ACL not working with NAT

Question

I'm studying on Cisco packet tracking, I just found one strange thing. I attached the network map and configuration below.

1> I created NAT for 10.2.0.0/16 and 10.3.0.0/16 to access the server0.
2> Created ACL for 10.2.100.0 0.0.0.255 to not allow access server www
Created ACL for 10.3.100.0 0.0.0.255 to not allow access server ftp
Now the problem comes, the PC0 still can access the server www, same as PC2 can access FTP.
But if I remove the NAT, the ACL works.
I'm confused, the ACL should always work before NAT, it looks like the NAT bypassed the ACL with its outbound IP address without filtered. how does this happen???
!
interface FastEthernet0/0
 ip address 10.1.50.1 255.255.0.0
 ip access-group 110 out
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.2.1.1 255.255.0.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1.3
 encapsulation dot1Q 3
 ip address 10.3.1.1 255.255.0.0
 ip nat inside
!
interface Vlan1
 no ip address
 shutdown
!
ip nat pool internet 10.1.50.50 10.1.50.50 netmask 255.255.0.0
ip nat inside source list 2 pool internet overload
ip classless
!
ip flow-export version 9
!
!
access-list 2 permit 10.2.0.0 0.0.255.255
access-list 2 permit 10.3.0.0 0.0.255.255
access-list 110 deny tcp 10.2.100.0 0.0.0.255 host 10.1.1.1 eq www
access-list 110 deny tcp 10.3.100.0 0.0.0.255 host 10.1.1.1 eq ftp
access-list 110 permit ip any any
!
!
!

roid · Answer

The ACL 110 not apply because when the trafic is out of the FastEthernet0/0  the NAT had changed the source address. If you want block de traffic coming from PC0 to Web Server you should need move the ACL 110 to FastEthernet0/1 as IN ACL
interface FastEthernet0/1
 ip address 10.2.1.1 255.255.0.0
 ip access-group 110 in
 ip nat inside
 duplex auto
 speed auto

It is a good practice:

Place Standard ACL near destination network/host.
Place Extended ACL near source network/host.

ACL not working with NAT

One Answer

Add your own answers!

Ask a Question