Cisco Support
English
Feedback Help
Cisco Support Community
Register
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
sfarzin
sfarzin
Community Member
‎12-23-2003 08:28 AM
‎12-23-2003 08:28 AM

NAT and ACL

Hello

When configuring Static and Dynamic NAT, i've always used an ACL to block off the statically used IP address from initiating dynamic NAT, i've been doing this cause i was told this is best practice, however i really dont know the reasoning behind it!!could some one point out some of cons on NOT using a ACL to block off the statically assigned address?i've configured the same setup with OUT the ACL and the routers seem to be running fine so far!any input would be appreciated(I've done a copy&Paste from one Cisco's docs here as well)

Thanks in advance for your time

ip nat pool test 172.16.131.2 172.16.131.10 netmask 255.255.255.0

ip nat inside source list 7 pool test

ip nat inside source static 10.10.10.1 172.16.131.1

interface e 0

ip address 10.10.10.254 255.255.255.0

ip nat inside

interface s 0

ip address 172.16.131.254 255.255.255.0

ip nat outside

access-list 7 deny host 10.10.10.1

access-list 7 permit 10.10.10.0 0.0.0.255

Note: ACL 7 (access-list 7) in the above configuration denies the inside local address, which is used in the static nat command. This will prevent packets sourced from the inside local address, 10.10.10.1, from being able to generate NAT dynamically. This is necessary because the inside local address of 10.10.10.1 is already being used for static NAT. This practice should always be used when configuring static and dynamic NAT simultaneously.

0 Helpful
Reply
2 REPLIES
dathaide
dathaide
Community Member
‎12-23-2003 08:49 AM
‎12-23-2003 08:49 AM

Re: NAT and ACL

hi

I have also configured the router without the ACL for Static NAT assignments and works well just as in your case. The only CONS i see about preventing static assignment from trying to get a dynamic assignmnet would be more statements and maybe more processing on the router CPU although this may be negilible.

Just my 2 cents

0 Helpful
Reply
r.sneekes
r.sneekes
Community Member
‎12-24-2003 07:57 AM
‎12-24-2003 07:57 AM

Re: NAT and ACL

There no use for the static if you don't deny it in he acl for the dynamic nat since it will then use the same dynamic adres(sen) to translate to the outside.

This is also needed for traffic initiated from the outside nat interface to be able to connect to the nat adress en thus be natted to the inside adres.

see also:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml

0 Helpful
Reply
Latest Documents
PFRv3 channel state questions
Created by Vasilii Mikhailovskii on 04-23-2018 05:06 AM
0
0
0
0
This document gives several answers on frequently asked questions for PFRv3 channel state behavior. Q1: What are all the channel operational states from a BR (border role) perspective and what are the rules/conditions to be in each st... view more
VPN and static NAT problem
Created by Jacopo Belcredi on 04-23-2018 04:07 AM
0
0
0
0
Symptoms The need was to reach an host inside a LAN through a VPN connection managed by the LAN gateway (Cisco 1921). The LAN gateway performs NAT and there was a dedicate nat rule for the host i wanted to reach through VPN. I couldn't connect to the hos... view more
Cisco ESW-520-24P Switch Configuration
Created by Kevin DeMott on 04-19-2018 01:49 PM
0
0
0
0
We have 3 identical switches configured by someone else and would like to claim some of the Gigabit ports(G1/G2/G3/G4) for use on servers.  When we try to change the wiring and configuration, we run in to connectivity issues.  Attached is a des... view more
All Documents
289
Views
0
Helpful
2
Replies
CreatePlease to create content
Discussion
Blog
Document
Video
Popular Blogs
Glimpse of "EIGRP name mode configuration"
Created by ashirkar on 10-01-2013 02:06 AM
7
79
7
79
What happens, when router receives packet?
Created by ashirkar on 10-18-2012 03:19 AM
31
49
31
49
BLOG (No Title)
Created by Akula Jyoti Lakshmi on 08-09-2011 09:13 PM
15
43
15
43
All Blogs