Access List question

bfpnetworking
Level 1

access-list 110 deny   ip 192.168.18.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 110 deny   ip 192.168.18.0 0.0.0.255 172.21.0.0 0.0.255.255
access-list 110 permit ip 192.168.18.0 0.0.0.255 any

Is the above ACL detrimental in any way to my branch traffic (192.168.18.0) reaching my HQ (172.20.0.0 / 172.21.0.0), or to my branch location reaching Internet locations?

My question is also: do I even need the first two lines of the ACL if my goal is to allow the branch 192.168.18.0 to reach Internet sites and my HQ IP ranges?

1 Reply

Giuseppe Larosa
Hall of Fame

Hello,

If the ACL is used to decide whether source NAT has to be performed, and you have a direct link to HQ or a VPN link to HQ, the ACL simply states:

do not use NAT when talking with HQ IP subnets, use NAT in all other cases.

If instead you apply the ACL directly to an interface, of course you are blocking communication with HQ.

So

interface
 ip access-group 110 out

is a problem

route-map MyNAT permit 10
 match ip address 110
ip nat inside source route-map MyNAT interface <outside-interface> overload

is fine

Hope to help

Giuseppe
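As an added example (not part of the original thread, and not Cisco code): a small Python simulator of IOS first-match ACL evaluation with Cisco wildcard masks. It reads access-list 110 exactly as posted and shows the two readings the reply contrasts: as the ACL behind a NAT route-map (permit = translate, deny = send untranslated) and as an outbound interface filter (permit = forward, deny = drop). It also evaluates a constructed variant with the two deny lines removed, which answers the second question in the thread. The hosts 192.168.18.10, 172.20.5.5, 172.21.9.9, 203.0.113.10 and 10.0.0.1 are constructed sample addresses, and all function names are my own.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed input: access-list 110 exactly as posted in the question.
ACL_110 = """
access-list 110 deny   ip 192.168.18.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 110 deny   ip 192.168.18.0 0.0.0.255 172.21.0.0 0.0.255.255
access-list 110 permit ip 192.168.18.0 0.0.0.255 any
"""

# Constructed variant: the same ACL with the two deny entries removed
# (the second question in the thread: are the deny lines needed at all?).
ACL_PERMIT_ONLY = "access-list 110 permit ip 192.168.18.0 0.0.0.255 any\n"


@dataclass(frozen=True)
class Ace:
    """One access control entry: action plus source/destination networks."""
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco 'address wildcard' pair into an IPv4Network.

    A wildcard bit of 1 means "don't care", so the subnet mask is the
    bitwise complement of the wildcard. Only contiguous masks are accepted
    here; discontiguous wildcards are legal in IOS but this thread's ACL
    does not use them.
    """
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"discontiguous wildcard not supported: {wildcard}")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def _parse_addr(tokens: list[str]) -> tuple[ipaddress.IPv4Network, list[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str) -> list[Ace]:
    """Parse numbered extended 'access-list N {permit|deny} ip SRC DST' lines."""
    aces: list[Ace] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if (len(tok) < 6 or tok[0] != "access-list"
                or tok[2] not in ("permit", "deny") or tok[3] != "ip"):
            raise ValueError(f"unsupported ACE: {line!r}")
        src, rest = _parse_addr(tok[4:])
        dst, _ = _parse_addr(rest)
        aces.append(Ace(tok[2], src, dst))
    return aces


def match(aces: list[Ace], src: str, dst: str) -> str:
    """IOS semantics: the first matching entry wins; an implicit
    'deny ip any any' sits at the end of every ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def nat_decision(aces: list[Ace], src: str, dst: str) -> str:
    """ACL referenced by a NAT route-map: permit = translate,
    deny (explicit or implicit) = forward the packet untranslated."""
    return "translate" if match(aces, src, dst) == "permit" else "no-nat"


def interface_filter_decision(aces: list[Ace], src: str, dst: str) -> str:
    """The same ACL applied with 'ip access-group 110 out':
    permit = forward, deny (explicit or implicit) = drop."""
    return "forward" if match(aces, src, dst) == "permit" else "drop"


if __name__ == "__main__":
    acl = parse_acl(ACL_110)
    permit_only = parse_acl(ACL_PERMIT_ONLY)
    branch = "192.168.18.10"
    for dst in ("172.20.5.5", "172.21.9.9", "203.0.113.10"):
        print(f"{branch} -> {dst}: NAT ACL = {nat_decision(acl, branch, dst)}, "
              f"interface ACL = {interface_filter_decision(acl, branch, dst)}, "
              f"NAT ACL without deny lines = {nat_decision(permit_only, branch, dst)}")
```

Running it shows the point of the reply: behind the route-map, HQ-bound traffic matches a deny entry and leaves untranslated while Internet-bound traffic is translated, whereas the identical entries applied as an outbound interface filter drop the HQ traffic. The permit-only variant translates HQ traffic too, so the two deny lines are what keep branch-to-HQ packets carrying their real 192.168.18.x source address.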
