ACL not working

So I created an ACL and I put in on int g0/0 out

Not sure if the config is correct..

R0NWGS#sh run
Building configuration...

Current configuration : 3610 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname R0NWGS
!
enable secret 5 $1$mERr$y/Ce7lzaUL0HOujQUgwuB/
!
ip dhcp excluded-address 192.168.2.1 192.168.2.15
ip dhcp excluded-address 192.168.3.1 192.168.3.15
ip dhcp excluded-address 192.168.4.1 192.168.4.15
ip dhcp excluded-address 192.168.6.1 192.168.6.15
ip dhcp excluded-address 192.168.7.1 192.168.7.15
ip dhcp excluded-address 192.168.5.1 192.168.5.15
!
ip dhcp pool hr
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 192.168.2.5
ip dhcp pool acc
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.1
 dns-server 192.168.2.5
ip dhcp pool market
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.1
 dns-server 192.168.2.5
ip dhcp pool SHIP
 network 192.168.6.0 255.255.255.0
 default-router 192.168.6.1
 dns-server 192.168.2.5
ip dhcp pool network
 network 192.168.7.0 255.255.255.0
 default-router 192.168.7.1
 dns-server 192.168.2.5
ip dhcp pool sales
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.1
 dns-server 192.168.2.5
!
ip cef
no ipv6 cef
!
username admin privilege 15 secret 5 $1$mERr$y/Ce7lzaUL0HOujQUgwuB/
!
license udi pid CISCO2911/K9 sn FTX1524Y3UL
!
ip domain-name nwgs.local
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 ip address 50.73.7.209 255.255.255.252
 ip access-group vlans out
 ip nat outside
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1.3
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1.4
 encapsulation dot1Q 4
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1.5
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1.6
 encapsulation dot1Q 6
 ip address 192.168.6.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1.7
 encapsulation dot1Q 7
 ip address 192.168.7.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router eigrp 100
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.4.0
 network 192.168.5.0
 network 192.168.6.0
 network 192.168.7.0
 network 50.0.0.0
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip classless
!
ip flow-export version 9
!
ip access-list extended NAT
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
 permit ip 192.168.4.0 0.0.0.255 any
 permit ip 192.168.5.0 0.0.0.255 any
 permit ip 192.168.6.0 0.0.0.255 any
 permit ip 192.168.7.0 0.0.0.255 any
 permit ip any any
ip access-list extended vlans
 permit ip host 192.168.2.16 host 192.168.8.6
 permit ip host 192.168.3.16 host 192.168.8.6
 permit ip host 192.168.4.16 host 192.168.8.6
 permit ip host 192.168.5.16 host 192.168.8.6
 permit ip host 192.168.6.16 host 192.168.8.6
 permit ip host 192.168.7.16 host 192.168.8.6
 deny ip 192.168.2.0 0.0.0.255 any
 deny ip 192.168.3.0 0.0.0.255 any
 deny ip 192.168.4.0 0.0.0.255 any
 deny ip 192.168.5.0 0.0.0.255 any
 deny ip 192.168.6.0 0.0.0.255 any
 deny ip 192.168.7.0 0.0.0.255 any
 permit ip any any
!
no cdp run
!
line con 0
 password 7 082949420516
 login
!
line aux 0
 password 7 082949420516
 login
!
line vty 0 4
 password 7 082949420516
 login local
!
end



Thank you

Respectfully
J.Pineiro
Juan Pineiro Asked:
Cyclops3590 Commented:
Is there a reason you're doing NAT at all? Or is it just an academic exercise? Your ACL will technically work, but not in the way you're expecting. It'll permit everything. This is because of order of operation. NAT is done prior to ACL evaluation, so your source won't be the other VLANs but the g0/0 interface IP everything is NAT'ed to. In this case, you'll need to apply an ACL to each inbound. This is preferred, at least in my opinion, anyway, as extended ACLs should always be as close to the source as possible (standard as close to the destination).

Cisco URL for order of operations: http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html
0
Juan Pineiro Author Commented:
I'm just practicing everything: DHCP, VLANs, ACLs. So are you saying that I should create one standard ACL for each sub-interface, each pointing out to interface G0/0 out?
0
Cyclops3590 Commented:
No. You can only apply a single ACL per interface per direction. Well, per IP version as well. But that depends on the platform and whether ACLs can be v4 and v6 at the same time.

You need to create an ACL per g0/1.X interface for the inbound direction. That is the only way you will be able to control traffic using the non-translated IP going out the g0/0 interface.
0
Juan Pineiro Author Commented:
I see...

I want to block traffic out of network 192.168.2.0, i.e. PC 192.168.2.16, and at the same time allow the rest of the network on 192.168.2.0 to be able to communicate with the outside. Here is my logic:

ip access-list extended vlan2
permit ip host 192.168.2.0 0.0.0.255 any
deny ip  host 192.168.2.16 any
permit ip any any

I'm assuming there is something wrong, but I'm not sure what, or if it's just the order.
Can you explain a little more, please?

Respectfully
J.Pineiro
0
Juan Pineiro Author Commented:
OK,

So I did the following

ip access-list extended VLAN
 permit ip host 192.168.2.18 any
 deny ip 192.168.2.0 0.0.0.255 any
 permit ip any any
remark .18 access any _ 2.0 deny any

and I placed it on the int g0/1.2 sub-interface in, and it works correctly.

But when I place it on the int g0/0 out it doesn't work.

Any ideas as to why?

Respectfully
J.Pineiro
0
Cyclops3590 Commented:
Order of operations. The NAT is done before the ACL filtering is done. So by the time the packet reaches the ACL operation, the source IP no longer matches the ACL entry you intend it to hit for the deny.
0
Juan Pineiro Author Commented:
I understand what you are saying, I just can't see it in my mind...

So are you saying to change the order? If so, how? ACL then NAT???

How about this...?

How would I go about making it work the way I described it?

Respectfully
J.Pineiro
0
Cyclops3590 Commented:
You can't change the order of operations. That is baked into the IOS.

You need to apply ACLs on the inbound interface for them to use the ACL you want. Or you get rid of NAT and keep it on outbound.

There is other trickery you could do which would effectively result in blackholing the traffic you want to deny, but it's way messier than the above two solutions.
0
Juan Pineiro Author Commented:
OK,

I see what you mean.
More than one way to skin a cat, but way messier.

I see I need more time in understanding NAT, ACL and their operations.

Thank you very much for all of your help and explanations.

Respectfully
J.Pineiro
0
Cyclops3590 Commented:
No problem. I'd bookmark the link I gave you though. Most network devices do the same order of operations. You just have to remember every packet goes through that order. Well, mostly every packet, but for your purposes for now act like every packet does.

When the packet comes in it hits every operation. At the routing stage the out interface is chosen. That is why the out ACL can't be evaluated until after NAT. NAT is done before the routing decision because you can have it where the destination address is modified, and in turn that can change the interface it routes out.
0
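A constructed Python model of the inside-to-outside order Cyclops3590 describes (inbound ACL on the g0/1.X sub-interface, then NAT, then outbound ACL on g0/0), evaluated against the poster's "VLAN" ACL. This is an added example, not code from the original thread; the outside destination 203.0.113.10 is a constructed value, and the model assumes every inside source is translated to the g0/0 address, as the posted NAT ACL permits.

```python
import ipaddress

# Constructed model of the poster's router: PAT overload translates every
# inside source to the g0/0 address before the outbound ACL is evaluated.
OUTSIDE_IP = "50.73.7.209"            # g0/0 address from the posted config
ANY = ("0.0.0.0", "255.255.255.255")  # "any": base 0.0.0.0, wildcard all-ones


def host(ip):
    """Cisco 'host X' keyword: wildcard 0.0.0.0, every bit must match."""
    return (ip, "0.0.0.0")


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a set bit in the wildcard means don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl, src, dst):
    """Top-down, first match wins; no match means the implicit deny."""
    for action, sbase, swild, dbase, dwild in acl:
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action == "permit"
    return False


# The poster's working ACL "VLAN": permit .18, deny the rest of
# 192.168.2.0/24, then permit everything else.
VLAN_ACL = [
    ("permit", *host("192.168.2.18"), *ANY),
    ("deny", "192.168.2.0", "0.0.0.255", *ANY),
    ("permit", *ANY, *ANY),
]


def inside_to_outside(src, dst, inbound_acl=None, outbound_acl=None):
    """Inside-to-outside order of operations for one packet:
    inbound ACL on g0/1.X -> NAT -> outbound ACL on g0/0.
    Returns (verdict, stage that dropped it, source address at that stage)."""
    if inbound_acl is not None and not acl_permits(inbound_acl, src, dst):
        return ("dropped", "inbound ACL", src)
    translated = OUTSIDE_IP  # assumption: the NAT ACL permits every inside net
    if outbound_acl is not None and not acl_permits(outbound_acl, translated, dst):
        return ("dropped", "outbound ACL", translated)
    return ("forwarded", None, translated)
```

Same ACL, two outcomes: applied inbound on g0/1.2 it drops 192.168.2.16, while applied outbound on g0/0 the deny entry never matches because the source is already 50.73.7.209.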
Juan Pineiro Author Commented:
Understood,

Yes I kept the link it has very useful information.

Again,
Thank you for all of your help, I have been at this for 3 months straight and just when I thought I had it down....NOT
Oh well I'll just keep chipping away at it.

Respectfully
J.Pineiro
0