9.7. Access Lists
NAT access lists provide more precise control over how subscriber traffic is translated. They allow you to perform special actions on certain types of traffic, selected by filters.
Filters can match on:
- protocol (UDP, TCP, ICMP, GRE, ESP),
- source and destination IP addresses,
- source and destination ports (for UDP and TCP),
- message type and code (for ICMP).
Action types:
- Permit (permit): the default action; sessions are processed according to the action specified in the subscriber group.
- Deny (deny): prohibits the creation of new sessions. All traffic for such sessions is dropped.
- Passthrough (passthrough): new sessions are passed transparently, without translation of addresses and ports. Session state is still tracked as in normal NAT mode.
- Pool (pool): sessions are translated using the pool specified in the action.
Configuration
Note: after configuration, an access list must be assigned to a subscriber group as described in Assigning Access Lists.
Note: when an access list is created, the rule deny any any is added implicitly and is not shown in the running configuration, so traffic not matched by an explicit rule is dropped. If you want to permit remaining traffic, you must explicitly add the rule permit any any.
The following commands are available to configure access lists:
- ip dp-access-list NAME SEQ ACTION <any|udp|tcp|icmp|gre|esp> src-ip <any|A.B.C.D/M> dst-ip <any|A.B.C.D/M>
- ipv6 dp-access-list NAME SEQ ACTION <any|udp|tcp|icmp|gre|esp> src-ip <any|X:X::X:X/M> dst-ip <any|X:X::X:X/M>
Create a filter by IP addresses. These commands are available for all protocols.
Keys, arguments and descriptions:
- NAME: specify the access list name.
- SEQ (1-536870911): set the sequence number.
- ACTION <deny|passthrough|permit|pool>: set the action.
- <any|udp|tcp|icmp|gre|esp>: set a particular protocol, or any.
- src-ip <any|A.B.C.D/M> (IPv4) or <any|X:X::X:X/M> (IPv6): set the source address subnet.
- dst-ip <any|A.B.C.D/M> (IPv4) or <any|X:X::X:X/M> (IPv6): set the destination address subnet.
- ip dp-access-list NAME SEQ ACTION <udp|tcp> src-ip <any|A.B.C.D/M> dst-ip <any|A.B.C.D/M> src-port (0-65535) (0-65535) dst-port (0-65535) (0-65535)
- ipv6 dp-access-list NAME SEQ ACTION <udp|tcp> src-ip <any|X:X::X:X/M> dst-ip <any|X:X::X:X/M> src-port (0-65535) (0-65535) dst-port (0-65535) (0-65535)
Create a filter by IP addresses and ports. These commands are available only for the TCP and UDP protocols.
Keys, arguments and descriptions:
- NAME: specify the access list name.
- SEQ (1-536870911): set the sequence number.
- ACTION <deny|passthrough|permit|pool>: set the action.
- <udp|tcp>: set the protocol (UDP or TCP only).
- src-ip <any|A.B.C.D/M> (IPv4) or <any|X:X::X:X/M> (IPv6): set the source address subnet.
- dst-ip <any|A.B.C.D/M> (IPv4) or <any|X:X::X:X/M> (IPv6): set the destination address subnet.
- src-port (0-65535) (0-65535): set the source port range start and end.
- dst-port (0-65535) (0-65535): set the destination port range start and end.
- ip dp-access-list NAME SEQ ACTION icmp src-ip <any|A.B.C.D/M> dst-ip <any|A.B.C.D/M> icmp-type (0-255) (0-255) icmp-code (0-255) (0-255)
- ipv6 dp-access-list NAME SEQ ACTION icmp src-ip <any|X:X::X:X/M> dst-ip <any|X:X::X:X/M> icmp-type (0-255) (0-255) icmp-code (0-255) (0-255)
Create a filter by IP addresses and by the Type and Code fields of the ICMP header. These commands are available only for the ICMP protocol.
Keys, arguments and descriptions:
- NAME: specify the access list name.
- SEQ (1-536870911): set the sequence number.
- ACTION <deny|passthrough|permit|pool>: set the action.
- icmp: set the protocol (ICMP only).
- src-ip <any|A.B.C.D/M> (IPv4) or <any|X:X::X:X/M> (IPv6): set the source address subnet.
- dst-ip <any|A.B.C.D/M> (IPv4) or <any|X:X::X:X/M> (IPv6): set the destination address subnet.
- icmp-type (0-255) (0-255): set the ICMP type range start and end.
- icmp-code (0-255) (0-255): set the ICMP code range start and end.
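The following Python is an added example, not part of this documentation or of the product's own code. It parses rules written in the dp-access-list syntax of the three command forms above into one list ordered by SEQ, validates the documented argument ranges (SEQ 1-536870911, ports 0-65535, ICMP type and code 0-255, port filters only for TCP/UDP and type/code filters only for ICMP), and then evaluates a packet against the list. First match in SEQ order winning is an assumption about the device; a packet matching no rule falls through to the implicit deny any any described in the note above, which is the behaviour that bites when permit any any is forgotten. The list name CORP, the sample prefixes and the packets are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

SEQ_MAX = 536870911  # upper bound of the SEQ argument in the command syntax
# Constructed sample rules in the documented syntax; list name CORP is assumed.
SAMPLE_CONFIG = """
ip dp-access-list CORP 10 deny tcp src-ip any dst-ip any src-port 0 65535 dst-port 25 25
ip dp-access-list CORP 20 passthrough udp src-ip 10.0.0.0/8 dst-ip 203.0.113.0/24 src-port 0 65535 dst-port 53 53
ip dp-access-list CORP 30 deny icmp src-ip any dst-ip any icmp-type 8 8 icmp-code 0 0
ip dp-access-list CORP 40 permit any src-ip 10.0.0.0/8 dst-ip any
"""
RULE_RE = re.compile(r"^(?P<family>ip|ipv6) dp-access-list (?P<name>\S+) (?P<seq>\d+) "
                     r"(?P<action>deny|passthrough|permit|pool) (?P<proto>any|udp|tcp|icmp|gre|esp) "
                     r"src-ip (?P<src>\S+) dst-ip (?P<dst>\S+)(?P<rest>.*)$")
PORT_RE = re.compile(r"^ src-port (\d+) (\d+) dst-port (\d+) (\d+)$")
ICMP_RE = re.compile(r"^ icmp-type (\d+) (\d+) icmp-code (\d+) (\d+)$")


@dataclass
class Rule:
    seq: int
    action: str
    proto: str               # "any" or one protocol keyword
    src: object              # ip_network, or None for "any"
    dst: object
    src_port: tuple = None   # (start, end); tcp/udp only
    dst_port: tuple = None
    icmp_type: tuple = None  # (start, end); icmp only
    icmp_code: tuple = None


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


def _bad(line):
    raise ValueError(f"malformed rule: {line!r}")


def _range(lo, hi, limit, what):
    lo, hi = int(lo), int(hi)
    if not 0 <= lo <= hi <= limit:
        raise ValueError(f"{what} range {lo}-{hi} is not within 0-{limit}")
    return (lo, hi)


def parse_rule(line):
    """Parse one ip/ipv6 dp-access-list command, validating the argument ranges."""
    m = RULE_RE.match(line.strip()) or _bad(line)
    seq = int(m["seq"])
    if not 1 <= seq <= SEQ_MAX:
        raise ValueError(f"SEQ {seq} is not within 1-{SEQ_MAX}")
    src, dst = (None if t == "any" else ipaddress.ip_network(t, strict=False)
                for t in (m["src"], m["dst"]))
    rule, rest = Rule(seq, m["action"], m["proto"], src, dst), m["rest"]
    if rest and rule.proto in ("tcp", "udp"):     # optional port filter
        p = PORT_RE.match(rest) or _bad(line)
        rule.src_port = _range(p[1], p[2], 65535, "src-port")
        rule.dst_port = _range(p[3], p[4], 65535, "dst-port")
    elif rest and rule.proto == "icmp":            # optional type/code filter
        p = ICMP_RE.match(rest) or _bad(line)
        rule.icmp_type = _range(p[1], p[2], 255, "icmp-type")
        rule.icmp_code = _range(p[3], p[4], 255, "icmp-code")
    elif rest:                                     # any/gre/esp take no filter
        _bad(line)
    return rule


def parse_access_list(text):
    """Parse every rule of one list and order them by SEQ."""
    return sorted((parse_rule(l) for l in text.splitlines() if l.strip()),
                  key=lambda r: r.seq)


def _within(rng, value):
    return rng is None or rng[0] <= value <= rng[1]


def matches(rule, pkt):
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if pkt.proto in ("tcp", "udp"):
        return _within(rule.src_port, pkt.sport) and _within(rule.dst_port, pkt.dport)
    if pkt.proto == "icmp":
        return _within(rule.icmp_type, pkt.icmp_type) and _within(rule.icmp_code, pkt.icmp_code)
    return True


def lookup(rules, pkt):
    """First match in SEQ order wins (assumed); no match means the implicit 'deny any any'."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.seq, rule.action
    return None, "deny"
```

With the constructed list, a TCP packet from 10.1.2.3 to port 25 hits rule 10 (deny), a DNS query from 10.0.0.0/8 to 203.0.113.0/24 hits rule 20 (passthrough), and a packet from 192.0.2.7 matches nothing and is denied by the implicit rule, which is exactly what you would observe as unexplained drops if the list has no permit any any at the end.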
Show Commands
- show <ip|ipv6> dp-access-list
- clear <ip|ipv6> dp-access-list
Display all created dp-access-lists, their descriptions and the number of matches for each rule.
- show <ip|ipv6> dp-access-list NAME
- clear <ip|ipv6> dp-access-list NAME
Display information for the specified access list.