NAT and Extended ACLs

Nov 25th, 2008

Hi there,

I'm investigating an issue involving NAT and I'm unsure what gets translated to what based on the following config (from Cisco IOS NAT on a 6500 switch). I was under the impression that NAT used standard access lists, but this one is an extended one. The NAT uses the same access list that's applied to control access through the interface (with the access-group command).

I'm sure this must be a valid config, as it's been in place for a long time. Does it mean that when a packet comes into the interface designated as 'outside' (Fa3/43), its source address will be NATed to something in the NAT pool as long as the destination and the port match something in the access list? Taking the first line as an example (and let's just say that there is only one line), does it mean that if a TCP packet comes from host 172.19.198.42 destined for host 10.162.53.32 on port 21, then it will have its source address NATed, and if it doesn't match all of these criteria then it won't be NATed?


Thanks in advance for any advice.


----------------------------------------------------------


interface Vlan2
 ip address 10.162.52.253 255.255.252.0
 ip nat inside

interface FastEthernet3/7
 ip address 10.162.254.77 255.255.255.252
 ip nat inside

interface FastEthernet3/43
 ip address 10.162.244.1 255.255.255.248
 ip access-group monitor-servers in
 ip nat outside

ip nat pool nat_pool_1 10.162.244.65 10.162.244.125 netmask 255.255.255.192

ip nat outside source list monitor-servers pool nat_pool_1

ip access-list extended monitor-servers
 permit tcp host 172.19.198.42 host 10.162.53.32 eq ftp
 permit tcp host 172.19.198.42 host 10.162.53.73 eq ftp
 permit tcp host 172.19.198.42 host 10.162.53.74 eq ftp
 permit tcp host 172.19.198.42 host 10.162.20.30 eq ftp
 permit tcp host 172.19.198.42 host 10.162.53.32 eq telnet
 permit tcp host 172.19.198.42 host 10.162.53.73 eq telnet
 permit tcp host 172.19.198.42 host 10.162.53.74 eq telnet
 permit tcp host 172.19.198.42 host 10.162.20.30 eq telnet
 permit tcp host 172.19.198.42 host 10.162.53.32 eq 1433
 permit tcp host 172.19.198.42 host 10.162.53.73 eq 1433
 permit tcp host 172.19.198.42 host 10.162.53.74 eq 1433
 permit tcp host 172.19.198.42 host 10.162.20.30 eq 1433
 permit tcp host 172.19.198.42 host 10.162.53.32 eq 1721
 permit tcp host 172.19.198.42 host 10.162.53.73 eq 1721
 permit tcp host 172.19.198.42 host 10.162.53.74 eq 1721
 permit tcp host 172.19.198.42 host 10.162.20.30 eq 1721
 permit tcp host 172.19.198.42 host 10.162.53.32 eq 4105
 permit tcp host 172.19.198.42 host 10.162.53.73 eq 4105
 permit tcp host 172.19.198.42 host 10.162.53.74 eq 4105
 permit tcp host 172.19.198.42 host 10.162.20.30 eq 4105
 permit tcp host 172.19.198.42 host 10.162.53.32 eq 7001
 permit tcp host 172.19.198.42 host 10.162.53.73 eq 7001
 permit tcp host 172.19.198.42 host 10.162.53.74 eq 7001
 permit tcp host 172.19.198.42 host 10.162.20.30 eq 7001
 permit tcp host 172.19.198.42 host 10.162.53.32 eq 7003
 permit tcp host 172.19.198.42 host 10.162.53.73 eq 7003
 permit tcp host 172.19.198.42 host 10.162.53.74 eq 7003
 permit tcp host 172.19.198.42 host 10.162.20.30 eq 7003
 permit tcp host 172.19.198.42 host 10.162.53.32 eq 7774
 permit tcp host 172.19.198.42 host 10.162.53.73 eq 7774
 permit tcp host 172.19.198.42 host 10.162.53.74 eq 7774
 permit tcp host 172.19.198.42 host 10.162.20.30 eq 7774
 permit udp host 172.19.198.42 host 10.162.53.32 eq snmp
 permit udp host 172.19.198.42 host 10.162.53.73 eq snmp
 permit udp host 172.19.198.42 host 10.162.53.74 eq snmp
 permit udp host 172.19.198.42 host 10.162.20.30 eq snmp
 permit udp host 172.19.198.42 host 10.162.53.32 eq snmptrap
 permit udp host 172.19.198.42 host 10.162.53.73 eq snmptrap
 permit udp host 172.19.198.42 host 10.162.53.74 eq snmptrap

Correct Answer by Edison Ortiz, Tue, 11/25/2008 - 07:57

"does it mean that if a TCP packet comes from host 172.19.198.42 destined for host 10.162.53.32 on port 21, then it will have its source address NATed, and if it doesn't match all of these criteria then it won't be NATed?"


That's correct.


__


Edison.


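To make the matching concrete, here is an added example (Python, not code from the thread or from Cisco) that models the posted configuration: it parses a representative subset of the monitor-servers list, evaluates a packet arriving on Fa3/43 against the inbound access-group first and then against the NAT list, and hands out pool addresses the way a dynamic outside-source pool without overload does. It assumes first-match evaluation with an implicit deny at the end of the list, the usual IOS values for the ftp/telnet/snmp/snmptrap keywords (21/23/161/162), one pool address held per outside host, and that the inbound ACL is checked before outside-to-inside translation; the names Packet, Ace, OutsideSourceNat and receive_on_fa3_43 are this example's own, and every packet in it is constructed.

```python
"""Model of the question's setup: one extended ACL that is both the inbound
access-group on the 'ip nat outside' interface and the match list of
'ip nat outside source list ...'. Added example, not the thread's code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

PORT_NAMES = {"ftp": 21, "telnet": 23, "snmp": 161, "snmptrap": 162}  # IOS keywords

# Representative subset of the posted list (assumption: one server is enough).
MONITOR_SERVERS = """
permit tcp host 172.19.198.42 host 10.162.53.32 eq ftp
permit tcp host 172.19.198.42 host 10.162.53.32 eq telnet
permit tcp host 172.19.198.42 host 10.162.53.32 eq 1433
permit udp host 172.19.198.42 host 10.162.53.32 eq snmp
"""

@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None # constructed packets carry only what the ACL tests

@dataclass(frozen=True)
class Ace:
    permit: bool
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None: no 'eq' clause, any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))

def _addr_spec(tok: List[str]) -> ipaddress.IPv4Network:
    """Consume 'host A', 'any' or 'A WILDCARD' from the front of tok."""
    first = tok.pop(0)
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tok.pop(0))))
    return ipaddress.ip_network((first, str(netmask)), strict=False)  # wildcard = ~mask

def parse_acl(text: str) -> List[Ace]:
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' entries; other lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        permit, proto, rest = tok[0] == "permit", tok[1], tok[2:]
        src, dst = _addr_spec(rest), _addr_spec(rest)      # consumed left to right
        dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        aces.append(Ace(permit, proto, src, dst, dport))
    return aces

def permitted(acl: List[Ace], p: Packet) -> bool:
    """First match wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.permit
    return False

class OutsideSourceNat:
    """Dynamic 'ip nat outside source list ... pool ...' without overload, modelled
    as one pool address per outside host, claimed by its first permitted packet."""
    def __init__(self, acl: List[Ace], pool_start: str, pool_end: str):
        self.acl = acl
        lo, hi = (int(ipaddress.ip_address(a)) for a in (pool_start, pool_end))
        self.free = [str(ipaddress.ip_address(n)) for n in range(lo, hi + 1)]
        self.table: Dict[str, str] = {}    # outside global -> outside local

    def inbound(self, p: Packet) -> Packet:
        """Packet arriving on the outside interface: translate its source."""
        if not permitted(self.acl, p):
            return p                        # not in the list: left untouched
        if p.src not in self.table:
            if not self.free:
                raise RuntimeError("nat_pool_1 exhausted")
            self.table[p.src] = self.free.pop(0)
        return Packet(p.proto, self.table[p.src], p.dst, p.dport)

    def outbound(self, p: Packet) -> Packet:
        """Reply leaving via the outside interface: map the destination back."""
        for outside_global, outside_local in self.table.items():
            if p.dst == outside_local:
                return Packet(p.proto, p.src, outside_global, p.dport)
        return p

def receive_on_fa3_43(p: Packet, access_group: List[Ace], nat: OutsideSourceNat) -> Optional[Packet]:
    """Inbound ACL is checked before outside-to-inside NAT; None means dropped."""
    return nat.inbound(p) if permitted(access_group, p) else None

ACL = parse_acl(MONITOR_SERVERS)
```

Run as `receive_on_fa3_43(Packet("tcp", "172.19.198.42", "10.162.53.32", 21), ACL, OutsideSourceNat(ACL, "10.162.244.65", "10.162.244.125"))`: the FTP packet comes back with source 10.162.244.65, a following telnet packet from the same host reuses that entry, and an SSH packet or a ping from the same host returns None because nothing in the list matches it. With the same list in both roles, everything that gets past the access-group is translated and everything else is dropped, which is the reading confirmed in the answer. Passing a broader list as the access_group (for example `parse_acl("permit ip any any")`) shows the other case: the SSH packet then reaches the inside untranslated, since it passes the interface filter but matches no NAT entry. The `outbound` method shows why the inside servers only ever see the pool address: their replies to 10.162.244.65 are mapped back to 172.19.198.42 on the way out. The model ignores routing; on IOS the pool prefix still has to be routable towards the outside interface for those replies to be translated back, and the posted config does not show how that is done.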