Cisco Support Community
Community Member

use extended ACL with NAT

Believe it or not, once in a while, I fumble with some basic concepts. Here is one: on our perimeter FW, an ASA, there is this NATting configured.

I just couldn't figure out why they use extended ACLs for the sources. Isn't the standard one good enough?

thanks in advance,

Han

access-list dmz_nat0_outbound extended permit ip any 1XX.169.0.0 255.255.0.0
access-list dmz_nat0_outbound extended permit ip any 10.48.240.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip any 10.48.243.0 255.255.255.0

access-list inside_nat0_outbound_5 extended permit ip any 172.17.13.0 255.255.255.0
access-list inside_nat0_outbound_5 extended permit ip any 192.168.12.0 255.255.255.0
access-list inside_nat0_outbound_5 extended permit ip any 192.168.221.0 255.255.255.0

global (Outside) 2 2XX.YY.13.244 netmask 255.255.255.0
global (Outside) 1 2XX.YY.13.12 netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound_5
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 2 0.0.0.0 0.0.0.0

2 REPLIES
Community Member

use extended ACL with NAT

Dear Han

Well, if you use a standard ACL it only checks the source address, so all the traffic from the specific source will be NATed. In scenarios like split tunnel etc. we mostly use extended ACLs to differentiate the traffic based on the destination, e.g. all the traffic for the far-end LAN subnet shouldn't be NATed, while all the other traffic, which is meant for the Internet, should be NATed.

Hope this will clear your concept.

Regards

Salman Jamshed

Rate it if it's useful for you.

use extended ACL with NAT

Hi Han,

If you go for the standard ACL then you cannot specify the destination subnets and ports. You can specify only the source and the destination is considered any by default.

standard ACL:

access-list 10 standard permit 172.16.0.0 255.255.0.0

Extended ACL:

access-list abc permit tcp 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 80

This is how it differs. In your scenario the destination is specific while the source is any, so you have the extended ACL in the picture for that. Hope this clears it up for you.

Please do rate if the given information helps.

By

Karthik
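A worked illustration of both replies, added here as an example and not code from the original thread: a small Python model of how the ASA walks the question's `nat (inside) 0 access-list inside_nat0_outbound_5` and `nat (inside) 1 0.0.0.0 0.0.0.0` lines. The ACL entries are copied from the question; the flow addresses are constructed, and the evaluation order (nat 0 exemption checked before the catch-all nat 1) is an assumption matching the pre-8.3 NAT syntax shown.

```python
import ipaddress

# Entries of inside_nat0_outbound_5 as quoted in the question:
# (source, destination), masks written as the ASA writes them.
INSIDE_NAT0_ACL = [
    ("any", "172.17.13.0 255.255.255.0"),
    ("any", "192.168.12.0 255.255.255.0"),
    ("any", "192.168.221.0 255.255.255.0"),
]


def _to_net(spec):
    """Turn 'any' or 'addr mask' into an ip_network object."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def matches_extended(acl, src, dst):
    """Extended ACL: an entry matches only if BOTH source and destination match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in _to_net(a) and d in _to_net(b) for a, b in acl)


def matches_standard(acl, src):
    """Standard ACL: only the source is checked; destination is implicitly 'any'."""
    s = ipaddress.ip_address(src)
    return any(s in _to_net(a) for a, _ in acl)


def nat_decision(src, dst, acl=INSIDE_NAT0_ACL, extended=True):
    """Assumed ASA order: nat 0 (exemption) first, then nat 1 for everything else.
    Returns 'exempt' (source kept as-is) or 'translate' (PAT to global 1)."""
    exempt = matches_extended(acl, src, dst) if extended else matches_standard(acl, src)
    return "exempt" if exempt else "translate"


if __name__ == "__main__":
    # Constructed flows: one to a listed far-end subnet, one Internet-bound.
    for dst in ("172.17.13.20", "198.51.100.7"):
        print(f"extended: 10.1.1.5 -> {dst}: {nat_decision('10.1.1.5', dst)}")
        print(f"standard: 10.1.1.5 -> {dst}: {nat_decision('10.1.1.5', dst, extended=False)}")
```

With the extended ACL only the far-end subnets escape translation; with the same entries as a standard ACL the source-only check ("any") exempts every inside host, so Internet-bound traffic would leave untranslated with private addresses.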
