New Member

NAT + RACL - inbound ACLs "access-group ... in" Problem

Hi,

I have a cisco WS-C6509 running IOS s72033_rp-IPSERVICESK9-M, Version 12.2(33)SXI5

with a WS-SUP720-3B Rev 5.2 + WS-SUP720 MSFC3 Daughterboard Rev. 2.5.

The problem: I want to use reflexive ACLs to allow machines on the intranet to only access internet stuff and allow the returning packets!

I followed this guide: http://etutorials.org/Networking/Router+firewall+security/Part+IV+Stateful+and+Advanced+Filtering+Technologies/Chapter+8.+Reflexive+Access+Lists/Overview+of+Reflexive+ACLs/

To have all ACLs processed in hardware I can only use access-group ... in statements.

So I use following configuration:

sh run in Vlan2

interface Vlan2
 description IntranetVlan
 ip address 10.0.0.1 255.255.255.0
 ip access-group intranet_in in
 ip nat inside

sh ip access-lists intranet_in

10 deny ip any addrgroup OtherLocalNets
20 permit ip any any reflect intranet_in_racl
30 deny ip any any

sh run in t7/5

interface TenGigabitEthernet7/5
 description InternetUplink
 ip address 123.123.123.123 255.255.255.252
 no ip unreachables
 no cdp enable
 spanning-tree bpdufilter enable
 ip nat outside
 ip access-group internet_in in

sh ip access-lists internet_in

10 evaluate intranet_in_racl
[...] permit [...]
200 deny ip any any

Now the problem is that it does not work this way!

The entries in intranet_in_racl look like this:

permit tcp host 234.234.234.234 eq 80 host 10.0.0.100 eq 43432

If I move the access-list intranet_in into the t7/5 Interface config as

ip access-group intranet_in out

It works - however in software only - slow!

So it seems as if the nat translation is done after the access-group ... in statement on t7/5...

How can I fix this?!

Please help!

Thanks,

Justus

PS: I cannot afford a fwsm module to use ip inspect CBAC rules
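The behaviour described in the post follows from the IOS NAT order of operations: on the inside-to-outside path the inbound ACL on the inside interface is checked before local-to-global translation, and an outbound ACL on the outside interface is checked after it; on the outside-to-inside path the inbound ACL on the outside interface is checked before global-to-local translation. A reflexive entry created by `reflect` on Vlan2 inbound therefore records the inside local address (10.0.0.100 in the post), while the returning packet evaluated inbound on Te7/5 still carries the inside global address. The following simulation is an added illustration, not code from the original post or from Cisco; the one-to-one NAT mapping, the global address and the port numbers are constructed for the demo.

```python
"""Simulate the IOS NAT / ACL order of operations to show why a reflexive
entry recorded on the inside ingress interface never matches return traffic
evaluated on the outside ingress interface when NAT sits between them.

Added illustration, not code from the original post or from Cisco.
Addresses, ports and the one-to-one NAT mapping below are constructed;
the ordering (inbound ACL before translation, outbound ACL after it) is the
documented NAT order of operations.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reversed(self) -> "Packet":
        # The mirror entry a reflexive ACL records for the returning flow.
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


# Constructed NAT table: inside local -> inside global.
NAT_INSIDE_TO_GLOBAL = {"10.0.0.100": "123.123.123.123"}
NAT_GLOBAL_TO_INSIDE = {g: l for l, g in NAT_INSIDE_TO_GLOBAL.items()}


def nat_inside_to_outside(p: Packet) -> Packet:
    """Local->global translation; runs after the inbound ACL on the inside interface."""
    return Packet(p.proto, NAT_INSIDE_TO_GLOBAL.get(p.src, p.src), p.sport, p.dst, p.dport)


def nat_outside_to_inside(p: Packet) -> Packet:
    """Global->local translation; runs after the inbound ACL on the outside interface."""
    return Packet(p.proto, p.src, p.sport, NAT_GLOBAL_TO_INSIDE.get(p.dst, p.dst), p.dport)


def forward_packet(p: Packet, reflect_at: str, cache: set) -> Packet:
    """Inside-to-outside path. reflect_at selects where 'permit ip any any reflect'
    is applied: 'vlan2_in' (inbound on Vlan2) or 't7/5_out' (outbound on Te7/5)."""
    if reflect_at == "vlan2_in":
        cache.add(p.reversed())      # sees the pre-NAT inside local address
    p = nat_inside_to_outside(p)     # translation happens here
    if reflect_at == "t7/5_out":
        cache.add(p.reversed())      # sees the post-NAT inside global address
    return p


def return_packet_permitted(p: Packet, cache: set) -> bool:
    """Outside-to-inside path: 'evaluate' runs in the inbound ACL on Te7/5,
    i.e. before NAT has translated the destination back to the local address."""
    permitted = p in cache           # inbound ACL compares against the global address
    nat_outside_to_inside(p)         # translation would follow, too late for the ACL
    return permitted


def simulate(reflect_at: str) -> bool:
    """Return True if the reply to one outbound TCP session is permitted back in."""
    cache: set = set()
    outbound = Packet("tcp", "10.0.0.100", 43432, "234.234.234.234", 80)
    on_wire = forward_packet(outbound, reflect_at, cache)
    reply = on_wire.reversed()       # the server answers to the global address
    return return_packet_permitted(reply, cache)


if __name__ == "__main__":
    print("reflect on Vlan2 inbound :", simulate("vlan2_in"))   # False: entry holds 10.0.0.100
    print("reflect on Te7/5 outbound:", simulate("t7/5_out"))   # True: entry holds the global address
```

Moving the `reflect` ACL to Te7/5 outbound, as the post reports, succeeds precisely because the outbound ACL is evaluated after translation and so records the same global address that the inbound `evaluate` on Te7/5 later sees.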

1 REPLY
New Member

NAT + RACL - inbound ACLs "access-group ... in" Problem

Could someone from Cisco comment on this, please?
