07-15-2003 11:48 AM - edited 02-20-2020 09:22 PM
I want to double-check the following. On an interface that does NAT, access-list and firewall, which IP do I block: the NAT or the NATed one?
interface Serial0.500 point-to-point
ip address xxx
ip nat outside
no arp frame-relay
no cdp enable
frame-relay interface-dlci 500
ip access-group 101 in
ip inspect FWALL out
07-15-2003 03:11 PM
Hi,
You need to block the pre-NATed IP address, which would be your external public address.
Regards,
Mynul
07-16-2003 10:43 PM
Mynul, is it the pre-NATed or the NATed?
Correct me if I am wrong, but the access-list is processed before the NAT.
The subinterface is the outside (ip nat outside) and the direction of the access-list is 'in', meaning all traffic that is being blocked by the ACL is the traffic coming into the interface, going to the router. Since the interface is the outside, before the packets go out of the interface the source address (SA) is translated by the router, therefore the return packet should have the translated IP address as the destination address. If the traffic is initiated from the outside, the DA should be the translated address, and the access-list should take effect first to filter the translated IP address.
Let me know if I'm wrong, I'm curious mate.
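The order of operations being debated above, as an added illustration that is not part of the thread and is not Cisco's code: for a packet arriving inbound on an "ip nat outside" interface (outside-to-inside direction), IOS evaluates the inbound ACL before it performs the outside-to-inside NAT translation, so the ACL matches on the inside-global (public) address. The model below shows why an entry written against the inside-local (private) address never matches. The NAT mapping, the ACL entries and the packet addresses are constructed sample values, and `inbound_on_nat_outside` is a simplified stand-in for the router's forwarding path, not an IOS API.

```python
# Added example modelling Cisco's documented NAT order of operations for the
# outside-to-inside path: inbound ACL first, then NAT of the destination.
# All addresses and the NAT mapping below are constructed sample values.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class AclEntry:
    action: str                # "permit" or "deny"
    src: Optional[str] = None  # None means "any"
    dst: Optional[str] = None  # None means "any"


# Constructed static NAT mapping: inside local (private) -> inside global (public)
NAT_TABLE: Dict[str, str] = {"10.1.1.10": "203.0.113.10"}
GLOBAL_TO_LOCAL: Dict[str, str] = {g: l for l, g in NAT_TABLE.items()}


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First-match evaluation, with the implicit deny at the end of every IOS ACL."""
    for entry in acl:
        src_match = entry.src is None or entry.src == pkt.src
        dst_match = entry.dst is None or entry.dst == pkt.dst
        if src_match and dst_match:
            return entry.action == "permit"
    return False


def inbound_on_nat_outside(acl: List[AclEntry], pkt: Packet) -> Tuple[bool, Packet]:
    """Packet entering an 'ip nat outside' interface with an inbound ACL applied.

    Returns (forwarded, packet_as_seen_after_nat). The ACL sees the packet
    exactly as it arrived from the outside, i.e. with the inside-global
    destination; only afterwards is the destination rewritten to inside local.
    """
    if not acl_permits(acl, pkt):
        return False, pkt
    local = GLOBAL_TO_LOCAL.get(pkt.dst)
    if local is None:
        # No translation entry: there is no inside host to deliver to.
        return False, pkt
    return True, replace(pkt, dst=local)


def compare_acls() -> Dict[str, bool]:
    """Run one outside-initiated packet through two candidate ACLs.

    'deny_inside_local' denies the private address, 'deny_inside_global'
    denies the public address. Only the second one actually stops the packet.
    """
    pkt = Packet(src="198.51.100.7", dst="203.0.113.10")  # constructed outside source
    deny_private = [AclEntry("deny", dst="10.1.1.10"), AclEntry("permit")]
    deny_public = [AclEntry("deny", dst="203.0.113.10"), AclEntry("permit")]
    return {
        "deny_inside_local": inbound_on_nat_outside(deny_private, pkt)[0],
        "deny_inside_global": inbound_on_nat_outside(deny_public, pkt)[0],
    }


if __name__ == "__main__":
    # -> {'deny_inside_local': True, 'deny_inside_global': False}
    print(compare_acls())
```

The result matches the answer given in the thread: on the inbound ACL of the outside interface, the address to reference is the external public (inside-global) one; an entry written for the private inside-local address is evaluated before translation has happened and therefore never matches.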