Cisco NAT and Access List

So I have a Cisco 2921 router with a security license. We have a static IP for our WAN and a CIDR block of 16 IPs for some of our servers. I have 2 route-maps set up that have an access-list assigned to them but don't quite understand how this all works. I understand the ACLs for the external WAN coming in to particular servers but not the internal traffic shaping. We have Cisco switches and a total of 5 VLANs set up.
10.110.109.0/24
10.110.111.0/24
10.110.112.0/24
10.110.113.0/24

The router is on 10.110.110.0/24.
I really don't understand the 100, 101, 105 access lists and what they are doing. I read Cisco's documentation but am looking for a bit more analysis. Attached is a snippet of my router config.
router-snippet.txt
Asked by Scott_Smith24.
Axis52401 (Security Analyst) commented:
ACL 100 is limiting inbound telnet/SSH access and SDM access to the 10.110.110.x subnet only.

ACL 101 probably started as an ACL to deny NAT between the 10.110.110.x subnet and the 10.110.111.x subnet, but then expanded into an allow list which is used elsewhere on the router. In the ASA world it's called a NAT exemption, but in the router world you have to create deny statements for hosts that shouldn't have their IP address NAT'ed.

ACL 105 seems to be the most restrictive ACL.
 - subnet 10.110.110.x cannot talk to 10.110.111.x, but it can talk to anyone else.
 - subnets 110 and 112 can talk to whomever

What they are supposed to accomplish all depends on their placement. But it seems like the idea was to use these ACLs for the different VLANs and restrict which VLANs can talk to the others. Hope that helps.
 
Scott_Smith24 (Author) commented:
So ACL 101 is applied to a route-map nonatme which is set to the external port interface and marked overload. What does that mean?
 
Axis52401 (Security Analyst) commented:
Scott Smith24,

ip nat inside source route-map nonatme interface GigabitEthernet0/0 overload

This NAT rule is using NAT Overload, which is another name for PAT, Port Address Translation. PAT differs from NAT in that PAT uses ports to keep track of the internal-to-external translation. PAT allows the internal hosts to share a single external IP address. Each host is assigned a unique port number; this is what actually allows them all to share the same external IP address.

So the above NAT rule is saying use PAT and do not NAT these hosts, meaning their internal IP address will remain the same when it leaves the GigabitEthernet0/0 interface. So any host matching the route-map nonatme will all share the same external IP address that is assigned to gig0/0. PAT will assign a unique port number to each host so it can keep track of what host is using what resource. I hope that helps.
 
Scott_Smith24 (Author) commented:
Thanks a lot for the explanation
 
emma yemisi commented:
ip nat inside source route-map nonatme interface GigabitEthernet0/0 overload
The NAT statement above allows interface gig0/0 to translate all traffic of your LAN out/in, meaning all your LAN devices using private IP addresses are translated to the IP address of this interface to communicate with the outside world.

1. access-list 100 remark VTY Access-class list
2. access-list 100 remark SDM_ACL Category=1
3. access-list 100 permit ip 10.110.110.0 0.0.0.255 any
4. access-list 100 deny   ip any any
The above is as follows:

line 1: says this access-list is for VTY access.
           VTY is a virtual terminal line, assigned an IP address for remote access to a particular device.
line 2: simply says this access is coming from SDM, a GUI remote-access tool.

line 3: says allow any IP address from this IP network 10.110.110.0 to 0.0.0.255 to reach any other IP/network within
            your LAN (10.110.110.1 - 10.110.110.254)
line 4: says deny any other IP address range other than the one specified in line 3 above from getting to this LAN.


As for the 101 list, there are 2 things set up here: NAT and filtering of traffic from host to network and host to host.
The below are the NAT translations:
access-list 101 deny   ip host 10.110.110.21 any
access-list 101 deny   ip host 10.110.110.18 any
access-list 101 deny   ip host 10.110.110.22 any
access-list 101 deny   ip host 10.110.110.32 any
access-list 101 deny   ip host 10.110.110.36 any
access-list 101 deny   ip host 10.110.110.29 any
access-list 101 deny   ip host 10.110.110.33 any
access-list 101 deny   ip host 10.110.110.19 any
access-list 101 permit ip 10.110.110.0 0.0.0.255 any
access-list 101 permit ip 10.110.112.0 0.0.0.255 any
access-list 101 permit ip 10.110.111.0 0.0.0.255 any
access-list 101 permit ip 10.110.113.0 0.0.0.255 any
access-list 101 permit ip 10.110.114.0 0.0.0.255 any
access-list 105 permit ip 10.110.110.0 0.0.0.255 any
access-list 105 permit ip 10.110.112.0 0.0.0.255 any


access-list 101 deny   ip 10.110.110.0 0.0.0.255 10.110.111.0 0.0.0.255
The CLI above denies network 110 from accessing network 111 (10.110.110.0/24 - 10.110.111.0/24).

access-list 105 deny   ip 10.110.110.0 0.0.0.255 10.110.111.0 0.0.0.255
This statement is the same as the one above in 101.


access-list 150 permit ip 10.110.111.0 0.0.0.255 10.110.109.0 0.0.0.255
This one too denies network 111/24 from accessing network 109/24.

access-list 150 permit ip 10.110.110.0 0.0.0.255 10.110.109.0 0.0.0.255
Denies network 110 from network 109.

access-list 150 permit ip 10.110.112.0 0.0.0.255 10.110.109.0 0.0.0.255
Denies network 102 from accessing network 109.
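A small first-match evaluator for the numbered extended-ACL syntax quoted in this thread, added here as an illustration rather than taken from anyone's router config. It parses a shortened, constructed version of ACL 101 (two of the host denies, the 110-to-111 subnet deny, then the subnet permits) and reports, for a source/destination pair, which action the nonatme route-map would see: permit means the packet is translated by the PAT rule, deny means it is left untranslated. It also shows the ordering caveat: IOS stops at the first matching entry, so the 110-to-111 deny only works if it sits before the permit for 10.110.110.0/24, and a source the list never mentions (10.110.113.5 here) falls through to the implicit deny at the end.

```python
import ipaddress

# Constructed sample in the numbered extended-ACL syntax quoted in the thread:
# "access-list <n> permit|deny ip <src> <dst>", where <src>/<dst> is
# "host A.B.C.D", "any", or "A.B.C.D <wildcard-mask>".
ACL_101 = """
access-list 101 deny   ip host 10.110.110.21 any
access-list 101 deny   ip host 10.110.110.18 any
access-list 101 deny   ip 10.110.110.0 0.0.0.255 10.110.111.0 0.0.0.255
access-list 101 permit ip 10.110.110.0 0.0.0.255 any
access-list 101 permit ip 10.110.111.0 0.0.0.255 any
"""

def _parse_addr(tokens):
    """Consume one address spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # A Cisco wildcard mask is the bitwise inverse of a subnet mask.
    wildcard = int(ipaddress.ip_address(tokens[1]))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_acl(text):
    """Return the ACL as an ordered list of (action, src_net, dst_net)."""
    entries = []
    for line in text.strip().splitlines():
        p = line.split()
        # Skip remarks and anything that is not a plain "ip" entry (all the thread shows).
        if len(p) < 6 or p[0] != "access-list" or p[2] == "remark" or p[3] != "ip":
            continue
        src, rest = _parse_addr(p[4:])
        dst, _ = _parse_addr(rest)
        entries.append((p[2], src, dst))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; every ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    for src, dst in [("10.110.110.21", "8.8.8.8"), ("10.110.110.5", "8.8.8.8"),
                     ("10.110.110.5", "10.110.111.5"), ("10.110.113.5", "8.8.8.8")]:
        print(f"{src} -> {dst}: {evaluate(acl, src, dst)}")  # deny / permit / deny / deny
```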