nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Access list and Static NAT ?

Fyn

Hello there. If I have a router on which is applied a static NAT for the inside host A to reah the oustside networks and I want to deny outside hosts to reach host A which address im I supposed to add in the access list? The inside global or inside local? What is the differene?

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

atorven

Create an ACL denying traffic matching the Outside global address(the address to which your private address is being translated to), don't forget that the outside hosts don't know anything about that internal(private) IP address that your assigning to the host, they only know that external (public) address.

Christopher Dobkowski

Fyn's right.

When you apply NAT to a network, no one can reach your PCs or other gear by its Private IP. The only IP that matters in your case is the Outside Global. The outside world, if it will ping the private IP of the device, it won't reply. If it'll ping the public IP, it will reply. So the example would be:

ip access-list 100 tcp deny any PublicIP

xXErebuS

Christopher Dobkowski wrote: »

Fyn's right.

When you apply NAT to a network, no one can reach your PCs or other gear by its Private IP. The only IP that matters in your case is the Outside Global. The outside world, if it will ping the private IP of the device, it won't reply. If it'll ping the public IP, it will reply. So the example would be:

ip access-list 100 tcp deny any PublicIP

This is the commonly accepted answer but is no longer true. You need to check your order of operations for your specific equipment, for example ASA 8.3+ code you would deny traffic based on inside local instead of global b/c NAT takes place before Inbound ACL.

pogue

Fyn,

Given xXErebus's post, from a knowledge perspective, you would be best served by labbing this very setup using two different access lists, one that blocks the public IP, one that blocks the private IP, and see which one works. Keep in mind, that you might be running an IOS version that works one way, and xXErebus's ASA works another way.

The difference between a paper CCNA and one is destined for greater things is whether or not that CCNA knows "how" things works, instead of just knowing what the commands are.

Russ