View Full Version : ACL in NAT


Ash!
08-01-2008, 10:41 AM
Hi Lammle ,
In NAT (dynamic and PAT) we actually write access lists, but we don't apply them on any interface. Do access lists really mean anything without their application? As we have studied, access lists do not work without actually being applied.

I would again appreciate your expert answer

Cheers

Ash

lildeezul
08-01-2008, 11:38 AM
Yes, you are correct.

First, you configure (type) the ACL.
ex: access-list 1 permit 192.168.0.16 0.0.0.15

and you're correct (don't apply it to any interfaces).

With this command, the router actually makes the ACL, but it doesn't run it (but it is made and is in the IOS).

Now the NAT command actually tells the router to permit/deny the addresses based on the access list that was created.

Therefore the router will not compare addresses with the ACL as they enter or exit an interface (hence, the ACL won't be applied to an interface),
but the router will look at the interface to see if it is part of the inside or outside network. If it's part of the outside network (interface subcommand ip nat out), then the router will look at the NAT and ACL config.

But when the router notices that a certain destination is towards a public network (outside network, hence the interface subcommand ip nat outside) and that it needs to be translated into a public IP address, then the router will inspect the NAT command that was configured, and it will notice that the ACL is configured with the NAT, so it will compare the IP address to the ACL and determine if it can be translated or not.



ex:

! ACL 1 selects which inside source addresses are eligible for translation (192.168.0.16 - 192.168.0.31)
access-list 1 permit 192.168.0.16 0.0.0.15
! Pool of global (public) addresses the router may translate to
ip nat pool test 198.18.184.105 198.18.184.110 netmask 255.255.255.248
! Tie the ACL to the pool; 'overload' enables PAT so many inside hosts share one pool address
ip nat inside source list 1 pool test overload

and then configure your interface to tell the router if those interface are part of the inside network, or outside.
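The post above describes the decision the router makes: the ACL referenced by "ip nat inside source list" is a selector, consulted only for traffic going from an "ip nat inside" interface to an "ip nat outside" interface, and a packet the ACL does not permit is forwarded untranslated rather than dropped. The following is an added example written for this thread, not code from the original post or from Cisco. It models that decision in Python using the exact ACL and pool from the post; the interface names Fa0/0 and Fa0/1, the sequential PAT port allocation, and the 'reason' strings are assumptions of the model, not IOS behaviour.

```python
"""Toy model of how an IOS router uses an ACL referenced by
'ip nat inside source list <acl> pool <pool> overload'.

Added example for this thread; not Cisco code. Interface names and the
port allocation scheme are assumptions of the model.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AclEntry:
    """One line of a standard ACL, e.g. 'access-list 1 permit 192.168.0.16 0.0.0.15'."""
    action: str     # "permit" or "deny"
    address: str    # base address
    wildcard: str   # wildcard mask: a 1 bit means "don't care"


def acl_matches(entry: AclEntry, ip: str) -> bool:
    """Wildcard-mask comparison: only the bits where the wildcard is 0 must be equal."""
    base = int(ipaddress.IPv4Address(entry.address))
    wild = int(ipaddress.IPv4Address(entry.wildcard))
    addr = int(ipaddress.IPv4Address(ip))
    care = ~wild & 0xFFFFFFFF
    return (base & care) == (addr & care)


def acl_permits(acl: list, ip: str) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny any'."""
    for entry in acl:
        if acl_matches(entry, ip):
            return entry.action == "permit"
    return False


@dataclass
class NatRouter:
    acl: list
    pool: list              # global addresses from 'ip nat pool'
    inside: set             # interfaces configured 'ip nat inside'
    outside: set            # interfaces configured 'ip nat outside'
    next_port: int = 1024   # assumed allocation; real IOS tries to keep the original port first
    table: dict = field(default_factory=dict)   # (inside ip, port) -> (global ip, port)

    def forward(self, in_iface, out_iface, src_ip, src_port):
        """Return (src_ip, src_port, reason) as seen leaving out_iface.

        The ACL is consulted only for inside -> outside traffic, and a packet it
        does not permit is forwarded with its original source address, not dropped.
        (Return traffic outside -> inside is matched against the table in real IOS;
        that reverse lookup is not modelled here.)
        """
        if in_iface not in self.inside or out_iface not in self.outside:
            return (src_ip, src_port, "not translated: not inside->outside")
        if not acl_permits(self.acl, src_ip):
            return (src_ip, src_port, "not translated: ACL does not permit")
        key = (src_ip, src_port)
        if key not in self.table:
            # overload (PAT): one global address, a distinct port per inside flow
            self.table[key] = (self.pool[0], self.next_port)
            self.next_port += 1
        g_ip, g_port = self.table[key]
        return (g_ip, g_port, "translated")


def build_thread_router() -> NatRouter:
    """The ACL and pool from the post above; interface names are assumed."""
    return NatRouter(
        acl=[AclEntry("permit", "192.168.0.16", "0.0.0.15")],
        pool=["198.18.184.105", "198.18.184.106", "198.18.184.107",
              "198.18.184.108", "198.18.184.109", "198.18.184.110"],
        inside={"Fa0/0"},
        outside={"Fa0/1"},
    )


if __name__ == "__main__":
    r = build_thread_router()
    # constructed sample flows: two inside the permitted range, two outside it
    for ip in ("192.168.0.20", "192.168.0.31", "192.168.0.32", "192.168.0.5"):
        print(ip, "->", r.forward("Fa0/0", "Fa0/1", ip, 40000))
    # a packet arriving on the outside interface is never a candidate for inside-source translation
    print(r.forward("Fa0/1", "Fa0/0", "8.8.8.8", 53))
```

Running it shows 192.168.0.20 and 192.168.0.31 leaving as 198.18.184.105 with distinct ports, while 192.168.0.32 and 192.168.0.5 leave with their private source addresses intact. That last point is the practical caveat: a deny (or the implicit deny) in a NAT ACL only means "leave this address alone"; if you want those hosts blocked from the outside interface, apply a separate access list to the interface with "ip access-group".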

Ash!
08-01-2008, 12:27 PM
Many thanks for your detailed reply
Cheers !

Big Evil
08-01-2008, 02:41 PM
Good post lildeezul.:cool: