Cisco Support Community
New Member

Is a NAT ACL by default in or out?

Where is this ACL applied? Traffic traveling inside to out? Or outside to in? Is it actually being applied on an interface?

ip nat inside source list 100 interface Ethernet0/0 overload

Also, is this where I would decide what traffic I want to allow into my router? Or would I make a separate ACL and apply it to an interface?


3 REPLIES

Re: is a NAT acl by default in or out?

The access list that you specify in the ip nat command is like an interesting-traffic selector. Those packets which are matched by access list 100 will be NATed; the rest will bypass NAT. So this access list is actually used to match all incoming packets on the inside interface of the NAT router (that is, the interface on which you have applied the command "ip nat inside").

To allow/disallow packets to/from the router you cannot use NAT. You need to create separate access lists and permit/deny the required subnets (depending on what policy you want) and apply them inbound on the WAN interface, which would restrict inbound connections, or apply them outbound if you want to restrict outbound connections.

You shouldn't confuse the access list used in the NAT command with the access lists applied using ip access-group commands on the interface.

New Member

Re: is a NAT acl by default in or out?

Thanks, that cleared some stuff up. Here's another question that you might be able to field for me. You said that you cannot allow/disallow packets to/from a router using NAT. But what if I have a NAT router and I want to only allow incoming traffic (HTTP, ICMP type 8, and FTP)? Then using NAT I would statically translate those to internal servers. But I want the external interface to respond to ICMP pings. Doable?

Re: is a NAT acl by default in or out? (Accepted Solution)

I see, there might have been a slight error in the framing of my sentence....

If you use a private address inside your network and use NAT at the border, anybody on the internet can reach a PC on the inside only if you have configured a NAT translation (say a static translation). That way NAT does provide security.

Even with this configuration, the external interface should respond to pings.
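Putting the two answers above together as one worked IOS configuration. This is an added example and not part of the thread; the addressing (inside LAN 192.168.1.0/24, web server 192.168.1.10, FTP server 192.168.1.11, outside address 203.0.113.2 on Ethernet0/0, inside interface Ethernet0/1) and the ACL name OUTSIDE-IN are assumptions chosen for illustration. It separates the three pieces that the thread keeps running together: the NAT selector ACL from the original question (which only decides what gets translated and is never applied with ip access-group), the static translations that publish the HTTP and FTP servers, and the interface ACL on the WAN port that actually restricts inbound traffic while still letting the outside interface answer pings.

```cisco
! Added example, not from the thread. Addresses, interface roles and the ACL name
! OUTSIDE-IN are assumed for illustration.
!
interface Ethernet0/1
 description inside LAN (assumed)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet0/0
 description outside / WAN (assumed public address 203.0.113.2)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! 1. NAT selector ACL. It is referenced only by the ip nat command and chooses which
!    inside sources get translated. It is NOT an interface filter: a packet that does
!    not match simply leaves untranslated, it is not dropped.
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 100 interface Ethernet0/0 overload
!
! 2. Static port translations. Inbound HTTP and FTP to the outside address are
!    forwarded to the internal servers. These entries are independent of ACL 100.
ip nat inside source static tcp 192.168.1.10 80 interface Ethernet0/0 80
ip nat inside source static tcp 192.168.1.11 21 interface Ethernet0/0 21
!
! 3. Interface ACL applied inbound on the WAN port. This is what permits or denies
!    traffic entering the router. It is evaluated before outside-to-inside NAT, so
!    destinations here are the router's public address, not the 192.168.1.x hosts.
ip access-list extended OUTSIDE-IN
 remark return traffic for sessions started from inside (ACK or RST set)
 permit tcp any host 203.0.113.2 established
 remark published services on the outside address
 permit tcp any host 203.0.113.2 eq www
 permit tcp any host 203.0.113.2 eq ftp
 remark ICMP type 8 so the outside interface answers pings; echo-reply for inside hosts' pings
 permit icmp any host 203.0.113.2 echo
 permit icmp any host 203.0.113.2 echo-reply
 remark everything else is dropped and logged (an implicit deny exists anyway)
 deny ip any any log
```

Two things to check on a real router: `established` only matches packets with ACK or RST set, so it is packet filtering, not stateful inspection; and only the FTP control channel (port 21) is opened here, so FTP data connections need either the data port range permitted or a stateful feature such as CBAC or a zone-based firewall in front of the static translation.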
