Is an ACL needed when using PAT?

esa_fresa · ‎05-01-2018

We have a single router (4331) that connects to our ISP. We do PAT (dynamic nat) to give users internet access. Now typically we'd have an OUTSIDE-IN ACL that blocks traffic from the internet. My question is, if we're using PAT and have no static 1-to-1 translations, do we even need an ACL? If yes, what would be the attack that an ACL would prevent?

Jo_Smo · ‎05-01-2018

Are you using the ZBF functionality on the 4331? If yes, then you'd want an outside-in ACL that allows any inbound traffic that isn't already return traffic from inspection. If you are not using ZBF then it us up to you if you want to use an ACL, but it is not manditory. It would depend if you want to deny certain protocols inbound. See below for an example to block inbound telnet except from one IP.

ip access-list extended outside-in

permit tcp host 1.1.1.1 any eq 23

deny tcp any any eq 23

permit ip any any

interface g0/0/1

ip access-group outside-in in

Is an ACL needed when using PAT?

The ACL 'user-acl' is used in

PAT

Smart Licensing Using Policy の Online 方式でライセンスを適用する方法

Re: Access Control Lists (ACL) Explained

PAT problem