Is an ACL needed when using PAT?

esa_fresa
Level 1

We have a single router (4331) that connects to our ISP. We do PAT (dynamic NAT) to give users internet access. Now typically we'd have an OUTSIDE-IN ACL that blocks traffic from the internet. My question is, if we're using PAT and have no static 1-to-1 translations, do we even need an ACL? If yes, what would be the attack that an ACL would prevent?

1 Reply

Jo_Smo
Level 1

Are you using the ZBF functionality on the 4331? If yes, then you'd want an outside-in ACL that allows any inbound traffic that isn't already return traffic from inspection. If you are not using ZBF then it is up to you if you want to use an ACL, but it is not mandatory. It would depend if you want to deny certain protocols inbound. See below for an example to block inbound telnet except from one IP.

ip access-list extended outside-in
 permit tcp host 1.1.1.1 any eq 23
 deny tcp any any eq 23
 permit ip any any

interface g0/0/1
 ip access-group outside-in in
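To make the behaviour of that ACL concrete, here is an added example (my own illustration, not the poster's configuration or Cisco code) that parses the extended ACL above and evaluates sample packets against it with IOS first-match semantics, including the implicit "deny ip any any" that IOS appends to every access list. The 203.0.113.x and 198.51.100.x addresses are constructed sample values; 1.1.1.1 is the host from the reply. It only models the ACL lookup itself: PAT translation and ZBF inspection happen separately on the router and are not simulated.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the ACL from the reply above, used as sample input.
OUTSIDE_IN = """\
ip access-list extended outside-in
 permit tcp host 1.1.1.1 any eq 23
 deny tcp any any eq 23
 permit ip any any
"""


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str                     # source IPv4 address
    dst: str                     # destination IPv4 address
    dport: Optional[int] = None  # destination port (None for icmp)
    sport: Optional[int] = None  # source port (None if unknown/irrelevant)


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int]         # None means any source port
    dport: Optional[int]         # None means any destination port


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    # IOS wildcard masks: a 0 bit means "must match"; invert to get a netmask.
    # Only contiguous wildcards are supported in this simplified parser.
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{tok}/{netmask}", strict=False)


def _parse_port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq N' port qualifier; other operators are not modelled."""
    if tokens[:1] == ["eq"]:
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_acl(text: str) -> List[AclEntry]:
    """Turn the permit/deny lines of an 'ip access-list extended' block into ordered entries."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # header line, remark or blank line
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _parse_addr(rest)
        sport = _parse_port(rest)
        dst = _parse_addr(rest)
        dport = _parse_port(rest)
        entries.append(AclEntry(action, proto, src, dst, sport, dport))
    return entries


def evaluate(entries: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; if nothing matches, IOS applies an implicit 'deny ip any any'."""
    src = ipaddress.IPv4Address(pkt.src)
    dst = ipaddress.IPv4Address(pkt.dst)
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"  # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    acl = parse_acl(OUTSIDE_IN)
    samples = [
        ("telnet from the permitted host", Packet("tcp", "1.1.1.1", "203.0.113.2", 23)),
        ("telnet from anyone else", Packet("tcp", "198.51.100.9", "203.0.113.2", 23)),
        ("inbound TCP/443 (e.g. PAT return traffic)", Packet("tcp", "198.51.100.9", "203.0.113.2", 443)),
    ]
    for label, pkt in samples:
        print(f"{label}: {evaluate(acl, pkt)}")
```

Two points the run makes visible: the final "permit ip any any" is not decoration, since without it the implicit deny would drop every inbound packet the earlier lines do not match (including return traffic for PAT sessions when no inspection is in place), and entry order matters, because swapping the permit and deny lines makes the deny match 1.1.1.1 first.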
