Access List with NAT

arohilla1978
Level 1

Hi

I am applying an access-list on an interface of a 7200 router which is connected to the customer, and I have a server on another port which is NATed to the customer IP range:

Server--switch--7200 Router---MPLS Cloud--Cust Router

Config is as follows:

interface GigabitEthernet0/2
 ip address 10.0.3.50 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
!
interface GigabitEthernet0/3
 ip address 172.31.137.190 255.255.255.252
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
!
ip nat inside source static 10.0.3.5 10.16.22.18

access-list 101 permit tcp host 172.31.137.189 host 172.31.137.190 eq bgp
access-list 101 permit tcp host 10.16.17.51 host 10.16.22.17 eq 5402
access-list 101 permit icmp host 10.16.17.51 host 10.16.22.17

Now I am able to ping, but I am not able to telnet; when I remove the ACL it works fine.

Thanks in advance

Giuseppe Larosa
Hall of Fame

Hello Ashish,

If I understand correctly the server is NATed according to the following line:

ip nat inside source static 10.0.3.5 10.16.22.18

Then on the NAT outside interface you apply the ACL 101:

access-list 101 permit tcp host 172.31.137.189 host 172.31.137.190 eq bgp
access-list 101 permit tcp host 10.16.17.51 host 10.16.22.17 eq 5402
access-list 101 permit icmp host 10.16.17.51 host 10.16.22.17

I'm not sure what you would like to be able to telnet to and from what device.

However, if you want to be able to telnet to the remote router you need a line like:

access-list 101 permit tcp host eq 23 host
access-list 101 permit tcp host eq 23 host

This is because the ACL is applied inbound on the NAT outside interface.

The destination should be a NATed address (inside global).

Hope to help

Giuseppe

Hello Giuseppe

Hope you are doing well.

See, I have a customer to whom I have given connectivity to my LAN through an MPLS circuit. Now the customer has given me a subnet from his private range so that I can NAT one of my servers into that range. That range is 10.16.22.16/29. I have translated my server, whose real IP is 10.0.3.18, to the IP 10.16.22.18 out of the above range which the customer has given me. My router interface which is connected to the MPLS cloud has IP 172.31.137.190. Now I want only the ports which the customer accesses on my server to be opened, so I did the following configuration. But only the BGP session is established and I am not able to connect to the customer server; since I have not applied any outbound ACL I suppose it should work, but I don't know why outbound is blocked while I have applied an inbound ACL on the interface which is going to the customer.

I am sorry for pasting wrong IP addresses in the config; it is 10.16.22.18 and not 10.16.22.17.

interface GigabitEthernet0/2
 ip address 10.0.3.50 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
!
interface GigabitEthernet0/3
 ip address 172.31.137.190 255.255.255.252
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
!
ip nat inside source static 10.0.3.5 10.16.22.18

access-list 101 permit tcp host 172.31.137.189 host 172.31.137.190 eq bgp
access-list 101 permit tcp host 10.16.17.51 host 10.16.22.18 eq 5402
access-list 101 permit icmp host 10.16.17.51 host 10.16.22.18

Thanks and Regards

Hello Ashish,

>> but I don't know why outbound is blocked while I have applied an inbound ACL on the interface which is going to the customer

Probably there are other ports used by the application that are not permitted by the inbound ACL.

For testing you could try a modified version:

access-list 102 permit tcp host 172.31.137.189 host 172.31.137.190 eq bgp
access-list 102 permit tcp host 10.16.17.51 host 10.16.22.18 log
access-list 102 permit icmp host 10.16.17.51 host 10.16.22.18

Then look at the log messages on the router itself to find out what TCP ports are used.

If this is not enough, add a line for UDP.

Later, when you know what ports are needed, you can implement a correct ACL for your needs.

Hope to help

Giuseppe

Dear Giuseppe

When I am trying to telnet to 10.16.17.51 on port 5402 I am getting an open screen, meaning it is working, when no ACL is applied; but when I apply the inbound ACL and try to telnet to IP 10.16.17.51 on port 5402 it is not allowing it. So actually at the moment I am not testing with any application; in this simple case it should allow it. I also tried enabling logging for the ACL but it is not showing me anything when I telnet, which means no inbound traffic is coming.

Best Regards

Hi Ashish,

It's not very clear from where (device/IP) you are trying to telnet to 10.16.17.51 on port 5402. From what I understand, you are trying this from the 7200 router.

If you see "% Connection refused by remote host" when you telnet to 10.16.17.51 on port 5402, it means that this port is open. However, if you get "% Destination unreachable; gateway or host down" this means that the port is being blocked by an ACL.

Although your ACL is allowing destination port 5402 to IP 10.16.22.18 from source 10.16.17.51, the source port would be random, which has not been opened.

If this is not the case please provide the details about the source and destination IP and location w.r.t the topology.

HTH,

Vaibhav

Dear Vaibhav

In the ACL which I have applied, the source is 10.16.17.51 and the destination is 10.16.22.18, which is my server's NAT IP, and I am applying the ACL for all inbound connections, meaning if somebody tries to telnet to my server, i.e. 10.16.22.18, on port 5402 from 10.16.17.51 then he should be allowed. But here I am trying to telnet to 10.16.17.51, which is my customer's server, and my customer has opened telnet from my IP, i.e. 10.16.22.18. Now when I remove these ACLs it works fine, but as soon as I apply the ACL I am not able to telnet to my customer's IP, which is 10.16.17.51. Now the strange thing is that I have not applied any outbound ACL, so why am I not able to telnet to my destination, i.e. 10.16.17.51?

Hope it is clear now.

Best Regards

Hello Ashish,

Be aware that in an extended ACL the well-known port has to be placed in the right position.

So in your case, if the well-known port 5402 has to go with IP address 10.16.17.51, your ACL statement should be different and rewritten as:

access-list 102 permit tcp host 10.16.17.51 eq 5402 host 10.16.22.18

An extended ACL statement performs a complete classification at OSI Layer 4, so the position of the TCP port really counts and can make the difference.

Hope to help

Giuseppe
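
The following is an added example, not code from the thread or from Cisco: a small Python model of how IOS evaluates an extended ACL applied inbound on a NAT-outside interface, using the ACL 101 lines posted above (with the corrected 10.16.22.18 address) and the static NAT line. The traffic is constructed: a ping reply, a customer connection to port 5402, and the reply half of a telnet session that the server itself opens toward 10.16.17.51 (source port 23, ephemeral destination port 40000 assumed). It shows Giuseppe's two points: the inbound ACL is checked against the inside global address before translation, and an "eq" port only matches where it is written (after the source host or after the destination host). The `established` keyword, a real IOS option, is modelled as well although the thread does not mention it.

```python
# Added example (not from the thread or from Cisco): a model of extended ACL
# evaluation and static NAT order on a NAT-outside interface. Addresses and
# ACL lines come from the thread; packets and the ephemeral port are constructed.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"bgp": 179, "telnet": 23}   # named ports used in this thread


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK/RST set, i.e. a reply segment


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None   # "eq N" written after the SOURCE host
    dport: Optional[int] = None   # "eq N" written after the DESTINATION host
    established: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (not self.established or p.ack))


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit tcp host A [eq p] host B [eq p] [established] [log]'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    action, proto, i = tok[2], tok[3], 4

    def endpoint() -> Tuple[str, Optional[int]]:
        nonlocal i
        if tok[i] == "any":
            addr, i = "any", i + 1
        elif tok[i] == "host":
            addr, i = tok[i + 1], i + 2
        else:
            raise ValueError(f"unsupported address form in: {line}")
        port = None
        if i < len(tok) and tok[i] == "eq":      # port belongs to THIS endpoint
            port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
        return addr, port

    src, sport = endpoint()
    dst, dport = endpoint()
    return Ace(action, proto, src, dst, sport, dport, "established" in tok[i:])


def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


def inbound_on_nat_outside(acl: List[Ace], p: Packet, static_nat: Dict[str, str]) -> Optional[Packet]:
    """Outside-to-inside order on IOS: the inbound ACL is checked first, against the
    inside GLOBAL destination, and only then is the destination translated to the
    inside local address. Returns the packet as it reaches the LAN, or None if dropped."""
    if evaluate(acl, p) != "permit":
        return None
    return replace(p, dst=static_nat.get(p.dst, p.dst))


# Static NAT from the thread: inside local 10.0.3.5 <-> inside global 10.16.22.18
NAT = {"10.16.22.18": "10.0.3.5"}

# ACL 101 as posted (with the corrected 10.16.22.18 address)
ACL_101 = [parse_ace(line) for line in (
    "access-list 101 permit tcp host 172.31.137.189 host 172.31.137.190 eq bgp",
    "access-list 101 permit tcp host 10.16.17.51 host 10.16.22.18 eq 5402",
    "access-list 101 permit icmp host 10.16.17.51 host 10.16.22.18",
)]

# Constructed traffic arriving inbound on Gi0/3. The telnet reply is the return
# half of a session the server opened OUT to the customer host on port 23.
PING_REPLY = Packet("icmp", "10.16.17.51", "10.16.22.18")
CUSTOMER_TO_5402 = Packet("tcp", "10.16.17.51", "10.16.22.18", sport=51000, dport=5402)
TELNET_REPLY = Packet("tcp", "10.16.17.51", "10.16.22.18", sport=23, dport=40000, ack=True)

# Same port, two positions: only the second one matches the reply above.
WRONG_POSITION = "access-list 102 permit tcp host 10.16.17.51 host 10.16.22.18 eq 23"
RIGHT_POSITION = "access-list 102 permit tcp host 10.16.17.51 eq 23 host 10.16.22.18"

if __name__ == "__main__":
    print("ping reply       :", inbound_on_nat_outside(ACL_101, PING_REPLY, NAT))
    print("customer -> 5402 :", inbound_on_nat_outside(ACL_101, CUSTOMER_TO_5402, NAT))
    print("telnet reply     :", inbound_on_nat_outside(ACL_101, TELNET_REPLY, NAT))
    for line in (WRONG_POSITION, RIGHT_POSITION):
        print(line, "->", evaluate(ACL_101 + [parse_ace(line)], TELNET_REPLY))
```

Running it reproduces the symptom in the thread: the ICMP reply and the customer's connection to port 5402 are permitted and translated to 10.0.3.5, while the reply to the server's own outbound telnet is dropped by the implicit deny, because the only TCP line for that pair requires destination port 5402. Adding the port in the source position permits it; adding it in the destination position does not.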

Dear Giuseppe

When I am not applying any ACL in the outbound direction and only in the inbound direction, then when I am sending data no ACL should be active; only when data is coming in, not when going out, as I have not applied any ACL in the outbound position, and also there is no return traffic as I am telnetting from inside to outside.

Best Regards
