08-19-2009 09:41 PM - edited 03-06-2019 07:20 AM
Hi everybody.
I have this scenario:
Let's say we have a host h1 with IP address 10.10.10.10/24 which is connected to a NAT router. The NAT router is connected to the internet.
Something like that:
h1 --- f0 NAT-router s0 --- internet --- Serv
We want host h1 to be able to telnet to a server at 199.199.199.199/24 only. All other communication from h1 should be blocked.
==========================
I understand we can use an extended ACL to achieve this result. Just for my understanding, I want the router to block all communication other than telnet to 199.199.199.199/24 from h1 by not performing NAT.
Here is my attempt:
nat router:
int f0
 ip nat inside
int s0
 ip nat outside
access-list 111 permit tcp host 10.10.10.10 host 199.199.199.199 eq 23
ip nat inside source list 111 interface s0 overload
My reasoning is that before the NAT router can perform the NAT operation, the desired traffic is selected by access list 111; the NAT router then performs NAT. If the host tries to access a web server, for example, it will not fulfil the criteria set out in access list 111 and will thus be denied by the implicit deny at the end of access-list 111.
Is my reasoning correct? Will the above config block any traffic other than telnet to 199.199.199.199 from h1?
Thanks a lot.
08-19-2009 11:09 PM
Sarah,
The ACL used in the "ip nat inside" command defines only which internal addresses should be translated but does not block the flow of traffic. If your ACL 111 permits an IP, then it will be translated using NAT. If, however, it denies an IP, then the packet will go out untranslated - but it won't be filtered. The communication in effect will be disabled not because the packet was filtered, but merely because it went away with a private source IP address to which no reply can be sent on the public internet.
So to filter traffic, you need to use an ACL on the Fa0 interface in the traditional way - "ip access-group N in". Depending on your requirements, it can be the same ACL as the one used in NAT, but usually two distinct ACLs are used.
Best regards,
Peter
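For readers who want to see the two-ACL layout Peter describes applied to Sarah's topology, here is an added example configuration (not from either poster). It assumes the router's LAN address is 10.10.10.1 and that f0 and s0 from the diagram are FastEthernet0 and Serial0; the NAT ACL is widened to the whole host because it only selects what is translated, and an explicit logged deny is added to the filter ACL so that blocked traffic shows up in counters.

```cisco
! Added example, not the original poster's config. Assumed names:
! FastEthernet0 = f0, Serial0 = s0, router LAN address 10.10.10.1.
!
! ACL 110 does the filtering. Only telnet from h1 to the server is
! allowed in from the LAN; the explicit deny at the end replaces the
! implicit one so that blocked packets are counted and logged.
access-list 110 permit tcp host 10.10.10.10 host 199.199.199.199 eq 23
access-list 110 deny ip any any log
!
! ACL 111 only selects which inside addresses are translated. A packet
! that misses it is routed out untranslated, not dropped.
access-list 111 permit ip host 10.10.10.10 any
!
interface FastEthernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip access-group 110 in
!
interface Serial0
 ip nat outside
!
ip nat inside source list 111 interface Serial0 overload
```

Replies from the server arrive on Serial0 and leave FastEthernet0 outbound, which the inbound ACL does not touch; `show access-lists 110` and `show ip nat translations` show the filter hits and the translation created for the telnet session respectively.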