
ACL and NAT Order Causing Traffic to Not Be Translated

Presenting Symptom

Internal hosts cannot reach the internet; NAT translations are not being created for traffic that should be translated.

Network Context

A small branch office with a Cisco 4321 router running IOS XE 16.9 connects internal users (192.168.1.0/24) to the internet via a single public IP (203.0.113.1) on the outside interface, GigabitEthernet0/0/1. A standard ACL (access-list 1) identifies the traffic to be translated by the `ip nat inside source list 1 ... overload` statement. Separately, an extended ACL (access-list 100) intended as a security filter has been applied inbound on the inside interface (GigabitEthernet0/0/0 in this scenario). Because an inbound ACL on the inside interface is evaluated before NAT, it sees the untranslated 192.168.1.0/24 source addresses, and its deny entry drops the packets before NAT ever runs.

Diagnostic Steps

1. Check NAT translations

show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                  ---                ---                ---

If no translations appear while internal hosts are generating traffic toward the internet, the packets are not reaching the NAT process at all, or are not matching the NAT ACL. The problem is therefore either in the NAT configuration itself or in something that drops the traffic before NAT is applied.

2. Verify the NAT configuration

show running-config | include ip nat
ip nat inside source list 1 interface GigabitEthernet0/0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255

Check that the NAT statement references the correct ACL and the correct outside interface, and that the ACL permits the inside local addresses (192.168.1.0/24). The same `| include ip nat` filter also shows the `ip nat inside` and `ip nat outside` lines under the interfaces when they are present; if either is missing, or is on the wrong interface, no translation takes place. Here the NAT configuration is correct, so the traffic must be dropped before it reaches NAT.

3. Check the ACLs applied to the interfaces

show ip interface GigabitEthernet0/0/0 | include access list
Inbound  access list is 100
Outbound access list is not set

Check both the inside and the outside interface. For inside-to-outside traffic, IOS evaluates the inbound ACL on the inside interface before NAT, so that ACL sees the inside local (untranslated) source addresses and can drop packets before a translation is ever created. ACLs on the outside interface, by contrast, see the inside global address (203.0.113.1) in both directions: the outbound ACL there is evaluated after translation, and the inbound ACL there is evaluated before the return traffic is untranslated. An ACL that denies 192.168.1.0/24 and is applied inbound on the inside interface is therefore the one to examine.

4. Examine the ACL applied to the inside interface

show access-list 100
Extended IP access list 100
    10 deny ip 192.168.1.0 0.0.0.255 any
    20 permit ip any any

Entry 10 denies every packet sourced from the internal subnet (192.168.1.0/24). Because this ACL runs inbound on the inside interface, the deny is applied before NAT: no translation is created and the traffic never leaves the router. This is the root cause.

Root Cause

An extended ACL (access-list 100) applied inbound on the inside interface (GigabitEthernet0/0/0) denies traffic sourced from the internal subnet (192.168.1.0/24). Inbound ACLs are evaluated before NAT, so the packets are dropped while they still carry their inside local addresses; NAT never sees them, no translations are created, and internal hosts cannot reach the internet. The same ACL applied to the outside interface would not produce this symptom: an outbound ACL there is evaluated after NAT and sees 203.0.113.1 as the source, and an inbound ACL there is evaluated before un-translation and sees 203.0.113.1 as the destination, so an entry referencing 192.168.1.0/24 would never match.

Resolution

Remove ACL 100 from the inside interface, or change it so that it permits the internal subnet. Either of the following fixes the problem:

- Remove the ACL from the interface:
  interface GigabitEthernet0/0/0
   no ip access-group 100 in

- Or replace the deny entry with a permit (entry 20 already permits everything else, so simply deleting entry 10 also works):
  ip access-list extended 100
   no 10
   10 permit ip 192.168.1.0 0.0.0.255 any
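To make the order of operations in the diagnostic steps and root cause concrete, the following is an added example (written for this page; it is not code from the original page and not Cisco software). It models the IOS pipeline in Python: inside-to-outside traffic passes the inbound ACL on the inside interface, then NAT, then the outbound ACL on the outside interface; outside-to-inside traffic passes the inbound ACL on the outside interface before un-translation. The ACL lines, the NAT ACL and the addresses are the ones from the scenario; the interface labels "inside"/"outside", the Acl and Router classes and the trace dictionaries are this example's own conventions. The wildcard-mask parser handles any standard or extended `permit`/`deny ip` entry, not just the two on the page.

```python
import ipaddress


def _take_spec(tokens, i):
    """Parse one IOS address spec at tokens[i]: 'any' or 'A.B.C.D W.W.W.W'
    (wildcard mask, 1 bits = don't care). Returns (matcher, next_index)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (lambda ip, n=net, w=wild: (int(ipaddress.IPv4Address(ip)) | w) == (n | w)), i + 2


class Acl:
    """Ordered entries ending in the implicit 'deny any' of every IOS ACL."""

    def __init__(self, lines):
        self.entries = []
        for line in lines:
            t = line.split()
            if t[0].isdigit():            # '10 deny ip ...' (sequence-numbered form)
                t = t[1:]
            if t[0] == "access-list":     # 'access-list 1 permit ...' (numbered form)
                t = t[2:]
            if t[1] == "ip":              # extended entry: action ip SRC DST
                src, i = _take_spec(t, 2)
                dst, _ = _take_spec(t, i)
            else:                         # standard entry: action SRC
                src, _ = _take_spec(t, 1)
                dst = lambda ip: True
            self.entries.append((t[0], src, dst))

    def permits(self, src, dst):
        for action, s, d in self.entries:
            if s(src) and d(dst):
                return action == "permit"
        return False                      # implicit deny


class Router:
    """IOS order of operations for ACLs and NAT (model, not the real forwarding path)."""

    def __init__(self, nat_acl, inside_global):
        self.nat_acl = nat_acl              # the list in 'ip nat inside source list 1 ...'
        self.inside_global = inside_global  # address of the outside interface
        self.acls = {}                      # (interface, "in" | "out") -> Acl
        self.translations = {}              # (inside_local, port) -> (inside_global, port)

    def access_group(self, iface, direction, acl):
        self.acls[(iface, direction)] = acl

    def _passes(self, iface, direction, src, dst):
        acl = self.acls.get((iface, direction))
        return acl is None or acl.permits(src, dst)

    def inside_to_outside(self, src, port, dst):
        if not self._passes("inside", "in", src, dst):      # sees inside LOCAL source
            return {"result": "dropped: inbound ACL on inside interface", "translated": False}
        translated = self.nat_acl.permits(src, dst)          # NAT only for matching traffic
        if translated:
            self.translations[(src, port)] = (self.inside_global, port)
            src = self.inside_global
        if not self._passes("outside", "out", src, dst):    # sees inside GLOBAL source
            return {"result": "dropped: outbound ACL on outside interface", "translated": translated}
        return {"result": "forwarded", "translated": translated, "source_on_wire": src}

    def outside_to_inside(self, src, dst, port):
        if not self._passes("outside", "in", src, dst):     # runs BEFORE un-translation,
            return {"result": "dropped: inbound ACL on outside interface"}  # dst is inside GLOBAL
        for (local, lport), (glob, gport) in self.translations.items():
            if (glob, gport) == (dst, port):
                return {"result": "forwarded", "destination_inside": local}
        return {"result": "dropped: no matching translation"}


def demo():
    nat_acl = Acl(["access-list 1 permit 192.168.1.0 0.0.0.255"])
    acl100 = Acl(["10 deny ip 192.168.1.0 0.0.0.255 any", "20 permit ip any any"])
    broken = Router(nat_acl, "203.0.113.1")          # the scenario: ACL 100 inbound on inside
    broken.access_group("inside", "in", acl100)
    elsewhere = Router(nat_acl, "203.0.113.1")       # same ACL inbound on outside: never matches
    elsewhere.access_group("outside", "in", acl100)
    fixed = Router(nat_acl, "203.0.113.1")           # after the Resolution: entry 10 is a permit
    fixed.access_group("inside", "in", Acl(["10 permit ip 192.168.1.0 0.0.0.255 any",
                                            "20 permit ip any any"]))
    out_broken = broken.inside_to_outside("192.168.1.10", 5, "8.8.8.8")
    out_fixed = fixed.inside_to_outside("192.168.1.10", 5, "8.8.8.8")
    return {
        "broken": out_broken, "broken_translations": len(broken.translations),
        "outside_in": elsewhere.inside_to_outside("192.168.1.10", 5, "8.8.8.8"),
        "return": elsewhere.outside_to_inside("8.8.8.8", "203.0.113.1", 5),
        "fixed": out_fixed, "fixed_translations": len(fixed.translations),
    }


if __name__ == "__main__":
    for name, trace in demo().items():
        print(f"{name}: {trace}")
```

Running the block prints one trace per case: the scenario's ACL drops the echo request at the inbound ACL on the inside interface and leaves the translation table empty (the `show ip nat translations` symptom), the same ACL inbound on the outside interface never matches because it only ever sees 203.0.113.1, and the corrected ACL lets the packet through to NAT, which creates the 203.0.113.1:5 entry.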

Verification

Generate traffic from an internal host (for example `ping 8.8.8.8` from 192.168.1.10), then run `show ip nat translations` on the router. A translation should now appear, for example:

Pro Inside global      Inside local       Outside local      Outside global
icmp 203.0.113.1:5     192.168.1.10:5     8.8.8.8:5          8.8.8.8:5

The ping from the internal host should also succeed. If translations appear but the ping still fails, the outbound path is now working and the problem has moved to the return direction, for example an inbound ACL on the outside interface that does not permit traffic destined to 203.0.113.1.

Prevention

1. Remember that an inbound ACL on the inside interface is evaluated before NAT: it sees the inside local addresses and must permit every internal subnet you intend to translate.
2. Remember that ACLs on the outside interface see the inside global address (203.0.113.1 here) in both directions, never the 192.168.1.0/24 addresses; write security filters on that interface in terms of the public address.
3. Keep the NAT ACL (access-list 1) separate from security ACLs. It only defines which traffic is translated and never drops packets on its own; traffic it does not match is simply routed untranslated.

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario tests understanding of the order of operations for NAT and ACLs. Questions may present a troubleshooting scenario where NAT is not working and ask you to identify the cause (for example an ACL blocking traffic before NAT). The key fact is that inbound ACLs are evaluated before NAT: on the inside interface the ACL sees inside local addresses for outgoing traffic, and on the outside interface it sees the inside global address for returning traffic.

Exam Tips

1. On inbound traffic, ACLs are processed before NAT. An inbound ACL on the inside interface that denies the internal source subnet therefore prevents translation. ACLs on the outside interface see the inside global address (after translation on the way out, before un-translation on the way back), so an entry there must reference the public address, not the internal subnet.

2. When troubleshooting NAT, check `show ip nat translations` first, then the NAT statement and its ACL, then the ACLs applied to the inside and outside interfaces. Also confirm with `show ip nat statistics` that the correct interfaces are marked as inside and outside.

3. The `ip nat inside source list` command uses its ACL only to identify the traffic to translate. That ACL must permit the inside local addresses, but it never drops packets by itself; unmatched traffic is forwarded untranslated.

Commands Used in This Scenario

show ip nat translations
show running-config | include ip nat
show ip interface <interface> | include access list
show access-list 100
no ip access-group 100 in (interface configuration mode)
ip access-list extended 100, no 10, 10 permit ip 192.168.1.0 0.0.0.255 any
ping 8.8.8.8 (from an internal host)
