https://community.cisco.com/t5/network-security/use-extended-acl-with-nat/m-p/1955437#M401397 <HTML><HEAD></HEAD><BODY><P> Hi Han,</P><P></P><P>If you go for the standard ACL then you cannot specify the destination subnets and ports. You can specify only the source and the destination is considered any by default.</P><P></P><P>standard ACL:</P><P>access-list 10 standard permit ip 172.16.0.0</P><P></P><P>Extended ACL:</P><P>access-list abc permit tcp 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 80</P><P></P><P>This is how it differs. In your scenario destination is specific rather the source is any. So you have the extended ACL in picture for that. Hope this clears you.</P><P></P><P>Please do rate if the given information helps.</P><P></P><P>By</P><P></P><P>Karthik</P></BODY></HTML> Wed, 01 Aug 2012 08:28:06 GMT nkarthikeyan 2012-08-01T08:28:06Z https://community.cisco.com/t5/network-security/use-extended-acl-with-nat/m-p/1955435#M401395 <P>Believe it or not, once in a while, i fumble with some basic concepts. Here is one, on our perimeter FW, ASA, there are these NATTING configured.</P><P></P><P>I just couldnt figure out why they use extended ACL for the sources? isnt the standard one good enough? </P><P></P><P>thanks in advance,</P><P></P><P>Han&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P></P><P></P><P>access-list dmz_nat0_outbound extended permit ip any 1XX.169.0.0 255.255.0.0<BR />access-list dmz_nat0_outbound extended permit ip any 10.48.240.0 255.255.255.0<BR />access-list dmz_nat0_outbound extended permit ip any 10.48.243.0 255.255.255.0</P><P>access-list inside_nat0_outbound_5 extended permit ip any 172.17.13.0 255.255.255.0<BR />access-list inside_nat0_outbound_5 extended permit ip any 192.168.12.0 255.255.255.0<BR />access-list inside_nat0_outbound_5 extended permit ip any 192.168.221.0 255.255.255.0</P><P>global (Outside) 2 2XX.YY.13.244 netmask 255.255.255.0<BR />global (Outside) 1 2XX.YY.13.12 netmask 255.255.255.255<BR />nat (inside) 0 access-list inside_nat0_outbound_5<BR />nat (inside) 1 0.0.0.0 0.0.0.0<BR />nat (dmz) 0 access-list dmz_nat0_outbound<BR />nat (dmz) 2 0.0.0.0 0.0.0.0</P> Mon, 11 Mar 2019 23:36:49 GMT https://community.cisco.com/t5/network-security/use-extended-acl-with-nat/m-p/1955435#M401395 hanwucisco 2019-03-11T23:36:49Z https://community.cisco.com/t5/network-security/use-extended-acl-with-nat/m-p/1955436#M401396 <HTML><HEAD></HEAD><BODY><P> Dear Han</P><P></P><P>Well if you use standard ACL its only check for source address and so all the traffic from the specific source will be Natted okay so in the scenarios like split tunnel ...etc we use mostly extended ACL to differentiate the traffic based on the destination like all the traffic for far end Lan subnet should'nt be Natted while all the other traffic which mean to be for internet should be Natted.</P><P></P><P>Hope this will clear your concept.</P><P></P><P>Regards</P><P>Salman Jamshed</P><P></P><P>Rate it if its usefull for you.</P></BODY></HTML> Tue, 31 Jul 2012 21:42:49 GMT https://community.cisco.com/t5/network-security/use-extended-acl-with-nat/m-p/1955436#M401396 saljam100 2012-07-31T21:42:49Z https://community.cisco.com/t5/network-security/use-extended-acl-with-nat/m-p/1955437#M401397 <HTML><HEAD></HEAD><BODY><P> Hi Han,</P><P></P><P>If you go for the standard ACL then you cannot specify the destination subnets and ports. You can specify only the source and the destination is considered any by default.</P><P></P><P>standard ACL:</P><P>access-list 10 standard permit ip 172.16.0.0</P><P></P><P>Extended ACL:</P><P>access-list abc permit tcp 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 80</P><P></P><P>This is how it differs. In your scenario destination is specific rather the source is any. So you have the extended ACL in picture for that. Hope this clears you.</P><P></P><P>Please do rate if the given information helps.</P><P></P><P>By</P><P></P><P>Karthik</P></BODY></HTML> Wed, 01 Aug 2012 08:28:06 GMT https://community.cisco.com/t5/network-security/use-extended-acl-with-nat/m-p/1955437#M401397 nkarthikeyan 2012-08-01T08:28:06Z