01-11-2003 02:19 AM - edited 03-02-2019 04:06 AM
Hello All,
While going through NAT Chapter I came across a VERY BASIC doubt about Access Control List (ACL). They used ACL to match the source address 10.0.0.0 /24. At one place they used following ACL to explain SIMPLE NAT:
#access-list 1 permit 10.0.0.1 0.0.0.255
and at another place they used following ACL to explain STATIC NAT (where only 10.0.0.1 is STATICed):
#access-list 1 permit 10.0.0.0 0.0.0.255
Now I have a basic doubt: what's the difference between the two access-list commands WITH RESPECT TO 10.0.0.1?
Hope someone can help me stress my GREY cells.
regards,
-v. k. s.
01-11-2003 02:56 AM
Hi
#access-list 1 permit 10.0.0.1 0.0.0.255
and
#access-list 1 permit 10.0.0.0 0.0.0.255
both the above should allow all hosts on network 10.0.0.0
i.e. 10.0.0.1 to 10.0.0.255
this will happen because of the wild-card mask which is 0.0.0.255 (00000000.00000000.00000000.11111111) and therefore needs only to match the first 24 bits of the address and ignores the last 8 bits (in binary)
to get a specific host match, try this
#access-list 1 permit 10.0.0.1 0.0.0.0
01-11-2003 05:09 AM
Just for completeness, netmask 0.0.0.0 can be abbreviated with the alias "host" which goes in front of the address. Therefore the list can also be written (and, if you enter what vijayendra said and then do a sho running you will see):
access-list 1 permit host 10.0.0.1
Fabio
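To make the wildcard-mask point above (and the "host" shorthand from Fabio's reply) concrete, here is a small standard-ACL matcher written for this thread; it is an added example, not code from any poster or from Cisco. It implements IOS wildcard semantics (a 1 bit in the wildcard means "don't care", a 0 bit means "must match"), parses the entries exactly as pasted in the thread (including the leading `#` prompt), and normalizes an entry the way the running config shows it (don't-care bits of the base address cleared, `host` for a 0.0.0.0 wildcard). The normalization rule and the first-match/implicit-deny evaluation are standard IOS behaviour; the function names are this example's own.

```python
"""Standard ACL wildcard-mask matching with IOS semantics (constructed example)."""
import ipaddress


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value):
    return str(ipaddress.IPv4Address(value))


def parse_standard_ace(line):
    """Parse one standard ACE into (list_number, action, base_int, wildcard_int).

    Accepted forms (a leading '#' prompt, as pasted in the thread, is ignored):
        access-list 1 permit 10.0.0.1 0.0.0.255
        access-list 1 permit host 10.0.0.1
        access-list 1 permit 10.0.0.1          (no wildcard given: IOS assumes 0.0.0.0)
        access-list 1 permit any
    """
    tokens = line.strip().lstrip("#").split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError("not a standard access-list entry: %r" % line)
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny: %r" % action)
    if rest == ["any"]:
        base, wildcard = 0, 0xFFFFFFFF
    elif rest[0] == "host":
        base, wildcard = _to_int(rest[1]), 0
    elif len(rest) == 1:
        base, wildcard = _to_int(rest[0]), 0
    else:
        base, wildcard = _to_int(rest[0]), _to_int(rest[1])
    return number, action, base, wildcard


def ace_matches(ace, address):
    """True if `address` matches the ACE: compare only the bits the wildcard cares about."""
    _, _, base, wildcard = ace
    care = ~wildcard & 0xFFFFFFFF          # 0 bits of the wildcard become 1 bits of `care`
    return (_to_int(address) & care) == (base & care)


def matched_address_count(ace):
    """How many IPv4 addresses the entry matches: 2 ** (number of don't-care bits)."""
    return 1 << bin(ace[3]).count("1")


def normalize_ace(line):
    """Render the entry as IOS stores it: don't-care bits of the base cleared,
    'host' for wildcard 0.0.0.0 and 'any' for wildcard 255.255.255.255."""
    number, action, base, wildcard = parse_standard_ace(line)
    base &= ~wildcard & 0xFFFFFFFF
    if wildcard == 0:
        target = "host " + _to_dotted(base)
    elif wildcard == 0xFFFFFFFF:
        target = "any"
    else:
        target = _to_dotted(base) + " " + _to_dotted(wildcard)
    return "access-list %d %s %s" % (number, action, target)


def same_match_set(line_a, line_b):
    """Two entries match exactly the same addresses iff they normalize identically."""
    return normalize_ace(line_a) == normalize_ace(line_b)


def evaluate(acl_lines, address):
    """Walk the list top-down; the first matching entry decides; implicit deny at the end."""
    for line in acl_lines:
        ace = parse_standard_ace(line)
        if ace_matches(ace, address):
            return ace[1]
    return "deny"


if __name__ == "__main__":
    # The two entries from the question match the same 256 addresses ...
    print(normalize_ace("#access-list 1 permit 10.0.0.1 0.0.0.255"))
    print(normalize_ace("#access-list 1 permit 10.0.0.0 0.0.0.255"))
    # ... while only the host form singles out 10.0.0.1.
    print(normalize_ace("#access-list 1 permit 10.0.0.1 0.0.0.0"))
    print(evaluate(["access-list 1 permit host 10.0.0.1"], "10.0.0.2"))
```

Running the script shows both entries from the question normalizing to `access-list 1 permit 10.0.0.0 0.0.0.255`, the `0.0.0.0` wildcard collapsing to `host 10.0.0.1`, and `10.0.0.2` falling through to the implicit deny. Because a wildcard mask is a bit mask rather than a prefix length, non-contiguous masks (for example `0.0.255.0`) are handled by the same comparison, which is the property worth keeping in mind when reviewing an ACL for what it really permits.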
01-16-2003 05:30 PM
The two ACLs that you have posted have the same meaning in its own sense.
NAT that uses ACLs is dynamic, and the one without ACLs is static.
If you want to create static translations (or permanent translations per host),
just use "ip nat inside source static local-ip global-ip".
Creating ACLs for static NAT will just waste cpu resources from the router.
So don't be confused about those two examples that you have seen. Cheers.
Hope this helps.