9.7. Access Lists

NAT access lists provide more precise control over how subscriber traffic is translated. They allow you to apply special actions to certain types of traffic, selected by filters.

Filters can include:

  • Protocol (UDP, TCP, ICMP, GRE, ESP),

  • Source and destination IP addresses,

  • Source and destination ports (for UDP and TCP),

  • Message type and code (for ICMP).

Action types:

Permit (permit)

This is the default action: sessions are processed according to the action specified in the subscriber group.

Deny (deny)

Prohibits the creation of new sessions. All traffic for such sessions is dropped.

Passthrough (passthrough)

New sessions are passed transparently, without translation of addresses and ports. Session state is still tracked as in normal NAT mode.

Pool (pool)

Sessions will be translated using the pool specified in the action.

9.7.1. Configuration

Note

After configuration, an access list must be assigned to a subscriber-group as described in Assigning Access Lists.

Pay attention: once an access list is created, an implicit rule deny any any is appended to it, and this rule is not shown in the running configuration file. If you want to permit all remaining traffic, you must explicitly add the rule permit any any.

The following commands are available to configure access lists:

ip dp-access-list NAME SEQ ACTION <any|udp|tcp|icmp|gre|esp> src-ip <any|A.B.C.D/M> dst-ip <any|A.B.C.D/M>
ipv6 dp-access-list NAME SEQ ACTION <any|udp|tcp|icmp|gre|esp> src-ip <any|X:X::X:X/M> dst-ip <any|X:X::X:X/M>

Create a filter by IP addresses. These commands are available for all protocols.

Key      Argument                              Description
NAME                                           Specify access list name
SEQ      (1-536870911)                         Set sequence number
ACTION   <deny|passthrough|permit|pool>        Set the action
         <any|udp|tcp|icmp|gre|esp>            Set the particular or any protocol
src-ip   <any|A.B.C.D/M> or <any|X:X::X:X/M>   Set source address subnet
dst-ip   <any|A.B.C.D/M> or <any|X:X::X:X/M>   Set destination address subnet

ip dp-access-list NAME SEQ ACTION <udp|tcp> src-ip <any|A.B.C.D/M> dst-ip <any|A.B.C.D/M> src-port (0-65535) (0-65535) dst-port (0-65535) (0-65535)
ipv6 dp-access-list NAME SEQ ACTION <udp|tcp> src-ip <any|X:X::X:X/M> dst-ip <any|X:X::X:X/M> src-port (0-65535) (0-65535) dst-port (0-65535) (0-65535)

Create a filter by IP addresses and ports. These commands are available only for the TCP and UDP protocols.

Key       Argument                              Description
NAME                                            Specify access list name
SEQ       (1-536870911)                         Set sequence number
ACTION    <deny|passthrough|permit|pool>        Set the action
          <udp|tcp>                             Set the protocol: tcp or udp
src-ip    <any|A.B.C.D/M> or <any|X:X::X:X/M>   Set source address subnet
dst-ip    <any|A.B.C.D/M> or <any|X:X::X:X/M>   Set destination address subnet
src-port  (0-65535) (0-65535)                   Set the source port range start and end
dst-port  (0-65535) (0-65535)                   Set the destination port range start and end

ip dp-access-list NAME SEQ ACTION icmp src-ip <any|A.B.C.D/M> dst-ip <any|A.B.C.D/M> icmp-type (0-255) (0-255) icmp-code (0-255) (0-255)
ipv6 dp-access-list NAME SEQ ACTION icmp src-ip <any|X:X::X:X/M> dst-ip <any|X:X::X:X/M> icmp-type (0-255) (0-255) icmp-code (0-255) (0-255)

Create a filter by IP addresses and by the Type and Code fields of the ICMP header. These commands are available only for the ICMP protocol.

Key        Argument                              Description
NAME                                             Specify access list name
SEQ        (1-536870911)                         Set sequence number
ACTION     <deny|passthrough|permit|pool>        Set the action
           icmp                                  Set the protocol: icmp only in this form
src-ip     <any|A.B.C.D/M> or <any|X:X::X:X/M>   Set source address subnet
dst-ip     <any|A.B.C.D/M> or <any|X:X::X:X/M>   Set destination address subnet
icmp-type  (0-255) (0-255)                       Set ICMP type range start and end
icmp-code  (0-255) (0-255)                       Set ICMP code range start and end
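As an added worked example (not part of the product documentation), the following Python models the rule grammar above so that a list can be checked offline before it is assigned to a subscriber-group: it parses rule lines, evaluates a packet against them, and shows unmatched traffic falling through to the hidden deny any any. It assumes rules are evaluated in ascending SEQ order with the first match winning, which the page does not state; the sample list and addresses are constructed.

```python
import ipaddress
import shlex

def parse_rule(line):
    """Parse one 'ip|ipv6 dp-access-list NAME SEQ ACTION PROTO src-ip A dst-ip B [...]' line."""
    t = shlex.split(line)
    if t[1] != "dp-access-list" or not 1 <= int(t[3]) <= 536870911:
        raise ValueError("not a valid dp-access-list rule: " + line)
    rule = {"name": t[2], "seq": int(t[3]), "action": t[4], "proto": t[5],
            "src": t[t.index("src-ip") + 1], "dst": t[t.index("dst-ip") + 1]}
    # Optional keywords each take a range start and end (ports 0-65535, ICMP fields 0-255)
    for key in ("src-port", "dst-port", "icmp-type", "icmp-code"):
        if key in t:
            i = t.index(key)
            rule[key] = (int(t[i + 1]), int(t[i + 2]))
    return rule

def _ip_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _range_match(rule, key, value):
    lo, hi = rule.get(key, (0, 65535))  # keyword absent: any value matches
    return lo <= value <= hi

def lookup(rules, pkt):
    """First matching rule in ascending SEQ order (assumed semantics), as (seq, action);
    (None, 'deny') when nothing matches, i.e. the hidden 'deny any any' the page describes."""
    for r in sorted(rules, key=lambda r: r["seq"]):
        if r["proto"] not in ("any", pkt["proto"]):
            continue
        if not (_ip_match(r["src"], pkt["src"]) and _ip_match(r["dst"], pkt["dst"])):
            continue
        fields = (("src-port", "sport"), ("dst-port", "dport"), ("icmp-type", "type"), ("icmp-code", "code"))
        if all(_range_match(r, k, pkt.get(p, 0)) for k, p in fields):
            return r["seq"], r["action"]
    return None, "deny"

# Constructed sample list (not from the page): management subnet bypasses NAT,
# DNS is translated from a pool, outbound SSH is blocked, everything else is permitted.
SAMPLE = [
    "ip dp-access-list SUBS 10 passthrough any src-ip 10.0.0.0/24 dst-ip any",
    "ip dp-access-list SUBS 20 pool udp src-ip any dst-ip any src-port 0 65535 dst-port 53 53",
    "ip dp-access-list SUBS 30 deny tcp src-ip any dst-ip any src-port 0 65535 dst-port 22 22",
    "ip dp-access-list SUBS 40 permit any src-ip any dst-ip any",
]
RULES = [parse_rule(l) for l in SAMPLE]

if __name__ == "__main__":
    print(lookup(RULES, {"proto": "tcp", "src": "10.1.0.5", "dst": "203.0.113.1", "sport": 40000, "dport": 22}))
    print(lookup(RULES[:3], {"proto": "icmp", "src": "10.1.0.5", "dst": "203.0.113.1", "type": 8, "code": 0}))
```

Dropping the final permit any any (RULES[:3]) shows why that rule matters: traffic no earlier rule covers is denied by the implicit rule rather than translated.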

9.7.2. Show Commands

show <ip|ipv6> dp-access-list
clear <ip|ipv6> dp-access-list

Display all created dp-access-lists, their descriptions and the number of matches for each rule.

show <ip|ipv6> dp-access-list NAME
clear <ip|ipv6> dp-access-list NAME

Display information for the specified access list.