NAT - config Review

Unanswered Question
Jun 17th, 2009


I need to allow only HTTP traffic to the NATted IP (via an ACL) and block all connections initiated from outside to inside.

Only allow connections initiated from inside to outside.

Am I missing anything?

********Configuration ******************

ip subnet-zero
ip domain lookup source-interface FastEthernet0/0
ip name-server

interface FastEthernet0/0
 description Connected to ISP
 ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto

interface FastEthernet0/1
 description Connection to LAN-Switch
 ip address
 ip accounting output-packets
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto

ip classless
ip route
ip route
no ip http server
no ip http secure-server
ip nat inside source static

access-list 50 permit
access-list 50 deny any

Jon Marshall Wed, 06/17/2009 - 03:32


Where is ACL 50 being used?

Can you just clarify, you want

1) all internal clients to be allowed to initiate connections to the Internet


2) you want to allow internet access to on port 80

If this isn't what you want can you be more specific.


ronald.ramzy Wed, 06/17/2009 - 04:17

ACL 50 was earlier used with an IP NAT pool, which I removed with static NAT.

(1) All web traffic from inside goes to the ISA server, so I want the Microsoft ISA Server to initiate traffic from inside to outside.

(2) No traffic should be initiated from the Internet to the Microsoft ISA Server.

Since there is no firewall, I want to secure the connection as much as possible.

John Blakley Wed, 06/17/2009 - 06:45


If you're wanting to allow traffic from the outside in, you can do one-to-one NAT (like you are) and then block with the ACL:

ip nat inside source static

ip access-list ext OUTSIDE
 permit tcp any host eq 80
 permit tcp any any established
 deny ip any any

int fa0/0
 ip access-group OUTSIDE in
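As an added illustration (not code from the thread), here is a small Python model of how IOS applies the OUTSIDE ACL above inbound on fa0/0, including the `established` keyword, against constructed packets; the addresses are placeholders because the thread's were stripped. It also shows one flow the ACL leaves uncovered: UDP replies, such as answers to the router's own DNS lookups, which this config sources from FastEthernet0/0.

```python
from dataclasses import dataclass

# Constructed placeholders: the ISA server's public (static NAT) address and
# the router's own fa0/0 address. The thread's real addresses were stripped.
ISA_PUBLIC = "203.0.113.10"
ROUTER_FA0_0 = "203.0.113.1"


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str            # address as seen on fa0/0, i.e. before inbound NAT
    sport: int
    dport: int
    ack: bool = False   # TCP ACK flag
    rst: bool = False   # TCP RST flag


def established(pkt: Packet) -> bool:
    """IOS 'established' matches only TCP segments with ACK or RST set."""
    return pkt.proto == "tcp" and (pkt.ack or pkt.rst)


# The OUTSIDE ACL from the reply as (action, matcher) pairs. IOS evaluates
# top-down and stops at the first match; the trailing 'deny ip any any'
# spells out the implicit deny so hits appear in the ACL counters.
OUTSIDE_ACL = [
    ("permit", lambda p: p.proto == "tcp" and p.dst == ISA_PUBLIC and p.dport == 80),
    ("permit", established),
    ("deny", lambda p: True),
]


def evaluate(acl, pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt under a first-match ACL."""
    for action, matches in acl:
        if matches(pkt):
            return action
    return "deny"  # implicit deny when no entry matched


# Constructed sample flows arriving inbound on fa0/0.
SAMPLES = {
    "http_to_isa": Packet("tcp", "198.51.100.7", ISA_PUBLIC, 40001, 80),
    "rdp_to_isa": Packet("tcp", "198.51.100.7", ISA_PUBLIC, 40002, 3389),
    "reply_to_isa_client": Packet("tcp", "198.51.100.80", ISA_PUBLIC, 443, 50001, ack=True),
    "dns_reply_to_router": Packet("udp", "198.51.100.53", ROUTER_FA0_0, 53, 55555),
}


def verdicts() -> dict:
    """Verdict per sample flow; the UDP DNS reply is dropped by this ACL."""
    return {name: evaluate(OUTSIDE_ACL, pkt) for name, pkt in SAMPLES.items()}
```

Because the inbound ACL on the outside interface is checked before the static NAT translation, the `host` entry must name the public address from the `ip nat inside source static` line, not the ISA server's inside address.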