit ip 24.235.0.0 0.0.31.255 216.24.4.184 0.0.0.7 log-input
 permit ip any 192.168.0.0 0.0.0.255 log-input

Regards,
Marc

----- Original Message -----
> From: "Joseph Mays" <[email protected]>
> To: [email protected]
> Sent: Friday, 15 March 2013 21:32:48
> Subject: Re: [c-nsp] Access lists and NAT
>
> Whoops. I was working on another issue the last couple of days so
> admittedly haven't been getting as much sleep as I should. I meant to
> strip the complete config off the end of the message rather than sending
> it to the list along with the passwords. What I intended to do and what
> happened were two different things. Anyway, passwords have been changed.
> Getting back to the initial question....
>
> > I have the following LAN interface, which has two addresses, one of
> > which is NATted.
> >
> > interface FastEthernet0/1
> >  ip address 216.24.4.185 255.255.255.248 secondary
> >  ip address 192.168.0.1 255.255.255.0
> >  ip nat inside
> >  duplex auto
> >  speed auto
> > !
> > ip nat inside source list 50 interface FastEthernet0/0 overload
> >
> > access-list 50 permit 192.168.0.0 0.0.0.255
> >
> > I want to block traffic so that addresses on the 216.24.4.185/29
> > block can only speak to things in the larger 216.24.0.0/18 block. I
> > want traffic from the 196.168.0/24 address to be NATted and able to
> > go to the world.
> >
> > I've tried a few different access lists, and sets of access lists,
> > but I get pretty much the same result whatever I try. If, for
> > instance, I put
> >
> > ip access-list extended permit-phone-service-in
> >  permit ip 216.24.4.184 0.0.0.7 216.24.0.0 0.0.63.255 log-input
> >  permit ip 216.24.4.184 0.0.0.7 24.235.0.0 0.0.31.255 log-input
> >  permit ip any 192.168.0.0 0.0.0.255 log-input
> > ip access-list extended permit-phone-service-out
> >  permit ip 216.24.0.0 0.0.63.255 216.24.4.184 0.0.0.7 log-input
> >  permit ip 24.235.0.0 0.0.31.255 216.24.4.184 0.0.0.7 log-input
> >  permit ip 192.168.0.0 0.0.0.255 any log-input
> >
> > And add the lines for those to the interface --
> >
> > interface FastEthernet0/1
> >  ip address 216.24.4.185 255.255.255.248 secondary
> >  ip address 192.168.0.1 255.255.255.0
> >  ip nat inside
> >  ip access-group permit-phone-service-out out
> >  ip access-group permit-phone-service-in in
> >  duplex auto
> >  speed auto
> >
> > Things in the 216.24.4.184/28 network block work fine and as desired.
> > They still work for 216.24.0.0/18, but are blocked from outside of
> > that.
> >
> > Things in the 192.168.0.0/24 network block stop working completely,
> > though. They can no longer get out from those addresses to the
> > world. I think, but am not certain, that it may be breaking NAT for
> > that network block.
>
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
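Why Marc's swap works comes down to where IOS evaluates an interface ACL relative to NAT. On an "ip nat inside" interface, inside-to-outside packets hit the inbound ACL before inside source NAT runs, so the ACL sees the untranslated 192.168.0.x source; outside-to-inside replies are translated back (global to local) before the outbound ACL on the inside interface, so that ACL sees 192.168.0.x as the destination. Joseph's original third lines test the LAN prefix in the wrong field in both directions, and the implicit deny at the end of each ACL drops the flow before NAT is ever involved. The following script is an added example written for this thread, not code from the thread or from Cisco: it parses the two ACL pairs with IOS wildcard-mask semantics, models that order of operations, and runs a LAN host, a phone inside the /18, and a phone trying to reach the Internet through both versions. The Fa0/0 (inside global) address 216.24.4.1, the hosts 192.168.0.10 and 216.24.4.186, and the remote addresses are constructed; the PAT port mapping is omitted because it does not change the outcome.

```python
"""ACL-versus-NAT order of operations on an "ip nat inside" interface.

Added example for this thread; not code from the thread or from Cisco.
Model: inside-to-outside traffic meets the inbound ACL on the inside
interface BEFORE inside source NAT; outside-to-inside traffic is translated
back (global -> local) BEFORE the outbound ACL on the inside interface.
Assumed/constructed: Fa0/0 address 216.24.4.1, LAN host 192.168.0.10,
phone 216.24.4.186, remote hosts 216.24.10.1 and 8.8.8.8. Ports omitted.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a set bit in the mask means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def _addr_spec(tokens, i):
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines; trailing keywords (log-input) are ignored."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0] in ("permit", "deny") and tokens[1] == "ip":
            src, i = _addr_spec(tokens, 2)
            dst, _ = _addr_spec(tokens, i)
            entries.append((tokens[0], src, dst))
    return entries


def acl_permits(entries, pkt):
    """First match wins; no match is the implicit deny at the end of every IOS ACL."""
    for action, (sb, sw), (db, dw) in entries:
        if wildcard_match(pkt.src, sb, sw) and wildcard_match(pkt.dst, db, dw):
            return action == "permit"
    return False


NAT_LOCAL = ipaddress.ip_network("192.168.0.0/24")  # access-list 50 from the thread
NAT_GLOBAL = "216.24.4.1"                           # assumed Fa0/0 address


def inside_to_outside(acl_in, pkt):
    """LAN packet enters Fa0/1: inbound ACL first, NAT afterwards."""
    if not acl_permits(acl_in, pkt):
        return None                                 # dropped before NAT runs
    if ipaddress.ip_address(pkt.src) in NAT_LOCAL:
        return Packet(NAT_GLOBAL, pkt.dst)          # inside source translation
    return pkt


def outside_to_inside(acl_out, pkt, xlate):
    """Reply enters Fa0/0: global->local translation, then the outbound ACL on Fa0/1."""
    local = xlate.get(pkt.dst)
    if local:
        pkt = Packet(pkt.src, local)
    return pkt if acl_permits(acl_out, pkt) else None


def round_trip(acl_in, acl_out, src, dst):
    """Return (outbound_allowed, reply_allowed) for the flow src->dst and its reply."""
    out = inside_to_outside(acl_in, Packet(src, dst))
    if out is None:
        return (False, False)
    xlate = {out.src: src} if out.src != src else {}
    back = outside_to_inside(acl_out, Packet(dst, out.src), xlate)
    return (True, back is not None)


def run_scenario(acl_in_text, acl_out_text):
    acl_in, acl_out = parse_acl(acl_in_text), parse_acl(acl_out_text)
    return {
        "lan_to_world": round_trip(acl_in, acl_out, "192.168.0.10", "8.8.8.8"),
        "phone_to_block": round_trip(acl_in, acl_out, "216.24.4.186", "216.24.10.1"),
        "phone_to_world": round_trip(acl_in, acl_out, "216.24.4.186", "8.8.8.8"),
    }


PHONE_IN = """permit ip 216.24.4.184 0.0.0.7 216.24.0.0 0.0.63.255 log-input
permit ip 216.24.4.184 0.0.0.7 24.235.0.0 0.0.31.255 log-input
"""
PHONE_OUT = """permit ip 216.24.0.0 0.0.63.255 216.24.4.184 0.0.0.7 log-input
permit ip 24.235.0.0 0.0.31.255 216.24.4.184 0.0.0.7 log-input
"""
# Joseph's original third lines: LAN prefix tested as inbound *destination* and
# outbound *source*, which the untranslated/translated packets never carry.
ORIGINAL = (PHONE_IN + "permit ip any 192.168.0.0 0.0.0.255 log-input",
            PHONE_OUT + "permit ip 192.168.0.0 0.0.0.255 any log-input")
# Marc's swap: inbound matches the LAN *source*, outbound the LAN *destination*.
SWAPPED = (PHONE_IN + "permit ip 192.168.0.0 0.0.0.255 any log-input",
           PHONE_OUT + "permit ip any 192.168.0.0 0.0.0.255 log-input")

if __name__ == "__main__":
    for name, (acl_in, acl_out) in (("original", ORIGINAL), ("swapped", SWAPPED)):
        print(name, run_scenario(acl_in, acl_out))
```

With the original pair the LAN flow reports (False, False): the first packet never matches the inbound ACL, so NAT is not "broken", it simply never sees the packet. With the swapped pair the LAN flow passes in both directions while the phone results are unchanged. On the router itself the same thing is visible in the match counters of "show access-lists" and in the log-input messages, which will show the 192.168.0.x addresses, not the Fa0/0 address, on the Fa0/1 ACLs.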
