NAT and ACL

MikeyMays
I'm new to the Cisco ASA stuff; I just wanted some clarification on this matter.
If you can define a NAT, what is the point of an ACL?
1. Is it for you to allow more control over NAT? Let's say you wanted to block HTTPS on a certain web server; would the ACL be the place to do it?
2. Instead of opening the whole range of protocols in NAT, does an ACL give you the option to define what protocols should be open for that IP?
3. Does it allow you to define what source IP is allowed to access what protocol and ports?
So basically, is an ACL for more "tweaking" of what protocols and ports are open on a defined NAT?
I'm also under the assumption you can use an ACL on an interface to define a group of IPs or networks.
Am I close, or am I way off in my thinking? Thanks in advance.
Istvan Kalmar, Head of IT Security Division

Commented:
1. It is possible if you configure an ACL:
http://www.petenetlive.com/KB/Article/0000054.htm
2. Yes, with an ACL on the outside interface:
http://www.petenetlive.com/KB/Article/0000077.htm
3. Yes, with an ACL on the outside interface:
http://www.petenetlive.com/KB/Article/0000077.htm

Commented:
Basically an ACL is to filter packets per protocols, ports and addresses. It's assigned per interface (in/out). You can define groups of protocols, ports and addresses.
NAT is to translate addresses and ports, not to filter. You can use an ACL in NAT to filter what is being translated.
If you want to know what is done first on the router (filtering or translation, i.e. the order of operation), see here: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Author

Commented:
OK, so that's why NAT gives you the option of PAT: in case you had a web server running on, let's say, 8080, you can accept connections on port 80 from the outside, but once inside the firewall it's translated to 8080. And according to the Cisco link you provided me, outside-to-inside the ACL would be before NAT, so let's say you had a group of outside computers with static IPs, you could allow only those computers to access the web server instead of letting everyone. Thanks, it's starting to make sense. So without an ACL, does this mean you just let all protocols go through if you had only a NAT setup without a service?
Commented:
Cisco NAT can translate addresses AND protocols. So for example you can translate 'protocol a address b' into 'protocol c address d'. So only protocol a, not every protocol. In your example only 80 will be translated into 8080, not every port into 8080. So theoretically you don't need an ACL when NATing.
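The split the answers describe (NAT decides how a packet is translated, the interface ACL decides which sources may reach which service) is easiest to see as one ASA configuration. The following is an added example, not configuration from this thread or from the linked articles; it assumes ASA 8.3 or later syntax, where the outside-interface ACL matches the server's real (untranslated) address and real port, and it uses constructed RFC 5737 documentation addresses. Note that on an ASA, traffic arriving on the lower-security outside interface is dropped unless an interface ACL permits it, so the ACL is what actually opens the port, and the NAT alone does not expose the server to everyone.

```cisco
! Real server on the inside (constructed address), listening on 8080
object network WEB_SERVER
 host 10.1.1.10
 ! Static PAT: outside clients connect to the outside interface IP on 80,
 ! the ASA translates the destination to 10.1.1.10:8080.
 ! Only TCP/80 is translated; no other port reaches the server this way.
 nat (inside,outside) static interface service tcp 8080 www

! The only outside networks allowed to reach the web server (constructed)
object-group network TRUSTED_CLIENTS
 network-object host 203.0.113.10
 network-object 198.51.100.0 255.255.255.0

! Interface ACL: source filtering the NAT rule cannot express.
! Because this is 8.3+ syntax, match the real IP and the real port (8080),
! not the translated outside IP and port 80.
access-list OUTSIDE_IN extended permit tcp object-group TRUSTED_CLIENTS object WEB_SERVER eq 8080
! Anything else (including HTTPS to the server, or 8080 from untrusted sources)
! is dropped and logged, which is the hook for detecting unwanted probes.
access-list OUTSIDE_IN extended deny ip any any log

! Bind the ACL inbound on the outside interface
access-group OUTSIDE_IN in interface outside
```

To confirm which rule a given flow hits and in what order NAT and the ACL are applied, run `packet-tracer input outside tcp 203.0.113.10 40000 <outside-interface-ip> 80` on the ASA; it reports each phase (NAT, ACCESS-LIST) and whether the packet is allowed or dropped.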

Author

Commented:
I wasn't too sure, but it's more clear now. Thanks.
