
ACL needed with simple NAT?

erik.winberg
Level 1

Question about the need for an ACL when using NAT on a 1941 router.

I have a very simple configuration where I NAT all inside traffic to the Internet-facing public IP address assigned by my ISP. It's basically something like this:

interface serial0/0
 ip address 1.2.3.4 255.255.255.252
 ip nat outside

interface gi0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

ip nat inside source list 1 interface serial0/0 overload
access-list 1 permit 192.168.1.0 0.0.0.255

All traffic is from inside to outside, no inbound traffic is needed (except, of course, in response to my outbound initiated traffic). Is an ACL on the outside interface still needed here or will the NAT be sufficient to prevent inbound initiated traffic from accessing any of my inside hosts?

2 Accepted Solutions


Hi

Only your config is enough.

Also the following link could be useful:

http://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<


Diana Karolina Rojas
Cisco Employee

Hello,


Your configuration ensures that only the hosts on your 192.168.1.1 255.255.255.0 network whose packets enter through the gi0/0 interface can be translated to the outside interface; you do not need anything else.

Regards,

-Remember to rate the useful posts.
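
Added example, not part of the original thread and not Cisco code: a simplified Python model of the translation table that the question's `overload` rule builds, showing which packets arriving at 1.2.3.4 are mapped back to an inside host. The class and method names, the port allocation starting at 1024, the full-tuple match and the remote addresses are assumptions of the model; it does not cover packets addressed to anything other than 1.2.3.4 or services running on the router itself.

```python
import ipaddress

# Addresses below come from the question's config; remote hosts and ports
# used with this model are constructed samples.
OUTSIDE_IP = "1.2.3.4"                          # serial0/0 (ip nat outside)
ACL1 = ipaddress.ip_network("192.168.1.0/24")   # access-list 1 permit 192.168.1.0 0.0.0.255


class Pat:
    """Simplified model of 'ip nat inside source list 1 interface serial0/0 overload'."""

    def __init__(self):
        self.next_port = 1024   # modelling assumption: sequential global ports
        self.out = {}    # (proto, in_ip, in_port, remote_ip, remote_port) -> global port
        self.back = {}   # (proto, global port, remote_ip, remote_port) -> (in_ip, in_port)

    def outbound(self, proto, src, sport, dst, dport):
        """Packet entering gi0/0 (ip nat inside) and leaving via serial0/0."""
        if ipaddress.ip_address(src) not in ACL1:
            return None                      # source not permitted by list 1: no translation
        key = (proto, src, sport, dst, dport)
        if key not in self.out:              # first packet of a flow creates the entry
            self.out[key] = self.next_port
            self.back[(proto, self.next_port, dst, dport)] = (src, sport)
            self.next_port += 1
        return (OUTSIDE_IP, self.out[key])

    def inbound(self, proto, src, sport, dport):
        """Packet arriving on serial0/0 addressed to 1.2.3.4:dport.

        Returns the inside (ip, port) it maps to, or None when no
        translation entry exists, so no inside host receives it.
        """
        return self.back.get((proto, dport, src, sport))


if __name__ == "__main__":
    pat = Pat()
    print(pat.outbound("tcp", "192.168.1.10", 51000, "203.0.113.5", 443))
    print(pat.inbound("tcp", "203.0.113.5", 443, 1024))    # reply to the inside host's flow
    print(pat.inbound("tcp", "198.51.100.7", 443, 1024))   # different remote, same port
    print(pat.inbound("tcp", "203.0.113.5", 443, 3389))    # unsolicited, no entry
```

On the router itself, `show ip nat translations` lists the real entries this table stands in for.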

