Scott_Smith24
asked on
Cisco NAT and Access List
So I have a Cisco 2921 router with a security license. We have a static IP for our WAN and a CIDR block of 16 IPs for some of our servers. I have 2 route-maps set up that have an access-list assigned to them but don't quite understand how this all works. I understand the ACLs for the external WAN coming in to particular servers but not the internal traffic shaping. We have Cisco switches with a total of 5 VLANs set up.
10.110.109.0/24
10.110.111.0/24
10.110.112.0/24
10.110.113.0/24
The router is on a 10.110.110.0/24
I really don't understand the 100, 101, and 105 access lists and what they are doing. I read Cisco's documentation but am looking for a bit more analysis. Attached is a snippet of my router config.
router-snippet.txt
Scott Smith24,
ip nat inside source route-map nonatme interface GigabitEthernet0/0 overload
This NAT rule is using NAT Overload, which is another name for PAT, Port Address Translation. PAT differs from NAT in that PAT uses ports to keep track of the internal-to-external translation. PAT allows the internal hosts to share a single external IP address. Each host is assigned a unique port number; this is what actually allows them all to share the same external IP address.
So the above NAT rule is saying use PAT and do not NAT these hosts, meaning their internal IP address will remain the same when it leaves the GigabitEthernet0/0 interface. So any host matching the route-map nonatme will share the same external IP address that is assigned to Gig0/0. PAT will assign a unique port number to each host so it can keep track of what host is using what resource. I hope that helps.
ASKER
Thanks a lot for the explanation.
ip nat inside source route-map nonatme interface GigabitEthernet0/0 overload
The NAT statement above allows interface Gig0/0 to translate every possible traffic of your LAN out/in, meaning all your LAN devices using private IP addresses are translated to the IP address of this interface to communicate with the outside world.
1. access-list 100 remark VTY Access-class list
2. access-list 100 remark SDM_ACL Category=1
3. access-list 100 permit ip 10.110.110.0 0.0.0.255 any
4. access-list 100 deny ip any any
The above is as follows:
line 1: says this access-list is for VTY access.
VTY is a virtual terminal line, assigned to an IP address for remote access to a particular device.
line 2: simply says this access is coming from an SDM device (GUI remote access).
line 3: says allow any IP address from this IP network 10.110.110.0 0.0.0.255 to reach any other IP/network within your LAN (10.110.110.1 - 10.110.110.254).
line 4: says deny any other IP address class other than the one specified in line 3 above from getting to this LAN.
As for the 101 list, there are 2 things set up here: NAT and filtering of traffic from host to network and host to host.
The below are the NAT translations:
access-list 101 deny ip host 10.110.110.21 any
access-list 101 deny ip host 10.110.110.18 any
access-list 101 deny ip host 10.110.110.22 any
access-list 101 deny ip host 10.110.110.32 any
access-list 101 deny ip host 10.110.110.36 any
access-list 101 deny ip host 10.110.110.29 any
access-list 101 deny ip host 10.110.110.33 any
access-list 101 deny ip host 10.110.110.19 any
access-list 101 permit ip 10.110.110.0 0.0.0.255 any
access-list 101 permit ip 10.110.112.0 0.0.0.255 any
access-list 101 permit ip 10.110.111.0 0.0.0.255 any
access-list 101 permit ip 10.110.113.0 0.0.0.255 any
access-list 101 permit ip 10.110.114.0 0.0.0.255 any
access-list 105 permit ip 10.110.110.0 0.0.0.255 any
access-list 105 permit ip 10.110.112.0 0.0.0.255 any
access-list 101 deny ip 10.110.110.0 0.0.0.255 10.110.111.0 0.0.0.255
The CLI above denies network 110 from accessing network 111 (10.110.110.0/24 - 10.110.111.0/24).
access-list 105 deny ip 10.110.110.0 0.0.0.255 10.110.111.0 0.0.0.255
This statement is the same as the one above in 101.
access-list 150 permit ip 10.110.111.0 0.0.0.255 10.110.109.0 0.0.0.255
This one, too, denies network 111/24 from accessing network 109/24.
access-list 150 permit ip 10.110.110.0 0.0.0.255 10.110.109.0 0.0.0.255
Denies network 110 from network 109.
access-list 150 permit ip 10.110.112.0 0.0.0.255 10.110.109.0 0.0.0.255
Denies network 102 from accessing network 109.
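As an added example that is not part of the thread or the asker's config: the small Python model below reproduces how IOS evaluates numbered extended ACLs such as 100, 101 and 105 (top-down, first match wins, implicit "deny ip any any" at the end) and flags entries that an earlier entry shadows, which is the check worth running before trusting a NAT or filtering ACL. In a route-map used by `ip nat inside source`, a permit match means "translate" and a deny match means "leave this packet untranslated by this rule". The ACL lines embedded in the block are the ones quoted in the thread, in the order they appear there; the order in the actual router config is not known and is assumed here, and the sample source and destination addresses in the demo are constructed.

```python
"""Toy evaluator for Cisco IOS numbered extended ACLs (ip-only entries).

Added example, not code from the thread. Models first-match, top-down
evaluation with the implicit "deny ip any any" and reports shadowed
entries. ACL order below follows the order quoted in the thread; the
real config order is an assumption.
"""
from dataclasses import dataclass
import ipaddress

ACL_TEXT = """
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 10.110.110.0 0.0.0.255 any
access-list 100 deny ip any any
access-list 101 deny ip host 10.110.110.21 any
access-list 101 deny ip host 10.110.110.18 any
access-list 101 deny ip host 10.110.110.22 any
access-list 101 deny ip host 10.110.110.32 any
access-list 101 deny ip host 10.110.110.36 any
access-list 101 deny ip host 10.110.110.29 any
access-list 101 deny ip host 10.110.110.33 any
access-list 101 deny ip host 10.110.110.19 any
access-list 101 permit ip 10.110.110.0 0.0.0.255 any
access-list 101 permit ip 10.110.112.0 0.0.0.255 any
access-list 101 permit ip 10.110.111.0 0.0.0.255 any
access-list 101 permit ip 10.110.113.0 0.0.0.255 any
access-list 101 permit ip 10.110.114.0 0.0.0.255 any
access-list 105 permit ip 10.110.110.0 0.0.0.255 any
access-list 105 permit ip 10.110.112.0 0.0.0.255 any
access-list 101 deny ip 10.110.110.0 0.0.0.255 10.110.111.0 0.0.0.255
access-list 105 deny ip 10.110.110.0 0.0.0.255 10.110.111.0 0.0.0.255
"""


@dataclass(frozen=True)
class Entry:
    acl: int
    action: str      # "permit" or "deny"
    src_net: int     # network bits as a 32-bit int
    src_wild: int    # wildcard mask: a 1 bit means "don't care"
    dst_net: int
    dst_wild: int
    text: str


def _parse_spec(tok, i):
    """Parse one address spec (any | host A | A WILDCARD) at tok[i]."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return int(ipaddress.IPv4Address(tok[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tok[i]))
    wild = int(ipaddress.IPv4Address(tok[i + 1]))
    return net, wild, i + 2


def parse_acls(text):
    """Return {acl_number: [Entry, ...]} in configuration order; remarks are skipped."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        number, action = int(tok[1]), tok[2]
        if action not in ("permit", "deny") or tok[3] != "ip":
            raise ValueError(f"unsupported entry: {line}")
        src_net, src_wild, i = _parse_spec(tok, 4)
        dst_net, dst_wild, _ = _parse_spec(tok, i)
        acls.setdefault(number, []).append(
            Entry(number, action, src_net, src_wild, dst_net, dst_wild, line.strip()))
    return acls


def _addr_matches(net, wild, addr):
    # Only the bits that are 0 in the wildcard have to agree.
    return (addr & ~wild) == (net & ~wild)


def evaluate(entries, src, dst):
    """First matching entry decides; nothing matched means the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in entries:
        if _addr_matches(e.src_net, e.src_wild, s) and _addr_matches(e.dst_net, e.dst_wild, d):
            return e.action, e.text
    return "deny", "implicit deny ip any any"


def nat_decision(entries, src, dst):
    """Meaning of the ACL result when the ACL is matched by a NAT route-map."""
    return "translate" if evaluate(entries, src, dst)[0] == "permit" else "no-translate"


def _covers(a_net, a_wild, b_net, b_wild):
    # True when every address matched by (b_net, b_wild) is matched by (a_net, a_wild).
    return (b_wild & ~a_wild) == 0 and (a_net & ~a_wild) == (b_net & ~a_wild)


def shadowed_entries(entries):
    """List (index, shadowing_index) for entries that can never be reached."""
    out = []
    for j, b in enumerate(entries):
        for i in range(j):
            a = entries[i]
            if (_covers(a.src_net, a.src_wild, b.src_net, b.src_wild)
                    and _covers(a.dst_net, a.dst_wild, b.dst_net, b.dst_wild)):
                out.append((j, i))
                break
    return out


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    # Constructed sample flows: a LAN host to a documentation address, and LAN to LAN.
    print(evaluate(acls[101], "10.110.110.21", "203.0.113.10"))
    print(nat_decision(acls[101], "10.110.110.50", "203.0.113.10"))
    print(evaluate(acls[101], "10.110.110.50", "10.110.111.5"))
    for num in sorted(acls):
        for j, i in shadowed_entries(acls[num]):
            print(f"ACL {num}: '{acls[num][j].text}' is shadowed by '{acls[num][i].text}'")
```

Run as-is and the shadow report shows why ordering matters in this kind of ACL: placed after `permit ip 10.110.110.0 0.0.0.255 any`, the `deny ip 10.110.110.0 0.0.0.255 10.110.111.0 0.0.0.255` entry in 101 (and likewise in 105) can never match, so 110/24-to-111/24 traffic is handled by the permit above it. `show access-lists` on the router shows per-entry match counters, which is the quickest way to confirm whether a given line ever fires on the real device.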