
New Member

ACL doesn't match packets for NAT purpose

Hi, I cannot understand why the ACL doesn't match packets from PCs 192.168.8.2 or 192.168.8.3, but it matches 192.168.8.1 (fa0/1).

In Wireshark I see source 192.168.8.2 when I run ping 192.168.176.58 from 192.168.8.2. However, it must be 213.70.2.2.

By the way, I tried to set static NAT that worked fine, but it is not what I want.


interface FastEthernet0/0
 ip address 213.70.2.2 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.8.1 255.255.248.0
 ip nat inside
 duplex auto
 speed auto
!

ip nat pool pool1 213.70.2.2 213.70.2.2 netmask 255.255.255.252
ip nat inside source list 1 pool pool1 overload
!
access-list 1 permit 192.168.8.0 0.0.7.255 log

Router#ping 192.168.176.58 source 192.168.8.1

Router#sh ip nat tr
Pro Inside global      Inside local       Outside local      Outside global
icmp 213.70.2.2:4      192.168.8.1:4      192.168.176.58:4   192.168.176.58:4
Router#


Router#trace 192.168.176.58 source 192.168.8.1

Type escape sequence to abort.
Tracing the route to 192.168.176.58

  1 213.70.2.1 0 msec 0 msec 4 msec
  2 192.168.176.58 0 msec 0 msec 4 msec
Router#


4 REPLIES
Cisco Employee

Try using a named standard access list instead.

Your example converted:

ip nat inside source list nat-source pool pool1 overload
ip access-list standard nat-source
 permit 192.168.8.0 0.0.7.255

My output:

Pro Inside global      Inside local       Outside local      Outside global
icmp 213.70.2.2:24     192.168.8.2:24     213.70.2.1:24      213.70.2.1:24
icmp 213.70.2.2:25     192.168.9.1:25     213.70.2.1:25      213.70.2.1:25

Additionally, if you only want to use the interface address, consider the following instead:

   ip nat inside source list nat-source interface fa0/0

New Member

thanks!

However, I managed to do this in this way:

ip nat pool pool213 213.70.2.2 213.70.2.2 prefix-length 30

ip nat inside source route-map isp1 pool pool213 overload

access-list 101 permit ip 192.168.8.0 0.0.0.255 any

route-map isp1 permit 10
 match ip address 101
 match interface FastEthernet0/0

It is pretty weird, but thank God it works.

Hi,

I do agree with Dasthomp: the log keyword is not supported with a NAT ACL. If you revert your original configuration by removing the log keyword at the end of ACL 1, you will be good to go.

Regards | Aref.

Cisco Employee

Last I checked, the use of the 'log' statement is not supported with NAT.
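The last two replies both point at the same root cause: the `log` keyword on access-list 1, the ACL that `ip nat inside source list 1` references. The following is an added example, not code from this thread or from Cisco: a small offline lint that parses an IOS-style running-config, works out which ACLs NAT actually uses (directly through `ip nat ... source list`, or indirectly through a route-map's `match ip address`, as in the poster's working variant), flags any entry in those ACLs that carries `log` or `log-input`, and produces a corrected copy with the keyword stripped from NAT ACLs only. It goes beyond the thread by also covering named ACLs and route-map references. The sample configuration is constructed by combining the snippets posted above, with one assumed extra line (`ip nat inside source list nat-source interface FastEthernet0/0`) so that a named ACL is exercised; the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the poster's configuration with the "log" keyword still
# on access-list 1, plus the named ACL and route-map variants from the replies.
# The "list nat-source interface" line is an assumption added for the demo.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 213.70.2.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.8.1 255.255.248.0
 ip nat inside
!
ip nat pool pool1 213.70.2.2 213.70.2.2 netmask 255.255.255.252
ip nat inside source list 1 pool pool1 overload
ip nat inside source route-map isp1 pool pool1 overload
ip nat inside source list nat-source interface FastEthernet0/0
!
access-list 1 permit 192.168.8.0 0.0.7.255 log
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
!
ip access-list standard nat-source
 permit 192.168.8.0 0.0.7.255
!
route-map isp1 permit 10
 match ip address 101
 match interface FastEthernet0/0
"""

# Matches the "log" and "log-input" ACL keywords but not words like "logging".
LOG_KEYWORD = re.compile(r"\blog(-input)?\b")


def parse_acls(config: str) -> Dict[str, List[str]]:
    """Return {acl number or name: [entry text]} for numbered and named ACLs."""
    acls: Dict[str, List[str]] = {}
    current = None  # name of the named ACL whose indented entries we are in
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) (.*)", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2).strip())
            current = None
            continue
        m = re.match(r"ip access-list (standard|extended) (\S+)", line)
        if m:
            current = m.group(2)
            acls.setdefault(current, [])
            continue
        if current and line.startswith(" "):
            acls[current].append(line.strip())
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the named ACL
    return acls


def nat_acl_references(config: str) -> Dict[str, str]:
    """Map each ACL that NAT uses to a short description of how it is referenced."""
    refs: Dict[str, str] = {}
    route_maps_used = set()
    for line in config.splitlines():
        m = re.match(r"ip nat (inside|outside) source list (\S+)", line)
        if m:
            refs[m.group(2)] = "ip nat %s source list %s" % (m.group(1), m.group(2))
        m = re.match(r"ip nat (inside|outside) source route-map (\S+)", line)
        if m:
            route_maps_used.add(m.group(2))
    # Second pass: ACLs pulled in by "match ip address" inside a NAT route-map.
    current_rm = None
    for line in config.splitlines():
        m = re.match(r"route-map (\S+) ", line)
        if m:
            current_rm = m.group(1) if m.group(1) in route_maps_used else None
            continue
        if current_rm and line.startswith(" "):
            m = re.match(r"\s+match ip address (.+)", line)
            if m:
                for acl in m.group(1).split():
                    refs[acl] = "route-map %s match ip address" % current_rm
        elif not line.startswith(" "):
            current_rm = None
    return refs


def find_logging_nat_acls(config: str) -> List[Tuple[str, str, str]]:
    """Return (acl, offending entry, how NAT references it) for every NAT ACL
    entry carrying 'log' or 'log-input'."""
    acls = parse_acls(config)
    findings = []
    for acl, how in nat_acl_references(config).items():
        for entry in acls.get(acl, []):
            if LOG_KEYWORD.search(entry):
                findings.append((acl, entry, how))
    return findings


def strip_log_from_nat_acls(config: str) -> str:
    """Return the config with 'log'/'log-input' removed from the entries of ACLs
    that NAT references; ACLs used elsewhere (e.g. on interfaces) keep logging."""
    refs = nat_acl_references(config)
    out: List[str] = []
    in_named_nat_acl = False
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) ", line)
        if m and m.group(1) in refs:
            line = LOG_KEYWORD.sub("", line).rstrip()
        m = re.match(r"ip access-list (standard|extended) (\S+)", line)
        if m:
            in_named_nat_acl = m.group(2) in refs
        elif not line.startswith(" "):
            in_named_nat_acl = False
        elif in_named_nat_acl:
            line = LOG_KEYWORD.sub("", line).rstrip()
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for acl, entry, how in find_logging_nat_acls(SAMPLE_CONFIG):
        print("NAT ACL %s (%s) has a logging entry: %s" % (acl, how, entry))
    print(strip_log_from_nat_acls(SAMPLE_CONFIG))
```

Run against the constructed sample, the lint reports only access-list 1 (the line both replies single out); access-list 101 and nat-source are clean, and the corrected copy differs from the input in exactly that one line. Point it at a real `show running-config` dump before you rely on it: it only understands the `access-list`, `ip access-list`, `ip nat ... source list|route-map` and `route-map` forms shown here.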
