use extended ACL with NAT

hanwucisco
Level 1

Believe it or not, once in a while I fumble with some basic concepts. Here is one: on our perimeter FW (an ASA), the following NAT rules are configured.

I just couldn't figure out why they use an extended ACL for the sources. Isn't the standard one good enough?

thanks in advance,

Han

access-list dmz_nat0_outbound extended permit ip any 1XX.169.0.0 255.255.0.0
access-list dmz_nat0_outbound extended permit ip any 10.48.240.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip any 10.48.243.0 255.255.255.0

access-list inside_nat0_outbound_5 extended permit ip any 172.17.13.0 255.255.255.0
access-list inside_nat0_outbound_5 extended permit ip any 192.168.12.0 255.255.255.0
access-list inside_nat0_outbound_5 extended permit ip any 192.168.221.0 255.255.255.0

global (Outside) 2 2XX.YY.13.244 netmask 255.255.255.0
global (Outside) 1 2XX.YY.13.12 netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound_5
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 2 0.0.0.0 0.0.0.0


saljam100
Level 1

Dear Han

Well, if you use a standard ACL it only checks the source address, so all the traffic from the specific source will be NATted. So in scenarios like split tunnel etc. we mostly use extended ACLs to differentiate the traffic based on the destination, e.g. all the traffic for the far-end LAN subnet shouldn't be NATted while all the other traffic, which is meant for the internet, should be NATted.

Hope this will clear your concept.

Regards

Salman Jamshed

Rate it if it's useful for you.

nkarthikeyan
Level 7

Hi Han,

If you go for the standard ACL then you cannot specify the destination subnets and ports. You can specify only the source, and the destination is considered any by default.

standard ACL:

access-list 10 standard permit 172.16.0.0 255.255.0.0

Extended ACL:

access-list abc extended permit tcp 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 80

This is how it differs. In your scenario the destination is specific while the source is any, so you have the extended ACL in the picture for that. Hope this clears it up for you.

Please do rate if the given information helps.

By

Karthik
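To make the point of both replies concrete, here is an added example (not from the thread or from Cisco) that models first-match ACL evaluation and the "nat 0 access-list, then nat 1 catch-all" order from Han's config. It shows that the extended ACL exempts only flows to the listed destinations, whereas a standard ACL (the ACL number 10 and the 10.1.1.0/24 source are assumed) can only decide on the source and would exempt internet-bound traffic too.

```python
import ipaddress

# Constructed sample: the inside NAT-exemption ACL quoted in the question.
INSIDE_NAT0_ACL = """
access-list inside_nat0_outbound_5 extended permit ip any 172.17.13.0 255.255.255.0
access-list inside_nat0_outbound_5 extended permit ip any 192.168.12.0 255.255.255.0
access-list inside_nat0_outbound_5 extended permit ip any 192.168.221.0 255.255.255.0
"""
# Constructed sample: a standard ACL can only name the source (number and subnet assumed).
INSIDE_STANDARD_ACL = "access-list 10 standard permit 10.1.1.0 255.255.255.0"
ANY = ipaddress.ip_network("0.0.0.0/0")


def take_addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acl(text):
    """Turn standard/extended 'permit ip' ACEs into (action, src_net, dst_net).
    A standard ACE carries only a source, so its destination is implicitly any."""
    aces = []
    for line in text.strip().splitlines():
        f = line.split()
        if f[2] == "standard":
            src, _ = take_addr(f[4:])
            aces.append((f[3], src, ANY))
        elif f[2] == "extended" and f[4] == "ip":  # only protocol 'ip' is modelled
            src, rest = take_addr(f[5:])
            dst, _ = take_addr(rest)
            aces.append((f[3], src, dst))
        else:
            raise ValueError(f"unsupported ACE: {line}")
    return aces


def acl_permits(aces, src, dst):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def nat_decision(nat0_aces, src, dst):
    """Flows permitted by the 'nat (inside) 0 access-list' ACL skip translation; the rest hit 'nat (inside) 1'."""
    return "nat 0 (exempt)" if acl_permits(nat0_aces, src, dst) else "nat 1 (translate)"
```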
