Hi everybody.
I have this scenario.
Let's say we have a host h1 with IP address 10.10.10.10/24 which is connected to a NAT router. The NAT router is connected to the internet.
Something like this:
We want host h1 to be able to telnet to a server at 126.96.36.199/24 only. All other communication from h1 should be blocked.
I understand we can use an extended ACL to achieve this result. Just for my understanding, I want the router to block the communication other than telnet to 188.8.131.52/24 from h1 by not performing NAT.
Here is my attempt:
ip nat inside
ip nat outside
access-list 111 permit tcp host 10.10.10.10 host 184.108.40.206 eq 23
ip nat inside source list 111 interface s0 overload
My reasoning is: before the NAT router can perform the NAT operation, the desired traffic is selected by access-list 111, and the NAT router then performs NAT. If the host tries to access a web server, for example, it will not fulfil the criteria set out in access-list 111, and thus be denied by the implicit deny at the end of access-list 111.
Is my reasoning correct? Will the above config block any traffic other than telnet to 220.127.116.11 from h1?
Thanks a lot.
The ACL used in the "ip nat inside" command defines only which internal addresses should be translated but does not block the flow of traffic. If your ACL 111 permits an IP, then it will be translated using NAT. If, however, it denies an IP, then the packet will go out untranslated - but it won't be filtered. The communication in effect will be disabled not because the packet was filtered, but merely because it went away with a private source IP address to which no reply can be sent on the public internet.
So to filter traffic, you need to use an ACL on the Fa0 interface in the traditional way - "ip access-group N in". Depending on your requirements, it can be the same ACL as the one used in NAT but usually, two distinct ACLs are used.
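A configuration that applies the answer's advice to the scenario in the question, as an added example that is not from the original thread: the NAT selection ACL (111) and the packet filter ACL (112) are kept separate, and the filter is applied inbound on the inside interface. The router-side address 10.10.10.1, the ACL number 112 and the full interface names are assumptions; the host, server and interface references come from the posts above.

```cisco
! Inside-facing interface: this is where h1's packets enter the router,
! so the filter is applied here, inbound ("ip access-group 112 in").
interface FastEthernet0
 ip address 10.10.10.1 255.255.255.0   ! assumed router-side address
 ip nat inside
 ip access-group 112 in
!
! Outside-facing interface towards the internet
interface Serial0
 ip nat outside
!
! ACL 111: only decides which packets get translated. A packet that
! does not match here leaves untranslated; it is NOT dropped.
access-list 111 permit tcp host 10.10.10.10 host 184.108.40.206 eq 23
!
! ACL 112: the actual packet filter. Only telnet from h1 to the server
! is permitted; the explicit deny makes the implicit deny visible in
! the logs so blocked attempts from h1 can be seen with "show logging".
access-list 112 permit tcp host 10.10.10.10 host 184.108.40.206 eq 23
access-list 112 deny ip any any log
!
! PAT all traffic selected by ACL 111 behind the Serial0 address
ip nat inside source list 111 interface Serial0 overload
```

With this in place, a web request from h1 is dropped by ACL 112 before NAT is ever consulted, and the hit counter on "show access-lists 112" confirms the filtering is happening on the inside interface rather than relying on the NAT ACL.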