topic Network under a Network, ACL/NAT on Firewall or Switch? in Network Security https://community.cisco.com/t5/network-security/network-under-a-network-acl-nat-on-firewall-or-switch/m-p/5276221#M1120336 <P>Hey I was messing around with esxi and from FPR1010 I have a connection to an SG350XG.. On the SG I have a Network 192.168.4.0/24. That Network is connected to esxi vswitch. On there I have VM and another vswitch with 10.0.2.0/24 Network. Now, 10.0.2.0 has Internet access and all is fine but how would INCOMING ACL/NAT work? I know normal I'd NAT/ACL for the 192.168.4.x Network/Host, but what if there is another Network under that? Would I NAT/ACL to the inner host and it knows where to find it, or do I create another ACL on the switch for its subordinates? </P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 28 Mar 2025 19:31:07 GMT TheGoob 2025-03-28T19:31:07Z Network under a Network, ACL/NAT on Firewall or Switch? https://community.cisco.com/t5/network-security/network-under-a-network-acl-nat-on-firewall-or-switch/m-p/5276221#M1120336 <P>Hey I was messing around with esxi and from FPR1010 I have a connection to an SG350XG.. On the SG I have a Network 192.168.4.0/24. That Network is connected to esxi vswitch. On there I have VM and another vswitch with 10.0.2.0/24 Network. Now, 10.0.2.0 has Internet access and all is fine but how would INCOMING ACL/NAT work? I know normal I'd NAT/ACL for the 192.168.4.x Network/Host, but what if there is another Network under that? Would I NAT/ACL to the inner host and it knows where to find it, or do I create another ACL on the switch for its subordinates? </P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 28 Mar 2025 19:31:07 GMT https://community.cisco.com/t5/network-security/network-under-a-network-acl-nat-on-firewall-or-switch/m-p/5276221#M1120336 TheGoob 2025-03-28T19:31:07Z Re: Network under a Network, ACL/NAT on Firewall or Switch? https://community.cisco.com/t5/network-security/network-under-a-network-acl-nat-on-firewall-or-switch/m-p/5279366#M1120518 <P>It really depends on your setup. E.g., will your 1010 act as a firewall-on-a-stick with VLANs/sub-interfaces to route the traffic. Or will your SG be a L3 hop with static/dynamic routes to the 1010. A small diagram / sketch of your setup will help here.</P> <DIV id="bodyDisplay_3" class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"> <DIV class="lia-message-body-content"> <P><EM>Thank you for rating helpful posts!</EM></P> </DIV> </DIV> Tue, 08 Apr 2025 14:54:03 GMT https://community.cisco.com/t5/network-security/network-under-a-network-acl-nat-on-firewall-or-switch/m-p/5279366#M1120518 nspasov 2025-04-08T14:54:03Z