12-03-2008 09:33 PM - edited 03-04-2019 12:35 AM
Originally I have such topology:
WLAN Client---WLAN Controller----6509 Switch----6509 Switch---FW and Router----Internet
The WLAN clients are assigned IP addresses 172.27.0.0/16 and the NAT is done on the first 6509 switch connecting to the WLAN controller, the inside interface connecting to the WLAN controller is configured as below.
!
interface Vlan812
description ADMIN-WLAN-Controller
ip address 192.168.210.21 255.255.255.240
no ip redirects
ip nat inside
standby 1 ip 192.168.210.30
standby 1 priority 120
!
and the NAT configuration is shown below:
!
ip nat pool pool-ADMIN2 11.11.18.1 11.11.18.252 prefix-length 24
ip nat inside source route-map MAP-ADMIN2 pool pool-ADMIN2
!
ip access-list extended WLAN-ADMIN2
deny ip 172.27.0.0 0.0.255.255 11.11.0.0 0.0.255.255
deny tcp 172.27.0.0 0.0.255.255 any eq www
deny ip 172.27.0.0 0.0.255.255 192.168.0.0 0.0.255.255
deny ip 172.27.0.0 0.0.255.255 172.16.0.0 0.15.255.255
deny ip 172.27.0.0 0.0.255.255 10.0.0.0 0.255.255.255
permit ip 172.27.0.0 0.0.255.255 any log
!
route-map MAP-ADMIN2 permit 10
match ip address WLAN-ADMIN2
!
With the following configuration, some weird thing happens: only TCP traffic is translated but not the UDP traffic, and this causes some applications which rely on UDP to fail.
ADMIN2#sh ip nat tran | in udp
ADMIN2#sh ip nat tran | in udp
ADMIN2#sh ip nat tran | in udp
A more interesting thing is observed: after the following configuration the UDP is now translated and the application starts to work:
ADMIN2#config t
Enter configuration commands, one per line. End with CNTL/Z.
ADMIN2(config)#ip acce
ADMIN2(config)#ip access-list ex
ADMIN2(config)#ip access-list extended test812.in
ADMIN2(config-ext-nacl)#permit ip any any
ADMIN2(config-ext-nacl)#int vlan 812
ADMIN2(config-if)#ip acce
ADMIN2(config-if)#ip access-group test812.in in
ADMIN2(config-if)#end
ADMIN2#sh ip int vlan 812
<Truncated>
Outgoing access list is not set
Inbound access list is test812.in
<Truncated>
ADMIN2#sh ip access test812.in
Extended IP access list test812.in
permit ip any any (23 matches)
ADMIN2(config)#ip access-list ex test812.in
ADMIN2(config-ext-nacl)#permit ip any any ref REF
ADMIN2(config-ext-nacl)#no permit ip any any
ADMIN2(config-ext-nacl)#do sh ip access test812.in
Extended IP access list test812.in
permit ip any any reflect REF (4 matches)
ADMIN2# sh ip nat tran | in udp
udp 11.11.18.9:3450 172.27.72.242:3450 63.210.157.46:13001 63.210.157.46:13001
udp 11.11.18.9:22860 172.27.72.242:22860 64.127.123.234:14280 64.127.123.234:14280
udp 11.11.18.9:22861 172.27.72.242:22861 64.127.123.234:14281 64.127.123.234:14281
udp 11.11.18.9:3450 172.27.72.242:3450 216.82.21.250:13001 216.82.21.250:13001
udp 11.11.18.9:3450 172.27.72.242:3450 8.2.35.16:13000 8.2.35.16:13000
udp 11.11.18.9:22860 172.27.72.242:22860 70.42.62.102:3478 70.42.62.102:3478
udp 11.11.18.9:22861 172.27.72.242:22861 70.42.62.102:3478 70.42.62.102:3478
udp 11.11.18.9:22860 172.27.72.242:22860 70.42.62.103:3478 70.42.62.103:3478
udp 11.11.18.9:22862 172.27.72.242:22862 70.42.62.102:3478 70.42.62.102:3478
udp 11.11.18.9:22862 172.27.72.242:22862 70.42.62.103:3478 70.42.62.103:3478
udp 11.11.18.9:22891 172.27.72.242:22891 70.42.62.102:3478 70.42.62.102:3478
Can anybody help me by explaining the difference between no access list, "permit ip any any" and "permit ip any any ref REF" when only an ingress ACL is applied? Thanks.
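As an added example (not part of the post or of any Cisco tool), here is a small Python model of the WLAN-ADMIN2 access list above, used to check which flows the route-map would select for translation. The rule table is transcribed from the ACL in the post; the helper names and the sample flows (taken from the "sh ip nat tran" output) are my own.

```python
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

# Entries transcribed from "ip access-list extended WLAN-ADMIN2" in the post:
# (action, protocol, src, src-wildcard, dst, dst-wildcard, dst-port or None)
ANY = ("0.0.0.0", "255.255.255.255")
WLAN_ADMIN2 = [
    ("deny",   "ip",  "172.27.0.0", "0.0.255.255", "11.11.0.0",   "0.0.255.255",   None),
    ("deny",   "tcp", "172.27.0.0", "0.0.255.255", *ANY,                           80),
    ("deny",   "ip",  "172.27.0.0", "0.0.255.255", "192.168.0.0", "0.0.255.255",   None),
    ("deny",   "ip",  "172.27.0.0", "0.0.255.255", "172.16.0.0",  "0.15.255.255",  None),
    ("deny",   "ip",  "172.27.0.0", "0.0.255.255", "10.0.0.0",    "0.255.255.255", None),
    ("permit", "ip",  "172.27.0.0", "0.0.255.255", *ANY,                           None),
]

def acl_action(acl, proto: str, src: str, dst: str, dport: int) -> str:
    """First-match evaluation; an extended ACL ends with an implicit deny."""
    for action, p, s, sw, d, dw, port in acl:
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

def nat_selects(proto: str, src: str, dst: str, dport: int) -> bool:
    """True when route-map MAP-ADMIN2 would hand this flow to pool-ADMIN2."""
    return acl_action(WLAN_ADMIN2, proto, src, dst, dport) == "permit"

if __name__ == "__main__":
    # Flows from the post's translation table: all are permitted by the ACL,
    # so the ACL itself is not what kept UDP out of the NAT table.
    for dst, port in (("70.42.62.102", 3478), ("63.210.157.46", 13001)):
        print("udp 172.27.72.242 ->", dst, port, nat_selects("udp", "172.27.72.242", dst, port))
    print("tcp to 80 denied:", not nat_selects("tcp", "172.27.72.242", "63.210.157.46", 80))
```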
12-04-2008 12:37 AM
Hello Mengdi,
Usually, when the behaviour changes when an ACL is applied, this leads to a CEF issue: the application of an ACL that permits everything triggers the creation of new CEF entries that are used instead of the previous ones.
However, your scenario is rather complex so this is just a first impression.
If I understand correctly, with the application of the normal ACL and also with the reflexive ACL you see UDP entries in the NAT translation table.
Hope to help
Giuseppe