ACL in NAT

Unanswered Question
Oct 10th, 2006

Is it possible to implement ip nat inside or ip nat outside on an interface and at the same time implement ip access-group 5 in/out on the same interface?

I tried this configuration to implement static and dynamic NAT, but when I try to include a more specific ACL that isn't included in the translation, I always can't get through, e.g.


int fa0/0
 ip address 192.168.1.1/24
 ip nat outside
 ip access-group 200 in
 duplex half

int fa0/1
 ip address 172.16.1.1/24
 ip nat inside
 duplex half

access-list 5 deny 172.16.1.2
access-list 5 permit 172.16.0.0 0.0.0.255

ip nat pool limit 192.168.1.1 192.168.1.20 netmask 255.255.255.0
ip nat inside source list 1 pool limit
ip nat inside source static 172.16.1.2 192.168.1.2

access-list 200 permit tcp 10.10.10.10 eq 22 192.168.1.10 eq 22


After I apply this on the interface, the internet connection of the other translations is blocked to the outside.


grant.maynard Wed, 10/11/2006 - 04:22

Your ACL is correct in that it should refer to the outside (NATed) IP addresses. But your ACL entry refers to one of the NAT pool - it should refer to a static NAT.
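
Why the other translations lose connectivity once ACL 200 is applied inbound on fa0/0, as an added example that is not part of the original posts: an inbound ACL on the NAT outside interface is checked against the outside (NATed) addresses, and every IOS access list ends in an implicit deny. The Python model below is a simplified first-match evaluator; the packets are constructed, and both addresses in the posted ACL entry are read as host entries (an assumption).

```python
# Added example: first-match evaluation of an inbound extended ACL,
# with the implicit "deny ip any any" that ends every IOS access list.
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class Ace(NamedTuple):
    action: str
    proto: str
    src: str              # network in CIDR form
    sport: Optional[int]  # None = any port
    dst: str
    dport: Optional[int]

class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# ACL 200 from the question, reading both addresses as host entries (assumption).
ACL_200 = [Ace("permit", "tcp", "10.10.10.10/32", 22, "192.168.1.10/32", 22)]

def evaluate(acl, pkt):
    """Return (action, matched_index); index None means the implicit deny."""
    for i, ace in enumerate(acl):
        if (ace.proto in (pkt.proto, "ip")
                and ip_address(pkt.src) in ip_network(ace.src)
                and ip_address(pkt.dst) in ip_network(ace.dst)
                and ace.sport in (None, pkt.sport)
                and ace.dport in (None, pkt.dport)):
            return ace.action, i
    return "deny", None

# Constructed packets arriving on fa0/0; destinations are outside (NATed) addresses.
SAMPLES = {
    "matches the single permit": Packet("tcp", "10.10.10.10", 22, "192.168.1.10", 22),
    "web reply to a pool address": Packet("tcp", "203.0.113.5", 80, "192.168.1.7", 40000),
    "SSH to the static NAT address": Packet("tcp", "10.10.10.10", 50000, "192.168.1.2", 22),
}

def run():
    return {name: evaluate(ACL_200, p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (action, idx) in run().items():
        where = "implicit deny" if idx is None else f"entry {idx + 1}"
        print(f"{name:32} -> {action} ({where})")
```

Only the one flow named in the permit entry passes; return traffic for the pool translations and traffic to the static translation both fall through to the implicit deny.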
