Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1128
Views
0
Helpful
1
Replies

Is an ACL needed when using PAT?

esa_fresa
Level 1
Level 1

‎05-01-2018 10:57 AM - edited ‎03-05-2019 10:22 AM

We have a single router (4331) that connects to our ISP. We do PAT (dynamic nat) to give users internet access. Now typically we'd have an OUTSIDE-IN ACL that blocks traffic from the internet. My question is, if we're using PAT and have no static 1-to-1 translations, do we even need an ACL? If yes, what would be the attack that an ACL would prevent?

Labels:
0 Helpful
1 Reply 1

Jo_Smo
Level 1
Level 1

‎05-01-2018 11:47 AM

Are you using the ZBF functionality on the 4331? If yes, then you'd want an outside-in ACL that allows any inbound traffic that isn't already return traffic from inspection. If you are not using ZBF then it us up to you if you want to use an ACL, but it is not manditory. It would depend if you want to deny certain protocols inbound. See below for an example to block inbound telnet except from one IP. 

 

ip access-list extended outside-in

 permit tcp host 1.1.1.1 any eq 23

 deny tcp any any eq 23

 permit ip any any

 

interface g0/0/1

 ip access-group outside-in in

0 Helpful
Customers Also Viewed These Support Documents