Single direction reflexive ACL affecting NAT?

xianglingzj · ‎12-03-2008

Originally I have such topology:

WLAN Client---WLAN Controller----6509 Switch----6509 Switch---FW and Router----Internet

The WLAN clients are assigned IP addresses 172.27.0.0/16 and the NAT is done on the first 6509 switch connecting to the WLAN controller, the inside interface connecting to the WLAN controller is configured as below.

!

interface Vlan812

description ADMIN-WLAN-Controller

ip address 192.168.210.21 255.255.255.240

no ip redirects

ip nat inside

standby 1 ip 192.168.210.30

standby 1 priority 120

!

and the NAT configuration is shown below:

!

ip nat pool pool-ADMIN2 11.11.18.1 11.11.18.252 prefix-length 24

ip nat inside source route-map MAP-ADMIN2 pool pool-ADMIN2

!

ip access-list extended WLAN-ADMIN2

deny ip 172.27.0.0 0.0.255.255 11.11.0.0 0.0.255.255

deny tcp 172.27.0.0 0.0.255.255 any eq www

deny ip 172.27.0.0 0.0.255.255 192.168.0.0 0.0.255.255

deny ip 172.27.0.0 0.0.255.255 172.16.0.0 0.15.255.255

deny ip 172.27.0.0 0.0.255.255 10.0.0.0 0.255.255.255

permit ip 172.27.0.0 0.0.255.255 any log

!

route-map MAP-ADMIN2 permit 10

match ip address WLAN-ADMIN2

!

With the following configuration, some wierd thing happens that only TCP traffic is translated but not the UDP traffic, this causes some applications which are relying on UDP fail to work.

ADMIN2#sh ip nat tran | in udp

More interesting thing is observed that after the following configuration the UDP is now translated and the application start to work:

ADMIN2#config t

Enter configuration commands, one per line. End with CNTL/Z.

ADMIN2(config)#ip acce

ADMIN2(config)#ip access-list ex

ADMIN2(config)#ip access-list extended test812.in

ADMIN2(config-ext-nacl)#permit ip any any

ADMIN2(config-ext-nacl)#int vlan 812

ADMIN2(config-if)#ip acce

ADMIN2(config-if)#ip access-group test812.in in

ADMIN2(config-if)#end

ADMIN2#sh ip int vlan 812

Outgoing access list is not set

Inbound access list is test812.in

ADMIN2#sh ip access test812.in

Extended IP access list test812.in

permit ip any any (23 matches)

ADMIN2(config)#ip access-list ex test812.in

ADMIN2(config-ext-nacl)#permit ip any any ref REF

ADMIN2(config-ext-nacl)#no permit ip any any

ADMIN2(config-ext-nacl)#do sh ip access test812.in

Extended IP access list test812.in

permit ip any any reflect REF (4 matches)

ADMIN2# sh ip nat tran | in udp

udp 11.11.18.9:3450 172.27.72.242:3450 63.210.157.46:13001 63.210.157.46:13001

udp 11.11.18.9:22860 172.27.72.242:22860 64.127.123.234:14280 64.127.123.234:14280

udp 11.11.18.9:22861 172.27.72.242:22861 64.127.123.234:14281 64.127.123.234:14281

udp 11.11.18.9:3450 172.27.72.242:3450 216.82.21.250:13001 216.82.21.250:13001

udp 11.11.18.9:3450 172.27.72.242:3450 8.2.35.16:13000 8.2.35.16:13000

udp 11.11.18.9:22860 172.27.72.242:22860 70.42.62.102:3478 70.42.62.102:3478

udp 11.11.18.9:22861 172.27.72.242:22861 70.42.62.102:3478 70.42.62.102:3478

udp 11.11.18.9:22860 172.27.72.242:22860 70.42.62.103:3478 70.42.62.103:3478

udp 11.11.18.9:22862 172.27.72.242:22862 70.42.62.102:3478 70.42.62.102:3478

udp 11.11.18.9:22862 172.27.72.242:22862 70.42.62.103:3478 70.42.62.103:3478

udp 11.11.18.9:22891 172.27.72.242:22891 70.42.62.102:3478 70.42.62.102:3478

Anybody can help me one explaining the difference between no access list, "permit ip any any" and "permit ip any any ref REF" when only ingress ACL is applied? Thanks.

Giuseppe Larosa · ‎12-04-2008

Hello Mengdi,

usually when the behaviour changes when an ACL is applied this leads to a CEF issue: the application of an ACL that permits everything triggers the creation of new CEF entries that are used instead of the previous ones.

However, your scenario is rather complex so this is just a first impression.

If I understand correctly with the application of the normal ACL and also with the reflexive acl you see UDP entries in the NAT translation table

Hope to help

Giuseppe