NAT scenario

Aug 19th, 2009

Hi everybody.

I have this scenario

Let's say we have a host h1 with IP address 10.10.10.10/24 which is connected to a NAT router. The NAT router is connected to the internet.

Something like that:

h1--- f0Nat-routers0---internet--Serv

We want host h1 to be able to telnet to a server at 199.199.199.199/24 only. All other communication from h1 should be blocked.

==========================

I understand we can use an extended ACL to achieve this result. Just for my understanding, I want the router to block the communication other than telnet to 199.199.199.199/24 from h1 by not performing NAT.

Here is my attempt:

NAT router:

int f0
 ip nat inside
int s0
 ip nat outside

access-list 111 permit tcp host 10.10.10.10 host 199.199.199.199 eq 23

ip nat inside source list 111 int s0 overload

My reasoning is that before the NAT router can perform the NAT operation, the desired traffic is selected by access list 111, and the NAT router then performs NAT. If the host tries to access a web server, for example, it will not fulfil the criteria set out in access list 111, and will thus be denied by the implicit deny at the end of access-list 111.

Is my reasoning correct? Will the above config block any traffic other than telnet to 199.199.199.199 from h1?

Thanks a lot.

Correct Answer by Peter Paluch, Wed, 08/19/2009 - 23:09

Sarah,

The ACL used in the "ip nat inside" command defines only which internal addresses should be translated but does not block the flow of traffic. If your ACL 111 permits an IP, then it will be translated using NAT. If, however, it denies an IP, then the packet will go out untranslated - but it won't be filtered. The communication in effect will be disabled not because the packet was filtered, but merely because it went away with a private source IP address to which no reply can be sent on the public internet.

So to filter traffic, you need to use an ACL on the Fa0 interface in the traditional way - "ip access-group N in". Depending on your requirements, it can be the same ACL as the one used in NAT but usually, two distinct ACLs are used.

Best regards,

Peter
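A worked configuration for the scenario, following the answer above (this is an added example, not the original poster's config or Peter's; the interface names, the inside address 10.10.10.1 and the ACL names H1-FILTER and NAT-INSIDE are assumptions). It keeps the filtering ACL and the NAT ACL separate, as the answer recommends:

```cisco
! Filtering ACL: decides what h1 may send at all.
! Applied inbound on the inside interface, so it sees the packet BEFORE
! inside-to-outside translation and must match the private (inside-local) addresses.
ip access-list extended H1-FILTER
 permit tcp host 10.10.10.10 host 199.199.199.199 eq 23
 deny   ip any any log
!
! NAT ACL: decides only which inside sources get translated. It selects, it does
! not filter, so it can stay broad; a source it denies would leave untranslated.
ip access-list extended NAT-INSIDE
 permit ip 10.10.10.0 0.0.0.255 any
!
interface FastEthernet0
 ip address 10.10.10.1 255.255.255.0   ! assumed inside gateway address
 ip nat inside
 ip access-group H1-FILTER in
!
interface Serial0
 ip nat outside
!
ip nat inside source list NAT-INSIDE interface Serial0 overload
!
! Checks after h1 tries telnet to 199.199.199.199 and a web request elsewhere:
!   show access-lists H1-FILTER      - permit counter grows for telnet,
!                                      the deny-log counter grows for everything else
!   show ip nat translations         - only the tcp 10.10.10.10:xxxx -> 199.199.199.199:23 entry
```

The order matters: on an inside-to-outside flow IOS evaluates the inbound ACL on FastEthernet0 before NAT, so the web request is dropped at the inside interface with the private addresses still in the header and never reaches the NAT step. With the original access-list 111 alone, that same request would have been routed out Serial0 with source 10.10.10.10 untranslated, visible on the outside link, and merely unanswerable. Return traffic from the telnet server enters on Serial0 and is not subject to the inbound ACL on FastEthernet0, so no "established" entry is needed here. Note that the deny line also blocks every other host on 10.10.10.0/24; widen the permit lines if that is not intended.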

