NAT and ACLs Inquiry????

Charlie Mayes
Level 1

Hello All,

Does anyone have any idea on what training I can use to train myself on the new ACLs and NAT setup for 8.3 code and up? I am pretty comfortable with 8.2, but now that everything is leaving that code I need to get with it. I am open to any books or docs everyone may have in mind. Thanks.

7 Replies

cadet alain
VIP Alumni

Hi,

There are excellent docs here that explain that very well; just do a search in the docs in this section and you'll find what you want.

Regards.

Alain.

Don't forget to rate helpful posts.

Julio Carvajal
VIP Alumni

Hello Iketurner,

Just to let you know, the big change from 8.2 to 8.3 and prior regarding the ACLs is that you now have to point to the private IPs instead of the public ones (NATed ones).

Here you have the document you are looking for:

https://supportforums.cisco.com/docs/DOC-12690

Hope this helps. Any other question, let me know; otherwise please mark the question as answered.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio

Thanks for that link. I knew about the NAT changes, but I missed the bit about ACLs until I saw this doc.

Have to say the ACL update seems completely illogical to me, as traffic arriving on the outside interface will not have the private IP as the destination IP address.

Does this mean that NAT is now being done before the ACL on the outside interface is checked?

Jon

Hi Jon,

Yes, you are correct. Now NAT is performed first, before the access-list check on the firewall. If you run packet-tracer, it would show UN_NAT first and then the ACL is hit. Now picture this situation: you have a quite large configuration and for some reason you have to change your ISP now. Due to the usage of private IPs in the ACL, you are saved from making any changes to it and just need to add the public IPs in the object group created for NAT.

Hope this makes sense to you.

Thanks,

Varun

Thanks,
Varun Rao

Yes Jon. You are absolutely right.

Try packet-tracer on the new 8.3+ code and you will see this.

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-192.168.2.2-05
nat (inside,outside) static interface service tcp ftp ftp
Additional Information:
NAT divert to egress interface inside
Untranslate 172.18.254.34/21 to 192.168.2.2/21

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl-outside in interface outside
access-list acl-outside extended permit tcp any any eq ftp
Additional Information:

-Kureli
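As an added illustration of the change Julio and Varun describe and of the UN-NAT-before-ACCESS-LIST order in Kureli's trace (this is not configuration from any of the posts above), here is the same static FTP translation written in pre-8.3 and 8.3+ syntax, with a constructed public address 203.0.113.10 and constructed source 198.51.100.5; only the ACL's destination and the NAT statement change.

```cisco
! --- 8.2 and earlier (constructed example) ---
! The ACL is evaluated on the packet as it arrives, so it must match
! the translated (public) address.
static (inside,outside) 203.0.113.10 192.168.2.2 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq ftp
access-group outside_in in interface outside

! --- 8.3 and later (constructed example) ---
! UN-NAT runs before the ACL check, so the ACL matches the real (private)
! address. A change of public address only touches the nat line below.
object network obj-192.168.2.2
 host 192.168.2.2
 nat (inside,outside) static 203.0.113.10
access-list outside_in extended permit tcp any object obj-192.168.2.2 eq ftp
access-group outside_in in interface outside

! Verify the order of operations: expect a UN-NAT phase (Untranslate
! 203.0.113.10 to 192.168.2.2) before the ACCESS-LIST phase.
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 21
```

If the ACL in the 8.3+ block still named 203.0.113.10, packet-tracer would show the ACCESS-LIST phase dropping the flow even though the UN-NAT phase succeeded, which is the symptom behind Jon's question.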

Varun / Kureli

Thanks for confirming this. Good point about not needing to change IPs if you change ISPs.

Jon

Hi Jon,

Glad I could help.

Thanks,

Varun

Thanks,
Varun Rao