Nat ACL question

Highspade Member Posts: 29
Would anyone know why I am getting this error? Its my external IP hitting my NAT acl and my understanding was that it only checked internal hosts trying to reach outside the network.

%SEC-6-IPACCESSLOGNP: list IP_NAT_ALLOW denied 0 68.x.x.177 -> 0.0.0.0, 675 packets

Comments

  • scheistermeister Member Posts: 748
    Two things come to mind when I see that: one, I am curious how you have it cabled, and two, do you have the NAT inside and outside interfaces defined correctly?
    Give a man fire and he'll be warm for a day. Set a man on fire and he'll be warm for the rest of his life.
  • Highspade Member Posts: 29
    Interface vlan100
    ip nat inside

    Interface Fa4
    ip nat outside


    ip nat inside source list IP_NAT_ALLOW interface FastEthernet4 overload


    ip access-list standard IP_NAT_ALLOW
    permit 172.16.0.0 0.0.255.255
    deny any log


    Obviously I could get rid of this by not logging the deny entry, but I'm more interested in what's happening.

    Everything appears to be working fine.

    *edit*
    It's an 861w; fa4 is cabled directly to the cable modem.
  • kryolla Member Posts: 785
    Your NAT config looks right, but does that log entry have anything to do with your default route?
    Studying for CCIE and drinking Home Brew
  • Highspade Member Posts: 29
    I originally had my default route configured like this

    ip route 0.0.0.0 0.0.0.0 fa4

    It was working, but your comment got me thinking, so I changed it to

    ip route 0.0.0.0 0.0.0.0 dhcp

    This is working as well, but I am still receiving the notification.
  • mamono Member Posts: 776
    VLAN access is controlled by switches. Since this is an integrated router, shouldn't switch ports be assigned to VLAN100?
  • bighornsheep Member Posts: 1,506
    What's your public IP address? Not sure if the error is showing the translated address or inside local but if I am reading the error correctly:
    %SEC-6-IPACCESSLOGNP: list IP_NAT_ALLOW denied 0 68.x.x.177 -> 0.0.0.0

    It looks like you have a 68.x.x.177 IP address coming in to Vlan100 trying to make an outside connection. Since your NAT ACL specifies only to allow 172.16.0.0 /16, the 68.x.x.177 requests get dropped.
    Jack of all trades, master of none
  • Highspade Member Posts: 29
    mamono

    Interfaces FA 0-3 are assigned vlan100 and FA 4 is factory reserved for wan access.

    bighornsheep

    the 68.x address is my external DHCP assigned IP address. I agree, it would seem that the external IP is trying to loop back out for some reason.
  • kryolla Member Posts: 785
    How is your bridging set up?
    Studying for CCIE and drinking Home Brew
  • networker050184 Mod Posts: 11,962
    Have you tried debugging to see the traffic?
    An expert is a man who has made all the mistakes which can be made.
  • Highspade Member Posts: 29
    Might as well post the config.

    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname 861W
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    logging buffered 51200 warnings

    !
    no aaa new-model
    clock timezone MDT -7
    !
    crypto pki trustpoint TP-self-signed-1806584599
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1806584599
    revocation-check none
    rsakeypair TP-self-signed-1806584599
    !
    !
    crypto pki certificate chain TP-self-signed-1806584599
    certificate self-signed 01


    no ip dhcp use vrf connected
    ip dhcp excluded-address 172.16.1.1
    ip dhcp excluded-address 172.16.1.254
    ip dhcp excluded-address 172.16.1.190
    ip dhcp excluded-address 172.16.16.1
    ip dhcp excluded-address 172.16.16.2
    ip dhcp excluded-address 172.16.1.2 172.16.1.50
    !
    ip dhcp pool wireless
    network 172.16.16.0 255.255.255.0
    domain-name HS.LOCAL
    default-router 172.16.16.1
    dns-server 208.67.222.222 208.67.220.220
    !
    ip dhcp pool HS-HOME
    network 172.16.1.0 255.255.255.0
    default-router 172.16.1.1
    dns-server 4.2.2.2 4.2.2.3
    domain-name HS.LOCAL
    lease 6
    !
    !
    ip cef
    no ip domain lookup
    ip domain name HS.LOCAL
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    !
    !
    !
    archive
    log config
    hidekeys
    !
    !
    vlan 100
    name home
    !
    !
    !
    !
    interface FastEthernet0
    switchport access vlan 100
    !
    interface FastEthernet1
    switchport access vlan 100
    !
    interface FastEthernet2
    switchport access vlan 100
    !
    interface FastEthernet3
    switchport access vlan 100
    !
    interface FastEthernet4
    description $ETH-WAN$
    ip address dhcp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface wlan-ap0
    description Service module interface to manage the embedded AP
    ip address 192.168.199.1 255.255.255.0
    arp timeout 0
    !
    interface Wlan-GigabitEthernet0
    description Internal switch interface connecting to the embedded AP
    switchport mode trunk
    !
    interface Vlan1
    ip address 172.16.16.1 255.255.255.0
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    !
    interface Vlan100
    ip address 172.16.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 dhcp
    !
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list IP_NAT_ALLOW interface FastEthernet4 overload
    !
    ip access-list standard IP_NAT_ALLOW
    permit 172.16.0.0 0.0.255.255
    deny any log
    !
    access-list 23 permit 172.16.1.0 0.0.0.255 log
    !
    control-plane
    !
    !
    line con 0
    logging synchronous
    login local
    no modem enable
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    line vty 0 4
    access-class 23 in
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    login local
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    end
  • bighornsheep Member Posts: 1,506
    I just tried this quickly on a 1710; I don't think you need the ip route 0.0.0.0 0.0.0.0 statement.

    ip address dhcp statement for Fa0/4 will inject default route from dhcp message. That might explain why your requests are looping.

    Give it a try.
    Jack of all trades, master of none
  • jezg76 Member Posts: 97
    I did this in a lab. F0/0 is the WAN-side, receiving a DHCP (ip nat outside) and F0/1 is LAN-side (ip nat inside).

    R1#conf t
    R1(conf)#ip access-list log-update threshold 1
    exit
    R1#ping 1.1.1.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 44/75/112 ms
    R1#
    *Mar 1 00:23:01.111: %SEC-6-IPACCESSLOGNP: list 1 denied 0 72.72.72.10 -> 0.0.0.0, 1 packet
    *Mar 1 00:23:01.223: %SEC-6-IPACCESSLOGNP: list 1 denied 0 72.72.72.10 -> 0.0.0.0, 1 packet
    *Mar 1 00:23:01.295: %SEC-6-IPACCESSLOGNP: list 1 denied 0 72.72.72.10 -> 0.0.0.0, 1 packet
    *Mar 1 00:23:01.367: %SEC-6-IPACCESSLOGNP: list 1 denied 0 72.72.72.10 -> 0.0.0.0, 1 packet
    *Mar 1 00:23:01.411: %SEC-6-IPACCESSLOGNP: list 1 denied 0 72.72.72.10 -> 0.0.0.0, 1 packet
    R1#conf t
    R1(conf)#ip access-list standard 1
    R1(conf-std-nacl)#5 deny 72.72.72.0 0.0.0.255
    R1(conf-std-nacl)#end
    R1#ping 1.1.1.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/30/72 ms
    R1#sh ip access-lists
    Standard IP access list 1
    5 deny 72.72.72.0, wildcard bits 0.0.0.255 (5 matches)
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (2 matches)
    20 deny any log (15 matches)

    Weird, though, that denying that before the permit gets rid of the error...

    Learn something new every day.
    policy-map type inspect TACO
    class type inspect BELL
    drop log
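The lab above shows the router's own outside address (72.72.72.10, a locally generated ping) falling through to the NAT ACL's "deny any log" entry. The following is an added example, not code from the thread: it parses %SEC-6-IPACCESSLOGNP lines in the format quoted above, evaluates the denied source against the thread's standard ACL using Cisco wildcard-mask semantics, and separates router-originated hits (the case debugged in this thread) from inside hosts that simply are not covered by the permit. The log lines and addresses (198.51.100.177 standing in for the poster's 68.x.x.177 WAN address, 10.0.0.5 as an unlisted inside host) are constructed for the example.

```python
import ipaddress
import re
from typing import List, Optional

# IOS %SEC-6-IPACCESSLOGNP format quoted in the thread:
#   list <acl> denied <proto> <src> -> <dst>, <n> packet(s)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGNP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+), (?P<count>\d+) packets?"
)

# The thread's NAT ACL as (action, network, wildcard). A wildcard bit of 1 means
# "ignore this bit" when matching, the inverse of a subnet mask.
IP_NAT_ALLOW = [
    ("permit", "172.16.0.0", "0.0.255.255"),
    ("deny", "0.0.0.0", "255.255.255.255"),  # the "deny any log" line
]

# Constructed sample syslog lines (addresses are placeholders, not from the page).
SAMPLE_LOGS = [
    "*Mar 1 00:23:01.111: %SEC-6-IPACCESSLOGNP: list IP_NAT_ALLOW denied 0 198.51.100.177 -> 0.0.0.0, 675 packets",
    "*Mar 1 00:25:10.004: %SEC-6-IPACCESSLOGNP: list IP_NAT_ALLOW denied 0 10.0.0.5 -> 8.8.8.8, 1 packet",
    "*Mar 1 00:26:00.500: %SEC-6-IPACCESSLOGNP: list IP_NAT_ALLOW denied 0 172.16.1.20 -> 8.8.8.8, 3 packets",
]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr matches network under Cisco wildcard-mask semantics."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF  # bits the ACL entry actually compares
    return (a & care) == (n & care)


def acl_action(acl, addr: str) -> str:
    """First match wins; every IOS ACL ends with an implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(addr, network, wildcard):
            return action
    return "deny"


def classify(line: str, outside_ip: str) -> Optional[dict]:
    """Parse one log line and explain why the NAT ACL denied that source."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src = m["src"]
    if src == outside_ip:
        verdict = "router-originated"  # router's own WAN address, as in the lab above
    elif acl_action(IP_NAT_ALLOW, src) == "permit":
        verdict = "mismatch"  # ACL would permit this source: check which list is applied
    else:
        verdict = "unlisted-inside-source"  # inside host not covered by the permit
    return {"acl": m["acl"], "src": src, "dst": m["dst"], "packets": int(m["count"]), "verdict": verdict}


def triage(lines: List[str], outside_ip: str) -> List[dict]:
    return [r for r in (classify(l, outside_ip) for l in lines) if r]
```

Running triage(SAMPLE_LOGS, "198.51.100.177") labels the first line as router-originated, which is the benign case the lab reproduced, and leaves the other two for investigation.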
  • Highspade Member Posts: 29
    Correct me if I'm wrong, but the reason you don't see the error is because you're not logging line 5.

    Since this can be reproduced, is this external IP triggering the NAT ACL normal behavior?

    What is the industry practice for setting these outbound NAT ACL's?
  • kryolla Member Posts: 785
    I have an 851w with my NAT ACL deny statement without the log entry. I deleted the ACL and tried to add the log entry, and it gave me a warning message that the log feature is not supported. Then I found this on the Cisco website confirming it. This is only for the NAT ACL.


    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml#qa40
    Studying for CCIE and drinking Home Brew