Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1693
Views
0
Helpful
2
Replies

NAT Deny IP range not matching correctly in ACL

David_Mitchell
Level 1
Level 1

‎02-08-2014 08:05 AM - edited ‎03-04-2019 10:17 PM

Hi all,

Can't believe I am having to ask this but I can't seen to get my head around why this simple task is not working, please help!

I have a simple physical home lab topology R1_SITEA <> ISP <> ISP <> R2_SITE_B

I am trying to NAT all internal subnets from R1 to Web Hosts on the Internet via the ISP.  This works fine, however I also want to exclude the same subnets from being NAT translated when originating from the internal subnets behind R1 to the internal subnets behind R2 at the far end SITE_B.  Sounds simple enough right!

Except when I source from internat subnet 192.168.1.0 /24 to remote internal subnet 192.168.2.0 /24 instead of being denied NAT and then routing down the VPN via the crypto map matched ACL the traffic is missing the deny in the NAT ACL and matching the permit statement after this and hence not hoing on to reach the crypto map but being natted and then dropped by the ISP as you would expect!

I just can't see how this is possible, but the hardware labs never lie......

R1_SITE_A#show access-list
Extended IP access list 101
    10 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    20 permit ip 192.168.1.0 0.0.0.255 any (4 matches)
Extended IP access list VPN_ACL
    10 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    20 deny ip any any log


R1_SITE_A#ping 192.168.2.1 source fa0/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.....
Success rate is 0 percent (0/5)

R1_SITE_A#show access-list
Extended IP access list 101
    10 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    20 permit ip 192.168.1.0 0.0.0.255 any (5 matches)
Extended IP access list VPN_ACL
    10 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    20 deny ip any any log
R1_SITE_A#

As you can see from the before and after above, I am sourcing from 192.168.1.1 /24 and going to 192.168.2.0 /24 but this is not being matched by the NAT ACL 101 Seq 10 and is instead matching Seq 20 and being NAT translated!

Please note, that the Crypto Map is correct and if I remove the ip nat outside statement from the WAN Ser0/0/0 interface I can route 192.168.1.0 /24 through to 192.168.2.0 /24 via the VPN.

Any help gretely appreciated on this as it's bugging the hell out of me

Thanks in advance

David

PS. R1 Running config attached

Labels:
15375466-NAT.txt.zip
0 Helpful
2 Replies 2

cadet alain
VIP Alumni
VIP Alumni

‎02-08-2014 08:25 AM

Hi,

What is puzzling me is that we see only one more hit count on the ACL entry though you sent 5 echo requests.

Can you do this:

access-list 102 permit icmp any 192.168.2.0 0.0.0.255

debug ip packet 102

debug ip nat

do ping 192.168.2.1 source f0/0

and send us the output

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
0 Helpful

David_Mitchell
Level 1
Level 1
In response to cadet alain

‎02-08-2014 09:14 AM

Thanks for the quick reply Alain,

I powered the lab back on to try what you suggested and it started working without any config changes.

No idea what caused it but its working now so was probably something to do with R1!

I have the confirmation output below just for perusal:

R1_SITE_A#clear access-li count

R1_SITE_A#show access-list
Extended IP access list 101
    10 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    20 permit ip 192.168.1.0 0.0.0.255 any
Extended IP access list VPN_ACL
    10 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    20 deny ip any any log
R1_SITE_A#
R1_SITE_A#
R1_SITE_A#
R1_SITE_A#ping 192.168.2.1 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/84/88 ms
R1_SITE_A#
R1_SITE_A#show crypto isa sa
dst             src             state          conn-id slot status
68.44.44.11     212.181.81.4    QM_IDLE              1    0 ACTIVE

R1_SITE_A#show access-list
Extended IP access list 101
    10 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 (5 matches)
    20 permit ip 192.168.1.0 0.0.0.255 any
Extended IP access list VPN_ACL
    10 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 (10 matches)
    20 deny ip any any log
R1_SITE_A#
R1_SITE_A#show crypto map
Crypto Map: "MY-MAP" idb: Serial0/0/0 local address: 212.181.81.4

Crypto Map "MY-MAP" 1 ipsec-isakmp
        Peer = 68.44.44.11
        Extended IP access list VPN_ACL
            access-list VPN_ACL permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
            access-list VPN_ACL deny ip any any
        Current peer: 68.44.44.11
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={
                MY-TSET,
        }
        Interfaces using crypto map MY-MAP:
                Serial0/0/0

R1_SITE_A#ping 68.44.44.11 source fa0/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 68.44.44.11, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/57/60 ms
R1_SITE_A#

Thanks again,

David

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card