What is this access list doing?

nygenxny123
Level 1

My question... how can you have a permit on a 10. and 192 network after you just denied everything?

This is part of a remote WAH user's access list... all our internal networks are 192.168.x, 10.0.0. or 172.

access-list 110 deny   ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255

access-list 110 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

access-list 110 permit ip 192.168.0.0 0.0.255.255 any

access-list 110 permit ip 10.0.0.0 0.255.255.255 any


Collin Clark
VIP Alumni

The first 2 lines restrict private to private subnets (192.168 and 10 net), the third allows 192.168.0.0/16 to go anywhere (like the internet or your 172 space) and the fourth permits the same for the 10.0.0.0/24.

Giuseppe Larosa
Hall of Fame

Hello Nygenxy,

I would expect an ACL like this used for NAT:

traffic directed to internal and private addresses is denied (= not translated )

traffic to internet destinations is permitted (= Natted)

This would be used if each remote site has its own internet connection and maybe an IPSec tunnel is used over the internet connection for reaching HQ.

Hope to help

Giuseppe

Interesting point.

I just looked at more of the config...

interface FastEthernet0
description Outside
ip address dhcp client-id FastEthernet0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
load-interval 30
duplex auto
speed auto
no cdp enable
crypto ipsec client ezvpn Ciscoreply
service-policy output voip

Yeah, it is a tunnel.

ip nat inside source list 110 interface FastEthernet0 overload

I also don't see a NAT pool configured.

So if all traffic is going out F0... why would we deny traffic to our internal network since it is going out F0?

Jon Marshall
Hall of Fame

nygenxny123 wrote:

My question...how can you have a permit on a 10.  and 192 network after you just denied everything?

This is part of a remote WAH users access list........all our internal network are 192.168.x, 10.0.0. or 172.

access-list 110 deny   ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255

access-list 110 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

access-list 110 permit ip 192.168.0.0 0.0.255.255 any

access-list 110 permit ip 10.0.0.0 0.255.255.255 any

how can you have a permit on a 10. and 192 network after you just denied everything?

You haven't though. You have denied to a specific destination, i.e. 10.0.0.0/24 and 192.168.0.0/16, in the first 2 lines and then allowed to all other destinations, so there is no conflict.

Jon

Hmm.

So we have an 1811 router... with an IPsec tunnel back to an ASA.

All traffic, internet and intranet, gets routed via our network... no split tunneling

and

so anything going to an external network is NATted.

I am denying traffic to the 192.168.0.0 and 10.0.0.0 in the first two lines.

My question is then... how does the user... who gets an IP address as seen below

ip dhcp pool client-dhcp-pool
  import all
  network 192.168.157.232 255.255.255.248
  dns-server 10.11.13.212 10.11.13.180
  netbios-name-server 10.11.13.212
  netbios-node-type h-node
  default-router 192.168.157.233

reach an internal network if she is being denied in the first two lines... or am I missing the NAT altogether?

WAH#sh  ip nat tra
sondrup#sh  ip nat translations
Pro Inside global      Inside local                           Outside local         Outside global
tcp 70.xx8.xxx.235:1034 192.168.157.236:1034    208.19.38.xxx:80  208.xx.38.xxx:80
tcp 70.xx8.xxx.235:1036 192.168.157.236:1036     69.xx.97.xx:80      69.xx.97.xx:80

Hello Nygenxny123,

As I've explained in my first post, what is denied by ACL 110 is not blocked; it is simply not translated when it goes from the NAT inside interface to the NAT outside interface.

The NAT outside interface is also the interface of the VPN tunnel.

For this reason, to avoid NATting when using the tunnel, there are the two deny statements at the beginning.

The sh ip nat translations shows that there are entries of users in net 192.168.157.0 that are NATted when they try to access the internet.

So, this remote site has its own internet access. The VPN tunnel is used to reach HQ.

It is true there is no NAT pool, but all internal addresses are NATted using the public address of the WAN interface (= Inside Global).

With the overload option PAT is performed (use of TCP ports to multiplex/demultiplex different conversations).

Hope to help

Giuseppe

OK, so

anything destined for an internal address is not NATted and anything not destined to an internal address is NATted to the outside interface address.

However... since everything is coming from an internal address of 192.168.157.x... do I really need the last permit statement?


access-list 1 permit 10.10.10.0 0.0.0.255


The reason this came up is because we disabled split tunnel on our ASA.

Users were able to bring up the VPN tunnel but were unable to pass traffic,
so Cisco said we needed the 2 deny statements added at the beginning of the access list.


So I poked around some other remote user routers and found something odd


for example:

interface FastEthernet0
description Outside
ip address dhcp client-id FastEthernet0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside

ip nat inside source list 1 interface FastEthernet0 overload
!
!
logging trap debugging
access-list 1 permit 192.168.164.0 0.0.0.255
access-list 1 permit 10.10.10.0 0.0.0.255


This user has reported no problems, yet from the looks of her access list... she is NATting all
traffic to her outside source IP address? How is she reaching any internal traffic if she
is coming across the network with an external address that she gets from the IP,

yet the user in the first case needs to keep his addressing not NAT'd??

Jon Marshall
Hall of Fame

nygenxny123 wrote:

interesting poing

I just looked at more of the config..

interface FastEthernet0
description Outside
ip address dhcp client-id FastEthernet0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
load-interval 30
duplex auto
speed auto
no cdp enable
crypto ipsec client ezvpn Ciscoreply
service-policy output voip

ip nat inside source list 110 interface FastEthernet0 overload

Then it's as Giuseppe noted. The first 2 lines will not be NATted, i.e. internal traffic or site-to-site VPN traffic, and the other lines will be NATted.

Jon
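As an added example (not posted in the thread), the following Python walks both access lists quoted above the way IOS consults a NAT access list: first match wins, an unmatched packet falls to the implicit deny, and under `ip nat inside source list` a permit means translate while a deny just forwards the packet untranslated. It also shows why ACL 1 on the second router behaves differently: it is a standard ACL, so it is matched on source only and never looks at the destination. The inside host 192.168.157.236 and DNS server 10.11.13.212 come from the outputs above; any other addresses used with it are constructed.

```python
import ipaddress
def ip2int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_match(tokens, i):
    """One IOS address spec at tokens[i] -> (base, wildcard, next_index)."""
    if tokens[i] == "any":                     # base 0, every bit is a don't-care bit
        return 0, 0xFFFFFFFF, i + 1
    base = ip2int(tokens[i])
    if i + 1 < len(tokens) and tokens[i + 1].count(".") == 3:
        return base, ip2int(tokens[i + 1]), i + 2
    return base, 0, i + 1                      # bare address in a standard ACL = one host

def parse_acls(config_text):
    """Return {acl_number: [(action, (src_base, src_wc), (dst_base, dst_wc)), ...]}."""
    acls = {}
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        if t[3] == "ip":                       # extended ACL: protocol, source, destination
            sb, sw, i = parse_match(t, 4)
            db, dw, _ = parse_match(t, i)
        else:                                  # standard ACL: source only, destination ignored
            sb, sw, _ = parse_match(t, 3)
            db, dw = 0, 0xFFFFFFFF
        acls.setdefault(t[1], []).append((t[2], (sb, sw), (db, dw)))
    return acls

def matches(spec, addr):
    base, wildcard = spec                      # wildcard bit 1 = don't care, 0 = must equal base
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def nat_decision(entries, src, dst):
    """First match wins, implicit deny last; permit = NAT the packet, deny = forward it untranslated."""
    s, d = ip2int(src), ip2int(dst)
    for action, sspec, dspec in entries:
        if matches(sspec, s) and matches(dspec, d):
            return "translated" if action == "permit" else "not translated"
    return "not translated"

# ACL lines quoted in the thread: ACL 110 (first router) and ACL 1 (second router)
ACLS = parse_acls("""
access-list 110 deny   ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 110 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 110 permit ip 10.0.0.0 0.255.255.255 any
access-list 1 permit 192.168.164.0 0.0.0.255
access-list 1 permit 10.10.10.0 0.0.0.255
""")
```

`nat_decision(ACLS["110"], "192.168.157.236", "10.11.13.212")` returns "not translated" while the same host to an internet address returns "translated", which is the behaviour Giuseppe and Jon describe. `nat_decision(ACLS["1"], "192.168.164.10", "10.11.13.212")` returns "translated", because a standard ACL matches on source alone.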
