Cisco Support Community
Community Member

1600 nat, access list, firewall

I want to double check the following. On an interface that does NAT, access-list and firewall, what IP to block? NAT or NATed?

interface Serial0.500 point-to-point
 ip address xxx
 ip nat outside
 no arp frame-relay
 no cdp enable
 frame-relay interface-dlci 500
 ip access-group 101 in
 ip inspect FWALL out

2 REPLIES
Silver

Re: 1600 nat, access list, firewall

Hi,

You need to block the pre-NATted IP address, which would be your external public address.

Regards,

Mynul

Community Member

Re: 1600 nat, access list, firewall

Mynul, is it the pre-NATted or the NATted?

Correct me if I am wrong, but the access-list is processed before the NAT.

The subinterface is the outside (ip nat outside) and the direction of the access-list is 'in', meaning all traffic that is being blocked by the ACL is the traffic coming into the interface going to the router. Since the interface is the outside, before the packets go out of the interface the source address (SA) is translated by the router; therefore the return packet should have the translated IP address as the destination address. If the traffic is initiated from the outside, the DA should be the translated address, and the access-list should take effect first to filter the translated IP address.

Let me know if I'm wrong, I'm curious, mate.
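The point both replies turn on is the order of operations on an `ip nat outside` interface: for traffic arriving from the outside, the inbound ACL is evaluated before the outside-to-inside (global to local) translation, so the ACL must name the public address. The following model is an added example written for this thread, not code from either poster; the ACL syntax is a small Cisco-like subset and all addresses and the NAT table are constructed sample values.

```python
import ipaddress

def _match(addr, spec):
    """Cisco-style address match: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wild = spec.split()
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))   # wildcard -> netmask
    return (int(ipaddress.IPv4Address(addr)) & mask) == (int(ipaddress.IPv4Address(net)) & mask)

def _take_spec(tokens):
    """Consume one address spec from a token list; return (spec, remaining tokens)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return "host " + tokens[1], tokens[2:]
    return tokens[0] + " " + tokens[1], tokens[2:]

def parse_acl(lines):
    """Parse 'access-list N {permit|deny} PROTO SRC DST' lines into tuples."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, rest = _take_spec(t[4:])
        dst, _ = _take_spec(rest)
        entries.append((t[2], t[3], src, dst))
    return entries

def acl_check(entries, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, proto, src, dst in entries:
        if proto in ("ip", pkt["proto"]) and _match(pkt["src"], src) and _match(pkt["dst"], dst):
            return action
    return "deny"

def inbound_on_outside(entries, nat_table, pkt):
    """Outside-to-inside path: ACL sees the untranslated (global) destination,
    and only a permitted packet is then translated global -> local."""
    verdict = acl_check(entries, pkt)
    if verdict != "permit":
        return "deny", pkt["dst"]
    return "permit", nat_table.get(pkt["dst"], pkt["dst"])

# Constructed sample data: public 203.0.113.10 is statically NATed to 10.1.1.10.
NAT_TABLE = {"203.0.113.10": "10.1.1.10"}
ACL_PRIVATE = parse_acl(["access-list 101 deny ip any host 10.1.1.10",
                         "access-list 101 permit ip any any"])
ACL_PUBLIC = parse_acl(["access-list 101 deny ip any host 203.0.113.10",
                        "access-list 101 permit ip any any"])
PKT = {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10"}
```

Running `inbound_on_outside` with `ACL_PRIVATE` lets the packet through and translates it, because the entry written with the private address never matches the pre-translation destination; `ACL_PUBLIC` blocks it.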
