
NAT Policy Failure Caused by Wrong Sequence of ACL Rules

Publication Date:  2019-07-04  |   Views:  215  |   Downloads:  0  |   Author:  SU1001732184  |   Document ID:  EKB0000358603


Issue Description

The customer intended to block certain hosts in a network segment from accessing the public network, while the remaining hosts in the segment could still access the public network through NAT. After the customer applied the following configuration, the hosts that were supposed to be blocked could still access the public network:
[NE20-Ethernet2/0/2]nat outbound 3000 add 0
[NE20-acl-adv-3000]dis thi
acl number 3000
rule 4 permit ip source
rule 5 deny ip source


Alarm Information


Handling Process

When multiple rules are configured in the same ACL, they are matched in ascending order of rule ID, and the first rule that matches a packet decides the result; later rules are not evaluated for that packet.
In the preceding configuration, the traffic that the customer intended to block first matched:
rule 4 permit ip source
NAT translation was therefore performed on that traffic, and rule 5 (deny) was never reached. To fix the problem, adjust the sequence of the two rules so that the deny rule has the smaller rule ID and is matched before the permit rule.
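The following Python simulation is an added example, not part of the original article, and it uses hypothetical source addresses (192.168.1.0/24 and host 192.168.1.100) because the article's own addresses are not shown. It parses rules in the VRP display syntax, evaluates them in ascending rule-ID order with first-match semantics, derives the NAT outbound decision (only a permit match is translated), and flags rules that are shadowed by an earlier, broader rule, which is exactly the condition behind this case.

```python
"""Simulate Huawei VRP ACL first-match evaluation under a NAT outbound policy.

Added example, not from the original article. The rule lines below use
hypothetical (constructed) source addresses.
"""
import ipaddress

# Constructed ACL 3000 as the customer configured it: the broad permit has the
# smaller rule ID, so it is matched first and the deny never takes effect.
MISORDERED_ACL = [
    "rule 4 permit ip source 192.168.1.0 0.0.0.255",
    "rule 5 deny ip source 192.168.1.100 0",
]

# Corrected ordering: the specific deny gets the smaller rule ID.
CORRECTED_ACL = [
    "rule 4 deny ip source 192.168.1.100 0",
    "rule 5 permit ip source 192.168.1.0 0.0.0.255",
]


def parse_rule(line):
    """Parse 'rule <id> <permit|deny> ip source <addr> <wildcard>' into (id, action, network).

    VRP wildcard masks use 0 bits for 'must match'; a bare '0' means a single host.
    Only contiguous wildcards are supported here (they map to a prefix length);
    a non-contiguous wildcard raises ValueError from ipaddress.
    """
    parts = line.split()
    rule_id, action, addr = int(parts[1]), parts[2], parts[5]
    wildcard = parts[6] if len(parts) > 6 else "0"
    if wildcard == "0":
        wildcard = "0.0.0.0"
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    network = ipaddress.IPv4Network(
        (addr, str(ipaddress.IPv4Address(netmask))), strict=False
    )
    return rule_id, action, network


def first_match(acl, src_ip):
    """Return (rule_id, action) of the first matching rule in ascending rule-ID order,
    or (None, None) when no rule matches."""
    ip = ipaddress.IPv4Address(src_ip)
    for rule_id, action, network in sorted(map(parse_rule, acl), key=lambda r: r[0]):
        if ip in network:
            return rule_id, action
    return None, None


def nat_applied(acl, src_ip):
    """'nat outbound <acl>' semantics: only a permit match is translated;
    a deny match or no match leaves the packet untranslated."""
    return first_match(acl, src_ip)[1] == "permit"


def shadowed_rules(acl):
    """Rule IDs whose source network is fully covered by an earlier rule,
    so they can never match any packet."""
    rules = sorted(map(parse_rule, acl), key=lambda r: r[0])
    shadowed = []
    for i, (rule_id, _, network) in enumerate(rules):
        if any(network.subnet_of(earlier) for _, _, earlier in rules[:i]):
            shadowed.append(rule_id)
    return shadowed


if __name__ == "__main__":
    for name, acl in (("misordered", MISORDERED_ACL), ("corrected", CORRECTED_ACL)):
        rid, action = first_match(acl, "192.168.1.100")
        print(f"{name}: 192.168.1.100 hits rule {rid} ({action}); "
              f"NAT applied={nat_applied(acl, '192.168.1.100')}; "
              f"shadowed rules={shadowed_rules(acl)}")
```

Running shadowed_rules over a pasted display output before applying a NAT or packet-filter ACL catches this class of mistake in advance: any rule it reports is dead configuration, and a dead deny rule means traffic you think is blocked is not.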

Root Cause

1. Incorrect configuration: the ACL rules were entered in the wrong order, with the broad permit rule given a smaller rule ID than the specific deny rule.
2. ACL matching behavior: because rules are matched in ascending order of rule ID and the first match wins, the permit rule was hit first and the deny rule never took effect, so the traffic was translated by NAT.