Dynamic NAT with Pool + local range - HELP

Discussion in 'Routing & Switching' started by albertc30, Nov 15, 2009.

  1. albertc30

    Hello everybody. Me again.
    First of all, thanks to everybody for the help given on my previous post; Static NAT is covered and no longer an issue.
    Now, I am going over Dynamic NAT with an inside local IP range and a local global IP range with overload.
    I was under the impression that using an ACL to specify the inside local IP range would allow me to block certain networks from being translated and going outside, but unless I have done something wrong, they are going outside.

    I have 3 VLANs.

    VLAN10 - Admin - net ID 192.168.28.0/29 - allow NAT to translate
    VLAN20 - It - net ID 192.168.28.8/29 - allow NAT to translate
    VLAN30 - Sales - net ID 192.168.28.16/29 - do not translate

    In my ACL for my local inside range I had;
    permit 192.168.28.0 0.0.0.7
    permit 192.168.28.8 0.0.0.7
    deny any

    I also had;
    permit 192.168.28.0 0.0.0.15
    deny any

    and
    permit host 192.168.28.1
    permit host 192.168.28.2
    permit host 192.168.28.3
    permit host 192.168.28.4
    permit host 192.168.28.5
    permit host 192.168.28.6
    permit host 192.168.28.9
    permit host 192.168.28.10
    permit host 192.168.28.11
    permit host 192.168.28.12
    permit host 192.168.28.13
    permit host 192.168.28.14
    deny any

    and not even like this am I managing to get the Sales VLAN blocked from going out to the internet.
    Would the ACL for the inside local IP range do the job?

    Here's my conf;

    *******************************************

    Router#sh run
    Building configuration...

    Current configuration : 1494 bytes
    !
    version 12.2
    no service password-encryption
    !
    hostname Router
    !
    ip ssh version 1
    !
    interface FastEthernet0/0
    no ip address
    ip nat inside
    duplex auto
    speed auto
    !
    interface FastEthernet0/0.1
    encapsulation dot1Q 10
    ip address 192.168.28.6 255.255.255.248
    !
    interface FastEthernet0/0.2
    encapsulation dot1Q 20
    ip address 192.168.28.14 255.255.255.248
    !
    interface FastEthernet0/0.3
    encapsulation dot1Q 30
    ip address 192.168.28.22 255.255.255.248
    !
    interface FastEthernet9/0
    ip address 75.0.0.1 255.255.255.252
    ip nat outside
    duplex auto
    speed auto
    !
    ip nat pool pool-net 75.0.0.5 75.0.0.6 netmask 255.255.255.252
    ip nat inside source list 10 pool pool-net overload
    ip classless
    !
    !
    access-list 10 permit host 192.168.28.1
    access-list 10 permit host 192.168.28.2
    access-list 10 permit host 192.168.28.3
    access-list 10 permit host 192.168.28.4
    access-list 10 permit host 192.168.28.5
    access-list 10 permit host 192.168.28.6
    access-list 10 permit host 192.168.28.10
    access-list 10 permit host 192.168.28.11
    access-list 10 permit host 192.168.28.12
    access-list 10 permit host 192.168.28.13
    access-list 10 permit host 192.168.28.14
    !
    ip dhcp pool Admin
    network 192.168.28.0 255.255.255.248
    default-router 192.168.28.6
    ip dhcp pool It
    network 192.168.28.8 255.255.255.248
    default-router 192.168.28.14
    ip dhcp pool Sales
    network 192.168.28.16 255.255.255.248
    default-router 192.168.28.22
    !
    line con 0
    line vty 0 4
    login
    !
    end

    Router#

    *********************************************

    and to make me even more curious, when I type #sh ip nat trans I do not see the IPs I want to block there as translated; here's the output:

    Router#sh ip nat tra
    Pro Inside global Inside local Outside local Outside global
    tcp 75.0.0.5:1038 192.168.28.1:1038 75.0.0.2:80 75.0.0.2:80
    tcp 75.0.0.5:1032 192.168.28.10:1032 75.0.0.2:80 75.0.0.2:80
    tcp 75.0.0.5:1030 192.168.28.11:1030 75.0.0.2:80 75.0.0.2:80
    tcp 75.0.0.5:1046 192.168.28.2:1046 75.0.0.2:80 75.0.0.2:80
    tcp 75.0.0.5:1034 192.168.28.3:1034 75.0.0.2:80 75.0.0.2:80

    Router#

    ****************************************************

    Any help is well appreciated.
    Cheers,

    Certifications: CCNA
    WIP: 220-701 - A+
  2. BosonMichael
    You're not blocking them from going out... you're blocking them from being translated.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  3. albertc30

    BosonMichael, you're the man dude.
    I guess it does make sense.
    I don’t know why but I was under the impression that the ACL for the pool would have been enough.
    Thanks for your fast reply mate.
    Cheers
     
    Certifications: CCNA
    WIP: 220-701 - A+
  4. albertc30

    BosonMichael;
    This has been amazing refreshment for my memory.
    I have done this;
    *****************************************
    Router#sh run
    Building configuration...

    Current configuration : 1202 bytes
    !
    version 12.2
    no service password-encryption
    !
    hostname Router
    !
    ip ssh version 1
    !
    interface FastEthernet0/0
    no ip address
    ip access-group 100 in
    ip nat inside
    duplex auto
    speed auto
    !
    interface FastEthernet0/0.1
    encapsulation dot1Q 10
    ip address 192.168.28.6 255.255.255.248
    !
    interface FastEthernet0/0.2
    encapsulation dot1Q 20
    ip address 192.168.28.14 255.255.255.248
    !
    interface FastEthernet0/0.3
    encapsulation dot1Q 30
    ip address 192.168.28.22 255.255.255.248
    ip access-group 100 in
    !
    interface FastEthernet9/0
    ip address 75.0.0.1 255.255.255.252
    ip access-group 5 out
    ip nat outside
    duplex auto
    speed auto
    !
    ip nat pool pool-net 75.0.0.5 75.0.0.6 netmask 255.255.255.252
    ip nat inside source list 10 pool pool-net overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 FastEthernet9/0
    !
    access-list 10 permit 192.168.28.0 0.0.0.15
    access-list 5 permit 75.0.0.4 0.0.0.3
    !
    ip dhcp pool Admin
    network 192.168.28.0 255.255.255.248
    default-router 192.168.28.6
    ip dhcp pool It
    network 192.168.28.8 255.255.255.248
    default-router 192.168.28.14
    ip dhcp pool Sales
    network 192.168.28.16 255.255.255.248
    default-router 192.168.28.22
    !
    line con 0
    line vty 0 4
    login
    !
    end

    Router#
    ******************************************
    I had quite a few problems here and there with creating the ACL.
    First, I had done a standard ACL allowing 192.168.28.0/28 (the first two networks on the /29) out of the router and blocking everything else, but they'd all go out nevertheless and could access the WWW server. Then it hit me: the traffic going out has gone through NAT and has been translated to an IP within the NAT pool, 75.0.0.5 to 75.0.0.6. So I did the ACL again, only allowing that traffic out, and it now works: traffic from networks 192.168.28.0 and 192.168.28.8 goes out and sees the WWW server, and traffic from network 192.168.28.16 does not get through.

    I was under the impression that the ACL statement for the NAT pool of addresses to be translated was enough to block traffic that is not translated. So it's fair to say that an ACL will only allow and/or block traffic when applied to an interface.

    Another thing I experienced was that whenever I'd apply an ACL to the router's Fa0/0, which has subinterfaces .1, .2, and .3, the ACL would not stay on Fa0/0.

    Please comment on this mate.
    Cheers,
     
    Certifications: CCNA
    WIP: 220-701 - A+
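As an added example (not from the thread or either poster), a small Python model of the post 4 router: access-list 10 only decides which sources NAT translates and drops nothing, while access-list 5 applied "out" on FastEthernet9/0 is evaluated after translation, so it permits the pool addresses and drops the untranslated Sales /29. It also shows why the Sales hosts never appear in sh ip nat translations. ACL entries, pool and host addresses come from the thread; the function names are mine.

```python
import ipaddress

# Constructed model of the post 4 router (not the router's real code).
NAT_ACL_10 = [("permit", "192.168.28.0", "0.0.0.15")]   # access-list 10: first two /29s
OUTSIDE_ACL_5 = [("permit", "75.0.0.4", "0.0.0.3")]      # access-list 5: the NAT pool's /30
POOL_NET = ("75.0.0.5", "75.0.0.6")                      # ip nat pool pool-net


def acl_permits(entries, src):
    """Standard ACL check: first matching entry wins, implicit deny at the end."""
    s = int(ipaddress.IPv4Address(src))
    for action, net, wildcard in entries:
        n = int(ipaddress.IPv4Address(net))
        # wildcard bit 1 = don't care, so the bits we compare are the inverse
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (s & care) == (n & care):
            return action == "permit"
    return False


def forward(src, nat_acl=NAT_ACL_10, outside_acl=None):
    """Inside-to-outside path: NAT first, then the outbound ACL on the outside interface.
    Returns (delivered, source address seen by the WWW server, translated?)."""
    translated = acl_permits(nat_acl, src)             # NAT ACL chooses, never drops
    outside_src = POOL_NET[0] if translated else src   # overload reuses one pool address
    if outside_acl is not None and not acl_permits(outside_acl, outside_src):
        return (False, outside_src, translated)        # outbound ACL sees the post-NAT source
    return (True, outside_src, translated)


def nat_table(hosts, nat_acl=NAT_ACL_10):
    """Inside-local addresses that would show up in 'sh ip nat translations'."""
    return [h for h in hosts if forward(h, nat_acl)[2]]


if __name__ == "__main__":
    hosts = ["192.168.28.1", "192.168.28.10", "192.168.28.17"]  # Admin, It, Sales
    print("NAT ACL only (post 1 config):")
    for h in hosts:
        print("  ", h, forward(h))
    print("NAT ACL + access-list 5 out on Fa9/0 (post 4 config):")
    for h in hosts:
        print("  ", h, forward(h, outside_acl=OUTSIDE_ACL_5))
    print("translation table entries:", nat_table(hosts))
```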
  5. BosonMichael
    So what happens when you apply the ACL to the subinterface?
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  6. albertc30

    If applied properly, it does what it should do.
     
    Certifications: CCNA
    WIP: 220-701 - A+
  7. BosonMichael
    That's probably why you can't apply it to the interface - traffic no longer logically flows through the interface; it uses a subinterface.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!