NAT Policy Failure Caused by Wrong Sequence of ACL Rules

Publication Date:  2012-07-27 Views:  28 Downloads:  0
Issue Description
The customer intended to block the hosts in the 10.10.1.0/24 segment while the hosts in the rest of the 10.10.0.0/16 segment could still access the public network through NAT. After the customer applied the following configuration, the hosts in the 10.10.1.0/24 segment could still access the public network:
[NE20-Ethernet2/0/2]nat outbound 3000 add 0
[NE20-acl-adv-3000]dis thi
#
acl number 3000
rule 4 permit ip source 10.10.0.0 0.0.255.255
rule 5 deny ip source 10.10.1.0 0.0.0.255
Alarm Information
Null
Handling Process
When multiple rules are configured under the same ACL, the rules are evaluated in ascending order of rule number, and the first rule a packet matches decides the result; later rules are not consulted.
In the preceding configuration, the traffic the customer intended to block (source 10.10.1.0/24) is also contained in 10.10.0.0/16, so it first matched:
rule 4 permit ip source 10.10.0.0 0.0.255.255
The deny in rule 5 was never reached, so NAT translation was performed. Adjust the sequence of the two rules so that the deny rule for 10.10.1.0/24 has a lower rule number than the permit rule for 10.10.0.0/16.
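The first-match behaviour described above, as an added example that is not part of the original article: a small Python model of ascending-order ACL evaluation with Huawei-style wildcard masks (a 0 bit must match, a 1 bit is ignored), run against the rule order the customer configured and against the corrected order. It also includes a check that reports any rule shadowed by an earlier, broader rule of the opposite action, which is the defect in the original ACL. The rule numbers, addresses and wildcards are the article's; the function names and the sample host addresses are constructed for the example.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class AclRule(NamedTuple):
    number: int     # rule number; lower numbers are evaluated first
    action: str     # "permit" or "deny"
    source: str     # source address, e.g. "10.10.0.0"
    wildcard: str   # wildcard mask: a 0 bit must match, a 1 bit is "don't care"


MASK32 = 0xFFFFFFFF


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def care_bits(rule: AclRule) -> int:
    """Bits of the source address that the rule actually compares."""
    return ~_to_int(rule.wildcard) & MASK32


def rule_matches(rule: AclRule, src: str) -> bool:
    care = care_bits(rule)
    return (_to_int(src) & care) == (_to_int(rule.source) & care)


def evaluate(rules: List[AclRule], src: str,
             default: str = "deny") -> Tuple[str, Optional[int]]:
    """First-match evaluation in ascending rule-number order.

    Returns (action, rule number) of the first matching rule, or
    (default, None) when nothing matches.  Once a rule matches, later
    rules are never consulted, which is why rule 5 in the article's ACL
    never takes effect.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, src):
            return rule.action, rule.number
    return default, None


def find_shadowed(rules: List[AclRule]) -> List[Tuple[int, int]]:
    """Report (shadowed rule, shadowing rule) pairs.

    A rule is shadowed when an earlier rule with the opposite action covers
    every source address the later rule could match: the earlier rule
    compares a subset of the later rule's bits and agrees on all of them.
    """
    ordered = sorted(rules, key=lambda r: r.number)
    shadowed = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.action == later.action:
                continue
            care_e, care_l = care_bits(earlier), care_bits(later)
            subset = (care_e & ~care_l & MASK32) == 0
            agree = (_to_int(later.source) & care_e) == (_to_int(earlier.source) & care_e)
            if subset and agree:
                shadowed.append((later.number, earlier.number))
                break
    return shadowed


# Rules exactly as shown in the article's "display this" output.
WRONG_ORDER = [
    AclRule(4, "permit", "10.10.0.0", "0.0.255.255"),
    AclRule(5, "deny",   "10.10.1.0", "0.0.0.255"),
]

# Corrected order: the more specific deny is numbered below the broad permit.
FIXED_ORDER = [
    AclRule(4, "deny",   "10.10.1.0", "0.0.0.255"),
    AclRule(5, "permit", "10.10.0.0", "0.0.255.255"),
]


if __name__ == "__main__":
    # Constructed sample hosts: one inside the segment to block, one outside it.
    for host in ("10.10.1.25", "10.10.2.25"):
        print(host, "wrong order ->", evaluate(WRONG_ORDER, host),
              "| fixed order ->", evaluate(FIXED_ORDER, host))
    print("shadowed in wrong order:", find_shadowed(WRONG_ORDER))
    print("shadowed in fixed order:", find_shadowed(FIXED_ORDER))
```

Running `find_shadowed` over an ACL before applying it to a NAT policy catches this class of misconfiguration without needing to test traffic: in the wrong order it reports rule 5 as shadowed by rule 4, and in the corrected order it reports nothing.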
 
Root Cause
1. Wrong configuration
2. ACL failure 

 
Suggestions
Null