Can you use an Extended ACLs for NAT?

I tried looking this up, but frankly I didn't know what to make of the results.

Someone designed a lab, they specified that they want to use NAT.

In the instructions:

Access-list 100 will be used for the permit statement for when you're dynamically assigning an address from the NAT pool.

My problem with this is that I'm under the impression that you can only use a Standard ACL for this.

Am I correct? Or am I overlooking something?

example:

! overload (PAT) is a keyword of the translation rule, not of the pool definition
ip nat pool POOL_NAME first-ip last-ip netmask x.x.x.x

access-list 1 permit (local IP network)

ip nat inside source list <1-99> pool POOL_NAME overload

I cannot see how this would work with an extended list considering that an extended ACL implies the need for a destination address of some sort or another.

Example:

access-list 100 permit ip (local net) (destination net)

This doesn't make any sense to me when it comes to NAT.

Help?

Accepted Solution

cadet alain
VIP Alumni

Hi,

Suppose you are using the same link for Internet access and for an IPSec VPN. Then you must prevent the traffic using the VPN from being NATed, and in this case you must use an extended ACL like this:

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

The first line denies VPN traffic between the LANs and the second permits the Internet destined traffic.

Regards

Alain

Don't forget to rate helpful posts.
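Pulling the two answers together as an added worked example (this is not code from either post). IOS numbers standard ACLs 1-99 and 1300-1999 and extended ACLs 100-199 and 2000-2699, so the `<1-2699>` range John's router accepts already covers both kinds. The snippet below parses the standard ACL from the question and the extended ACL from the accepted answer, then evaluates three flows against each the way the `ip nat inside source list` rule does: first matching entry decides, no match is the implicit deny, and a denied packet is simply routed without translation. The flows, the pool addresses and the assumption that 192.168.2.0/24 is the remote VPN LAN are constructed for the example; protocol and port matching is not modelled because the point is the destination field, which a standard ACL does not have.

```python
"""Model of how IOS applies the ACL named in
'ip nat inside source list <acl> pool <pool> overload' to a flow.

Added illustration for this thread, not code from the original posts. The two
ACLs are the ones quoted in the thread; the flows, pool addresses and the role
of 192.168.2.0/24 as the VPN peer LAN are constructed assumptions.

The extended ACL would be wired up like this (usual IOS form, assumed values):
    ip nat pool POOL_NAME 203.0.113.10 203.0.113.20 netmask 255.255.255.0
    ip nat inside source list 101 pool POOL_NAME overload
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address

ALL = 0xFFFFFFFF  # wildcard meaning "every bit is don't-care", i.e. 'any'


@dataclass(frozen=True)
class Ace:
    """One access-list entry. Wildcard bits set to 1 mean 'don't care'."""
    permit: bool
    src: int
    src_wild: int
    dst: int
    dst_wild: int


def is_standard(number: int) -> bool:
    """Numbered ranges IOS treats as standard; the rest of 1-2699 are extended."""
    return 1 <= number <= 99 or 1300 <= number <= 1999


def _parse_spec(tokens: list[str]) -> tuple[int, int, list[str]]:
    """Consume one address spec: 'any', 'host A', 'A WILDCARD', or a bare 'A'."""
    if tokens[0] == "any":
        return 0, ALL, tokens[1:]
    if tokens[0] == "host":
        return int(IPv4Address(tokens[1])), 0, tokens[2:]
    addr = int(IPv4Address(tokens[0]))
    if len(tokens) > 1:
        return addr, int(IPv4Address(tokens[1])), tokens[2:]
    return addr, 0, []  # bare address in a standard ACL: wildcard 0.0.0.0


def parse_acls(lines: list[str]) -> dict[int, list[Ace]]:
    """Parse 'access-list N permit|deny ...' lines into ordered entry lists."""
    acls: dict[int, list[Ace]] = {}
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        number, permit, rest = int(tok[1]), tok[2] == "permit", tok[3:]
        if is_standard(number):
            src, src_wild, _ = _parse_spec(rest)
            dst, dst_wild = 0, ALL  # standard ACL: the destination is never examined
        else:
            rest = rest[1:]  # skip the protocol keyword ('ip' in the thread)
            src, src_wild, rest = _parse_spec(rest)
            dst, dst_wild, _ = _parse_spec(rest)
        acls.setdefault(number, []).append(Ace(permit, src, src_wild, dst, dst_wild))
    return acls


def _covers(net: int, wild: int, addr: int) -> bool:
    """Wildcard match: every bit not masked by the wildcard must agree."""
    return ((net ^ addr) & ~wild & ALL) == 0


def will_translate(acl: list[Ace], src: str, dst: str) -> bool:
    """First matching entry decides; no match is the implicit deny (routed untranslated)."""
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    for ace in acl:
        if _covers(ace.src, ace.src_wild, s) and _covers(ace.dst, ace.dst_wild, d):
            return ace.permit
    return False


STANDARD_ACL = ["access-list 1 permit 192.168.1.0 0.0.0.255"]
EXTENDED_ACL = [
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
]
# Constructed flows: LAN host -> remote VPN LAN, LAN host -> Internet, stray source -> Internet.
FLOWS = [
    ("192.168.1.10", "192.168.2.20"),
    ("192.168.1.10", "203.0.113.5"),
    ("10.9.9.9", "203.0.113.5"),
]


def compare() -> dict[tuple[str, str], tuple[bool, bool]]:
    """For each flow: (translated under ACL 1, translated under ACL 101)."""
    acl1 = parse_acls(STANDARD_ACL)[1]
    acl101 = parse_acls(EXTENDED_ACL)[101]
    return {f: (will_translate(acl1, *f), will_translate(acl101, *f)) for f in FLOWS}


if __name__ == "__main__":
    for (src, dst), (std, ext) in compare().items():
        print(f"{src} -> {dst}: standard ACL 1 NATs={std}, extended ACL 101 NATs={ext}")
```

The standard ACL translates the LAN-to-VPN flow, which would break the IPSec tunnel because the crypto ACL would no longer see the inside source; the extended ACL's deny entry (normally the mirror image of the crypto ACL's permit entry) leaves that flow untouched while still overloading everything else onto the pool. On the router the equivalent check is `show ip nat translations` after generating each flow.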

3 Replies

John Blakley
VIP Alumni

You can. It probably depends on the type of platform you're on, or the IOS version:

R4(config)#ip nat inside source list ?

  <1-2699>  Access list number for local addresses

  WORD      Access list name for local addresses

HTH,
John

*** Please rate all useful posts ***


Looks like I left out some critical information. The lab in question was directly related to VPNs, so thanks for throwing that response out there; it really did fall into place.

It makes sense to me now, and I got some good knowledge out of it.

Thank you.
