
On the AR2240, an ACL Fails to Be Configured for Data Flows for Which NAT Is Configured

Publication Date: 2019-04-16
Issue Description

At a site, both the source and destination IP addresses of data flows for accessing a server need to be translated. The scenario is described as follows:

Use the UDP packet sending tool on PC1 for tests. When PC1 accesses UDP port 53 on 2.2.2.2, the destination address is translated into 200.200.200.200 and the source address into 100.100.100.100. With the current configuration, the test is successful. However, after ACL 3001 is configured to match the destination address 200.200.200.200, the test fails, and NAT for the source IP address does not take effect. After the ACL is configured to match the source address 1.1.1.2 instead, NAT for the source IP address takes effect. On AR2, the server mapping is configured on G0/0/1, and NAT for the source IP address is performed on G0/0/0.

The key configuration is as follows:

#
acl number 3001
 rule 5 permit ip destination 200.200.200.0 0.0.0.255
#
nat address-group 1 100.100.100.100 100.100.100.100
#
interface GigabitEthernet0/0/0
 ip address 3.3.3.1 255.255.255.0
 nat outbound 3001 address-group 1 no-pat
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
 nat static protocol udp global 2.2.2.2 dns inside 200.200.200.200 dns netmask 255.255.255.255
#

After the configuration, the source address is not translated into 100.100.100.100.


Handling Process

After the check, no obvious configuration issue is found. NAT for the source IP address does not take effect because the packets fail to match ACL 3001. The related module experts confirmed that, when IP addresses are translated on the AR, only the IP addresses before translation can match ACLs, regardless of whether NAT is performed for the source or destination IP address. Here the ACL is evaluated against the original destination 2.2.2.2, not the translated destination 200.200.200.200, so rule 5 never matches.

Adjust the ACL so that it matches the original (pre-translation) source address. The fault is rectified.

#
acl number 3001
 rule 5 permit ip source 1.1.1.0 0.0.0.255
#

Root Cause

If IP addresses are translated on the AR, only the IP addresses before translation can match ACLs, regardless of whether NAT is performed for the source or destination IP address.

Solution

If NAT is performed on an AR, specify the IP addresses before translation in ACLs, regardless of whether the source or destination IP address is translated.
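The following Python model is an added example, not code from this page or from Huawei. It reproduces the forwarding path described in the case: the static server mapping on G0/0/1 rewrites the destination, and "nat outbound" on G0/0/0 evaluates the ACL against the addresses before any translation. The ACL parser only understands the "rule <n> permit|deny ip [source A W] [destination A W]" form used on this page; PC1's address 1.1.1.2 and all other addresses come from the issue description, and the flag that switches to post-translation matching is an assumption added only to show why the original ACL was expected to work.

```python
import ipaddress
from dataclasses import dataclass, replace


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Huawei-style wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def parse_acl_rule(line: str) -> dict:
    """Parse 'rule <n> permit|deny ip [source A W] [destination A W]' (page syntax only)."""
    tokens = line.split()
    if tokens[0] != "rule" or tokens[3] != "ip":
        raise ValueError(f"unsupported rule: {line}")
    rule = {"id": int(tokens[1]), "action": tokens[2], "source": None, "destination": None}
    i = 4
    while i < len(tokens):
        key = tokens[i]
        if key not in ("source", "destination"):
            raise ValueError(f"unsupported keyword {key!r} in: {line}")
        rule[key] = (tokens[i + 1], tokens[i + 2])
        i += 3
    return rule


def acl_permits(rules: list, pkt: Packet) -> bool:
    """First matching rule wins; no match means the packet is not NATed (as on the AR)."""
    for r in rules:
        if r["source"] and not wildcard_match(pkt.src, *r["source"]):
            continue
        if r["destination"] and not wildcard_match(pkt.dst, *r["destination"]):
            continue
        return r["action"] == "permit"
    return False


def forward(pkt: Packet, static_nat: dict, outbound_acl: list, address_group: str,
            match_before_translation: bool = True) -> Packet:
    """Model of the AR2 path from the case (assumed ordering, not vendor code).

    1. On G0/0/1 the static server mapping rewrites the destination (global -> inside).
    2. On G0/0/0 'nat outbound' checks the ACL and, on a permit, rewrites the source.
       The AR checks the ACL against the pre-translation addresses; the flag exists
       only to show what the author originally expected (post-translation matching).
    """
    original = pkt
    key = (pkt.proto, pkt.dst, pkt.dport)
    if key in static_nat:
        pkt = replace(pkt, dst=static_nat[key])
    acl_view = original if match_before_translation else pkt
    if acl_permits(outbound_acl, acl_view):
        pkt = replace(pkt, src=address_group)
    return pkt


# Values taken from the case (constructed test input, same addresses as the page).
STATIC_NAT = {("udp", "2.2.2.2", 53): "200.200.200.200"}   # nat static ... dns
ADDRESS_GROUP_1 = "100.100.100.100"                        # nat address-group 1
ACL_ORIGINAL = [parse_acl_rule("rule 5 permit ip destination 200.200.200.0 0.0.0.255")]
ACL_FIXED = [parse_acl_rule("rule 5 permit ip source 1.1.1.0 0.0.0.255")]
PC1_QUERY = Packet(src="1.1.1.2", dst="2.2.2.2", proto="udp", dport=53)


def run_case(acl: list, match_before_translation: bool = True) -> Packet:
    """Send PC1's DNS query through the modelled AR2 with the given ACL 3001."""
    return forward(PC1_QUERY, STATIC_NAT, acl, ADDRESS_GROUP_1, match_before_translation)


if __name__ == "__main__":
    print("original ACL, AR behaviour :", run_case(ACL_ORIGINAL))
    print("original ACL, if post-NAT  :", run_case(ACL_ORIGINAL, False))
    print("fixed ACL,    AR behaviour :", run_case(ACL_FIXED))
```

With the original ACL the destination is rewritten but the source stays 1.1.1.2, exactly the symptom in the case; the same ACL would only work if the AR matched after translation, which it does not. The fixed ACL matches the untranslated source 1.1.1.0/24, so the source becomes 100.100.100.100.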
