Access-Lists with NAT

dukenukem
Level 1

Hi All,

Quick question for you (actually 2)

I have a 800 Router with 2 Ethernets 0 and 1.

0 is my LAN and 1 is connected to ADSL.

I use NAT. If int E1 obtains a private IP from the ADSL modem, and I want to allow certain traffic to the local IP 10.0.0.2 with the ACL on E1, would this be OK?

ACL:

ip access-list extended 101
 permit ip any host 10.0.0.2

E1:

ip access-group 101 in

I mean, should I specify the private IP 10.0.0.2, or should I specify the IP that I am using for NAT (and how can I specify this, since this automatic DHCP address keeps changing)?

Second question

----------------

Also, if I used a public IP on my ADSL interface E1 that I am also using for NAT (overloading), what would the ACLs look like?

I am not sure if i explained myself correctly.

Hope you can help.

George

3 Replies

Nicholas Vigil
Level 1

Regarding the ACL, you would specify the NAT IP, as that is the address that traffic will see from the outside.

If your public IP is 1.2.3.4 then the ACL would be:

ip access-list extended 101
 permit ip any host 1.2.3.4

Then the PIX would accept the traffic, translate 1.2.3.4 to 10.0.0.2 and forward it correctly, assuming you have the proper NAT setup.

As for your second question, I am not sure if what you are trying to do will work unless you have a static IP. Without the static IP you will be modifying your ACL every time your IP changes.

OK, I understand that I will have to use the public IP in my ACL on the ADSL-connected interface.

If I obtain a private IP on my ADSL interface from the ISP, then is the best method to apply the ACL on the LAN interface and assign it as IP ACCESS-GROUP xxx OUT?

And one more question.

I understand the concept of an ACL with one public IP that will be NATed (overloaded). What if I am using multiple public IPs that I will NAT on all of them?

How does this affect my ACLs? Is there a way around this?

Thanks,

George

Hi George,

The first solution seems good. It is better to apply it to the outgoing traffic on the LAN instead of applying it to the public interface, where the IP is going to change every time you connect.

Yes, for the second case also you had better apply it on the LAN interface. Only some unnecessary processing will happen, but that will be worthwhile while you opt for DHCP.

Rate if it does,

Balaji.
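The two answers above rest on one fact about IOS order of operations for traffic arriving from the outside: an inbound ACL on the ADSL interface is evaluated before the outside-to-inside NAT translation, so it only ever sees the public (inside-global) address, whereas an outbound ACL on the LAN interface runs after translation and sees the private (inside-local) address, which is why it keeps working when the DHCP-assigned public address changes. The following toy model is an added example written for this thread, not code from the original posts or from Cisco; it assumes a constructed static mapping of 1.2.3.4 to 10.0.0.2, a hypothetical outside source 203.0.113.9, and ACL semantics reduced to "permit ip any host X" plus the implicit deny.

```python
"""Toy model of IOS ACL/NAT ordering for outside-to-inside traffic (added example).

Order modelled, matching the behaviour the replies describe:
  inbound ACL on E1 (sees public dst) -> NAT outside-to-inside -> outbound ACL on E0 (sees private dst)
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class AclEntry:
    action: str               # "permit" or "deny"
    dst_host: Optional[str]   # None means "any"


def acl_check(entries: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry wins; an ACL with no match ends in the implicit deny."""
    for entry in entries:
        if entry.dst_host is None or entry.dst_host == pkt.dst:
            return entry.action == "permit"
    return False


def nat_outside_to_inside(nat_table: Dict[str, str], pkt: Packet) -> Packet:
    """Rewrite the destination from inside-global to inside-local (unchanged if no mapping)."""
    return replace(pkt, dst=nat_table.get(pkt.dst, pkt.dst))


def forward_outside_to_inside(pkt: Packet, nat_table: Dict[str, str],
                              e1_in_acl: Optional[List[AclEntry]] = None,
                              e0_out_acl: Optional[List[AclEntry]] = None) -> Tuple[str, str]:
    """Return (fate, destination address the last hop saw)."""
    if e1_in_acl is not None and not acl_check(e1_in_acl, pkt):
        return ("dropped at E1 in", pkt.dst)          # ACL ran on the untranslated packet
    inside = nat_outside_to_inside(nat_table, pkt)
    if e0_out_acl is not None and not acl_check(e0_out_acl, inside):
        return ("dropped at E0 out", inside.dst)      # ACL ran after translation and routing
    return ("delivered", inside.dst)


# Constructed sample data: public 1.2.3.4 (as in the first reply) mapped to the LAN host 10.0.0.2.
NAT_TABLE = {"1.2.3.4": "10.0.0.2"}
FROM_OUTSIDE = Packet(src="203.0.113.9", dst="1.2.3.4")   # hypothetical remote client


def e1_acl_with_private_ip() -> Tuple[str, str]:
    """George's original ACL on E1 in: matches 10.0.0.2, which E1 never sees before NAT."""
    return forward_outside_to_inside(FROM_OUTSIDE, NAT_TABLE,
                                     e1_in_acl=[AclEntry("permit", "10.0.0.2")])


def e1_acl_with_public_ip() -> Tuple[str, str]:
    """Nicholas's correction: the E1 ACL must name the NAT (public) address."""
    return forward_outside_to_inside(FROM_OUTSIDE, NAT_TABLE,
                                     e1_in_acl=[AclEntry("permit", "1.2.3.4")])


def e0_out_acl_across_dhcp_change() -> List[Tuple[str, str]]:
    """Balaji's approach: filter on E0 out with the private address; survives a new public IP."""
    lan_acl = [AclEntry("permit", "10.0.0.2")]
    results = []
    for public_ip in ("1.2.3.4", "198.51.100.77"):   # constructed: lease changes the public address
        pkt = Packet(src="203.0.113.9", dst=public_ip)
        results.append(forward_outside_to_inside(pkt, {public_ip: "10.0.0.2"}, e0_out_acl=lan_acl))
    return results


if __name__ == "__main__":
    print("E1 in, private IP in ACL :", e1_acl_with_private_ip())
    print("E1 in, public IP in ACL  :", e1_acl_with_public_ip())
    print("E0 out across DHCP change:", e0_out_acl_across_dhcp_change())
```

The first call shows why the original ACL silently blocks everything: the only address E1 can match is 1.2.3.4, so "permit ip any host 10.0.0.2" falls through to the implicit deny. The third call shows the trade-off Balaji mentions: the packet has already been translated and routed before the E0 outbound ACL discards it, so the filtering costs a little more work but does not depend on the public address.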