When configuring static and dynamic NAT, I've always used an ACL to block off the statically used IP address from initiating dynamic NAT. I've been doing this because I was told this is best practice; however, I really don't know the reasoning behind it! Could someone point out some of the cons of NOT using an ACL to block off the statically assigned address? I've configured the same setup without the ACL and the routers seem to be running fine so far! Any input would be appreciated. (I've done a copy & paste from one of Cisco's docs here as well.)
Thanks in advance for your time
```
ip nat pool test 172.16.131.2 172.16.131.10 netmask 255.255.255.0
ip nat inside source list 7 pool test
ip nat inside source static 10.10.10.1 172.16.131.1
interface e 0
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
interface s 0
 ip address 172.16.131.254 255.255.255.0
 ip nat outside
access-list 7 deny host 10.10.10.1
access-list 7 permit 10.10.10.0 0.0.0.255
```
Note: ACL 7 (access-list 7) in the above configuration denies the inside local address, which is used in the static NAT command. This will prevent packets sourced from the inside local address, 10.10.10.1, from being able to generate NAT dynamically. This is necessary because the inside local address of 10.10.10.1 is already being used for static NAT. This practice should always be used when configuring static and dynamic NAT simultaneously.
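As an added example (not from the post or from Cisco's docs), here is a simplified Python model of how `list 7` gates the dynamic pool: with the `deny host 10.10.10.1` line the statically translated host never takes a pool address, while without it that host is eligible for one like any other 10.10.10.0/24 host. The `DynamicPool` class and `demo()` function are assumptions of the model, not IOS internals.

```python
import ipaddress

# Added example: a simplified model of how standard ACL 7 gates the dynamic
# NAT pool. It is not IOS code; the classes below are the model's assumptions.
def matches_wildcard(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF          # bits the ACL entry actually compares
    return (a & keep) == (b & keep)

# Standard ACL entries as (action, base, wildcard); "host X" is (X, 0.0.0.0).
ACL7_WITH_DENY = [
    ("deny", "10.10.10.1", "0.0.0.0"),       # the static NAT inside local
    ("permit", "10.10.10.0", "0.0.0.255"),
]
ACL7_WITHOUT_DENY = [("permit", "10.10.10.0", "0.0.0.255")]

def acl_permits(acl, src: str) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, base, wildcard in acl:
        if matches_wildcard(src, base, wildcard):
            return action == "permit"
    return False

class DynamicPool:
    """Models 'ip nat pool test 172.16.131.2 172.16.131.10' fed by 'source list 7'."""
    def __init__(self, first: str, last: str, acl):
        lo, hi = (int(ipaddress.IPv4Address(x)) for x in (first, last))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.acl = acl
        self.table = {}  # inside local -> inside global

    def translate(self, src: str):
        """Pool address for src, or None when list 7 or pool exhaustion blocks it."""
        if src in self.table:
            return self.table[src]
        if not acl_permits(self.acl, src) or not self.free:
            return None
        self.table[src] = self.free.pop(0)
        return self.table[src]

def demo():
    with_deny = DynamicPool("172.16.131.2", "172.16.131.10", ACL7_WITH_DENY)
    without_deny = DynamicPool("172.16.131.2", "172.16.131.10", ACL7_WITHOUT_DENY)
    return {
        "static host, deny present": with_deny.translate("10.10.10.1"),   # None
        "other host, deny present": with_deny.translate("10.10.10.5"),    # 172.16.131.2
        "static host, deny absent": without_deny.translate("10.10.10.1"), # 172.16.131.2
    }
```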
I have also configured the router without the ACL for static NAT assignments and it works well, just as in your case. The only cons I see about preventing the static assignment from trying to get a dynamic assignment would be more statements and maybe more processing on the router CPU, although this may be negligible.