
After Some IP Addresses Are Configured Not to Be Implemented with NAT (NAT Exclusion) on the Outbound Interface of an NE20E-S, Matched Packets Fail to Be Forwarded

Publication Date: 2019-07-17

Issue Description

A customer wants NAT to be applied to only some IP addresses. However, after the following NAT configuration is performed, the IP addresses denied in the ACL can no longer communicate with the external network.

Handling Process

The NAT configuration is as follows, with GigabitEthernet0/2/0 as the outbound interface:

acl number 3001
rule 5 deny ip source x.x.168.130 0
rule 10 deny ip source 192.168.0.2 0
rule 15 deny ip source 192.168.0.3 0
rule 20 deny ip source 10.1.7.201 0
rule 25 permit ip

interface GigabitEthernet0/2/0
description To_WAN
undo shutdown
ip address x.x.6.56 255.255.255.224
dcn
nat bind acl 3001 instance nat1

The NAT entries are normal. Traffic statistics and packet header capture show that packets with the source IP address x.x.168.130 are not sent out of G 0/2/0. The same packets are sent out of G 0/2/0 once the NAT policy is removed.

Based on test results and the product documentation, if NAT is bound to the outbound interface, packets denied by the ACL are directly discarded rather than excluded from translation. If NAT is applied on the inbound interface through a traffic policy, packets that are not classified for NAT are forwarded without translation (NAT exclusion). The test passes after the following configuration is added:

acl number 3001
rule 5 permit ip source x.x.168.130 0
rule 10 permit ip source 192.168.0.2 0
rule 15 permit ip source 192.168.0.3 0
rule 20 permit ip source 10.1.7.201 0
#
acl number 3002
rule 5 permit ip destination x.x.x.x 0.0.0.x   //x.x.x.x 0.0.0.x is the destination network whose route uses G 0/2/0 as the outbound interface
#
traffic classifier NoNAT
 if-match acl 3001
#
traffic classifier NAT
 if-match acl 3002
#
traffic behavior NoNAT
 permit
#
traffic behavior NAT
 nat bind instance 3333
#
traffic policy NAT
 classifier NoNAT behavior NoNAT   //listed first so excluded hosts are matched before the NAT classifier
 classifier NAT behavior NAT
#
interface GigabitEthernet0/1/1   //Private network interface
 traffic-policy NAT inbound
#
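As an added illustration that is not part of the original article, the following Python model replays the two placements described above over sample packets: a first-match wildcard ACL lookup, the outbound-interface binding where an ACL deny drops the packet, and the inbound traffic policy where an unclassified packet is simply forwarded without NAT. The host 10.10.168.130 (standing in for the masked x.x.168.130) and the network 203.0.113.0/24 (assumed to be the route via G 0/2/0) are constructed placeholders.

```python
import ipaddress

# Constructed rules in the article's "rule <id> {permit|deny} ip source <addr> <wildcard>" form.
# 10.10.168.130 stands in for the masked x.x.168.130; 203.0.113.0/24 is an assumed WAN-side route.
ACL_3001_OUTBOUND = [  # original failing ACL: deny the excluded hosts, then permit ip
    ("deny", "10.10.168.130", "0"), ("deny", "192.168.0.2", "0"),
    ("deny", "192.168.0.3", "0"), ("deny", "10.1.7.201", "0"),
    ("permit", "0.0.0.0", "255.255.255.255"),  # rule 25 permit ip (any source)
]
ACL_3001_INBOUND = [  # corrected ACL: permit-only list of the excluded hosts
    ("permit", "10.10.168.130", "0"), ("permit", "192.168.0.2", "0"),
    ("permit", "192.168.0.3", "0"), ("permit", "10.1.7.201", "0"),
]
ACL_3002_DEST = [("permit", "203.0.113.0", "0.0.0.255")]  # traffic routed out of G 0/2/0

def _wildcard(mask):
    """Huawei accepts a bare '0' as shorthand for the host wildcard 0.0.0.0."""
    return int(ipaddress.IPv4Address("0.0.0.0" if mask == "0" else mask))

def acl_match(rules, addr):
    """First-match lookup. Wildcard bit 0 = must match, 1 = don't care.
    Returns 'permit', 'deny', or None when no rule matches."""
    a = int(ipaddress.IPv4Address(addr))
    for action, rule_addr, mask in rules:
        w = _wildcard(mask)
        if (a & ~w) == (int(ipaddress.IPv4Address(rule_addr)) & ~w):
            return action
    return None

def nat_on_outbound_interface(src, dst):
    """'nat bind acl 3001 instance nat1' on the WAN interface: a denied packet is
    discarded instead of being excluded from NAT (the article's failure mode)."""
    action = acl_match(ACL_3001_OUTBOUND, src)
    if action == "deny":
        return "dropped"
    # rule 25 matches every remaining source, so None never occurs here
    return "translated" if action == "permit" else "forwarded untranslated"

def nat_via_inbound_traffic_policy(src, dst):
    """'traffic-policy NAT inbound' on the LAN interface. Classifiers are checked in
    configured order: NoNAT (acl 3001, behavior permit) forwards the excluded hosts
    untranslated; NAT (acl 3002) translates WAN-bound traffic; anything unclassified
    is forwarded without NAT, which is the NAT exclusion the article wants."""
    if acl_match(ACL_3001_INBOUND, src) == "permit":
        return "forwarded untranslated"
    if acl_match(ACL_3002_DEST, dst) == "permit":
        return "translated"
    return "forwarded untranslated"
```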

Root Cause

If NAT is bound to the outbound interface, packets denied by the ACL are directly discarded rather than excluded from translation. If NAT is applied on the inbound interface through a traffic policy, packets that are not classified for NAT are forwarded without translation (NAT exclusion).

Solution

Apply NAT on the inbound (private network) interface through a traffic policy, using the configuration listed under Handling Process above. With that configuration, the excluded hosts match the NoNAT classifier and are forwarded without translation, while traffic destined for the route through G 0/2/0 matches the NAT classifier and is translated.
