Access list and Static NAT ?

Fyn Registered Users Posts: 2
Hello there. If I have a router on which a static NAT is applied for the inside host A to reach the outside networks, and I want to deny outside hosts from reaching host A, which address am I supposed to add in the access list? The inside global or the inside local? What is the difference?

Comments

  • atorven Member Posts: 319
    Create an ACL denying traffic matching the Outside global address (the address to which your private address is being translated). Don't forget that the outside hosts don't know anything about the internal (private) IP address that you're assigning to the host; they only know that external (public) address.
  • Christopher Dobkowski Member Posts: 98
    Fyn's right.

    When you apply NAT to a network, no one can reach your PCs or other gear by their Private IP. The only IP that matters in your case is the Outside Global. If the outside world pings the private IP of the device, it won't reply. If it pings the public IP, it will reply. So the example would be:

    ! deny TCP from anywhere to the translated (public) address of the host
    access-list 100 deny tcp any host PublicIP
    ! without an explicit permit the implicit deny at the end drops all other traffic
    access-list 100 permit ip any any
  • xXErebuS Member Posts: 230
    Fyn's right.

    When you apply NAT to a network, no one can reach your PCs or other gear by their Private IP. The only IP that matters in your case is the Outside Global. If the outside world pings the private IP of the device, it won't reply. If it pings the public IP, it will reply. So the example would be:

    ! deny TCP from anywhere to the translated (public) address of the host
    access-list 100 deny tcp any host PublicIP
    ! without an explicit permit the implicit deny at the end drops all other traffic
    access-list 100 permit ip any any

    This is the commonly accepted answer, but it is no longer true. You need to check the order of operations for your specific equipment. For example, on ASA 8.3+ code you would deny traffic based on the inside local instead of the global, because NAT takes place before the inbound ACL.
  • pogue Member Posts: 213
    Fyn,

    Given xXErebus's post, from a knowledge perspective, you would be best served by labbing this very setup using two different access lists, one that blocks the public IP and one that blocks the private IP, and seeing which one works. Keep in mind that you might be running an IOS version that works one way, and xXErebus's ASA works another way.

    The difference between a paper CCNA and one that is destined for greater things is whether or not that CCNA knows "how" things work, instead of just knowing what the commands are.

    Russ
    Currently working on: CCNA:Security
    Up next: CCNA:Voice
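The lab setup pogue suggests, written out as an added example (not a configuration posted by anyone in this thread). Host A's inside local 10.0.0.10 and inside global 203.0.113.10 are constructed lab addresses; the interface names are assumed. On the IOS router the ACL applied inbound on the outside interface is evaluated before the outside-to-inside translation, so it must match the inside global; on ASA 8.3+ the interface ACL matches the untranslated (real) address, as xXErebuS notes.

```cisco
! --- Cisco IOS router (constructed lab addresses) ---
interface GigabitEthernet0/0
 description inside
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description outside
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 ip access-group 100 in
!
! Host A: inside local 10.0.0.10 <-> inside global 203.0.113.10
ip nat inside source static 10.0.0.10 203.0.113.10
!
! Inbound on the outside interface the ACL is checked before NAT,
! so a deny on the inside local (10.0.0.10) would never match here.
access-list 100 deny   ip any host 203.0.113.10
! lab-only catch-all so the rest of the lab traffic still flows
access-list 100 permit ip any any
!
! Verify from an outside host: "show access-lists 100" should show
! the hit counter on the deny line increasing, and "show ip nat
! translations" should show no new entry for 10.0.0.10.

! --- Cisco ASA 8.3+ equivalent (ACLs use the real address) ---
object network HOST_A
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10
!
access-list OUTSIDE_IN extended deny ip any object HOST_A
access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside
```

Swapping the two deny lines (public IP on the ASA, private IP on the router) is the second access list of pogue's experiment; on each platform only one of the two will ever record hits.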