Access-List with NAT
Switch1
Member Posts: 37 ■■□□□□□□□□
in CCNA & CCENT
During my study I've run into a NAT lab with the following configuration,
RouterA(config)#int l0
RouterA(config-if)#ip address 10.1.1.1 255.255.255.0
RouterA(config-if)#ip nat inside
RouterA(config-if)#int l1
RouterA(config-if)#ip address 10.2.2.2 255.255.255.0
RouterA(config-if)#ip nat inside
RouterA(config-if)#int Serial 0/1/0
RouterA(config-if)#ip nat outside
RouterA(config-if)#exit
RouterA(config)#ip nat pool techexams 172.16.1.1 172.16.1.10 netmask 255.255.255.0
RouterA(config)#ip nat inside source list 1 techexams
RouterA(config)#access-list 1 permit 10.1.1.0 0.0.0.255
RouterA(config)#access-list 1 permit 10.2.1.0 0.0.0.255
RouterA(config)#
The lab then gets you to perform a debug ip nat to view pings from RouterA's Loopback 1 and 2, to Router B. (Router B has a static route back to Router A).
The results of the lab are given as follows,
Ping 10.1.1.1 to 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
NAT:s=10.1.1.1->172.16.1.1,d=192.168.1.2[26]!
<!-- omitted for brevity -->
Conclusion: SUCCESSFUL
Ping 10.2.2.2 to 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
NAT:s=10.2.2.2->172.16.1.1,d=192.168.1.2[31]!
<!-- omitted for brevity -->
Conclusion: SUCCESSFUL, BUT WHY?
The access list entry access-list 1 permit 10.2.1.0 0.0.0.255 says to permit addresses whose first 24 bits match, yet this ping is stated as successful in the book. Am I missing something blatantly obvious here, or is this a publishing error and it is meant to say access-list 1 permit 10.2.2.0 0.0.0.255?
A ping from 10.2.2.2 should not be permitted by the ACL; it should be filtered out by the implicit deny all.
Regards
Currently Reading :study:
100-101 ICND1 Official Cert Guide
CCNA in 60 Days
CCENT Study Guide Exam 100-101
OSPF: Anatomy of an Internet Routing Protocol
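An added example, not from the original post or the book it quotes: a small Python model of IOS standard-ACL wildcard matching and pool-based dynamic NAT, used to check the question above. The class and function names (AclEntry, acl_decision, NatPool, simulate, debug_lines) are my own; the ACL entries and pool range are the ones in the configuration above, and ACL_CORRECTED is the 10.2.2.0 variant the poster suspects the book meant. The pool model is simplified (lowest free address, one entry per inside-local host) and is an assumption, not a description of IOS internals.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AclEntry:
    """One line of an IOS standard access list, e.g. 'permit 10.1.1.0 0.0.0.255'."""
    action: str     # "permit" or "deny"
    network: str    # address part of the entry
    wildcard: str   # IOS wildcard mask: 0 bit = must match, 1 bit = don't care


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def entry_matches(entry: AclEntry, addr: str) -> bool:
    """Wildcard test: compare only the bits where the wildcard mask is 0."""
    care_bits = ~ip_to_int(entry.wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care_bits) == (ip_to_int(entry.network) & care_bits)


def acl_decision(acl: List[AclEntry], addr: str) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for entry in acl:
        if entry_matches(entry, addr):
            return entry.action
    return "deny"


class NatPool:
    """Simplified model (assumption) of 'ip nat inside source list <n> pool <name>':
    a permitted inside-local address takes the lowest free inside-global address
    from the pool and keeps it for later packets; denied sources are not translated."""

    def __init__(self, first: str, last: str) -> None:
        self.free = [str(ipaddress.IPv4Address(i))
                     for i in range(ip_to_int(first), ip_to_int(last) + 1)]
        self.table: Dict[str, str] = {}   # inside local -> inside global

    def translate(self, acl: List[AclEntry], inside_local: str) -> Optional[str]:
        if acl_decision(acl, inside_local) != "permit":
            return None                    # ACL denied it: no translation
        if inside_local not in self.table:
            if not self.free:
                return None                # pool exhausted
            self.table[inside_local] = self.free.pop(0)
        return self.table[inside_local]


# ACL exactly as printed in the lab, and the 10.2.2.0 variant the post asks about.
ACL_AS_PRINTED = [AclEntry("permit", "10.1.1.0", "0.0.0.255"),
                  AclEntry("permit", "10.2.1.0", "0.0.0.255")]
ACL_CORRECTED = [AclEntry("permit", "10.1.1.0", "0.0.0.255"),
                 AclEntry("permit", "10.2.2.0", "0.0.0.255")]
POOL_RANGE = ("172.16.1.1", "172.16.1.10")   # ip nat pool techexams ...


def simulate(acl: List[AclEntry], sources: List[str]) -> Dict[str, Optional[str]]:
    """Send one packet from each source through a fresh pool; None = not translated."""
    pool = NatPool(*POOL_RANGE)
    return {src: pool.translate(acl, src) for src in sources}


def debug_lines(acl: List[AclEntry], sources: List[str],
                dst: str = "192.168.1.2") -> List[str]:
    """Render the result in the shape of the 'debug ip nat' lines quoted above."""
    out = []
    for src, glob in simulate(acl, sources).items():
        if glob is None:
            out.append(f"(no NAT entry for s={src}: ACL decision is {acl_decision(acl, src)})")
        else:
            out.append(f"NAT: s={src}->{glob}, d={dst}")
    return out


if __name__ == "__main__":
    for label, acl in (("as printed", ACL_AS_PRINTED), ("10.2.2.0 variant", ACL_CORRECTED)):
        print(f"--- access-list 1 {label} ---")
        for line in debug_lines(acl, ["10.1.1.1", "10.2.2.2"]):
            print(line)
```

Running it shows that, with the ACL as printed, 10.1.1.1 is translated to 172.16.1.1 while 10.2.2.2 falls through to the implicit deny and is never translated; with the 10.2.2.0 entry, both loopbacks are permitted and the second one takes the next free pool address. The wildcard test also handles non-contiguous masks (for example 10.2.0.0 0.0.255.255 matches both loopbacks), which is where hand-checking "the first 24 bits" gets error-prone.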
Comments
-
Heero Member Posts: 486
Would you mind posting the actual config rather than just some of the commands you entered?
-
Hondabuff Member Posts: 667 ■■■□□□□□□□
Packet sent with a source address of 10.1.1.1
covered by ACL access-list 1 permit 10.1.1.0 0.0.0.255
Ping 10.2.2.2 to 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
NAT:s=10.2.2.2->172.16.1.1,d=192.168.1.2[31]!
<!-- omitted for brevity -->
Conclusion: SUCCESSFUL, BUT WHY?
Here is how you do it. RouterA#ping 192.168.1.2 source 10.1.1.1
“The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
-
Switch1 Member Posts: 37 ■■□□□□□□□□
Would you mind posting the actual config rather than just some of the commands you entered?
It was a default configuration; there is no need for the configuration to answer the question I asked.
Packet sent with a source address of 10.1.1.1
covered by ACL access-list 1 permit 10.1.1.0 0.0.0.255
Ping 10.2.2.2 to 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
NAT:s=10.2.2.2->172.16.1.1,d=192.168.1.2[31]!
<!-- omitted for brevity -->
Conclusion: SUCCESSFUL, BUT WHY?
Here is how you do it. RouterA#ping 192.168.1.2 source 10.1.1.1
Aha! Very nice eyes, thanks for that.
Currently Reading :study:
100-101 ICND1 Official Cert Guide
CCNA in 60 Days
CCENT Study Guide Exam 100-101
OSPF: Anatomy of an Internet Routing Protocol