04-14-2009 08:08 PM - edited 03-04-2019 04:22 AM
Hi, I have NATted inside traffic on a PIX. I have opened an ACL to permit NTP traffic from the inside n/w to reach outside NTP servers. My question is, should I open the returned NTP traffic too (from outside), or is there no need to open reverse traffic in NAT/PAT?
04-14-2009 10:06 PM
If it's no trouble, could you post additional config info pertaining to the ASA:
ACL(s)
NAT control commands
static translations, and so on... Thanks
04-14-2009 10:20 PM
global (outside) 12 200.200.200.30 netmask 255.255.255.255
nat (inside) 12 10.0.0.0 255.0.0.0
access-list from_inside permit udp 10.0.0.0 255.0.0.0 any eq 123
access-group from_inside in interface inside
My question is, you can see the ACL on the inside interface. There is no ACL on the outside interface. Should I open the same returning port on the outside interface also, or is no ACL required for returning traffic with NAT?
04-14-2009 11:06 PM
Rupesh,
That's fine. No need to allow return traffic back to the public IP address, as long as the internal hosts originate the NTP (request) packets first. That's why it's called stateful.
HTH,
Toshi
04-14-2009 11:47 PM
Thanks boss. I got it. I appreciate you all.
04-16-2009 01:28 AM
Hi, I tested 3 routers (A->B->C). It is not working:
1. I applied NAT (Overload) on router B.
2. I initiated a ping from A to C, and I was able to.
3. Now I have applied an ACL on the outside interface of B to deny all traffic from outside on B.
4. After step 3, I am not getting a ping reply on A.
My question is, why is the ICMP reply on B blocked by the ACL? It should bypass, as it is allowed from inside.
04-16-2009 01:38 AM
Rupesh,
Good question. ICMP is a stateless protocol.
You need to allow "echo-reply" in the ACL from outside to inside on B.
Toshi
04-16-2009 01:41 AM
Sounds good. I will do it. Besides this, I will initiate a TCP Telnet command from A to C and will update you on whether the returned traffic is blocked by the outside ACL.
I will post you tomorrow.
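For reference, here is an added example (not posted by anyone in this thread) of what router B from the A->B->C test looks like with NAT overload and an inbound ACL on the outside interface, showing the step 3 deny-all ACL beside the corrected one that permits the echo-reply (and NTP replies, as in the first question). Interface names and the 10.0.0.0/24 and 200.200.200.30 addresses are assumed for illustration.

```cisco
! Added example: router B (between A and C), NAT overload on the outside
! interface. Addresses and interface names are assumed, not from the thread.
interface FastEthernet0/0
 description inside, towards A
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description outside, towards C
 ip address 200.200.200.30 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE_IN_FIXED in
!
! Hosts behind A are PATed to the outside interface address.
ip access-list standard NAT_INSIDE
 permit 10.0.0.0 0.0.0.255
ip nat inside source list NAT_INSIDE interface FastEthernet0/1 overload
!
! Step 3 of the test: deny everything inbound. With this ACL applied,
! the echo-reply from C is dropped on arrival. IOS evaluates the inbound
! ACL before it un-translates the packet, and a plain ACL keeps no
! connection state, so the earlier outbound echo does not open anything.
ip access-list extended OUTSIDE_IN_STEP3
 deny ip any any
!
! Corrected ACL (the one applied above): permit the reply traffic
! explicitly. Because the ACL runs before NAT on the way in, the
! destination it matches is the outside (global) address, not 10.0.0.x.
ip access-list extended OUTSIDE_IN_FIXED
 permit icmp any host 200.200.200.30 echo-reply
 permit udp any eq ntp host 200.200.200.30
 deny ip any any log
!
! Verify from B after a ping from A to C:
!   show ip nat translations
!   show ip access-lists OUTSIDE_IN_FIXED
```

The `deny ip any any log` line makes any other dropped return traffic (for example the Telnet test mentioned above, until its reply ports are permitted) visible in the log rather than silently failing.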