totaram asked:
Cisco NAT Question

Please look at the NAT statement below. Does the 'deny' statement in the access list exempt the packets originating from the 192.168.168.0 subnet from NATting, or ban (stop) the packets from reaching the
destination '218.71.152.113'?

---
ip nat pool ovrld 218.71.154.19 218.71.154.19 prefix-length 24
ip nat inside source list 175 pool ovrld overload
!
logging facility local6
access-list 175 deny   ip 192.168.168.0 0.0.0.255 host 218.71.152.113
access-list 175 permit ip 192.168.168.0 0.0.0.255 any
sstone55423 replied:

Yes, the access list will deny any IP packets from going outbound to 218.71.152.113.

It does not stop NAT, only IP packets from flowing. Packets with other protocols can still flow to that external IP.
Jimmy Larsson, CISSP, CEH replied:
I beg to differ.

That configuration will prevent traffic from 192.168.168.0/24 to the specific 218.x host from being NATted. Whether that traffic is permitted un-NATted or not cannot be seen from the config lines above.

Best regards
Kvistofta!
totaram (asker) replied:
Someone else told me the same, that the deny will exempt the NATting, but I need to ask one question: after all, we are sourcing the access list, and the access list basically stops or allows the traffic!
ASKER CERTIFIED SOLUTION (Jimmy Larsson, CISSP, CEH; the answer text is hidden behind the site's membership wall)
totaram (asker) replied:

Thanks, that is exactly the issue we are facing. One-way audio.
sstone55423 replied:

It is always lame when you give the correct answer and someone hijacks your points.

The access list clearly only blocks IP traffic, not other protocols. It shows allowing other IP traffic, and it is true that it does not show enough detail for anyone to know whether other types of traffic are allowed or not. I suppose one could assume an implicit DENY ALL.

Also, if traffic goes out but does not come back in, that would not be a good example of blocking NAT. The deny rule is oriented towards a type of protocol or traffic, and does not inherently block the process of NAT itself. Yes, the effect is that IP traffic to that specific IP never gets to the point of being NATted. NAT is not disabled, however; it is just that the packets never get to the point of being NATted. My original answer was correct.
totaram (asker) replied:

sstone55423;
I checked with a Cisco VPN engineer via a ticket, and she felt that 'deny' exempts NATting from being performed. Clearly, one needs to have a deny statement in the access list for the public IP and try the setup; I will try it and let you know.
Jimmy Larsson (Kvistofta) replied:

There is no doubt that in the config snippet above the deny statement does exempt from NAT. As I said before, whether traffic is permitted or not is not visible from the snippet above.

/Kvistofta
sstone55423 replied:

Well, of course the NAT is not performed. My original comment answered the question accurately: the access list prevents IP packets from moving forward to NAT. The access list does not inherently block NAT; it is just that no packets get to the NAT. It is a matter of wording. So I was confused why, if I answered the question first and accurately, someone else came along, said that they differed with me, gave the same answer, and yet got the credit.

"Yes, the access list will deny any IP packets from going outbound to 218.71.152.113."
totaram (asker) replied:

OK... Here is the relevant config to set up an IPsec tunnel with overload to a public IP address.
When I include the deny statement in access list 175, the tunnel and traffic come down; without it everything is
all right. So the main question is: when does NATting really take place? Is it after the packets have come
back from the remote end?
---
interface FastEthernet0/0
 ip address 218.71.154.10 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed auto
 half-duplex
 no mop enabled
 crypto map myvpn
 h323-gateway voip interface
!
interface FastEthernet0/1
 ip address 192.168.168.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip default-gateway 218.71.154.254
ip route 0.0.0.0 0.0.0.0 218.71.154.254
!
!
ip http server
no ip http secure-server
ip nat pool ovrld 218.71.154.19 218.71.154.19 prefix-length 24
ip nat inside source list 175 pool ovrld overload
!
access-list 101 permit ip host 218.71.154.19 host 218.71.152.113
access-list 175 permit ip 192.168.168.0 0.0.0.255 any
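The two points argued over in this thread (whether a deny in a NAT ACL drops packets or only leaves them untranslated, and why adding that deny breaks the tunnel) can be checked with a small model of the IOS inside-to-outside path. This is an added example, not code from the thread or from Cisco: it parses the `access-list 175` and `access-list 101` lines posted above and walks a packet through the order IOS documents for inside-to-outside traffic, NAT (`ip nat inside source list`) first, then the crypto map check. The packet addresses are constructed, and it assumes `access-list 101` is the crypto ACL referenced by `crypto map myvpn`, which the posted config does not show. Under those assumptions it shows that the deny never drops anything, it only leaves the 192.168.168.x source untranslated, and an untranslated source then fails the `host 218.71.154.19` crypto ACL, so the packet leaves the router unencrypted.

```python
"""Model of the Cisco IOS inside-to-outside path: NAT ACL, then crypto ACL.

Added example, not from the original thread.  The access-list lines are the
ones posted in the thread; packets and the 'ACL 101 is the crypto ACL'
assumption are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Entry:
    action: str                    # 'permit' or 'deny'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one IOS address spec: 'any', 'host X', or 'X WILDCARD'.
    Assumes contiguous wildcard masks (ipaddress cannot express others)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address((~wildcard) & 0xFFFFFFFF)   # invert wildcard
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False), i + 2


def parse_acl(lines: List[str], number: str) -> List[Entry]:
    """Collect the entries of numbered extended ACL `number` from config text."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[1] != number:
            continue
        action, proto = tokens[2], tokens[3]
        if proto != "ip":           # only 'ip' entries appear in the thread
            raise ValueError(f"unsupported protocol {proto!r}")
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append(Entry(action, src, dst))
    return entries


def acl_lookup(acl: List[Entry], pkt: Packet) -> str:
    """First-match lookup; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in acl:
        if s in e.src and d in e.dst:
            return e.action
    return "deny"


def nat_inside_to_outside(nat_acl: List[Entry], pool_addr: str, pkt: Packet) -> Packet:
    """'ip nat inside source list <acl> pool <pool> overload':
    permit -> rewrite the source to the pool address;
    deny (explicit or implicit) -> packet is left untouched but still forwarded."""
    if acl_lookup(nat_acl, pkt) == "permit":
        return replace(pkt, src=pool_addr)
    return pkt


def egress(nat_acl, crypto_acl, pool_addr: str, pkt: Packet) -> dict:
    """Inside->outside: NAT runs first, then the crypto map's ACL is evaluated
    against the (possibly translated) packet to decide on encryption."""
    after_nat = nat_inside_to_outside(nat_acl, pool_addr, pkt)
    return {
        "forwarded": True,                       # a NAT-ACL deny never drops
        "translated": after_nat.src != pkt.src,
        "src_on_wire": after_nat.src,
        "encrypted": acl_lookup(crypto_acl, after_nat) == "permit",
    }


# ACL lines as posted in the thread; ACL 101 assumed to be the crypto ACL.
CONFIG_WITH_DENY = [
    "access-list 175 deny   ip 192.168.168.0 0.0.0.255 host 218.71.152.113",
    "access-list 175 permit ip 192.168.168.0 0.0.0.255 any",
    "access-list 101 permit ip host 218.71.154.19 host 218.71.152.113",
]
CONFIG_WITHOUT_DENY = [ln for ln in CONFIG_WITH_DENY if " deny " not in ln]
POOL = "218.71.154.19"          # the single address in 'ip nat pool ovrld'


def run(config_lines: List[str], pkt: Packet) -> dict:
    return egress(parse_acl(config_lines, "175"), parse_acl(config_lines, "101"), POOL, pkt)


if __name__ == "__main__":
    to_vpn_peer = Packet("192.168.168.50", "218.71.152.113")   # constructed
    to_internet = Packet("192.168.168.50", "8.8.8.8")           # constructed
    for name, cfg in (("with deny", CONFIG_WITH_DENY), ("without deny", CONFIG_WITHOUT_DENY)):
        print(f"{name:12} -> peer:     {run(cfg, to_vpn_peer)}")
        print(f"{name:12} -> internet: {run(cfg, to_internet)}")
```

With the deny present, the packet to the peer is forwarded but leaves with source 192.168.168.50 and does not match the crypto ACL, so it is sent in the clear; with the deny removed it is translated to 218.71.154.19 and then matches, so it is encrypted. The model only covers the outbound direction; on the return path IOS decrypts before the outside-to-inside NAT translation, which is why the crypto ACL must describe the addresses as they appear after NAT, or the inside addresses must be exempted from NAT and the crypto ACL written for them instead.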