NAT + RACL - inbound ACLs "access-group ... in" Problem


I have a Cisco WS-C6509 running IOS s72033_rp-IPSERVICESK9-M, Version 12.2(33)SXI5 with a WS-SUP720-3B Rev 5.2 + WS-SUP720 MSFC3 Daughterboard Rev. 2.5.

The problem: I want to use reflexive ACLs to allow machines on the intranet to only access internet stuff and allow the returning packets!

I followed this guide:

To have all ACLs processed in hardware I can only use access-group ... in statements.

So I use following configuration:

    sh run in Vlan2

    interface Vlan2
     description IntranetVlan
     ip address
     ip access-group intranet_in in
     ip nat inside

    sh ip access-lists intranet_in

        10 deny ip any addrgroup OtherLocalNets
        20 permit ip any any reflect intranet_in_racl
        30 deny ip any any

    sh run in t7/5

    interface TenGigabitEthernet7/5
     description InternetUplink
     ip address
     no ip unreachables
     no cdp enable
     spanning-tree bpdufilter enable
     ip nat outside
     ip access-group internet_in in

    sh ip access-lists internet_in

        10 evaluate intranet_in_racl
        [...] permit [...]
        200 deny ip any any

Now the problem is that it does not work this way!

The entries in intranet_in_racl look like this:

    permit tcp host eq 80 host eq 43432

If I move the access-list intranet_in into the t7/5 interface config as

    ip access-group intranet_in out

it works - however in software only - slow!

So it seems as if the NAT translation is done after the access-group ... in statement on t7/5...

How can I fix this?!

Please help!



PS: I cannot afford a FWSM module to use ip inspect CBAC rules
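The following is an added model (not from the post or from Cisco) of the two placements described above. It assumes Cisco's documented NAT order of operations: on the NAT-outside interface an inbound ACL is checked before outside-to-inside translation, and on the way out inside-to-outside translation happens before an outbound ACL. Addresses, ports and the names INSIDE_HOST, NAT_GLOBAL and WEB are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed RFC 5737 sample addresses (assumptions, not from the post).
INSIDE_HOST = "10.0.0.5"       # intranet client behind 'ip nat inside'
NAT_GLOBAL = "198.51.100.1"    # address the client is translated to
WEB = "203.0.113.10"           # internet web server


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


def nat_in_to_out(p: Pkt) -> Pkt:
    """Inside-to-outside translation: rewrite the private source address."""
    return Pkt(NAT_GLOBAL, p.sport, p.dst, p.dport) if p.src == INSIDE_HOST else p


def nat_out_to_in(p: Pkt) -> Pkt:
    """Outside-to-inside translation: rewrite the global destination address."""
    return Pkt(p.src, p.sport, INSIDE_HOST, p.dport) if p.dst == NAT_GLOBAL else p


def reflect(p: Pkt) -> tuple:
    """Entry a 'permit ... reflect' line creates: addresses and ports mirrored."""
    return (p.dst, p.dport, p.src, p.sport)


def evaluate(racl: set, p: Pkt) -> bool:
    """'evaluate <racl>' permits only packets matching a mirrored entry."""
    return (p.src, p.sport, p.dst, p.dport) in racl


def reply_permitted(reflect_on_inside_vlan: bool) -> bool:
    """True if the web server's reply passes 'evaluate' inbound on the uplink."""
    outbound = Pkt(INSIDE_HOST, 43432, WEB, 80)
    racl = set()
    if reflect_on_inside_vlan:
        # intranet_in applied 'in' on Vlan2: entry is built from the pre-NAT
        # packet, so it carries the private address; NAT runs afterwards.
        racl.add(reflect(outbound))
        nat_in_to_out(outbound)
    else:
        # intranet_in applied 'out' on t7/5: NAT has already run, so the
        # entry carries the global address.
        racl.add(reflect(nat_in_to_out(outbound)))
    reply = Pkt(WEB, 80, NAT_GLOBAL, 43432)   # arrives on t7/5 still untranslated
    permitted = evaluate(racl, reply)          # inbound ACL checked before NAT
    nat_out_to_in(reply)                       # translation happens only now
    return permitted
```

With the reflect line on Vlan2 the mirrored entry names the private host while the reply still carries the global address when the inbound ACL runs, so it never matches; with the reflect line outbound on t7/5 both sides see global addresses and the reply is permitted.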

NAT + RACL - inbound ACLs "access-group ... in" Problem

Could someone from Cisco comment on this, please?
