NAT and ACL

sfarzin
Level 1

Hello

When configuring static and dynamic NAT, I've always used an ACL to block off the statically used IP address from initiating dynamic NAT. I've been doing this because I was told this is best practice; however, I really don't know the reasoning behind it! Could someone point out some of the cons of NOT using an ACL to block off the statically assigned address? I've configured the same setup without the ACL and the routers seem to be running fine so far! Any input would be appreciated. (I've done a copy & paste from one of Cisco's docs here as well.)

Thanks in advance for your time

! Dynamic pool: 172.16.131.2 - .10 (9 addresses); the static global .1 sits outside it
ip nat pool test 172.16.131.2 172.16.131.10 netmask 255.255.255.0
! Inside sources permitted by ACL 7 are translated to an address from the pool
ip nat inside source list 7 pool test
! One-to-one mapping for the host that must be reachable from outside
ip nat inside source static 10.10.10.1 172.16.131.1
!
interface e 0
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
!
interface s 0
 ip address 172.16.131.254 255.255.255.0
 ip nat outside
!
! First match wins: the static host is denied before the subnet-wide permit
access-list 7 deny host 10.10.10.1
access-list 7 permit 10.10.10.0 0.0.0.255

Note: ACL 7 (access-list 7) in the above configuration denies the inside local address, which is used in the static nat command. This will prevent packets sourced from the inside local address, 10.10.10.1, from being able to generate NAT dynamically. This is necessary because the inside local address of 10.10.10.1 is already being used for static NAT. This practice should always be used when configuring static and dynamic NAT simultaneously.
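The two things the quoted note relies on are Cisco's wildcard-mask ACL matching (first match wins, implicit deny at the end) and the question of which inside hosts are eligible to draw an address from the dynamic pool. The following is an added example, not code from the thread or from Cisco: it models the posted configuration as data, checks it for the two overlaps the note warns about (a static inside local that the dynamic ACL still permits, and a static inside global that falls inside the dynamic pool), and walks outbound translations through a small NAT model. The model resolves a static entry before consulting the pool and treats the ACL as the only gate on pool allocation; that is an assumption for illustration, not a claim about IOS's internal lookup order, which is what the replies below disagree on. The ACL, pool and hosts are constructed from the configuration in the post.

```python
"""Model of the static + dynamic NAT configuration posted above (added example)."""
import ipaddress


def _int(ip):
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(ip, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return ((_int(ip) ^ _int(network)) & care) == 0


def acl_permits(acl, ip):
    """Standard ACL evaluation: entries are (action, network, wildcard).
    The first matching entry decides; an unmatched source hits the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(ip, network, wildcard):
            return action == "permit"
    return False


# Constructed from the configuration in the post.
# "deny host 10.10.10.1" is a wildcard of 0.0.0.0 (every bit must match).
ACL7 = [("deny", "10.10.10.1", "0.0.0.0"),
        ("permit", "10.10.10.0", "0.0.0.255")]
STATIC = {"10.10.10.1": "172.16.131.1"}      # inside local -> inside global
POOL = ("172.16.131.2", "172.16.131.10")      # ip nat pool test


def check_config(static, pool, acl):
    """Lint the two overlaps the Cisco note warns about. Returns a list of findings."""
    findings = []
    lo, hi = _int(pool[0]), _int(pool[1])
    for local, glob in static.items():
        if acl_permits(acl, local):
            findings.append(
                f"static inside local {local} is permitted by the dynamic NAT ACL; "
                f"add 'deny host {local}' before the permit")
        if lo <= _int(glob) <= hi:
            findings.append(
                f"static inside global {glob} lies inside the dynamic pool "
                f"{pool[0]}-{pool[1]}")
    return findings


class NatModel:
    """Outbound translation (assumed order): static entry first, then an existing
    dynamic entry, then a fresh pool address if the ACL permits the source.
    Returns None when the packet would leave untranslated."""

    def __init__(self, static, pool, acl):
        self.static = dict(static)
        self.acl = acl
        self.free = [str(ipaddress.IPv4Address(x))
                     for x in range(_int(pool[0]), _int(pool[1]) + 1)]
        self.dynamic = {}

    def translate_outbound(self, src):
        if src in self.static:
            return self.static[src]
        if src in self.dynamic:
            return self.dynamic[src]
        if not acl_permits(self.acl, src) or not self.free:
            return None
        self.dynamic[src] = self.free.pop(0)
        return self.dynamic[src]


if __name__ == "__main__":
    print("findings with ACL 7:", check_config(STATIC, POOL, ACL7))
    # Same config with the deny line dropped: the static host becomes pool-eligible.
    no_deny = [("permit", "10.10.10.0", "0.0.0.255")]
    print("findings without the deny:", check_config(STATIC, POOL, no_deny))
    nat = NatModel(STATIC, POOL, ACL7)
    for host in ["10.10.10.1", "10.10.10.2", "10.10.10.2", "10.10.11.9"]:
        print(host, "->", nat.translate_outbound(host))
```

Running the module prints an empty finding list for the posted configuration, one finding when the `deny host` line is removed, and the translations `10.10.10.1 -> 172.16.131.1`, `10.10.10.2 -> 172.16.131.2` (the second request reuses the same entry) and `10.10.11.9 -> None` (outside the permitted subnet). The lint is the part worth keeping around: the second check, a static global inside the dynamic pool range, is the easier of the two mistakes to make and is not mentioned in the note at all.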

2 Replies

dathaide
Level 1

hi

I have also configured the router without the ACL for static NAT assignments and it works well, just as in your case. The only cons I see about preventing the static assignment from trying to get a dynamic assignment would be more statements and maybe more processing on the router CPU, although this may be negligible.

Just my 2 cents

r.sneekes
Level 1

There's no use for the static if you don't deny it in the ACL for the dynamic NAT, since it will then use the same dynamic address(es) to translate to the outside.

This is also needed for traffic initiated from the outside NAT interface to be able to connect to the NAT address and thus be NATted to the inside address.

see also:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml
