As shown in Figure 1-1, the router functions as the enterprise egress. The firewall function is configured on the router to control host access from the Internet to the internal server of the enterprise. The NAT function is configured on the router to translate the IP address of the internal server to the public address 18.104.22.168.
Figure 1-1 ACL-based access control
The related configuration file is as follows:
nat static protocol tcp global ip 22.214.171.124 inside ip 10.26.103.70 //Configure the one-to-one mapping from the private address 10.26.103.70 to public address 126.96.36.199
acl number 3000 //Configure a rule that forbids the PC with the address 188.8.131.52 from sending IP packets to 184.108.40.206.
ip address 220.127.116.11 255.255.255.224
packet-filter 3000 inbound //Perform packet filtering in the inbound direction.
However, the ACL rule does not take effect, and the PC can still access the internal server.
The invalid ACL policy is caused by improper firewall configuration or ACL configuration.
1. Check whether the firewall function is enabled.
The firewall enable command exists in the configuration file. Run the display firewall zone command to view the configuration of the specified security zone. The command output shows that the firewall function is enabled; therefore, the invalid ACL rule is not caused by the firewall configuration.
2. Check whether the ACL rule is correct.
Check the ACL rule. The configuration file of the router shows that the ACL rule forbids the PC from sending IP packets to the public IP address 18.104.22.168. However, the NAT function configured on the router translates that public address to the internal address 10.26.103.70 before the packet filter examines the packet. Therefore, the rule must be configured to forbid the PC from sending IP packets to the IP address 10.26.103.70. Modify the ACL rule as follows:
acl number 3000
rule 1 deny ip source 22.214.171.124 0 destination 10.26.103.70 0
rule 2 permit ip
After the modification, the PC cannot access the internal server.
Therefore, the firewall packet filtering function does not take effect because the ACL rule is incorrectly configured.
After NAT and the firewall are configured on the AR, the NAT function for incoming packets takes effect before the firewall function, so the packet filter sees the already-translated packet. The private address of the internal server produced by NAT must therefore be specified as the destination address in the ACL rule. If the public address before NAT (126.96.36.199) is used as the destination address, the ACL rule never matches and is invalid.
When the firewall and NAT functions are configured on the AR simultaneously, pay attention to the sequence in which the functions take effect:
In the inbound direction: The NAT function takes effect first.
In the outbound direction: The firewall function takes effect first.
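The following added example is not part of the original case or of any AR product code; it is a small Python model of the processing order described above, using the server's public and private addresses and the PC address from the case. It applies static NAT before the ACL packet filter in the inbound direction and the packet filter before NAT in the outbound direction, and shows why an ACL written against the public address never matches while one written against the private address does. The "permit when no rule matches" default is an assumption of the model, not a statement about AR behaviour.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Addresses from the case description (constructed scenario, not live data).
PUBLIC_IP = "18.104.22.168"   # public address of the internal server (global ip)
PRIVATE_IP = "10.26.103.70"   # private address of the internal server (inside ip)
PC_IP = "188.8.131.52"        # PC on the Internet

NAT_STATIC = {PUBLIC_IP: PRIVATE_IP}  # one-to-one static NAT: global -> inside


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    action: str         # "deny" or "permit"
    src: Optional[str]  # None matches any source
    dst: Optional[str]  # None matches any destination


def nat_inbound(pkt: Packet) -> Packet:
    """Inbound static NAT: rewrite a public destination to the private server address."""
    return replace(pkt, dst=NAT_STATIC.get(pkt.dst, pkt.dst))


def nat_outbound(pkt: Packet) -> Packet:
    """Outbound static NAT: rewrite a private source to its public address."""
    inside_to_global = {inside: glob for glob, inside in NAT_STATIC.items()}
    return replace(pkt, src=inside_to_global.get(pkt.src, pkt.src))


def acl_filter(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins. Assumption: a packet matching no rule is permitted."""
    for rule in rules:
        src_ok = rule.src is None or rule.src == pkt.src
        dst_ok = rule.dst is None or rule.dst == pkt.dst
        if src_ok and dst_ok:
            return rule.action
    return "permit"


def process_inbound(rules: List[Rule], pkt: Packet) -> Tuple[str, Packet]:
    """Inbound order on the AR: NAT first, then the packet filter sees the translated packet."""
    translated = nat_inbound(pkt)
    return acl_filter(rules, translated), translated


def process_outbound(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Packet]]:
    """Outbound order on the AR: the packet filter sees the untranslated packet, then NAT."""
    action = acl_filter(rules, pkt)
    return action, (nat_outbound(pkt) if action == "permit" else None)


# ACL 3000 as originally written: deny keyed on the public address.
ACL_ON_PUBLIC = [Rule("deny", PC_IP, PUBLIC_IP), Rule("permit", None, None)]
# ACL 3000 after the fix: deny keyed on the private address the filter actually sees.
ACL_ON_PRIVATE = [Rule("deny", PC_IP, PRIVATE_IP), Rule("permit", None, None)]

INBOUND_FROM_PC = Packet(src=PC_IP, dst=PUBLIC_IP)
REPLY_FROM_SERVER = Packet(src=PRIVATE_IP, dst=PC_IP)


if __name__ == "__main__":
    for name, acl in (("deny on public", ACL_ON_PUBLIC), ("deny on private", ACL_ON_PRIVATE)):
        action, seen = process_inbound(acl, INBOUND_FROM_PC)
        print(f"inbound, {name}: filter sees dst {seen.dst} -> {action}")
    action, out = process_outbound([Rule("deny", PRIVATE_IP, None)], REPLY_FROM_SERVER)
    print(f"outbound, deny on private src -> {action}, forwarded as {out}")
```

Running the block prints that the inbound packet is permitted under the original ACL (the filter sees destination 10.26.103.70, which the deny rule on 18.104.22.168 never matches) and denied under the corrected ACL. In the outbound direction the filter runs before NAT, so a rule that should block the server's replies must likewise use the private source address.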