Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
384
Views
0
Helpful
1
Replies

Nat scenario

Go to solution
sarahr202
Level 5
Level 5

‎08-19-2009 09:41 PM - edited ‎03-06-2019 07:20 AM

Hi every body.

I have this scenario

Let say we have a host h1 with ip address 10.10.10.10/24 which is connected to a Nat router. Nat router is connected to internet.

Something like that:

h1--- f0Nat-routers0---internet--Serv

We want host,h1 to be able to telnet a server at 199.199.199.199/24 only. All other communication should be blocked from h1.

==========================

I understand we can use extended acl to acheive this result. Just for my understaning, i want router to block the commuincation other than telnet to 199.199.199.199/24 from h1 by not performing nat.

Here is my attempt:

nat router:

int f0

ip nat inside

int s0

ip nat outside

access-list 111 permit tcp host 10.10.10.10 host 199.199.199.199 eq 23

ip nat inside source list 111 int s0 overload.

My resoning is before nat router can perform nat operation, desired traffic is selected by access list 111,nat router then perform nat. If host tries to access web server for example, it will not fulfil the criteria set out in access list 111, and thus be denied by the implicit deny at the end of access-list 111.

Is my reasoning correct? will the above config block any traffic other than telnet to 199.199.199.199 from h1?

Thanks a lot.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎08-19-2009 11:09 PM

Sarah,

The ACL used in the "ip nat inside" command defines only which internal addresses should be translated but does not block the flow of traffic. If your ACL 111 permits an IP, then it will be translated using NAT. If, however, it denies an IP, then the packet will go out untranslated - but it won't be filtered. The communication in effect will be disabled not because the the packet was filtered, but merely because it went away with a private source IP address to which no reply can be sent on public internet.

So to filter traffic, you need to use an ACL on the Fa0 interface in the traditional way - "ip access-group N in". Depending on your requirements, it can be the same ACL as the one used in NAT but usually, two distinct ACLs are used.

Best regards,

Peter

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎08-19-2009 11:09 PM

Sarah,

The ACL used in the "ip nat inside" command defines only which internal addresses should be translated but does not block the flow of traffic. If your ACL 111 permits an IP, then it will be translated using NAT. If, however, it denies an IP, then the packet will go out untranslated - but it won't be filtered. The communication in effect will be disabled not because the the packet was filtered, but merely because it went away with a private source IP address to which no reply can be sent on public internet.

So to filter traffic, you need to use an ACL on the Fa0 interface in the traditional way - "ip access-group N in". Depending on your requirements, it can be the same ACL as the one used in NAT but usually, two distinct ACLs are used.

Best regards,

Peter

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card