Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
543
Views
0
Helpful
2
Replies

1600 nat, access list, firewall

roelfs
Level 1
Level 1

‎07-15-2003 11:48 AM - edited ‎02-20-2020 09:22 PM

I want to double check the following. On an interface that does NAT, access-list and firewall, what IP to block? NAT or NATed?

interface Serial0.500 point-to-point

ip address xxx

ip nat outside

no arp frame-relay

no cdp enable

frame-relay interface-dlci 500

ip access-group 101 in

ip inspect FWALL out

Labels:
0 Helpful
2 Replies 2

mhoda
Level 5
Level 5

‎07-15-2003 03:11 PM

Hi,

You need to block the pre-natted ip address which would be your external public address.

Regards,

Mynul

0 Helpful

benjamingarcia
Level 1
Level 1
In response to mhoda

‎07-16-2003 10:43 PM

Mynull, is it the pre-natted or the natted?

correct me if I am wrong, the access-list is process before the NAT.

The subinterface is the outside (ip nat outside) and the direction of the access-list is 'in'. Meaning all traffic that is being block by the ACL is the traffic coming into the interface going to the router. Since the interface is the outside, before the packets goes out of the interface, the Source address (SA) is translated by the router, therefore the return packet should have the translated IP address as the destination address. If the traffic is initiated from the outside, the DA should the translated address and the access-list should take effect first to filter the translated IP address

let me know if i'm wrong, i'm curious mate

0 Helpful
Customers Also Viewed These Support Documents