I tried looking this up, but frankly I didn't know what to make of the results.
Someone designed a lab, they specified that they want to use NAT.
In the instructions:
Access-list 100 will be used for the permit statement for when you're dynamically assigning an address from the NAT pool.
My problem with this is that I'm under the impression that you can only use a Standard ACL for this.
Am I correct? Or am I overlooking something?
ip nat pool POOL_NAME first-ip last-ip netmask x.x.x.x
access-list 1 permit (local IP network)
ip nat inside source list <1-99> pool POOL_NAME overload
I cannot see how this would work with an extended list considering that an extended ACL implies the need for a destination address of some sort or another.
access-list 100 permit ip (local net) (destination net)
This doesn't make any sense to me when it comes to NAT.
Suppose you are using the same link for Internet access and for an IPsec VPN. Then you must deny the traffic using the VPN from being NATed, and in this case you must use an extended ACL like this:
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
The first line denies VPN traffic between the LANs and the second permits the Internet destined traffic.
Don't forget to rate helpful posts.
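A small simulation of how the router's NAT decision follows the ACL, added here as an example (not code from either post). It evaluates the standard ACL 1 from the question and the extended ACL 101 from the reply against constructed packets, using Cisco wildcard matching (first match wins, implicit deny at the end); the addresses 192.168.1.5, 192.168.2.20 and 203.0.113.10 are constructed sample values.

```python
import ipaddress

# "any" in an extended ACE: every bit is a don't-care bit.
ANY = ("0.0.0.0", "255.255.255.255")


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(ip, addr, wildcard):
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    care_bits = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(ip) ^ _ip(addr)) & care_bits == 0


def acl_decision(acl, src, dst):
    """Walk the ACEs in order; first match wins; unmatched traffic is denied."""
    for ace in acl:
        action, s = ace[0], ace[1]
        d = ace[2] if len(ace) > 2 else ANY  # standard ACE: no destination term
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action
    return "deny"


def nat_translates(acl, src, dst):
    """'ip nat inside source list <acl> ...' translates only what the ACL permits."""
    return acl_decision(acl, src, dst) == "permit"


# access-list 1 permit 192.168.1.0 0.0.0.255   (standard ACL from the question)
STANDARD_ACL_1 = [("permit", ("192.168.1.0", "0.0.0.255"))]

# access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
# access-list 101 permit ip 192.168.1.0 0.0.0.255 any   (extended ACL from the reply)
EXTENDED_ACL_101 = [
    ("deny", ("192.168.1.0", "0.0.0.255"), ("192.168.2.0", "0.0.0.255")),
    ("permit", ("192.168.1.0", "0.0.0.255"), ANY),
]

if __name__ == "__main__":
    # Constructed packets: one bound for the Internet, one for the VPN peer LAN.
    for name, acl in (("ACL 1", STANDARD_ACL_1), ("ACL 101", EXTENDED_ACL_101)):
        for dst in ("203.0.113.10", "192.168.2.20"):
            verdict = "translate" if nat_translates(acl, "192.168.1.5", dst) else "leave untranslated"
            print(f"{name}: 192.168.1.5 -> {dst}: {verdict}")
```

The standard ACL cannot tell the VPN flow apart from Internet traffic, so it would be translated and the tunnel would break; the extended ACL's deny line, placed before the permit, keeps it out of NAT.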