
Can you use an Extended ACLs for NAT?

Answered Question
Oct 4th, 2013

I tried looking this up, but frankly I didn't know what to make of the results.



Someone designed a lab, and they specified that they want to use NAT.

In the instructions:


Access-list 100 will be used for the permit statement for when you're dynamically assigning an address from the NAT pool.


My problem with this is that I'm under the impression that you can only use a Standard ACL for this.

Am I correct? Or am I overlooking something?


Example:

ip nat pool POOL_NAME first-ip last-ip netmask x.x.x.x

access-list 1 permit (local IP network)


ip nat inside source list <1-99> pool POOL_NAME overload



I cannot see how this would work with an extended list considering that an extended ACL implies the need for a destination address of some sort or another.

Example:

access-list 100 permit ip (local net) (destination net)


This doesn't make any sense to me when it comes to NAT.


Help?

Correct Answer by cadet alain, Sat, 10/05/2013 - 11:03

Hi,

Suppose you are using the same link for Internet access and for an IPsec VPN. Then you must deny the traffic using the VPN from being NATed, and in this case you must use an extended ACL like this:

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 permit ip 192.168.1.0 0.0.0.255 any


The first line denies VPN traffic between the LANs and the second permits the Internet-destined traffic.


Regards


Alain



Don't forget to rate helpful posts.
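As an added example (not code from this thread and not Cisco's own code): a small Python model of how IOS walks a NAT source list, first match wins and an unmatched packet hits the implicit deny at the end. It parses numbered standard ACLs (source only) and numbered extended ACLs with protocol "ip", which is all a NAT source list needs, and then asks whether "ip nat inside source list" would translate a given packet. The three sample ACLs, the function names and the addresses are constructed for this example; the only non-constructed part is the answer's two-line ACL, reproduced as VPN_AWARE_ACL.

```python
"""Model of IOS NAT ACL evaluation: first match wins, implicit deny at the end.
Added example for this thread, not Cisco code; handles standard ACLs and
extended ACLs restricted to protocol 'ip'."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class AclEntry(NamedTuple):
    action: str             # "permit" or "deny"
    src_net: int            # source network as a 32-bit integer
    src_wild: int           # source wildcard mask (1 bits = don't care)
    dst_net: Optional[int]  # None for a standard ACL: destination is not checked
    dst_wild: Optional[int]


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _operand(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse one address operand at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'access-list N permit|deny ...' lines in the order IOS evaluates them."""
    entries: List[AclEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):   # blank lines and IOS comments
            continue
        parts = line.split()
        if parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError("unsupported line: " + line)
        number, action = int(parts[1]), parts[2]
        if 1 <= number <= 99 or 1300 <= number <= 1999:
            # Standard ACL: source only; the wildcard is optional and defaults to one host.
            if parts[3] in ("any", "host"):
                src, swild, _ = _operand(parts, 3)
            else:
                src = _ip(parts[3])
                swild = _ip(parts[4]) if len(parts) > 4 else 0
            entries.append(AclEntry(action, src, swild, None, None))
        elif 100 <= number <= 199 or 2000 <= number <= 2699:
            # Extended ACL: protocol, source, destination. Only 'ip' is modelled here.
            if parts[3] != "ip":
                raise ValueError("only protocol 'ip' is handled in this example: " + line)
            src, swild, i = _operand(parts, 4)
            dst, dwild, _ = _operand(parts, i)
            entries.append(AclEntry(action, src, swild, dst, dwild))
        else:
            raise ValueError("ACL number outside the IP ACL ranges: " + line)
    return entries


def _matches(addr: int, net: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF   # a set wildcard bit means "ignore this bit"
    return (addr & care) == (net & care)


def acl_decision(entries: List[AclEntry], src: int, dst: int) -> str:
    """The first matching entry decides; no match means the IOS implicit deny."""
    for e in entries:
        if not _matches(src, e.src_net, e.src_wild):
            continue
        if e.dst_net is not None and not _matches(dst, e.dst_net, e.dst_wild):
            continue
        return e.action
    return "deny"


def nat_applies(acl_text: str, src: str, dst: str) -> bool:
    """True if 'ip nat inside source list <acl>' would translate a packet src -> dst."""
    return acl_decision(parse_acl(acl_text), _ip(src), _ip(dst)) == "permit"


# Constructed sample ACLs for this example.
STANDARD_ACL = "access-list 1 permit 192.168.1.0 0.0.0.255\n"

# The answer's ACL: traffic to the VPN peer LAN is excluded, everything else is NATed.
VPN_AWARE_ACL = """\
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""

# Same two lines in the wrong order: the permit shadows the deny.
SHADOWED_ACL = """\
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

if __name__ == "__main__":
    for name, acl in (("standard", STANDARD_ACL), ("vpn-aware", VPN_AWARE_ACL), ("shadowed", SHADOWED_ACL)):
        print(name, "-> peer LAN NATed:", nat_applies(acl, "192.168.1.10", "192.168.2.20"),
              "| -> Internet NATed:", nat_applies(acl, "192.168.1.10", "203.0.113.5"))
```

Two things the model makes visible. The standard ACL cannot exclude the VPN traffic at all, because it never looks at the destination; only the extended list can say "this source, but not to that destination". And entry order is not cosmetic: with the permit above the deny, packets for 192.168.2.0/24 are translated, and since IOS translates inside-to-outside traffic before it checks the crypto map, the translated source no longer matches the crypto ACL and the traffic never enters the tunnel. The extended list is bound exactly like the standard one in the question, for example "ip nat inside source list 101 pool POOL_NAME overload"; after sending traffic to the remote LAN, "show ip nat translations" should show no entry for that destination.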

John Blakley Sat, 10/05/2013 - 05:01
User Badges:
  • Purple, 4500 points or more

You can. It probably depends on the type of platform you're on, or IOS version:


R4(config)#ip nat inside source list ?

  <1-2699>  Access list number for local addresses

  WORD      Access list name for local addresses



HTH,
John

*** Please rate all useful posts ***

Guillermo Rodriguez Sat, 10/05/2013 - 17:56

Looks like I left out some critical information. The lab in question was directly related to VPNs, so thanks for throwing that response out there; it really did come into play.

It makes sense to me now, and I got some good knowledge out of it.



Thank you.

