9.7. Access Lists

NAT access lists provide more precise control over how the subscriber traffic is translated. They allow you to perform special actions on certain types of traffic using filters.

Filters can include:

  • Protocol (UDP, TCP, ICMP, GRE, ESP),

  • Source and destination IP addresses,

  • Source and destination ports (for UDP and TCP),

  • Message type and code (for ICMP).

Action types:

Permit (permit)

This is the default action - sessions are processed according to the action specified in the subscriber group.

Deny (deny)

Prohibits creation of new sessions. All traffic for the sessions will be dropped.

Passthrough (passthrough)

New sessions will be passed transparently, without translation of addresses and ports. At the same time, session state will be monitored as in the normal NAT mode.

Pool (pool)

Sessions will be translated using the pool specified in the action.

Configuration

Note

After configuration, an access list must be assigned to a subscriber-group as described in Assigning Access Lists.

Pay attention: after the creation of the access list, the rule deny any any will be added, and it will not be shown in the running configuration file. If you want to permit any traffic, you should explicitly set the rule permit any any.

The following commands are available to configure access lists:

ip dp-access-list NAME SEQ ACTION <any|udp|tcp|icmp|gre|esp> src-ip <any|A.B.C.D/M> dst-ip <any|A.B.C.D/M>
ipv6 dp-access-list NAME SEQ ACTION <any|udp|tcp|icmp|gre|esp> src-ip <any|X:X::X:X/M> dst-ip <any|X:X::X:X/M>

Create a filter by IP addresses. These commands are available for all protocols.

Key

Argument

Description

NAME

Specify access list name

SEQ

(1-536870911

Set sequence number

ACTION

<deny|passthrough|permit|pool>

Set the action

<any|udp|tcp|icmp|gre|esp>

Set the particular or any protocol

src-ip

<any|A.B.C.D/M> or <any|X:X::X:X/M>

Set source address subnet

dst-ip

<any|A.B.C.D/M> or <any|X:X::X:X/M>

Set destination address subnet

ip dp-access-list NAME SEQ ACTION <udp|tcp> src-ip <any|A.B.C.D/M> dst-ip <any|A.B.C.D/M> src-port (0-65535) (0-65535) dst-port (0-65535) (0-65535)
ipv6 dp-access-list NAME SEQ ACTION <udp|tcp> src-ip <any|X:X::X:X/M> dst-ip <any|X:X::X:X/M> src-port (0-65535) (0-65535) dst-port (0-65535) (0-65535)

Create a filter by IP addresses and ports. These commands are available only for the TCP and UDP protocols.

Key

Argument

Description

NAME

Specify access list name

SEQ

(1-536870911

Set sequence number

ACTION

<deny|passthrough|permit|pool>

Set the action

<udp|tcp>

Set the particular or any protocol

src-ip

<any|A.B.C.D/M> or <any|X:X::X:X/M>

Set source address subnet

dst-ip

<any|A.B.C.D/M> or <any|X:X::X:X/M>

Set destination address subnet

src-port

(0-65535) (0-65535)

Set the source port range start and end

dst-port

(0-65535) (0-65535)

Set the destination port range start and end

ip dp-access-list NAME SEQ ACTION icmp src-ip <any|A.B.C.D/M> dst-ip <any|A.B.C.D/M> icmp-type (0-255) (0-255) icmp-code (0-255) (0-255)
ipv6 dp-access-list NAME SEQ ACTION icmp src-ip <any|X:X::X:X/M> dst-ip <any|X:X::X:X/M> icmp-type (0-255) (0-255) icmp-code (0-255) (0-255)

Create a filter by IP addresses, the Type, and the Code fields of the ICMP header. These commands are available only for ICMP protocol.

Key

Argument

Description

NAME

Specify access list name

SEQ

(1-536870911

Set sequence number

ACTION

<deny|passthrough|permit|pool>

Set the action

icmp

Set the particular or any protocol

src-ip

<any|A.B.C.D/M> or <any|X:X::X:X/M>

Set source address subnet

dst-ip

<any|A.B.C.D/M> or <any|X:X::X:X/M>

Set destination address subnet

icmp-type

(0-255) (0-255)

Set ICMP type range start and end

dst-code

(0-255) (0-255)

Set ICMP code range start and end

Show Commands

show <ip|ipv6> dp-access-list
clear <ip|ipv6> dp-access-list

Display all created dp-access-lists, their description and the number of matches for each rule.

show <ip|ipv6> dp-access-list NAME
clear <ip|ipv6> dp-access-list NAME

Display information for the specified ACL list.