https://community.cisco.com/t5/network-security/a-question-about-nat-configuration/m-p/1526179#M605704 <P>I've been digging around in the IOS 12.4 on-line documentation and finding just enough information to make me ask more questions, that I can't find answers for.&nbsp; Any help is greatly appreciated.</P><P></P><P>I have a system with one external interface and many internal network interfaces.&nbsp; For security we are looking at using RFC 1918 IP addresses for the internal networks and implementing nat for external routing. </P><P></P><P>Also for security reasons we need to ensure that only traffic for each specific subnet can route through its internal interface, both into and out of the router.&nbsp; To me, it appears that we will need a separate access-list for each interface, is this correct? </P><P></P><P>We also have security mandates that require the use of the "IP access-list extended" format.&nbsp; is that format compatible with nat?</P><P></P><P>Can an IP nat pool support more than one IP source list (access-list) or do we need one pool for each list?&nbsp; Can the IOS even support more than one pool?&nbsp; If so, is there a limit to the number of pools that are supported?</P><P></P><P>Another issue is that we will have some applications that require the end unit to have a routable IP address.&nbsp; They will have their one dedicated internal interface, but everything shares the same external interface.&nbsp; Can one external interface support both?</P><P></P><P>Manuel Dennis</P> Mon, 11 Mar 2019 19:20:01 GMT manuel.dennis 2019-03-11T19:20:01Z https://community.cisco.com/t5/network-security/a-question-about-nat-configuration/m-p/1526179#M605704 <P>I've been digging around in the IOS 12.4 on-line documentation and finding just enough information to make me ask more questions, that I can't find answers for.&nbsp; Any help is greatly appreciated.</P><P></P><P>I have a system with one external interface and many internal network interfaces.&nbsp; For security we are looking at using RFC 1918 IP addresses for the internal networks and implementing nat for external routing. </P><P></P><P>Also for security reasons we need to ensure that only traffic for each specific subnet can route through its internal interface, both into and out of the router.&nbsp; To me, it appears that we will need a separate access-list for each interface, is this correct? </P><P></P><P>We also have security mandates that require the use of the "IP access-list extended" format.&nbsp; is that format compatible with nat?</P><P></P><P>Can an IP nat pool support more than one IP source list (access-list) or do we need one pool for each list?&nbsp; Can the IOS even support more than one pool?&nbsp; If so, is there a limit to the number of pools that are supported?</P><P></P><P>Another issue is that we will have some applications that require the end unit to have a routable IP address.&nbsp; They will have their one dedicated internal interface, but everything shares the same external interface.&nbsp; Can one external interface support both?</P><P></P><P>Manuel Dennis</P> Mon, 11 Mar 2019 19:20:01 GMT https://community.cisco.com/t5/network-security/a-question-about-nat-configuration/m-p/1526179#M605704 manuel.dennis 2019-03-11T19:20:01Z https://community.cisco.com/t5/network-security/a-question-about-nat-configuration/m-p/1526180#M605707 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>A specific ACL applied to each interface. <BR />IP access-list extended is the recommended way to go fully compatible with NAT. <BR />Recommended configuration one pool for each ACL.<BR />IOS can support many pools. <BR />You can have a mix of public/private addresses.</P><P></P><P>If you need clarification in something please let us know.</P><P></P><P>Federico.</P></BODY></HTML> Wed, 08 Dec 2010 15:22:58 GMT https://community.cisco.com/t5/network-security/a-question-about-nat-configuration/m-p/1526180#M605707 Federico Coto Fajardo 2010-12-08T15:22:58Z https://community.cisco.com/t5/network-security/a-question-about-nat-configuration/m-p/1526181#M605709 <HTML><HEAD></HEAD><BODY><P>The examples in the on-line documentation were somewhat limited. Your information is very helpful.&nbsp; Thank you.</P><P>Manuel Dennis</P></BODY></HTML> Wed, 08 Dec 2010 15:31:06 GMT https://community.cisco.com/t5/network-security/a-question-about-nat-configuration/m-p/1526181#M605709 manuel.dennis 2010-12-08T15:31:06Z