02-08-2017 09:27 AM - edited 03-05-2019 08:00 AM
Question about the need for an ACL when using NAT on a 1941 router.
I have a very simple configuration where I NAT all inside traffic to the Internet-facing public IP address assigned by my ISP. It's basically something like this:
interface serial0/0
 ip address 1.2.3.4 255.255.255.252
 ip nat outside
interface gi0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface serial0/0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
All traffic is from inside to outside, no inbound traffic is needed (except, of course, in response to my outbound initiated traffic). Is an ACL on the outside interface still needed here or will the NAT be sufficient to prevent inbound initiated traffic from accessing any of my inside hosts?
02-08-2017 09:52 AM
Hi
Only your config is enough.
Also the following link could be useful:
http://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html
:-)
02-08-2017 12:47 PM
Hello,
Your configuration ensures that only the hosts on your 192.168.1.1 255.255.255.0 network whose packets enter through the gi0/0 interface can be translated to the outside interface; you do not need anything else.
Regards,
-Remember to rate the useful posts.
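To make the answers above concrete, here is an added example (not from the thread or from Cisco) that models how the overload translation table built by the question's config treats traffic: outbound packets permitted by access-list 1 create an entry, a reply that matches that entry is translated back to the inside host, and an unsolicited inbound packet with no matching entry is never forwarded to any inside host. Port-selection details are simplified, and the remote addresses and ports are constructed sample values.

```python
import ipaddress

# Values from the question's config: access-list 1 and the serial0/0 address.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
OUTSIDE_IP = "1.2.3.4"


class PatRouter:
    def __init__(self):
        # outside port -> (inside ip, inside port, remote ip, remote port)
        self.table = {}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet entering gi0/0 (ip nat inside); returns it as sent out serial0/0."""
        if ipaddress.ip_address(src_ip) not in INSIDE_NET:
            # Not permitted by access-list 1: no entry is created and the packet
            # leaves untranslated (the ISP discards the private source address).
            return (src_ip, src_port, dst_ip, dst_port)
        flow = (src_ip, src_port, dst_ip, dst_port)
        for out_port, entry in self.table.items():
            if entry == flow:                     # reuse the existing translation
                return (OUTSIDE_IP, out_port, dst_ip, dst_port)
        # Keep the original source port when free, otherwise pick a free one.
        out_port = src_port
        while out_port in self.table:
            out_port += 1
        self.table[out_port] = flow
        return (OUTSIDE_IP, out_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet entering serial0/0 addressed to OUTSIDE_IP:dst_port. Returns the
        4-tuple delivered inside, or None when no entry matches (nothing forwarded)."""
        entry = self.table.get(dst_port)
        if entry is None:
            return None                           # unsolicited: no translation
        in_ip, in_port, remote_ip, remote_port = entry
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None                           # entry belongs to another peer
        return (src_ip, src_port, in_ip, in_port)


def demo():
    """Constructed flows: one inside host talks out, then two inbound packets."""
    r = PatRouter()
    sent = r.outbound("192.168.1.10", 40000, "93.184.216.34", 443)
    reply = r.inbound("93.184.216.34", 443, 40000)       # reply to that flow
    probe = r.inbound("198.51.100.7", 5555, 40000)       # unsolicited probe
    return sent, reply, probe
```

The table only governs traffic the router translates; packets addressed to the router's own outside address are handled by the router itself, so any service the router listens on (SSH, HTTP, SNMP) is not protected by NAT and is the usual reason to still apply an inbound ACL on serial0/0.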