ACL in NAT

Apr 14th, 2009

Hi, I have NATted inside traffic on a PIX. I have opened an ACL for NTP traffic from the inside network to permit it to reach outside NTP servers. My question is: should I open the returned NTP traffic too (from outside), or is there no need to open reverse traffic in NAT/PAT?

sdoremus33 Tue, 04/14/2009 - 22:06

If it's no trouble, could you post additional config info pertaining to the ASA:

ACL(s)

NAT control commands

static translations, and so on... Thanks

Rupesh Kashyap Tue, 04/14/2009 - 22:20

global (outside) 12 200.200.200.30 netmask 255.255.255.255

nat (inside) 12 10.0.0.0 255.0.0.0

access-group from_inside in interface inside

access-list from_inside permit udp 10.0.0.0 255.0.0.0 any eq 123

My question is: you can see the ACL on the inside interface. There is no ACL on the outside interface. Should I open the same returning port on the outside interface also, or is no ACL required for returning traffic with NAT?



thotsaphon Tue, 04/14/2009 - 23:06

Rupesh,

That's fine. No need to allow return traffic back to the public IP address, as long as the internal hosts originate the NTP (request) packets first. That's why it's called stateful.


HTH,

Toshi

Rupesh Kashyap Thu, 04/16/2009 - 01:28

Hi, I tested with 3 routers (A->B->C). It is not working:

1. I applied NAT (overload) on router B.

2. I initiated a ping from A to C and it worked.

3. Then I applied an ACL on the outside interface of B to deny all traffic from outside.

4. After step 3, I no longer get a ping reply on A.

My question is: why is the ICMP reply on B blocked by the ACL? It should bypass the ACL, as the traffic is allowed from inside.

thotsaphon Thu, 04/16/2009 - 01:38

Rupesh,

Good question. ICMP is a stateless protocol.

You need to allow "echo-reply" in the ACL from outside to inside on B.


Toshi
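
Added example, not from any post in this thread: a configuration for router B in Rupesh's A->B->C test, showing the fix Toshi describes (permit echo-reply on the outside ACL) together with the equivalent for the TCP Telnet test Rupesh plans next, and a stateful alternative. Interface names, addresses and the ACL and inspection names are assumed. The PIX in the original question tracks UDP sessions itself, which is why no outside ACL was needed for the NTP replies; a plain IOS access list on a router does not, NAT or no NAT.

```cisco
! Router B from the A->B->C test: NAT overload in the middle, with an inbound
! ACL on the outside interface. Interface names and addresses are assumed for
! this example; only the behaviour matters.
!
interface FastEthernet0/0
 description Inside, toward router A
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description Outside, toward router C
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE_IN in
!
! PAT (overload): inside hosts share the outside interface address.
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/1 overload
!
! A plain IOS access list keeps no session table, so NAT alone does not let
! replies back in; the reply half of each test has to be permitted by hand.
! An inbound ACL is evaluated before the inbound NAT translation, so the
! destination to match is the outside (global) address, not the inside host.
ip access-list extended OUTSIDE_IN
 remark Ping test: replies to echo requests that left via NAT
 permit icmp any host 192.0.2.1 echo-reply
 remark Telnet test: "established" matches segments with ACK or RST set,
 remark i.e. the return half of a TCP session opened from the inside
 permit tcp any host 192.0.2.1 established
 deny ip any any log
!
! Stateful alternative (CBAC; needs an IOS image whose inspection supports
! icmp): inspect sessions as they enter from the inside and let the router
! open the matching return entries itself. With this in place the two permit
! lines above are no longer needed and OUTSIDE_IN can be just the deny.
ip inspect name FW icmp
ip inspect name FW tcp
ip inspect name FW udp
interface FastEthernet0/0
 ip inspect FW in
```

With the stateless ACL, `established` only checks TCP flags, so it is a weaker filter than real session tracking; the CBAC variant is the one that behaves like the PIX Toshi described in the first answer.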

Rupesh Kashyap Thu, 04/16/2009 - 01:41

Sounds good. I will do it. Besides this, I will initiate a TCP Telnet from A to C and will update you on whether the returned traffic is blocked by the outside ACL.

I will post tomorrow.
