11-21-2002 12:30 PM - edited 03-02-2019 03:05 AM
Where is this ACL applied? To traffic traveling inside to out, or outside to in? Is it actually being applied on an interface?
ip nat inside source list 100 interface Ethernet0/0 overload
Also, is this where I would decide what traffic I want to allow into my router? Or would I make a separate ACL and apply it to an interface?
Solved! Go to Solution.
11-21-2002 12:51 PM
I see, there might have been a slight error in the framing of my sentence....
If you use private addresses inside your network and use NAT at the border, anybody on the Internet can reach a PC on the inside only if you have configured a NAT translation (say, a static translation). That way NAT does provide security.
Even with this configuration, the external interface should respond to pings.
11-21-2002 12:39 PM
The access list that you specify in the ip nat command is like an interesting-traffic selector. Those packets which are matched by access list 100 will be NATed; the rest will bypass NAT. So this access list is actually used to match all incoming packets on the inside interface of the NAT router (that is, the interface on which you have applied the command "ip nat inside").
To allow/disallow packets to/from the router you cannot use NAT. You need to create separate access lists, permit/deny the required subnets (depending on what policy you want), and apply them inbound on the WAN interface, which would restrict inbound connections, or outbound if you want to restrict outbound connections.
You shouldn't confuse the access list used in the NAT command with the access lists applied using ip access-group commands on the interface.
11-21-2002 12:46 PM
Thanks, that cleared some stuff up. Here's another question that you might be able to field for me. You said that you cannot allow/disallow packets to/from a router using NAT. But what if I have a NAT router and I want to only allow incoming traffic (HTTP, ICMP type 8, and FTP)? Then using NAT I would statically translate those to internal servers. But I want the external interface to respond to ICMP pings. Doable?
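The configuration below is an added example, not posted by anyone in the thread, that puts the two answers side by side: the access list named in the ip nat command only selects which inside-sourced packets get translated, while a second access list applied with ip access-group on the WAN interface is what actually restricts inbound connections. It also covers the follow-up question (static translations for HTTP and FTP to inside servers, and the outside interface answering ICMP echo). The interface names, addresses (203.0.113.2 on Ethernet0/0, 192.168.1.0/24 on Ethernet0/1) and server hosts are assumptions chosen for the example.

```cisco
! Added example configuration (not from the original posts). Addresses,
! interface roles and server hosts are assumed for illustration.
!
! Ethernet0/0 is the WAN side: NAT outside, and the real inbound filter lives here.
interface Ethernet0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group 110 in
!
! Ethernet0/1 is the LAN side: NAT inside. ACL 100 below is consulted for
! packets arriving here, but it only decides what gets translated.
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! ACL 100 is the NAT "interesting traffic" selector from the question.
! It permits nothing and denies nothing; it only marks 192.168.1.0/24 for PAT.
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 100 interface Ethernet0/0 overload
!
! Static translations publish two inside servers on the WAN address.
! Only TCP/UDP port-level statics exist; ICMP to 203.0.113.2 is handled by
! the router itself, so nothing is needed to make the outside interface answer pings.
ip nat inside source static tcp 192.168.1.10 80 203.0.113.2 80
ip nat inside source static tcp 192.168.1.11 21 203.0.113.2 21
!
! ACL 110 is the actual security policy. On IOS the inbound ACL on the outside
! interface is evaluated before outside-to-inside NAT, so it matches the
! public (pre-translation) address 203.0.113.2, not the inside server addresses.
access-list 110 permit tcp any host 203.0.113.2 eq www
access-list 110 permit tcp any host 203.0.113.2 eq ftp
access-list 110 permit icmp any host 203.0.113.2 echo
! Return traffic for sessions the inside hosts opened through PAT:
! "established" covers TCP only (it matches ACK/RST set).
access-list 110 permit tcp any host 203.0.113.2 established
access-list 110 permit icmp any host 203.0.113.2 echo-reply
! Everything else from the Internet is dropped here, NAT never sees it.
access-list 110 deny ip any any log
```

Two caveats a practitioner would check. First, the `established` keyword only helps TCP; replies to outbound UDP (DNS, for instance) and to inside hosts' pings are still blocked by a static inbound ACL, so a router doing this for real would use reflexive ACLs or `ip inspect` (CBAC) instead of line-by-line return rules. Second, the FTP static only covers the control channel on port 21; the IOS NAT FTP ALG rewrites PORT/PASV for translated sessions, but the data connection still has to be permitted by ACL 110 (again, easiest with stateful inspection rather than opening port ranges).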