Hi AK,

i'm having the same challenge.

If i'm accessing from outside to inside, don't i have to apply ACL and translation as the rule is saying??? or this ACL is enough to let people from outside (Eth0) to access inside server (eth1)??

BR

Fady

Hi Fady,

The mandatory standard rule is to use ACL and static map to enable your internal server to be accessed from internet. ACL itself is not enough, unless if you use NAT 0 (no translation), or if your internal network running on public IP where you need to use "static (inside,outside) xx.xx.xx.xx xx.xx.xx.xx netmask nn.nn.nn.nn

xx.xx.xx.xx - your internal IP/subnet; nn.nn.nn.nn - netmask

Example:

access-list outside permit tcp any host 192.168.1.10 eq www -> allow any host/IP

access-list outside permit ip 172.254.254.0ny host 192.168.1.10 eq www -> allow any host/IP

access-group outside in interface outside

static (inside,outside) 192.168.1.10 10.1.1.5 netmask 255.255.255.255

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278e.html#wp1001972

Rgds,

AK

AK,

Does the NAT0 works from outside to inside????

becoz i have a Frame relay network with 8 branches and i want my branches to access my server without nating, can it be done through the firewall???

Hi Fady,

Are you using FR over public network (connected via internet), or hosted by ISP which is considered private WAN link?

You can use NAT 0 with ACL to control incoming access via specific TCP/UDP services if your internal network run on public IP (with extra careful).

Allow only specific host, not the whole subnet. Maybe use access-list to define/allow which hosts allowed under nat 0, e.g "nat (inside) 0 access-list xxx", or just "nat (inside) 0 xx.xx.xx.xx nn.nn.nn.nn (nn - netmask).

Rgds,

AK

NAT example:

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1113021

Thanks man