global (outside) 12 200.200.200.30 netmask 255.255.255.255

nat (inside) 12 10.0.0.0 255.0.0.0

access-group from_inside in interface inside

Access-list from_inside permit udp10.0.0.0 255.0.0.0 any eq 123

My Question is, You can see the ACL on inside interface. There is no any acl on Outside interface. Should I open the same returning port on OUtside interface also or no ACL is required for returning traffic with NAT ???

Rupesh,

That's fine. No need to allow return traffic back to the public ip address. As long as internal hosts who originate ntp (request)packets first. That's why it's called state-full.

HTH,

Toshi

Thanks boss. I got it. I appreciate you all.

Hi, I tested 3 routers (A->B->C). It is not working--

1. I applied NAT (Overload) on router B.

2. I initiated Ping from A to C & I am able to.

3. Now I have applied ACL on Outside interface on B to deny all traffic from outside on B.

4. After Step 3, I am not getting Ping reply on A.

My question is, why replied ICMP on B is blocked with ACL. It should bypass, as From inside, it is allowed.

Rupesh,

Good question.ICMP is stateless protocol.

You need to allow "echo-reply" on ACL from outside to inside on B.

Toshi

Sounds good. I would do it. Beside this, I would initiate TCP Telnet command from A for C & would update you, if returned traffic would not blocked by Outside ACL.

I will post u on tomorrow.