I got into a situation that I can't figure out myself.
Let's assume we have a router with two interfaces, with the 10.10.10.0/24 network behind fa0/0:
fa0/0 - ip nat inside
fa0/1 - ip nat outside
We want to do a simple overloaded NAT:
ip nat inside source list NAT_ACL interface FastEthernet0/1 overload
Let's say I want to give a host 10.10.10.7 permission to ping the outside world and nothing more (ICMP only).
My first idea was to write a permit rule in the NAT_ACL:
permit icmp host 10.10.10.7 any
But it doesn't work and I don't understand why. Can someone give me a clue on this?
permit ip host 10.10.10.7 any
works perfectly fine for both tcp/udp and icmp connections.
The NAT_ACL is a so-called qualifying access list. It just tells the router what hosts are eligible for natting. You can't use it for filtering. Create another ACL for filtering and apply it to fa0/0 with the (config-if)#access-group command.
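To make the separation concrete, here is an added example configuration (not from the original post or answer) that keeps NAT_ACL as a pure qualifying list and moves the "ICMP only" restriction into a separate extended ACL applied inbound on fa0/0. The filtering ACL name LAN_IN and the partner network 192.0.2.0/24 are assumptions chosen for illustration; everything else follows the interfaces and addresses given above.

```cisco
! --- NAT: qualifying ACL only decides WHO gets translated, not WHAT ---
ip access-list extended NAT_ACL
 ! 10.10.10.7 is eligible for NAT for all protocols; filtering happens elsewhere
 permit ip host 10.10.10.7 any
 ! rest of the LAN is also eligible for NAT
 permit ip 10.10.10.0 0.0.0.255 any

ip nat inside source list NAT_ACL interface FastEthernet0/1 overload

! --- Filtering: extended ACL applied inbound on the LAN interface ---
! Evaluated top-down, first match wins, implicit "deny ip any any" at the end.
ip access-list extended LAN_IN
 ! 10.10.10.7 may ping anywhere (echo, echo-reply, unreachables, etc.)
 permit icmp host 10.10.10.7 any
 ! ASSUMPTION: 192.0.2.0/24 stands in for a partner network reached over GRE;
 ! add one such line per partner network the host must reach
 permit ip host 10.10.10.7 192.0.2.0 0.0.0.255
 ! everything else from 10.10.10.7 is dropped (log to see what gets blocked)
 deny ip host 10.10.10.7 any log
 ! other LAN hosts are unrestricted here
 permit ip 10.10.10.0 0.0.0.255 any

interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ! inbound direction = packets ARRIVING from the LAN, before routing and NAT
 ip access-group LAN_IN in

interface FastEthernet0/1
 ip nat outside
```

Two points worth checking after applying this. First, `show ip access-lists LAN_IN` shows per-line hit counters, so a quick `ping` and a failed `telnet` from 10.10.10.7 confirm which line each flow hits. Second, the ACL must sit inbound on fa0/0 rather than outbound on fa0/1: on an inside-to-outside path IOS translates the source address before the outbound ACL on the outside interface is evaluated, so an outbound ACL there only sees the shared overload address and can no longer tell 10.10.10.7 apart from the rest of the LAN.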
Yes, I do understand this. But at the same time I can specify protocol/port and destination address in this qualifying access list. For example:
permit tcp host 10.10.10.7 184.108.40.206 eq 22
If they made this possible, why not allow selecting ICMP packets for NAT? This seems like a wrong design to me.
I simplified my configuration to work out this problem, but in fact I have three interfaces and multiple GRE tunnels to the partners' networks that the host 10.10.10.7 needs to have access to.
In case of creating an incoming access list (ip access-group acl-name in) on fa0/0, I'll have to explicitly specify all the (partners') networks that this host can access and ICMP to any.
Is there another workaround?