Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Access-Lists with NAT

Hi All,

Quick question for you (actually 2)

I have a 800 Router with 2 Ethernets 0 and 1.

0 is my LAN and 1 is connected to ADSL.

I use NAT. If int E1 obtains private IP from ADSL modem, then if i want to allow certain traffic to Local IP and i wanted the ACL to be on E1, would this be ok ???


ip access-list extended 101

permit ip any host


ip access-group 101 in

I mean should i specify the Private IP or should i specify the IP That i am using for NAT (also how can i specify this is this automatic DHCP address keeps changing ???)

Second question


Also if i used public IP on my ADSL interface E1 that i am also using as NAT (overloading), how would the ACLs look like ???

I am not sure if i explained myself correctly.

Hope you can help .


New Member

Re: Access-Lists with NAT

Regarding the the acl, you would specify the NAT IP as that is the address that traffic will see from the outside.

If your public IP is then the acl would be:

ip access-list extended 101

permit ip any host

Then the pix would accept the traffic and translate the to and forward it correctly assuming you have the proper NAT setup.

As for your second questions I am not sure if what you are trying to do will work unless you have a static IP. Without the static IP you will be modifying your acl everytime your IP changes.

New Member

Re: Access-Lists with NAT

Ok , i understand that i will have to use the public IP in my ACL on the ADSL connected interace.

If i obtain a private IP on my ADSL interface from the ISP, then is it the best method to aply the ACL on the LAN interface and assign it as IP ACCESS-GROUP xxx OUT ????

And one more question.

I understand the concept with ACL with one public IP that will be NAT (overloaded). What if i am using multiple public IPs that i will NAT on all of them ???

how does this affect my ACLs. Is there a way around this ????




Re: Access-Lists with NAT

Hi George,

The first solution is seems to good...... It is better to apply to the outgoing traffic on LAN instead of applying to the public interface... where the ip is going to change everytime u connect.....

Yes for the second case also u better apply it on LAN interface..... Only some unnecessary processing will happen, but that will worth while u opt for dhcp....

Rate if it does,


CreatePlease login to create content