11-25-2008 07:53 AM - edited 03-04-2019 12:29 AM
Hi there,
I'm investigating an issue involving NAT and I'm unsure what gets translated to what based on the following config (from Cisco IOS NAT on a 6500 switch). I was under the impression that NAT used standard access lists but this one's an extended. The NAT uses the same access-list that's applied to control access through the interface (with the access-group command).
I'm sure this must be a valid config, as it's been in place for a long time. Does it mean that when a packet comes into the interface designated as 'outside' (Fa3/43), the source address of it will be NATed to something in the NAT pool as long as the destination and the port equal something in the access list? Taking the first line as an example (and let's just say that there is only one line), does it mean that if a tcp packet comes from host 172.19.198.42 destined for host 10.162.53.32 on port 21, then it will have the source address NATed, and if it doesn't match all of these criteria then it won't be NATed?
Thanks in advance for any advice.
----------------------------------------------------------
interface Vlan2
 ip address 10.162.52.253 255.255.252.0
 ip nat inside
interface FastEthernet3/7
 ip address 10.162.254.77 255.255.255.252
 ip nat inside
interface FastEthernet3/43
 ip address 10.162.244.1 255.255.255.248
 ip access-group monitor-servers in
 ip nat outside
ip nat pool nat_pool_1 10.162.244.65 10.162.244.125 netmask 255.255.255.192
ip nat outside source list monitor-servers pool nat_pool_1
ip access-list extended monitor-servers
 permit tcp host 172.19.198.42 host 10.162.53.32 eq ftp
 permit tcp host 172.19.198.42 host 10.162.53.73 eq ftp
 permit tcp host 172.19.198.42 host 10.162.53.74 eq ftp
 permit tcp host 172.19.198.42 host 10.162.20.30 eq ftp
 permit tcp host 172.19.198.42 host 10.162.53.32 eq telnet
 permit tcp host 172.19.198.42 host 10.162.53.73 eq telnet
 permit tcp host 172.19.198.42 host 10.162.53.74 eq telnet
 permit tcp host 172.19.198.42 host 10.162.20.30 eq telnet
 permit tcp host 172.19.198.42 host 10.162.53.32 eq 1433
 permit tcp host 172.19.198.42 host 10.162.53.73 eq 1433
 permit tcp host 172.19.198.42 host 10.162.53.74 eq 1433
 permit tcp host 172.19.198.42 host 10.162.20.30 eq 1433
 permit tcp host 172.19.198.42 host 10.162.53.32 eq 1721
 permit tcp host 172.19.198.42 host 10.162.53.73 eq 1721
 permit tcp host 172.19.198.42 host 10.162.53.74 eq 1721
 permit tcp host 172.19.198.42 host 10.162.20.30 eq 1721
 permit tcp host 172.19.198.42 host 10.162.53.32 eq 4105
 permit tcp host 172.19.198.42 host 10.162.53.73 eq 4105
 permit tcp host 172.19.198.42 host 10.162.53.74 eq 4105
 permit tcp host 172.19.198.42 host 10.162.20.30 eq 4105
 permit tcp host 172.19.198.42 host 10.162.53.32 eq 7001
 permit tcp host 172.19.198.42 host 10.162.53.73 eq 7001
 permit tcp host 172.19.198.42 host 10.162.53.74 eq 7001
 permit tcp host 172.19.198.42 host 10.162.20.30 eq 7001
 permit tcp host 172.19.198.42 host 10.162.53.32 eq 7003
 permit tcp host 172.19.198.42 host 10.162.53.73 eq 7003
 permit tcp host 172.19.198.42 host 10.162.53.74 eq 7003
 permit tcp host 172.19.198.42 host 10.162.20.30 eq 7003
 permit tcp host 172.19.198.42 host 10.162.53.32 eq 7774
 permit tcp host 172.19.198.42 host 10.162.53.73 eq 7774
 permit tcp host 172.19.198.42 host 10.162.53.74 eq 7774
 permit tcp host 172.19.198.42 host 10.162.20.30 eq 7774
 permit udp host 172.19.198.42 host 10.162.53.32 eq snmp
 permit udp host 172.19.198.42 host 10.162.53.73 eq snmp
 permit udp host 172.19.198.42 host 10.162.53.74 eq snmp
 permit udp host 172.19.198.42 host 10.162.20.30 eq snmp
 permit udp host 172.19.198.42 host 10.162.53.32 eq snmptrap
 permit udp host 172.19.198.42 host 10.162.53.73 eq snmptrap
 permit udp host 172.19.198.42 host 10.162.53.74 eq snmptrap
11-25-2008 07:57 AM
does it mean that if a tcp packet comes from host 172.19.198.42 destined for host 10.162.53.32 and on port 21 then it will have the source address NATed, and if it doesn't match all of these criteria then it won't be NATed?
That's correct.
__
Edison.
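As an added illustration that is not part of the thread, here is a small Python model of the decision the question describes and the answer confirms: an `ip nat outside source list ... pool ...` statement backed by an extended ACL translates the source of an inbound packet only when protocol, source host, destination host and destination port all match a permit entry, and everything else falls to the implicit deny. It assumes pool addresses are handed out in order (a simplification of IOS's next-free allocation) and uses three ACEs copied from the config plus the config's pool range as constructed sample input.

```python
import ipaddress

# IOS well-known port names that appear in the thread's ACL
PORT_NAMES = {"ftp": 21, "telnet": 23, "snmp": 161, "snmptrap": 162}

def parse_ace(line):
    """Parse 'permit <proto> host A host B eq <port>' into a tuple.
    Only the ACE form used in the thread is supported."""
    t = line.split()
    if len(t) != 8 or t[0] != "permit" or t[2] != "host" or t[4] != "host" or t[6] != "eq":
        raise ValueError("unsupported ACE: " + line)
    port = PORT_NAMES.get(t[7]) or int(t[7])
    return (t[1], t[3], t[5], port)

class OutsideSourceNat:
    """Model of 'ip nat outside source list <acl> pool <pool>' (hypothetical helper)."""
    def __init__(self, acl_lines, pool_start, pool_end):
        self.acl = [parse_ace(l) for l in acl_lines]
        first = ipaddress.ip_address(pool_start)
        last = ipaddress.ip_address(pool_end)
        self.free = [str(first + i) for i in range(int(last) - int(first) + 1)]
        self.table = {}   # outside global (real) -> outside local (pool) address

    def permitted(self, proto, src, dst, dport):
        """First-match ACL lookup; no match means the implicit deny."""
        return any(ace == (proto, src, dst, dport) for ace in self.acl)

    def inbound(self, proto, src, dst, dport):
        """Packet arriving on the 'ip nat outside' interface.
        Returns (forwarded, source address seen by the inside host)."""
        # The same ACL is applied with 'access-group ... in', so a packet
        # that is not translated is also dropped at the interface.
        if not self.permitted(proto, src, dst, dport):
            return (False, src)
        if src not in self.table:
            if not self.free:
                return (False, src)       # pool exhausted: no translation entry
            self.table[src] = self.free.pop(0)
        return (True, self.table[src])

# Constructed sample: three ACEs from the thread and the thread's pool range
ACL = [
    "permit tcp host 172.19.198.42 host 10.162.53.32 eq ftp",
    "permit tcp host 172.19.198.42 host 10.162.53.32 eq telnet",
    "permit udp host 172.19.198.42 host 10.162.53.32 eq snmp",
]
nat = OutsideSourceNat(ACL, "10.162.244.65", "10.162.244.125")
print(nat.inbound("tcp", "172.19.198.42", "10.162.53.32", 21))   # (True, '10.162.244.65')
print(nat.inbound("tcp", "172.19.198.42", "10.162.53.32", 22))   # (False, '172.19.198.42')
```

Because the translation entry is keyed on the outside host, a second permitted flow from 172.19.198.42 (telnet to the same server) reuses the pool address already assigned rather than consuming another one.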