ACL not working

Juan Pineiro
So I created an ACL and I put it on int g0/0 out.

Not sure if the config is correct.

R0NWGS#sh run
Building configuration...

Current configuration : 3610 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname R0NWGS
!
enable secret 5 $1$mERr$y/Ce7lzaUL0HOujQUgwuB/
!
ip dhcp excluded-address 192.168.2.1 192.168.2.15
ip dhcp excluded-address 192.168.3.1 192.168.3.15
ip dhcp excluded-address 192.168.4.1 192.168.4.15
ip dhcp excluded-address 192.168.6.1 192.168.6.15
ip dhcp excluded-address 192.168.7.1 192.168.7.15
ip dhcp excluded-address 192.168.5.1 192.168.5.15
!
ip dhcp pool hr
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 192.168.2.5
ip dhcp pool acc
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.1
 dns-server 192.168.2.5
ip dhcp pool market
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.1
 dns-server 192.168.2.5
ip dhcp pool SHIP
 network 192.168.6.0 255.255.255.0
 default-router 192.168.6.1
 dns-server 192.168.2.5
ip dhcp pool network
 network 192.168.7.0 255.255.255.0
 default-router 192.168.7.1
 dns-server 192.168.2.5
ip dhcp pool sales
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.1
 dns-server 192.168.2.5
!
ip cef
no ipv6 cef
!
username admin privilege 15 secret 5 $1$mERr$y/Ce7lzaUL0HOujQUgwuB/
!
license udi pid CISCO2911/K9 sn FTX1524Y3UL
!
ip domain-name nwgs.local
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 ip address 50.73.7.209 255.255.255.252
 ip access-group vlans out
 ip nat outside
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1.3
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1.4
 encapsulation dot1Q 4
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1.5
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1.6
 encapsulation dot1Q 6
 ip address 192.168.6.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1.7
 encapsulation dot1Q 7
 ip address 192.168.7.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router eigrp 100
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.4.0
 network 192.168.5.0
 network 192.168.6.0
 network 192.168.7.0
 network 50.0.0.0
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip classless
!
ip flow-export version 9
!
ip access-list extended NAT
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
 permit ip 192.168.4.0 0.0.0.255 any
 permit ip 192.168.5.0 0.0.0.255 any
 permit ip 192.168.6.0 0.0.0.255 any
 permit ip 192.168.7.0 0.0.0.255 any
 permit ip any any
ip access-list extended vlans
 permit ip host 192.168.2.16 host 192.168.8.6
 permit ip host 192.168.3.16 host 192.168.8.6
 permit ip host 192.168.4.16 host 192.168.8.6
 permit ip host 192.168.5.16 host 192.168.8.6
 permit ip host 192.168.6.16 host 192.168.8.6
 permit ip host 192.168.7.16 host 192.168.8.6
 deny ip 192.168.2.0 0.0.0.255 any
 deny ip 192.168.3.0 0.0.0.255 any
 deny ip 192.168.4.0 0.0.0.255 any
 deny ip 192.168.5.0 0.0.0.255 any
 deny ip 192.168.6.0 0.0.0.255 any
 deny ip 192.168.7.0 0.0.0.255 any
 permit ip any any
!
no cdp run
!
line con 0
 password 7 082949420516
 login
!
line aux 0
 password 7 082949420516
 login
!
line vty 0 4
 password 7 082949420516
 login local
!
end
Thank you

Respectfully
J.Pineiro
Cyclops3590 (Sr Software Engineer)

Commented:
is there a reason you're doing NAT at all? or just an academic exercise. Your ACL will technically work but not in the way you're expecting. It'll permit everything. This is because of order of operation. NAT is done prior to ACL evaluation, so your source won't be the other VLANs but the g0/0 interface IP everything is NAT'ed to. In this case, you'll need to apply an ACL to each inbound. This is preferred, at least in my opinion, anyway as extended ACLs should always be as close to source as possible (standard as close to destination).

Cisco URL for order of operations: http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html

Author

Commented:
I'm just practicing everything DHCP, VLANs, ACL. So are you saying that I should create one standard ACL for each sub-interface, each pointing out to interface G0/0 out?
Cyclops3590 (Sr Software Engineer)

Commented:
No. You can only apply a single acl per interface per direction. Well per ip version as well. But that depends on platform and if ACLs can be v4 and v6 at the same time.

You need to create an acl per g0/1.X interface for the inbound direction. That is the only way you will be able to control traffic using the non-translated IP going out the g0/0 interface.

Author

Commented:
I see...

I want to block traffic out of network 192.168.2.0, i.e. PC 192.168.2.16, and at the same time allow the rest of the network on 192.168.2.0 to be able to communicate with the outside. Here is my logic

ip access-list extended vlan2
permit ip host 192.168.2.0 0.0.0.255 any
deny ip  host 192.168.2.16 any
permit ip any any

I'm assuming there is something wrong, but not sure what or if it is just the order.
Can you explain a little more please.

Respectfully
J.Pineiro

Author

Commented:
OK,

So I did the following

ip access-list extended VLAN
 permit ip host 192.168.2.18 any
 deny ip 192.168.2.0 0.0.0.255 any
 permit ip any any
remark .18 access any _ 2.0 deny any

and I placed it on the int g0/1.2 sub-interface in and it works correctly.

But when I place it on the int g0/0 out it doesn't work.

Any ideas as to why ?

Respectfully
J.Pineiro
Cyclops3590 (Sr Software Engineer)

Commented:
Order of operations. The NAT is done before the ACL filtering is done. So by the time the packet reaches the ACL operation the source IP no longer matches the ACL entry you intend it to hit for the deny.

Author

Commented:
I understand what you are saying I just can't see it in my mind...

So are you saying to change the order? If so how ACL then NAT???

How about this...?

How would I go about making it work the way I described it?

Respectfully
J.Pineiro
Cyclops3590 (Sr Software Engineer)
Commented:
You can't change the order of operations. That is baked into the IOS.

You need to apply ACLs on the inbound interface for them to use the ACL you want. Or you get rid of NAT and keep it on outbound.

There is other trickery you could do which would effectively result in blackholing the traffic you want to deny but it's way messier than the above two solutions.

Author

Commented:
OK,

I see what you mean.
More than one way to skin a cat, but way messier.

I see I need more time in understanding NAT, ACL and their operations.

Thank you very much for all of your help and explanations.

Respectfully
J.Pineiro
Cyclops3590 (Sr Software Engineer)

Commented:
No problem. I'd bookmark the link I gave you though. Most network devices do the same order of operations. You just have to remember every packet goes through that order. Well, mostly every packet, but for your purposes for now act like every packet does.

When the packet comes in it hits every operation. At the routing stage the out interface is chosen. That is why the out ACL can't be evaluated until after NAT. NAT is done before the routing decision because you can have it where the destination address is modified and in turn can change the interface it routes out.
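The inside-to-outside order of operations the expert describes (inbound ACL, then NAT, then outbound ACL) can be traced packet by packet. The model below is an added example written for this thread, not the router's code or anything from Cisco: it parses the ACEs of the author's VLAN ACL, applies NAT overload to the posted g0/0 address, and shows why the same ACL denies 192.168.2.16 on g0/1.2 in but permits it on g0/0 out. The destination 8.8.8.8 is a constructed sample.

```python
import ipaddress
# Constructed model of the IOS inside-to-outside order of operations: inbound ACL, NAT, outbound ACL
OUTSIDE_IP = "50.73.7.209"  # g0/0 address from the posted config (NAT overload target)
# The ACL the author applied to g0/1.2 in, one IOS ACE per line
ACL_VLAN = [
    "permit ip host 192.168.2.18 any",
    "deny ip 192.168.2.0 0.0.0.255 any",
    "permit ip any any",
]

def _parse_spec(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Wildcard mask -> prefix length; assumes a contiguous wildcard (0.0.0.255 -> /24)
    wild = int(ipaddress.ip_address(tokens[1]))
    return ipaddress.ip_network((tokens[0], 32 - wild.bit_length()), strict=False), tokens[2:]

def parse_ace(line):
    """'deny ip 192.168.2.0 0.0.0.255 any' -> ('deny', 192.168.2.0/24, 0.0.0.0/0)"""
    action, _proto, *rest = line.split()
    src, rest = _parse_spec(rest)
    dst, _ = _parse_spec(rest)
    return action, src, dst

def acl_action(acl_lines, src, dst):
    """First matching ACE wins; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_lines:
        action, src_net, dst_net = parse_ace(line)
        if s in src_net and d in dst_net:
            return action
    return "deny"

def inside_to_outside(src, dst, inbound_acl=None, outbound_acl=None):
    """Return (forwarded, trace). NAT rewrites the source before the outbound ACL
    runs, so an ACL on g0/0 out only ever sees OUTSIDE_IP as the source."""
    trace = []
    if inbound_acl and acl_action(inbound_acl, src, dst) == "deny":
        trace.append(("inbound ACL on g0/1.x", src, "deny"))
        return False, trace
    src = OUTSIDE_IP  # ip nat inside source ... overload
    trace.append(("NAT", src, "translated"))
    if outbound_acl and acl_action(outbound_acl, src, dst) == "deny":
        trace.append(("outbound ACL on g0/0", src, "deny"))
        return False, trace
    return True, trace
```

Calling `inside_to_outside("192.168.2.16", "8.8.8.8", outbound_acl=ACL_VLAN)` returns `True` because the deny ACE is compared against 50.73.7.209, while the same packet with `inbound_acl=ACL_VLAN` is dropped before NAT.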

Author

Commented:
Understood,

Yes I kept the link it has very useful information.

Again,
Thank you for all of your help, I have been at this for 3 months straight and just when I thought I had it down....NOT
Oh well I'll just keep chipping away at it.

Respectfully
J.Pineiro
