
New Member

Basic ACL Question...

Hello All,

While going through NAT Chapter I came across a VERY BASIC doubt about Access Control List (ACL). They used ACL to match the source address 10.0.0.0 /24. At one place they used following ACL to explain SIMPLE NAT:

#access-list 1 permit 10.0.0.1 0.0.0.255

and at another place they used following ACL to explain STATIC NAT (where only 10.0.0.1 is STATICed):

#access-list 1 permit 10.0.0.0 0.0.0.255

Now I got a basic doubt that what's the difference between the two access-list commands WITH RESPECT TO 10.0.0.1.

Hope someone can help me to stress on my GREY cells.

regards,

-v. k. s.

3 REPLIES
New Member

Re: Basic ACL Question...

Hi

#access-list 1 permit 10.0.0.1 0.0.0.255

and

#access-list 1 permit 10.0.0.0 0.0.0.255

both the above should allow all hosts on network 10.0.0.0

i.e. 10.0.0.1 to 10.0.0.255

this will happen because of the wild-card mask which is 0.0.0.255 (00000000.00000000.00000000.11111111) and therefore needs only to match the first 24 bits of the address and ignores the last 8 bits (in binary)

to get a specific host match, try this

#access-list 1 permit 10.0.0.1 0.0.0.0

New Member

Re: Basic ACL Question...

Just for completeness netmask 0.0.0.0 can be abbreviated with the alias "host" which goes in front of the address. Therefore the list can also be written (and, if you enter what vijayendra said and then do a sho running you will see):

access-list 1 permit host 10.0.0.1

Fabio
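To make the wildcard-mask logic from the two replies above concrete, here is an added example (not from the thread or from Cisco) that parses the three standard ACL entries and checks which addresses each one matches. It assumes the IOS rule that a wildcard bit of 1 means "don't care", that a missing mask defaults to 0.0.0.0, and that IOS stores an entry with the "don't care" address bits cleared; the ACL lines are the ones from this thread.

```python
import ipaddress

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_standard_acl(line):
    """Parse 'access-list N permit|deny A.B.C.D [W.X.Y.Z]' or '... host A.B.C.D'.

    The leading '#' used in the thread (a prompt, not part of the command) is stripped.
    """
    parts = line.strip().lstrip("#").split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError(f"not a standard ACL entry: {line!r}")
    number, action = int(parts[1]), parts[2]
    if parts[3] == "host":                      # 'host A.B.C.D' is an alias for 'A.B.C.D 0.0.0.0'
        addr, wildcard = parts[4], "0.0.0.0"
    elif len(parts) == 4:                       # IOS: no wildcard given means exact host match
        addr, wildcard = parts[3], "0.0.0.0"
    else:
        addr, wildcard = parts[3], parts[4]
    return {"number": number, "action": action,
            "address": _to_int(addr), "wildcard": _to_int(wildcard)}

def matches(entry, address):
    """Wildcard bit 1 = ignore that bit, 0 = bit must match the entry's address."""
    care = ~entry["wildcard"] & 0xFFFFFFFF
    return (entry["address"] & care) == (_to_int(address) & care)

def canonical(entry):
    """Entry as IOS keeps it: address bits under wildcard 1s are cleared.

    This is why 10.0.0.1 0.0.0.255 and 10.0.0.0 0.0.0.255 are the same entry.
    """
    base = entry["address"] & ~entry["wildcard"] & 0xFFFFFFFF
    return f"{ipaddress.IPv4Address(base)} {ipaddress.IPv4Address(entry['wildcard'])}"

if __name__ == "__main__":
    # The three entries discussed in the thread.
    for line in ("#access-list 1 permit 10.0.0.1 0.0.0.255",
                 "#access-list 1 permit 10.0.0.0 0.0.0.255",
                 "access-list 1 permit host 10.0.0.1"):
        e = parse_standard_acl(line)
        hits = [a for a in ("10.0.0.1", "10.0.0.200", "10.0.1.1") if matches(e, a)]
        print(f"{line:45} -> stored as {canonical(e):22} matches {hits}")
```

The first two lines both canonicalize to `10.0.0.0 0.0.0.255` and match every 10.0.0.x host, so a NAT rule keyed on either translates the whole /24; only the `host` form pins the translation to 10.0.0.1.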

Bronze

Re: Basic ACL Question...

The two ACLs that you have posted have the same meaning in its own sense.

NAT that uses ACLs is dynamic and the one without ACLs is static.

If you want to create static translations (or permanent translations per host),

just use "ip nat inside source static local-ip global-ip".

Creating ACLs for static NAT will just waste cpu resources from the router.

So don't be confused about those two examples that you have seen. Cheers.

Hope this helps.
