Is an ACL needed when using PAT?
05-01-2018 10:57 AM - edited 03-05-2019 10:22 AM
We have a single router (4331) that connects to our ISP. We do PAT (dynamic NAT) to give users internet access. Now typically we'd have an OUTSIDE-IN ACL that blocks traffic from the internet. My question is, if we're using PAT and have no static 1-to-1 translations, do we even need an ACL? If yes, what would be the attack that an ACL would prevent?
Labels: Other Routing
05-01-2018 11:47 AM
Are you using the ZBF functionality on the 4331? If yes, then you'd want an outside-in ACL that allows any inbound traffic that isn't already return traffic from inspection. If you are not using ZBF then it is up to you whether you want to use an ACL, but it is not mandatory. It would depend on whether you want to deny certain protocols inbound. See below for an example to block inbound telnet except from one IP.
! Outside-in ACL: entries are evaluated top to bottom and the first match wins;
! anything that matches no entry hits the implicit deny at the end of the list
ip access-list extended outside-in
 ! telnet (tcp/23) is allowed only from this one source
 permit tcp host 1.1.1.1 any eq 23
 ! telnet from everywhere else is dropped
 deny tcp any any eq 23
 ! everything else is allowed in; without this line the implicit deny would block all other inbound traffic
 permit ip any any
!
! apply the list inbound on the outside (ISP-facing) interface
interface g0/0/1
 ip access-group outside-in in
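To make the reply's point concrete, here is an added Python model (example code written for this page, not from the post above and not Cisco's own code) of the outside-in extended ACL applied in front of a PAT (overload) table. It parses the three ACL lines from the reply with first-match semantics and the implicit deny, and then walks constructed inbound packets through a simplified router: IOS evaluates the inbound ACL before outside-to-inside translation, so the ACL sees the public addresses; an inbound packet that matches no translation entry is never forwarded to an inside host, which is the protection PAT alone gives you; but if that packet is addressed to the router's own outside address it is handled by the router itself, which is what the telnet deny in the example ACL is guarding. The addresses, ports, the `Packet`/`Ace`/`PatRouter` names and the router model are all constructed assumptions (only `eq` is modelled as a port operator, and one public address is shared by PAT and the router's services).

```python
"""Toy model of an IOS-style outside-in ACL in front of a PAT (overload) table.
Added example, not from the Cisco post or from Cisco; the addresses, ports and
router behaviour are constructed and deliberately simplified.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# The ACL from the reply, minus the 'ip access-list extended' header line.
OUTSIDE_IN_ACL = """
permit tcp host 1.1.1.1 any eq 23
deny tcp any any eq 23
permit ip any any
"""


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' into (base, wildcard) ints."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.ip_address(tokens[i])), int(ipaddress.ip_address(tokens[i + 1]))), i + 2


def _addr_matches(spec, addr):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF          # a set wildcard bit means "don't care"
    return (int(ipaddress.ip_address(addr)) & care) == (base & care)


def _parse_port(tokens, i):
    """Optional 'eq N' after an address; gt/lt/range are not modelled (assumption)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


@dataclass
class Ace:
    action: str
    proto: str
    src: tuple
    sport: Optional[int]
    dst: tuple
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (_addr_matches(self.src, p.src) and _addr_matches(self.dst, p.dst)):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        return self.dport is None or p.dport == self.dport


def parse_acl(text: str) -> list:
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        aces.append(Ace(t[0], t[1], src, sport, dst, dport))
    return aces


def acl_decision(aces, p: Packet) -> str:
    """First matching entry wins; no match means the implicit deny at the end."""
    for ace in aces:
        if ace.matches(p):
            return ace.action
    return "deny"


@dataclass
class PatRouter:
    outside_ip: str
    acl: Optional[list] = None                 # None = no access-group applied inbound
    table: dict = field(default_factory=dict)  # (proto, outside_port) -> (inside_ip, inside_port, peer_ip, peer_port)
    next_port: int = 1024

    def inside_to_outside(self, p: Packet) -> Packet:
        """Allocate a PAT port and record the flow together with its peer (an extended entry)."""
        port = self.next_port
        self.next_port += 1
        self.table[(p.proto, port)] = (p.src, p.sport, p.dst, p.dport)
        return Packet(p.proto, self.outside_ip, p.dst, port, p.dport)

    def outside_to_inside(self, p: Packet) -> str:
        # The inbound ACL is evaluated before outside-to-inside translation,
        # so it matches on the public (global) addresses.
        if self.acl is not None and acl_decision(self.acl, p) == "deny":
            return "denied-by-acl"
        entry = self.table.get((p.proto, p.dport))
        if entry is not None and entry[2:] == (p.src, p.sport):
            return "translated-to:%s:%d" % entry[:2]
        if p.dst == self.outside_ip:
            return "delivered-to-router"        # no translation: the router's own services see it
        return "dropped-no-translation"


def scenario(with_acl: bool) -> dict:
    """Constructed traffic against the toy router; returns the outcome per inbound packet."""
    acl = parse_acl(OUTSIDE_IN_ACL) if with_acl else None
    r = PatRouter("203.0.113.1", acl)
    out = r.inside_to_outside(Packet("tcp", "192.168.1.10", "198.51.100.5", 40000, 443))
    return {
        "reply-to-pat-flow": r.outside_to_inside(Packet("tcp", "198.51.100.5", "203.0.113.1", 443, out.sport)),
        "unsolicited-to-pat-port": r.outside_to_inside(Packet("tcp", "192.0.2.9", "203.0.113.1", 50000, out.sport)),
        "telnet-from-internet": r.outside_to_inside(Packet("tcp", "192.0.2.9", "203.0.113.1", 50001, 23)),
        "telnet-from-1.1.1.1": r.outside_to_inside(Packet("tcp", "1.1.1.1", "203.0.113.1", 50002, 23)),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("with ACL" if mode else "no ACL", scenario(mode))
```

Running it shows the two halves of the original question: the unsolicited packets never reach the inside host in either mode, because no PAT entry matches them, but without the ACL the telnet attempt from the internet lands on the router itself, and only the ACL turns that into a deny while still letting 1.1.1.1 through.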
