Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

NAT and ACL

Hello

When configuring Static and Dynamic NAT, i've always used an ACL to block off the statically used IP address from initiating dynamic NAT, i've been doing this cause i was told this is best practice, however i really dont know the reasoning behind it!!could some one point out some of cons on NOT using a ACL to block off the statically assigned address?i've configured the same setup with OUT the ACL and the routers seem to be running fine so far!any input would be appreciated(I've done a copy&Paste from one Cisco's docs here as well)

Thanks in advance for your time

ip nat pool test 172.16.131.2 172.16.131.10 netmask 255.255.255.0

ip nat inside source list 7 pool test

ip nat inside source static 10.10.10.1 172.16.131.1

interface e 0

ip address 10.10.10.254 255.255.255.0

ip nat inside

interface s 0

ip address 172.16.131.254 255.255.255.0

ip nat outside

access-list 7 deny host 10.10.10.1

access-list 7 permit 10.10.10.0 0.0.0.255

Note: ACL 7 (access-list 7) in the above configuration denies the inside local address, which is used in the static nat command. This will prevent packets sourced from the inside local address, 10.10.10.1, from being able to generate NAT dynamically. This is necessary because the inside local address of 10.10.10.1 is already being used for static NAT. This practice should always be used when configuring static and dynamic NAT simultaneously.

2 REPLIES
Community Member

Re: NAT and ACL

hi

I have also configured the router without the ACL for Static NAT assignments and works well just as in your case. The only CONS i see about preventing static assignment from trying to get a dynamic assignmnet would be more statements and maybe more processing on the router CPU although this may be negilible.

Just my 2 cents

Community Member

Re: NAT and ACL

There no use for the static if you don't deny it in he acl for the dynamic nat since it will then use the same dynamic adres(sen) to translate to the outside.

This is also needed for traffic initiated from the outside nat interface to be able to connect to the nat adress en thus be natted to the inside adres.

see also:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml

289
Views
0
Helpful
2
Replies
CreatePlease to create content