Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
550
Views
15
Helpful
4
Replies

Extended ACL Question

m.x
Level 1
Level 1

‎12-13-2018 04:21 AM

Hi,

 

As a recent CCNA R&S graduate I'm still a bit confused when it gets to extended ACL's combined with static NAT.

So I got this question; If you create an extended ACL and you use this command:

permit ip 10.0.0.1 0.0.0.0 any 
All protocols are permitted with their associated ports, right?

 

And if you then use a static NAT command such as:

ip nat source static tcp 10.0.01 3389 interface Dialer0 3389

 

There shouldn't be a problem.. connecting to 10.0.0.1 through the IP of Dialer0.. Or do I have to include the protocol and port-number in the ACL? 

 

Greeting 

Marnix

Labels:
0 Helpful
4 Replies 4

Nagendra Kumar Nainar
Cisco Employee
Cisco Employee

‎12-13-2018 04:35 AM

Hi m.x,

 

They both are different ways of enabling NAT for specific flow/host. The use of ACL is to identify a range of source/destination while static is specific.

 

In your example, creating "ip nat source static tcp 10.0.01 3389 interface Dialer0 3389" will work and does not need 3389 port to be allowed on ACL. They are not related.

 

HTH,

Nagendra

Kasun Bandara
VIP
VIP

‎12-13-2018 04:37 AM

hi,

yes. you can use this format. but in ACL, if you use 0.0.0.0 as a subnet mask that it equal to word 'any'. so use correct subject. from
also use nat command like below format
ip nat outside source static tcp <inside ip> <inside port> <outside ip> <outside port> extendable
Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Dennis Mink
VIP Alumni
VIP Alumni

‎12-13-2018 04:41 AM

your NAT statement is a subset of your ACL. i,e, the acl allow all IP traffic from 10.0.0.1 to any destination irrespective of ports. so your NAT statement is more specific than that as it specifies a tcp port.

 

interms order, I am not sure what is processed first: the acl or the NAT statement. (ASA first apply nat ingress after that the acl ingress). not sure bout ios devices to be honest

Please remember to rate useful posts, by clicking on the stars below.

m.x
Level 1
Level 1
In response to Dennis Mink

‎12-13-2018 04:50 AM

Thank you all for replying! Very helpful!
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card