12-13-2018 04:21 AM
Hi,
As a recent CCNA R&S graduate I'm still a bit confused when it comes to extended ACLs combined with static NAT.
So I got this question; If you create an extended ACL and you use this command:
permit ip 10.0.0.1 0.0.0.0 any
All protocols are permitted with their associated ports, right?
And if you then use a static NAT command such as:
ip nat source static tcp 10.0.0.1 3389 interface Dialer0 3389
There shouldn't be a problem connecting to 10.0.0.1 through the IP of Dialer0... or do I have to include the protocol and port number in the ACL?
Greetings,
Marnix
12-13-2018 04:35 AM
Hi m.x,
They both are different ways of enabling NAT for specific flow/host. The use of ACL is to identify a range of source/destination while static is specific.
In your example, creating "ip nat source static tcp 10.0.0.1 3389 interface Dialer0 3389" will work and does not need port 3389 to be allowed on the ACL. They are not related.
HTH,
Nagendra
12-13-2018 04:41 AM
Your NAT statement is a subset of your ACL, i.e. the ACL allows all IP traffic from 10.0.0.1 to any destination irrespective of ports, so your NAT statement is more specific than that as it specifies a TCP port.
In terms of order, I am not sure what is processed first: the ACL or the NAT statement. (ASA first applies NAT ingress, after that the ACL ingress.) Not sure about IOS devices to be honest.
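As an added illustration (not from this thread), here is a small Python model of the two separate lookups the replies describe: a wildcard-mask ACL check and a static port-NAT table. The Dialer0 address and the sample packets are constructed values, and the ACL-then-NAT order shown is an assumption of the model, not a statement about IOS.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", "icmp", ...
    src: str
    sport: int
    dst: str
    dport: int

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask means the bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

# Constructed ACE mirroring the thread: "permit ip 10.0.0.1 0.0.0.0 any".
# Fields: action, protocol, (src, src-wildcard), (dst, dst-wildcard), dst-port.
ACL = [("permit", "ip", ("10.0.0.1", "0.0.0.0"), ("0.0.0.0", "255.255.255.255"), None)]

def acl_decision(acl, pkt: Packet) -> str:
    for action, proto, (sb, sw), (db, dw), dport in acl:
        if proto != "ip" and proto != pkt.proto:      # "ip" matches every protocol
            continue
        if not wildcard_match(pkt.src, sb, sw) or not wildcard_match(pkt.dst, db, dw):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every ACL

# Constructed static port translation (the thread's NAT line): local 10.0.0.1:3389/tcp
# <-> Dialer0 address, port 3389. The Dialer0 address is an assumed documentation IP.
DIALER0_IP = "203.0.113.10"
STATIC_NAT = {("tcp", "10.0.0.1", 3389): (DIALER0_IP, 3389)}

def nat_inside_to_outside(pkt: Packet):
    gip_gport = STATIC_NAT.get((pkt.proto, pkt.src, pkt.sport))
    if gip_gport is None:
        return None  # no static entry for this flow; the ACL verdict is unaffected
    gip, gport = gip_gport
    return Packet(pkt.proto, gip, gport, pkt.dst, pkt.dport)

def process_inside(acl, pkt: Packet):
    """Assumed model: inbound ACL on the inside interface, then the NAT lookup."""
    if acl_decision(acl, pkt) != "permit":
        return ("denied", None)
    return ("permitted", nat_inside_to_outside(pkt))
```

The TCP/3389 reply from 10.0.0.1 is both permitted and translated, a UDP packet from the same host is permitted by the ACL but has no static entry, and a packet from 10.0.0.2 is dropped by the implicit deny.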